The 5 requirements your AI tutoring deployment must meet to satisfy FERPA, with a vendor evaluation checklist for procurement teams.
TUEL Team
Every university CIO we talk to says the same thing: faculty want AI tutoring, but procurement won't approve a vendor until the FERPA question is answered. That question is reasonable. Student interaction data with an AI tutor — questions asked, topics struggled with, session timestamps — constitutes an educational record under federal law.
This post covers the five requirements your AI tutoring deployment must meet to comply with FERPA. We also include a vendor evaluation checklist that your procurement office can use during the RFP process. If you are an IT director, CISO, or compliance officer evaluating AI tutoring platforms, this is the reference document you need.
FERPA (the Family Educational Rights and Privacy Act, codified at 20 U.S.C. § 1232g and implemented through 34 CFR Part 99) protects "education records" — information directly related to a student that is maintained by an educational agency or institution, or by a party acting for the agency or institution. When a student asks an AI tutor about organic chemistry at 11 p.m. and the system logs that interaction tied to the student's identity, that log is an education record.
An AI tutoring vendor typically qualifies as a "school official" under the FERPA exception in 34 CFR § 99.31(a)(1)(i)(B). This exception allows disclosure of education records without consent if the vendor performs an institutional service, operates under the institution's direct control with respect to the use of records, and uses the records only for the purposes specified in the agreement. The institution must also ensure the vendor does not re-disclose the information without authorization.
The "legitimate educational interest" standard (34 CFR § 99.31(a)(1)) sets the boundary for what data the vendor can access. The vendor may only access records that are necessary to fulfill its contracted function. An AI tutoring platform does not have a legitimate educational interest in a student's financial aid records, disciplinary history, or data from courses that do not use the platform.
Directory information (34 CFR § 99.3) — name, email, enrollment status — has a separate set of rules. Institutions can designate certain information as directory information and release it without consent, but students can opt out. Your AI tutoring vendor agreement should specify which directory fields, if any, the vendor will receive, and how opt-outs are handled.
FERPA does not mandate a specific encryption standard, but the Department of Education's Privacy Technical Assistance Center (PTAC) recommends AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit. Your vendor should confirm that student interaction data is encrypted in both states and specify where the data physically resides.
Data residency matters because some institutions have state-level requirements (such as Texas TAC § 202 or California's SOPIPA) that restrict where student data can be stored. Your vendor should offer U.S.-based data residency at minimum and be able to specify the cloud region where student records are stored.
FERPA requires institutions to maintain a record of each request for access to and each disclosure of personally identifiable information (34 CFR § 99.32). In practice, this means your AI tutoring platform must log who accessed student data, what data was accessed, when the access occurred, and the purpose of the access.
Audit logs should be immutable — once written, they cannot be modified or deleted by the vendor or institution administrators. Logs should be exportable in standard formats (CSV, JSON) so your compliance team can incorporate them into institutional audit workflows. The retention period for audit logs should match your institution's records retention policy, typically 5 to 7 years.
The "legitimate educational interest" standard requires that access to student records be limited to those who need it for their job function. A flat permission model where every faculty member can see every student's AI interaction history violates this principle. Your AI tutoring platform must implement role-based access control (RBAC) with at least four tiers: student (sees only their own data), instructor (sees data for students in their courses), department administrator (sees aggregate data for their department), and platform administrator (manages system configuration without accessing individual student records).
RBAC should integrate with your institution's identity provider via SAML 2.0 or OIDC so that role assignments follow existing directory structures. When a faculty member stops teaching a course at semester end, their access to that course's student interaction data should terminate automatically.
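A deny-by-default check for the four tiers described above, including instructor access that ends with the teaching assignment, shown as an added example that is not from the original post or any vendor's code. The role names, the `Principal` fields, the term end date, and the sample data are assumptions made for illustration; in a real deployment the role and assignment values would come from the identity provider's SAML or OIDC claims.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: session count per (student, course).
SESSIONS = {("s1001", "CHEM201"): 12, ("s1002", "CHEM201"): 7, ("s1003", "BIOL110"): 4}
COURSE_DEPT = {"CHEM201": "CHEM", "BIOL110": "BIOL"}

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str                      # student | instructor | dept_admin | platform_admin
    dept: str = ""
    # (course, last day of the teaching assignment) pairs, as synced from the IdP
    teaching: tuple = ()

def can_view_student_record(p: Principal, student: str, course: str, today: date) -> bool:
    """Individual interaction history: only the student or a current instructor."""
    if (student, course) not in SESSIONS:
        return False
    if p.role == "student":
        return p.user_id == student
    if p.role == "instructor":
        # Access ends automatically once the assignment's end date has passed.
        return any(c == course and today <= end for c, end in p.teaching)
    return False                   # dept_admin and platform_admin: deny by default

def department_aggregate(p: Principal, dept: str) -> int:
    """Aggregate view: total sessions for the admin's own department only."""
    if p.role != "dept_admin" or p.dept != dept:
        raise PermissionError(f"{p.user_id} may not view aggregates for {dept}")
    return sum(n for (_, c), n in SESSIONS.items() if COURSE_DEPT[c] == dept)

SPRING_END = date(2025, 5, 16)     # constructed term end date
ALICE = Principal("s1001", "student")
JDOE = Principal("jdoe", "instructor", "CHEM", (("CHEM201", SPRING_END),))
ASMITH = Principal("asmith", "dept_admin", "CHEM")
ROOT = Principal("ops1", "platform_admin")
```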
Your vendor agreement must state that the institution owns all student interaction data. This is not negotiable under FERPA: the institution, not the vendor, is the custodian of education records. The agreement should specify that upon contract termination, the vendor will return all data to the institution in a machine-readable format and delete its copies within a defined period (30 days is standard).
Data portability also means the vendor should provide API access or bulk export capabilities so your institution can move data between systems without vendor lock-in. If the vendor stores student data in a proprietary format with no export path, you have a compliance risk and a procurement red flag.
This is the requirement that eliminates most generic AI tools from consideration. If a vendor uses student interaction data to train, fine-tune, or improve its AI models, the data is being used for a purpose beyond the contracted educational service. That use falls outside the "school official" exception and would require individual student consent under FERPA.
Your vendor agreement should include an explicit prohibition on using student data for model training, product improvement, benchmarking, or any purpose other than providing the contracted tutoring service. This prohibition must extend to the vendor's subprocessors, including the underlying LLM provider.
Enterprise versions of general-purpose AI tools (ChatGPT Enterprise, Google Gemini for Workspace, Microsoft Copilot) have made progress on data privacy, but they were not built for FERPA-regulated environments. Several structural gaps persist in these platforms when used for student-facing tutoring.
Where generic AI tools fall short:
These gaps do not mean generic tools are unusable in higher education. They mean these tools require significant contractual modifications and technical workarounds to meet FERPA requirements — modifications that vendors may not be willing to make for an individual institution.
TUEL was built for FERPA-regulated education from day one. The architecture was designed around the five requirements above, not retrofitted to meet them. Here is how each requirement maps to specific TUEL capabilities.
TUEL FERPA architecture:
The Elon University deployment validated this architecture in production. Over one semester, Elon AI processed 9.5 million tokens of student interactions across multiple departments with zero data incidents and full audit trail coverage. Elon's IT security team reviewed the architecture prior to deployment and confirmed it met their FERPA compliance requirements. Read the Elon University case study at /case-studies/elon-university for detailed deployment outcomes.
Use this checklist when evaluating AI tutoring vendors during procurement. Each item maps to a specific FERPA requirement. A vendor that cannot answer "yes" to all of these items needs additional review before deployment.
FERPA compliance checklist for AI tutoring vendors:
Print this checklist and bring it to your next vendor evaluation meeting. TUEL answers "yes" to every item on this list. Request our FERPA compliance documentation package at /pricing.
FERPA compliance is a prerequisite, not a differentiator. The real question is whether an AI tutoring platform can meet compliance requirements while also delivering meaningful educational outcomes — course-grounded responses, faculty control, and measurable student engagement.
TUEL does both. See our pricing and deployment options at /pricing, or read how Elon University deployed FERPA-compliant AI tutoring in a single semester at /case-studies/elon-university.