
FERPA Compliance

How Graider protects student privacy and supports educational compliance

Last updated: February 2026

Executive Summary

Graider is designed from the ground up to support FERPA (Family Educational Rights and Privacy Act) compliance. Our platform automatically strips student identifiers before any AI processing, encrypts all data in transit and at rest, and ensures that AI providers never receive information that could identify a specific student.

Key FERPA Protections

  • No student names sent to AI: Student identifiers are automatically stripped before content is sent for grading
  • No student PII stored: Graider does not retain student personally identifiable information on our servers
  • Encrypted infrastructure: All data encrypted in transit (TLS/HTTPS) and at rest
  • Teacher approval required: AI grades are suggestions — educators must review and approve before they become official
  • No AI training: None of the AI providers (OpenAI, Anthropic, Google) use API data to train their models
  • Data deletion on request: Educators can request full deletion of their data at any time

What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. It applies to all schools that receive funding from the U.S. Department of Education. Key requirements include:

  • Schools must have written consent before disclosing personally identifiable information (PII) from education records
  • Parents and eligible students have the right to access and request corrections to education records
  • Schools must maintain reasonable security measures to protect education records
  • Third-party service providers may access PII only under specific conditions (the "school official" exception)

How Graider Addresses FERPA Requirements

1. Minimizing Data Exposure

Graider's architecture is designed to minimize the exposure of student personally identifiable information (PII). This applies to all supported AI providers (OpenAI, Anthropic Claude, Google Gemini):

| Data Type | On Graider Servers | Sent to AI Provider |
|---|---|---|
| Student Names | No - Stripped during processing | No - Automatically stripped |
| Student Work Content | Temporarily during grading | Yes - De-identified, for grading analysis |
| Grades & Scores | Yes (encrypted, per educator) | No |
| Feedback Comments | Yes (encrypted, per educator) | Generated by AI, stored encrypted |
| Rubrics & Settings | Yes (encrypted, per educator) | Yes - Sent with grading request |

2. Student Name Stripping

Before any content is sent to AI providers for grading, Graider automatically:

  • Removes student names from file content
  • Replaces names with generic placeholders (e.g., "Student")
  • Strips identifying metadata from documents
  • Processes filenames to remove student identifiers

This de-identification process ensures that no AI service ever receives information that could identify a specific student.

3. Privacy-First Cloud Architecture

Graider is a cloud-based web application built with privacy as a foundational design principle:

  • No student PII stored: Student names are stripped during processing and never retained on our servers
  • Encrypted infrastructure: All data is encrypted in transit (TLS/HTTPS) and at rest on our servers
  • Data isolation: Each educator's data is logically separated from other users
  • Authenticated access: Only authorized educators can access their own data through secure account authentication
  • Secure hosting: Our infrastructure runs on Railway, a SOC 2 compliant cloud platform

4. Data Flow Transparency

Here's exactly what happens when you grade an assignment with Graider:

  1. You upload assignment files through your web browser over an encrypted connection
  2. Graider's server reads and parses the files
  3. Student names and identifiers are automatically stripped from the content
  4. De-identified content + your rubric are sent to your chosen AI provider (OpenAI, Anthropic, or Google) over encrypted connections
  5. The AI provider returns grades and feedback
  6. Graider stores results on encrypted servers, re-associating student names only when displaying results to you
  7. You review AI-generated grades and approve, modify, or reject them before they become official

The "School Official" Exception

FERPA allows schools to disclose PII to "school officials" with "legitimate educational interests" without consent. For third-party services, this typically requires:

  • A written agreement specifying permitted uses
  • That the service is under direct control of the school
  • That data is used only for specified purposes
  • Appropriate security measures

Important Consideration

While Graider strips student names before sending content to AI providers, the de-identified student work itself is sent for AI analysis. Depending on your institution's interpretation, you may need to consider whether using AI grading tools falls under the school official exception or requires separate consent. We recommend consulting with your institution's FERPA compliance officer. Graider is available to execute a Data Processing Agreement (DPA) with your institution upon request.

AI Provider Data Handling

Graider supports multiple AI providers. Here's how each handles API data:

OpenAI (GPT-4o)

  • Training: API data is NOT used to train models by default
  • Retention: Inputs/outputs retained for 30 days for abuse monitoring, then deleted
  • No PII Sent: Graider strips student names before sending
  • Policies: Privacy Policy | API Data Usage

Anthropic (Claude)

  • Training: API data is NOT used to train models
  • Retention: Inputs/outputs may be retained for up to 30 days for trust & safety
  • No PII Sent: Graider strips student names before sending
  • Policies: Privacy Policy | Commercial Terms

Google (Gemini)

  • Training: Paid API data is NOT used to train models
  • Retention: Data handling varies by product tier; API data is not retained for training
  • No PII Sent: Graider strips student names before sending
  • Policies: Privacy Policy | Gemini API Terms

Consistent Protection Across All Providers

Regardless of which AI model you choose in Graider, the same privacy protections apply: student names are stripped before any content is sent, all data is encrypted in transit and at rest, and no AI provider ever receives student PII.

Educator Responsibilities

Your FERPA Compliance Checklist

As the educator using Graider, you retain responsibility for:

  • Reviewing and approving all AI-generated grades and feedback before sharing with students
  • Ensuring your use of Graider complies with your institution's technology and privacy policies
  • Consulting with your administration or FERPA compliance officer if required
  • Maintaining the security of your Graider account credentials
  • Not sharing your account or grading results with unauthorized individuals
  • Requesting deletion of grading data when no longer needed

Comparison: Graider vs. Other AI Grading Tools

| Feature | Graider | Typical AI Grading Tools |
|---|---|---|
| Student names sent to AI | No (automatically stripped) | Often yes |
| Student PII stored | No — names stripped, not retained | Yes, on vendor servers |
| Data encrypted | Yes — in transit and at rest | Varies by vendor |
| Teacher approval required | Yes — AI grades are suggestions only | Often auto-published |
| AI trains on your data | No — no provider trains on API data | Varies by vendor |
| DPA available | Yes — available on request | Varies by vendor |
| Data deletion | On request, promptly fulfilled | Depends on vendor policy |

Best Practices for Educators

Before Using Graider

  • Review your school's acceptable use and technology policies
  • Consult with your FERPA compliance officer if you have questions
  • Understand what data is sent to AI providers and their retention policies
  • Consider whether your institution requires parental notification for AI tool usage
  • Request a Data Processing Agreement (DPA) if required by your institution

While Using Graider

  • Always review AI-generated grades and feedback before distribution
  • Keep your account credentials secure — do not share your login
  • Log out of Graider on shared or public computers
  • Instruct students not to include their names in the body of their work

Data Retention

  • Graider stores your rubrics, assignment configurations, and grading results on encrypted servers
  • Contact us to request deletion of your data at any time
  • Follow your institution's record retention policies for grade records
  • Consider periodic cleanup of old assignment configurations and results through your account settings

For IT Administrators

If you're evaluating Graider for your school or district:

  • Architecture: Cloud web application hosted on Railway (SOC 2 compliant infrastructure)
  • Data Flow: Browser → Graider servers (HTTPS) → AI providers (HTTPS). Student names stripped before AI transmission.
  • Authentication: Secure account-based authentication per educator
  • PII Handling: Student names automatically stripped before AI processing; no student PII retained on servers
  • Data Encryption: TLS/HTTPS in transit, encryption at rest
  • Data Residency: Hosted in the United States
  • DPA: Data Processing Agreement available upon request
  • SSO: ClassLink and Canvas LTI integration planned for district deployments

Frequently Asked Questions

Does Graider sign a Data Processing Agreement (DPA)?

Yes. Graider is available to execute a Data Processing Agreement with your institution. Contact us at admin@graider.live to request a DPA. Note that since student names are automatically stripped before AI processing, no AI provider receives student PII.

Can Graider be used with students under 13 (COPPA)?

Graider is a tool for educators, not for direct student use. Students don't interact with Graider or create accounts. The educator processes student work through the application.

What if a student's name appears in their essay content?

Graider strips names from metadata and file structure. If a student writes their name within the body of their work, that text would be sent to OpenAI. We recommend instructing students not to include their names in the body of their work, or manually reviewing for this before grading.

Is the AI grading accurate enough for official grades?

Graider is a tool to assist educators, not replace their judgment. You should always review AI-generated grades and feedback before making them official. The final grading decision is yours.

Contact Us

If you have questions about FERPA compliance or need additional information for your institution's review, please contact us:

admin@graider.live

We're happy to provide additional documentation or clarification for your compliance needs.
