Ferpa business associate agreement

tawk.to has in place the following protocols that assist the educational institution clients with FERPA compliance:

• our cloud-based software and all communications use HTTPS protocol.
• all communication between the application and authentication servers is conducted via secure connections.
• we leverage off the security of our hosting partners like Google Cloud Services, AWS & Digital Ocean which have both physical and technological safeguards
• all data is encrypted in transit by TLS 1.2 and at rest using 256-bit Advanced Encryption Standard (AES-256)
• no one will have access to, nor will we disclose any information from, a student educational records without the prior written consent of the student.

Exceptions to FERPA’s Prior Written Consent Rule

FERPA contains several statutory exceptions to the rule requiring written consent before disclosing a student’s education records or FERPA PII. The most relevant exceptions to education service providers include:

• Outsourced educational functions or services. FERPA permits disclosures to other school officials, such as teachers or other school employees, with legitimate educational interests.
• Student financial aid. FERPA permits disclosures directly related to a student’s financial aid application or award (20 U.S.C. § 1232g(b)(1)(D); 34 C.F.R. § 99.31(a)(6)).
• Education research. FERPA permits disclosures to organizations conducting certain studies for educational institutions under specified conditions (20 U.S.C. § 1232g(b)(1)(F); 34 C.F.R. § 99.31(a)(6)).
• Accreditation. FERPA permits required disclosures to accreditation organizations (20 U.S.C. §1232g(b)(1)(G); 34 C.F.R. § 99.31(a)(7)).
• Health or safety. Under specific conditions, FERPA permits disclosures for:

health or safety emergencies (20 U.S.C. §1232g(b)(1)(I); 34 C.F.R. §§ 99.31(a)(10), 99.36); or treatment purposes, assuming the disclosures satisfy the HIPAA Privacy Rule if disclosed to a HIPAA covered entity (20 U.S.C. § 1232g(a)(4)(B)(iv); 34 CFR § 99.3).

• Directory information. FERPA permits disclosure of properly designated and noticed directory information (20 U.S.C. § 1232g(a)(5); 34 C.F.R. §§ 99.31(a)(11), 99.37).