Student Records & FERPA
How JCIL.AI handles university deployments that process student education records under the Family Educational Rights and Privacy Act (FERPA).
JCIL.AI's role
FERPA regulates the handling of "education records" at institutions that receive US Department of Education funding. JCIL.AI is not itself a covered institution, your university is.
When a university provides student access to JCIL.AI through institutional accounts in a context where education records may flow through student conversations (e.g., a counseling-services assistant that sees grade info, an advising conversation that views application records), JCIL.AI operates as a "school official" with a legitimate educational interest under 34 CFR § 99.31(a)(1)(i)(B).
What we commit to
- No redisclosure. We do not disclose education records to any party outside the subprocessor chain documented on our subprocessors page.
- Direct institutional control. Your university can terminate our Processing at any time by closing the institutional accounts. On termination, access stops immediately.
- Use limitation. Education records are used only for the educational purpose you establish for the institutional accounts. We do not use student data for any other service, product, or training pipeline.
- Return or destruction on request. The university can request deletion of all data at any time via the compliance contact form with topic FERPA / university compliance. We honor within 30 days.
- Audit cooperation. We will support reasonable FERPA audits and provide a controls matrix within the response time requested.
What universities must do
- Add JCIL.AI to your official list of outsourced service providers operating under the school-official exception.
- Document the "legitimate educational interest" in using JCIL.AI (typically covered by your existing vendor review process).
- Scope student use of the institutional accounts to that purpose, do not direct students to Process records outside the stated purpose.
- Ensure that notice of outsourcing to JCIL.AI is consistent with your annual FERPA notification to students.
- Designate appropriate student-support staff (Dean of Students, counseling center, campus safety) to receive crisis escalations.
What student data is Processed
JCIL.AI only sees what students send in their conversations:
- Chat messages between students and JCIL.AI
- Any reference material students include in a message (e.g., course catalogs, registrar FAQs)
- Optional identity metadata if a student includes it in a message (student ID, department)
- Request metadata (IP address, approximate location) retained 30 days
We do not pull from your SIS, LMS, or other systems of record unless your integration explicitly sends that data in a message.
Executing a FERPA addendum
Our standard Data Processing Addendum covers FERPA-aligned obligations (school official status, use limitation, no redisclosure, deletion on request). Universities that need a FERPA-specific rider can request one through the compliance contact form.
If your institution's general counsel requires specific language around the school-official exception, re-disclosure, or records-of-disclosure, we will negotiate reasonable additions to the DPA.