Academic
Workflows

Get in touch

We'll follow up within one business day.

We never share your contact information.

Preferred contact
Schedule a Google Meet instead
Back to TestDayFERPA Compliant

Data Privacy

How TestDay handles student data, written for coordinators, administrators, and district IT directors.

What is FERPA?

FERPA (the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g) is a federal law that protects the privacy of student education records. It applies to all educational institutions that receive federal funding, which includes virtually every K–12 public school in the United States.

FERPA restricts the disclosure of education records and personally identifiable student information. Schools and their vendors must take appropriate steps to ensure that student data is not accessed, stored, or shared without proper authorization.

TestDay processes student names, emails, accommodations, and payment information as part of the registration workflow. That makes FERPA compliance a foundational requirement, not an afterthought.

What data does TestDay handle?

TestDay operates as the registration workflow between your district and your students and families. To do that, it processes a limited set of data provided by your district and entered by families during registration.

From your district

  • Student name and email
  • Grade level and school
  • Eligibility group (e.g., grade 10, grade 11)
  • Fee tier assignment (district-configured)
  • Testing accommodations (uploaded from College Board data)

From families during registration

  • Google OAuth sign-in (school account)
  • Registration selections (register / un-register)
  • Payment via Stripe (card data never touches our servers)

Payment data: Credit card information is collected and processed by Stripe. Card numbers never pass through or are stored on Academic Workflows servers. Stripe is PCI DSS Level 1 certified, the highest level of payment security certification.

How we protect it

Data stays in your district's ecosystem

Student data from your SIS is used to operate the registration platform for your district. It is not shared across districts, combined with other data sources, or used for any purpose beyond your registration workflow.

Access is limited, with 2FA inherited from your district

Only authorized district coordinators can access student registration data through the admin panel. Sign-in uses Google OAuth tied to your district's Google Workspace domain — which means coordinator access automatically inherits whatever two-factor authentication policy your district has configured. No separate 2FA setup required.

Data is encrypted at rest and in transit

All data is encrypted in transit over HTTPS. Data at rest is encrypted by Neon, our database provider, which is SOC 2 Type 2 certified. Encryption is not optional or add-on — it is the default for every district.

Payment is handled by Stripe

Stripe collects fees directly to your district's bank account. Academic Workflows does not process, store, or have access to credit card numbers. Stripe handles PCI compliance independently.

SIS connection is read-only

The Aeries integration reads student enrollment data to populate the registration platform. TestDay does not write back to your SIS.

Admin panel access is role-based and district-scoped

The coordinator admin panel is accessible only to users your district has explicitly authorized. Each coordinator's access is scoped strictly to your district's data — no coordinator can see, search, or export data from any other district. All admin actions are logged.

Data retention is limited

Registration data is retained only for the duration needed to operate the platform for your district. Districts can request data deletion at any time.

Our commitments

01

FERPA compliance

TestDay is designed to comply with FERPA requirements. Student data is used solely to operate the registration workflow for the district that provided it.

02

No third-party sharing — student or parent data

No student data, parent data, or family information is ever sold, shared with advertisers, or disclosed to any third party. The only external systems that touch any data are Stripe (payment processing) and Google (authentication) — both of which are necessary to operate the platform and neither of which receives student records.

03

No cross-district data use

Each district's data is isolated. Student information from one district is never accessible to another district or used to build profiles, models, or aggregate datasets.

04

Minimal data collection

We collect only the data necessary to run the registration workflow. We do not collect browsing behavior, device information, or any data beyond what is needed for the platform to function.

05

Right to deletion

Districts can request deletion of all registration data at any time. We will confirm deletion in writing within 30 days.

06

Transparency

This page is a plain-language explanation of how we handle data. If something is unclear or you need additional documentation for a district review, we are happy to provide it.

Data Processing Agreements

A signed DPA is the first step of onboarding — not an afterthought. We do not begin configuration or touch any district data until a DPA is in place. If your district requires a signed agreement before proceeding, that is exactly how we work.

We support the following frameworks and templates:

  • CITECalifornia K-12 High Speed Network vendor review process, used by many California districts
  • SDPC / NDPAStudent Data Privacy Consortium National Data Privacy Agreement, used by districts nationally
  • District-specific DPAIf your district uses its own template, we will review and work with your legal team to complete it
Request a Data Processing Agreement

Questions?

If you have questions about how TestDay handles student data, need documentation for a district review, or want to discuss FERPA compliance in detail, we are happy to help.

Contact Us