FERPA Compliance Statement

Approved: steve@respondwize.com

Version 1.0 - April 24, 2025

1. Overview

Almi acts as a School Official with a legitimate educational interest under the Family Educational Rights and Privacy Act (FERPA) when processing student information on behalf of partner institutions such as the University of Montana (UM). This document summarizes the controls, contractual commitments, and procedures that ensure Almi's compliance with FERPA.

2. Designation as School Official

  • The Master Services Agreement between UM and Almi designates Almi as a School Official per 34 CFR §99.31(a)(1)(i).
  • Almi is subject to the direct control of UM with respect to the use and maintenance of education records.

3. Allowed Data Usage

Almi will use education records solely to:

  • Match students with alumni mentors or job‑opportunity providers.
  • Facilitate outreach (calls, SMS, emails) authorized by UM.
  • Provide usage analytics to UM administrators.
  • Improve matching algorithms in aggregate, de‑identified form.

Almi will not re‑disclose personally identifiable information (PII) or use records for advertising, profiling, or unrelated research.

4. Data Access Controls

Almi implements comprehensive data access controls to protect education records, including:

  • Role-based access control (RBAC) with least privilege principles
  • Multi-factor authentication for all system access
  • Regular access reviews and audits
  • Encryption of data at rest and in transit
  • Secure logging and monitoring of all access attempts

5. Student Rights Facilitation

Almi supports student rights under FERPA by:

  • Providing students access to their education records upon request
  • Maintaining accurate records of disclosures
  • Facilitating requests for corrections to education records
  • Supporting institutions in responding to student privacy requests

6. Breach Notification

  • Almi follows its internal Incident Response Plan and will notify UM within 24 hours of a confirmed breach involving education records.
  • Notification includes the nature of the breach, data elements, containment actions, and remediation plan.

7. Data Retention & Destruction

  • Education records are retained only as long as necessary for the contract (default 365 days after last interaction, extendable by UM request).
  • Upon termination, Almi will crypto‑shred backups and securely erase production data within 30 days, providing a signed Certificate of Destruction.

8. Audits & Oversight

  • UM may audit Almi's FERPA controls annually (desk or onsite).
  • Almi provides a SOC 2 Type II report and an internal pen‑test summary on request.
  • Any audit findings are remediated within a mutually agreed timeline.

9. Training & Awareness

  • New hires complete FERPA training within 30 days.
  • Annual refresher required; completion tracked in HRIS.

10. Point of Contact

FERPA Compliance Officer – steve@respondwize.com | +1‑469-964-4167

11. Version & Review

Reviewed at least annually or upon material change in data practices or FERPA regulations. Latest revision stored in the secure document vault.

Last updated: April 24, 2025