FERPA Statement

Version: v1.0 Effective Date: May 13, 2026 Last Reviewed: May 13, 2026

Section 1 — Applicability and Scope

This statement describes how Rushing Waters Consulting LLC is structured to operate in compliance with the Family Educational Rights and Privacy Act (FERPA) in the context of formal school and district partnerships. FERPA applies to educational agencies and institutions that receive federal funding. When Rushing Waters operates under a signed agreement with a school, district, or Local Educational Agency (LEA), the following framework governs our handling of student Education Records.

Note: This statement applies to school and district partnership engagements. For direct-to-family (D2C) accounts, please refer to our Privacy Policy and COPPA Statement.

Section 2 — School Official Designation

When operating under contract with a school or district, Rushing Waters Consulting LLC functions strictly as a "School Official" possessing a "legitimate educational interest" as defined under FERPA (34 CFR §99.31(a)(1)). In this capacity:

  • We access student Education Records solely to perform services specified in our agreement with the contracting institution
  • We do not re-disclose student Education Records to third parties without written consent from the contracting LEA
  • We are subject to the same conditions governing FERPA compliance as institutional employees
  • Our use of student data is limited to the educational purpose for which access was granted

Section 3 — Data Ownership

All student Education Records and associated PII are the exclusive property of the contracting school, district, or LEA. Rushing Waters Consulting LLC claims no ownership over student data. Upon contract termination, all Education Records are returned or permanently destroyed at the LEA's direction within 30 days.

Section 4 — Security Standards

Student Education Records are protected via: AES-256 encryption at rest; TLS 1.3 encryption in transit; role-based access controls restricting data access to authorized personnel only; and regular third-party security reviews. We maintain a written data security plan available to contracting institutions upon request.

Section 5 — Breach Notification

In the event of a security incident compromising student PII or Education Records, Rushing Waters will: notify the contracting LEA within 48 hours of confirmed breach discovery; provide a written incident report within 5 business days; and cooperate fully with the institution's breach response procedures. We maintain cyber liability insurance appropriate to our operational scale.

Section 6 — PPRA Compliance

Rushing Waters does not conduct surveys, evaluations, or analyses of student personal information for any commercial purpose. Our Learning Profile system generates synthesized educational observations for the purpose of personalized instruction only, consistent with the Protection of Pupil Rights Amendment (PPRA).

Section 7 — District Contract Riders

We recognize that individual districts may have data governance requirements exceeding the federal baseline. We are prepared to execute district-specific Data Sharing Agreements (DSAs), Data Processing Agreements (DPAs), and standard Student Data Privacy Consortium (SDPC) agreements. Contact founders@rushingwatersconsulting.com to initiate a compliance review.