At FinalForms®, protecting student data is not a checkbox. It is the foundation of everything we build. Since 2012, we have served school districts across the country with a platform designed to support your district’s student data privacy, security, and FERPA obligations and the full landscape of K-12 data privacy requirements.
This FAQ answers the questions district administrators, IT directors, and data privacy officers ask us most. Our policies are publicly documented and our audits are third-party verified.
Quick Facts
- All student data is stored exclusively within the United States
- Data is encrypted in transit (HTTPS/SFTP) and at rest (AES-256)
- FinalForms has maintained 99.99%+ uptime since launching in 2012
- Multi-factor authentication (MFA) is required on all critical access points
- FinalForms has completed multiple compliance framework audits such as K12-CVAT, NIST 2.0, and PCI compliance.
- FinalForms does not sell student data or disclose it for behavioral advertising. Ever.
- Background checks are required for all personnel with access to student data
What is FERPA and why does it matter for your school software?
FERPA — the Family Educational Rights and Privacy Act — is the federal law that governs the privacy of student education records. It requires that schools protect personally identifiable information (PII) and limits who can access, share, or use that data.
FinalForms serves as an authorized service provider under FERPA. We access student data only to the extent necessary to deliver the contracted service. Student records are handled under the direction of the school district.
Districts typically operate under several overlapping privacy laws. FERPA governs student education records. COPPA applies to online services used by children under 13. State laws like SOPIPA in California and equivalent statutes in other states impose additional requirements. FinalForms’s practices are designed to support your district’s compliance obligations under FERPA, COPPA, and applicable state student data privacy laws.
Our Compliance Framework
FinalForms policies are built against the following recognized standards:
- NIST CSF 2.0 — National Institute of Standards and Technology Cybersecurity Framework
- TEC SDPA — The Education Cooperative Student Data Privacy Agreement
- CoSN K-12 CVAT — Consortium for School Networking’s Cyber Vulnerability Assessment Tool
FinalForms privacy policy and data security documents are available upon request.
Frequently asked questions
Data collection
What data does FinalForms collect?
FinalForms only collects data that is specifically required, requested, and approved by the school district. We do not collect, maintain, use, or share personally identifiable information (PII) beyond what is necessary for purposes authorized by the district or the user.
- FinalForms does not sell any data in any format.
- FinalForms does not enter into partnerships that allow third-party applications to access district data.
- FinalForms does not allow third-party cookies, participate in ad networks, or use web beacons.
Does FinalForms collect data through third parties such as cookies, plug-ins, or ad networks?
FinalForms does not use advertising networks or behavioral tracking technologies within the FinalForms platform. Any cookies used are limited to essential functionality, security, and approved website analytics.
Network security and infrastructure
Does FinalForms perform penetration testing, vulnerability management, and intrusion prevention?
Yes. FinalForms rigorously monitors and evaluates its service at every level of the stack, maintains up-to-date frameworks and languages, and routinely patches software vulnerabilities. Our full Vulnerabilities and Zero-Day Attack Policy is available for review above.
FinalForms hosts all services on Amazon Web Services (AWS), which provides industry-leading physical security, redundancy, and monitoring across its data centers.
- AWS performs nightly backups and stores backups offsite.
- FinalForms developers access systems via key-based SSH only.
- FinalForms has maintained documented security procedures since inception in 2012.
Data storage and access
Where is student data stored, and is it encrypted?
All FinalForms data is stored within the United States. Data is encrypted in transit and at rest.
- All requests and data transfers are executed through HTTPS, SFTP, or SSH.
- Data at rest is encrypted using AES-256 encryption.
- AWS hosting facilities meet the highest standards of physical security, redundancy, and monitoring.
- FinalForms uses multi-tenant architecture. Each school district’s application runs on a unique, secure, isolated database. Data is never commingled between districts, consistent with FERPA requirements.
Who has access to student data?
Access is strictly limited. Within FinalForms, only executives, senior developers, and senior support staff may access student data. Every FinalForms employee with data access completes a rigorous, industry-standard background check before being granted any access to the platform.
FinalForms does not subcontract with any third parties outside of our hosting provider, AWS.
How does FinalForms handle parent and guardian access to records?
Authorized parents and guardians may inspect, review, update, or correct form data at any time. Authorized administrators may access time-stamped change logs of parent/guardian updates for any purpose deemed necessary by the educational institution, in accordance with applicable law.
Unauthenticated inquiries from students, parents, or staff are immediately denied.
Multi-factor authentication (MFA)
How does FinalForms secure access to critical systems, backups, and administrative accounts?
Multi-factor authentication (MFA) is mandatory across all critical FinalForms access points.
- Remote network access: MFA is required for all remote network connections.
- Email access: MFA is required for all remote access to email systems.
- Admin and privileged accounts: All administrative and privileged user accounts require MFA.
- Backup access: MFA is enforced for accessing encrypted backups stored within AWS.
Data retention and deletion
How does FinalForms manage data retention and disposal?
FinalForms retains data per federal and state requirements for the school district, unless a data purge or deletion is requested by the district. Data deletions and purges are complete, permanent, and non-reversible.
- School districts may request a copy of their database at any time. The database will be encrypted and delivered via SFTP.
- Upon contract termination, all district data is returned and all copies are permanently deleted.
Development and change management
Does FinalForms follow documented procedures for change management and patching?
Yes. FinalForms follows strict, documented procedures for all deployments, including audits and logs for every change. The process was designed for zero downtime, and FinalForms has maintained that record since launch in 2012.
School districts are notified of any changes that affect the security, storage, use, or disposal of their data.
Availability and disaster recovery
What uptime does FinalForms guarantee, and what happens in a disaster scenario?
FinalForms guarantees 99.99% uptime and has maintained a 99.99%+ uptime record since 2012, with documentation available on request.
- Daily redundant, remote backups provide 24-hour protection against disaster scenarios, including DDoS attacks.
- The FinalForms Disaster Recovery Plan is active at all times and covers both anticipated and unforeseen scenarios.
- FinalForms web services scale seamlessly to handle indefinite load increases.
Audits and third-party standards
Has FinalForms been audited by outside organizations?
FinalForms has completed multiple compliance framework audits such as K12-CVAT, NIST 2.0, and PCI compliance. Full documentation is available upon request.
Test and development environments
Does FinalForms use live student data in test or development environments?
FinalForms provisions test databases using applicable student data for quality assurance during testing and interface development. These local databases reside on secured, access-controlled computers and are not accessible remotely.
Data breach response
What happens if there is a data breach?
In the event of an unauthorized release, disclosure, or acquisition of student data that compromises its security, confidentiality, or integrity, FinalForms will notify the affected Local Education Agency (LEA) within 72 hours of confirming the incident, unless law enforcement requests a delay to protect an active investigation.
Breach notifications will include, at minimum:
- The name and contact information of the reporting LEA
- The types of personal information involved
- The date of the breach or estimated date range, and the date of the notice
- Whether notification was delayed due to a law enforcement investigation
- A general description of the breach incident
FinalForms maintains a written incident response plan consistent with industry best practices and federal and state law. This plan is available in summary form to any LEA upon request. FinalForms agrees to adhere to all applicable federal and state breach notification requirements and to cooperate with the LEA to secure student data as quickly as possible.
Still Have Questions?
Contact the FinalForms security team
FinalForms is committed to transparency about how we protect student data. This page is reviewed regularly and updated to reflect changes in our practices, applicable law, and industry standards.