My Progress Bridge
Back to home

My Progress Bridge, Inc.

FERPA Compliance Statement

Effective: May 8, 2026

1. Purpose and Scope

This FERPA Compliance Statement describes how My Progress Bridge, Inc. complies with the Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232g and 34 C.F.R. Part 99, when providing the My Progress Bridge analytics platform (the “Service”) to school districts and other local educational agencies (each, an “LEA”). It supplements, and is to be read together with, our Privacy Policy and Data Security Policy.

2. Our Role Under FERPA

2.1 School Official with Legitimate Educational Interest

We process Student Data only on behalf of, and at the direction of, the LEA. The LEA designates My Progress Bridge as a “school official” with a “legitimate educational interest” for purposes of 34 C.F.R. § 99.31(a)(1)(i)(B). We:

  • Perform an institutional service for which the LEA would otherwise use its own employees;
  • Are under the direct control of the LEA with respect to the use and maintenance of education records;
  • Are subject to 34 C.F.R. § 99.33(a) governing use and re-disclosure;
  • Use Student Data only for authorized educational purposes set forth in the LEA’s agreement.

2.2 No Use for Marketing or Targeted Advertising

My Progress Bridge does not sell Student Data and does not use Student Data to engage in targeted advertising, build personal profiles for non-educational purposes, or train commercial products unrelated to the authorized educational purpose.

3. Authorized Purposes for Use of Student Data

  • Providing dashboards, analytics, alerts, and reports to authorized LEA personnel;
  • Identifying students who may benefit from early intervention based on LEA-defined criteria;
  • Generating compliance, board, and program-evaluation reports requested by the LEA;
  • Performing technical operations necessary to deliver the Service;
  • Maintaining audit logs and supporting investigations of unauthorized access;
  • De-identifying or aggregating data for product analytics consistent with 34 C.F.R. § 99.31(b);
  • Other purposes expressly authorized in writing by the LEA.

4. Re-Disclosure

We will not re-disclose Student Data to any third party except as expressly permitted by the LEA’s agreement, as required by law, or as authorized under 34 C.F.R. § 99.33. Where re-disclosure is compelled by lawful process, we will, to the extent permitted by law, promptly notify the LEA so it may seek a protective order.

5. Subprocessors and Subcontractors

We engage a limited number of vetted subprocessors (such as cloud-hosting providers) to support the Service. Each subprocessor is bound by written agreement to (a) process Student Data only on our documented instructions, (b) maintain security measures consistent with this Statement, and (c) honor confidentiality obligations no less protective than those binding us.

6. Parent and Eligible Student Rights

FERPA grants parents (and eligible students aged 18 or older) rights to inspect and review education records, request amendment, consent to disclosures except as otherwise permitted by FERPA, and file complaints with the U.S. Department of Education. These rights are exercised through the LEA.

U.S. Department of Education contact for complaints: Student Privacy Policy Office, U.S. Department of Education, 400 Maryland Avenue SW, Washington, D.C. 20202.

7. Data Security

We maintain administrative, technical, and physical safeguards aligned with the NIST Cybersecurity Framework and the AICPA SOC 2 Trust Services Criteria, designed to meet the requirements of 8 NYCRR Part 121 § 121.5 and the New York SHIELD Act. Encryption in transit uses TLS 1.2 or higher; encryption at rest uses AES-256 or equivalent.

8. Data Retention and Destruction

We retain Student Data only as long as necessary to perform the authorized educational purpose and as specified in the LEA’s agreement. For New York LEAs, destruction occurs within sixty (60) days unless a different period is specified in the DSCA.

9. Incident Response and Breach Notification

If we become aware of an unauthorized access, acquisition, use, or disclosure of Student Data, we will:

  • Promptly investigate and contain the incident;
  • Notify the affected LEA without unreasonable delay (per 8 NYCRR Part 121 timelines for NY LEAs);
  • Provide information necessary to enable LEA notification obligations;
  • Cooperate with the LEA in responding to parents, regulators, and authorities.

10. Personnel Training and Access Controls

Access to Student Data is restricted to personnel with a legitimate need to know. Personnel with such access are subject to confidentiality obligations, complete privacy and security training upon hire and annually thereafter, and acknowledge their obligations under FERPA.

11. Audit and Oversight

We will, on reasonable notice, make available information sufficient to demonstrate compliance with this Statement, including SOC 2 reports, penetration-test summaries, subprocessor lists, and incident-response policies.

12. State Compliance

For New York LEAs, we act as a “third-party contractor” subject to Education Law § 2-d and 8 NYCRR Part 121 and adhere to the LEA’s Parents’ Bill of Rights. We comply with applicable state student-privacy laws, including California’s SOPIPA and equivalents.

13. Contact

My Progress Bridge, Inc.
Attn: Data Protection Officer / FERPA Compliance
Email: contact@myprogressbridge.com