FERPA at DO

Safeguard student PII while empowering your educational institution’s growth.

Overview

The United States' Family Educational Rights and Privacy Act (“FERPA”) is a federal law designed to protect the privacy of student education records. The Act applies to educational institutions and agencies that receive funding from the U.S. Department of Education, including public schools, colleges, and universities. FERPA aims to ensure that student information is safeguarded by granting parents and eligible students essential rights to access, review, and request corrections to education records, as well as control the disclosure of a student's personally identifiable information (“PII”).

Organizations subject to FERPA that store student PII with a cloud services provider (“CSP”) generally focus on the following requirements for a CSP processing such information:

  • Direct Control: Organizations must maintain “direct control” over the use and maintenance of education records.
  • Use & Redisclosure Restrictions: CSPs processing student PII on behalf of governed organizations are limited to processing for specified purposes only and are restricted from disclosing such information to third parties without consent or other legal justification.

DigitalOcean’s Support of FERPA and Educational Privacy

The Company provides security and privacy features intended to support educational organizations with their internal FERPA compliance and assessment efforts. The information in this section describes certain capabilities, tools, and transparency resources available through the Company’s services and is provided for informational purposes only. These features do not constitute a representation or guarantee of FERPA compliance.

School Official Criterion

  1. Direct Control & Data Ownership: As outlined in our Terms of Service, DigitalOcean (“we”) does not assert or claim ownership of any student records an educational institution opts to upload to DigitalOcean servers.
  2. Use & Redisclosure Restrictions: As outlined in our Data Processing Agreement, DigitalOcean only processes customer data in accordance with a customer’s instructions.

Privacy Management

  1. We hold a Global PRP certification to evidence the strength of our reasonable security measures, including, but not limited to, access controls, encryption protocols, security monitoring techniques, and our approach to risk management.
  2. As part of our privacy impact assessment and reviews, we document the categories of personal information collected and the purposes for which they are used.
  3. We implement processes to honor consumer requests, such as the right to access, delete, and correct personal information.

Security Safeguards

  1. We maintain logical access policies and procedures to protect personal information from unauthorized access.
  2. We deploy routine vulnerability scans and penetration tests to safeguard our infrastructure.

Third-Party Risk Management

  1. We make our Higher Education Community Vendor Assessment Toolkit (HECVAT) report available through our Security and Certifications Center.
  2. We provide available DigitalOcean and data center provider certifications to customers through our Trust Center.
  3. We perform vendor security and privacy reviews as required under applicable privacy and data protection laws as part of the onboarding process for any third party involved in processing customer data.

Operational Resilience

  1. We provide real-time updates to our service infrastructure on the DigitalOcean Status Page.
  2. We provide Service-Level Agreements for several of our products.
  3. We maintain logging and monitoring systems that analyze resource utilization and system performance and alert the appropriate teams of relevant issues we may need to address.
  4. We have dedicated resources for managing platform availability and resiliency incidents. These resources review incident trends, conduct post-incident reviews, and manage post-incident mitigation activities.
  5. We review business continuity and disaster recovery plans on an annual basis.

DigitalOcean Service Customer Controls and FERPA Compliance Considerations

Customers are responsible for evaluating whether the services they deploy are configured, monitored, and governed in a manner appropriate for their compliance obligations. Customers may access additional information and supporting documentation to assist in their further evaluation of the following areas:

Access Control

While DigitalOcean protects data center access and the infrastructure control panel, customers are responsible for managing team members, SSH keys, and individual user permissions within their deployed applications.

Data Protection

DigitalOcean provides hardware-level encryption and platform isolation. Customers are responsible for encrypting PII at the application level and managing their respective encryption keys.

Retention & Deletion

DigitalOcean provides foundational tools for data storage and deletion. Customers must implement internal policies to determine when student records should be archived or destroyed.

Standardized Assessments

The Higher Education Community Vendor Assessment Toolkit (HECVAT) provides a standardized framework for evaluating a vendor’s security and privacy posture. Please visit our Security and Certifications Center to access DigitalOcean’s HECVAT in order to determine if the appropriate safeguards are in place for your institution.
