Tribe AccredAI
Tribe AccredAICompliance OS
 Back to home
Compliance

FERPA at Tribe AccredAI

A plain-English summary of how Tribe AccredAI handles student education records for U.S. higher-education institutions subject to the Family Educational Rights and Privacy Act (FERPA).

Last Updated: May 2026

Our role

When your institution uploads education records to Tribe AccredAI, your institution remains the data controller. Tribe Consulting, LLC processes those records as a “school official” with “legitimate educational interests” under 34 CFR §99.31(a)(1)(i)(B), performing services your institution would otherwise perform with its own employees, under your direct control.

What we recommend uploading

The simplest way to stay safely within FERPA is to prefer de-identified or aggregated evidence (policies, narratives, aggregate outcomes like pass rates or graduation percentages) rather than identifiable student records. The evidence upload screen asks you to confirm one of two things before each upload:

  • the file contains no personally identifiable student records, or
  • your institution has authorized the upload under FERPA §99.31 — in which case Tribe AccredAI processes the record as a school official under your direct control.

Controls in the product

  • Access control. Workspace data is isolated by row-level security; only members of your organization can read it, and admin actions are role-gated.
  • Audit logging. Evidence views, downloads, exports, and consultant access changes are recorded in an insert-only activity log. Admins can request an extract.
  • AI opt-in. Evidence flagged as containing identifiable student records is excluded from AI analysis unless your workspace explicitly opts in.
  • External reviewers. Consultants invited to your workspace accept a confidentiality clause and inherit FERPA obligations through us; their access is scoped and revocable.
  • Deletion. Admins can delete an organization and its data, which removes evidence files from storage and database rows.

Security

TLS in transit, encryption at rest, tenant isolation via row-level security, MFA-ready authentication, password breach-list checks (HIBP), least-privilege production access, and immutable audit logging.

Subprocessors

See the subprocessors page for the current list, region, and purpose of each provider with potential access to education records.

Breach notification

We commit to notifying your institution without undue delay, and in any event within seventy-two (72) hours, of any confirmed unauthorized acquisition, access, use, or disclosure of education records.

FERPA Addendum & DPA

Our standard Data Processing Addendum contains a dedicated FERPA Addendum with the full set of contractual commitments — school-official designation, direct control, purpose limitation, no-redisclosure, subprocessor flow-down, security measures, breach notification, return/destruction, audit support, rights-request assistance, and the AI opt-in default.

If your institution requires a counter-signed copy or an addendum on your paper, contact legal@tribeaccredai.com.

Contact

Tribe Consulting, LLC — privacy@tribeaccredai.com