FERPA Compliance

How AEMS helps US institutions protect student education records under the Family Educational Rights and Privacy Act.

Last updated: March 2026

AEMS and FERPA

Under FERPA, student grades, exam submissions, and academic assessments are protected education records. When a third-party service handles these records, it must operate under institutional control and use data only for authorised purposes.

AEMS is designed to fit within FERPA requirements through three mechanisms: institutional control over data, purpose-limited processing, and comprehensive access logging.

Deployment models and FERPA

Institutional plan (strongest FERPA posture)

Deploy AEMS entirely behind your university firewall. Student records never leave your network. Your IT team controls the environment, retention policies, and access. This is equivalent to running your own software; no third-party data transfer occurs.

Personal plan

The Personal plan uses a hosted AEMS account together with a paired local agent. Source exam PDFs can remain on the instructor's machine, but the hosted app fetches them from the paired agent when grading starts. Institutions evaluating FERPA posture should account for both the hosted AEMS workflow and any third-party AI provider used for inference.

Department plan

The cloud-hosted platform processes education records on EU-hosted infrastructure. Institutions using the Department plan should execute a Data Processing Agreement that establishes AEMS as a “school official” with a legitimate educational interest, as permitted under FERPA § 99.31(a)(1).

Access controls

  • Role-based access: Five distinct roles (Admin, Instructor, TA, Grader, Reviewer) with graduated permissions
  • Course-level isolation: Users only access courses and submissions they are assigned to
  • No cross-institutional data sharing: Each institution's data is fully isolated

Access logging

AEMS maintains comprehensive access logs for all education records, supporting the FERPA requirement that institutions track who accesses student records and why.

  • Every access to student submissions is logged with user ID, role, timestamp, and purpose
  • Grade modifications include before/after values and the reason for change
  • Disclosure events (e.g., posting grades to Canvas) are logged with recipient and purpose
  • Logs are queryable by student ID for access-request fulfilment

Student rights under FERPA

AEMS supports the following student rights:

  • Right to inspect: Institutions can generate per-student access reports showing all grading activity
  • Right to request amendment: Grade override capability with full audit trail
  • Right to consent to disclosure: Grades are only published to Canvas when the instructor explicitly approves

AI and automated grading under FERPA

AEMS does not make autonomous grading decisions. The AI serves as a companion that drafts marks and feedback, but all grades require mandatory human review and approval before they are finalised or disclosed to students. This means the instructor, not the AI, is the decision-maker for all education records.

Recommended institutional steps

  1. Execute a DPA or institutional agreement designating AEMS as a school official with legitimate educational interest
  2. Include AEMS in your institution's annual FERPA notification to students
  3. Use the Institutional or Personal plan for the strongest FERPA posture
  4. Configure data retention policies to match your institution's records schedule

Contact

For FERPA-related enquiries: privacy@aems.app