Contents #
- 1. Our Role: School Official with Legitimate Educational Interest
- 2. What Data We Process
- 3. Permitted Uses
- 4. Disclosure Restrictions
- 5. Security Safeguards
- 6. Data Retention and Deletion
- 7. Parent and Eligible Student Rights
- 8. State Student Privacy Laws
- 9. Data Breach Notification
- 10. Subprocessors
- 11. Contact
ByteMechanix LLC builds compliance and operational software for K-12 schools and the partners that serve them. Several of our products — most notably ComplyIQ — process information about students, staff, and families on behalf of school districts and educational service organizations. This Notice explains how ByteMechanix supports educational institutions in meeting their obligations under the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 CFR Part 99) and applicable state student privacy laws.
This Notice is informational. The legally binding terms governing student data processing are in our Data Processing Addendum (BMX-LEG-001), which is incorporated into customer agreements with K-12 institutions.
1. Our Role: School Official with Legitimate Educational Interest #
When ByteMechanix processes student records on behalf of a school district or institution, we operate as a "school official" with a "legitimate educational interest" under the FERPA exception at 34 CFR § 99.31(a)(1)(i)(B). This means:
- The institution remains the data controller and FERPA-covered entity
- ByteMechanix performs functions for which the institution would otherwise use its own employees
- ByteMechanix is under the direct control of the institution with respect to the use and maintenance of education records
- ByteMechanix is subject to FERPA's restrictions on the use and redisclosure of personally identifiable information from education records
2. What Data We Process #
The categories of student information we may process on behalf of a customer include:
- Directory information (name, grade level, enrollment status)
- Identifiers (student ID, state-assigned IDs)
- Demographic data necessary for compliance reporting
- Special education program data, IEPs, and CAP records (within the SPED module)
- Disciplinary, attendance, and incident records relevant to compliance frameworks
- Assessment and accommodation records relevant to the customer's compliance program
We process only the data necessary for the institution's authorized use of the Service. Customers control what data is provided to ByteMechanix and may limit data ingestion through configuration.
3. Permitted Uses #
Student records processed through our Services are used solely to:
- Provide the Service requested by the institution
- Maintain, secure, and improve the Service
- Generate reports, exports, and analytics requested by the institution
- Respond to authorized institutional support requests
We do not use student records to build a profile of any student for any purpose other than supporting authorized educational purposes. We do not use student records for advertising or marketing of any kind. We do not sell student records under any circumstances.
4. Disclosure Restrictions #
ByteMechanix does not disclose student records except:
- Back to the institution that provided the data
- To subprocessors under contract with confidentiality and data protection obligations no less protective than our own
- As directed in writing by the institution
- As required by law, subpoena, or valid legal process — in which case we will, where legally permitted, notify the institution before disclosure so the institution may seek a protective order
A current list of subprocessors that may have access to student data is published at bytemechanix.co/subprocessors.
5. Security Safeguards #
We protect student records through administrative, technical, and physical safeguards including:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Role-based access controls and the principle of least privilege
- Multi-factor authentication for administrative access
- Network segmentation, firewall controls, and intrusion detection
- Logging, monitoring, and alerting on access to production systems
- Background-checked personnel and security awareness training
- Annual risk assessment and ongoing SOC 2 readiness program
A more complete description is available in the ByteMechanix Security Overview.
6. Data Retention and Deletion #
ByteMechanix retains student records only for the duration of the customer agreement and for the limited periods after termination needed for export, transition, and backup expiration as set forth in the DPA. Upon written request from the institution, we will return or delete student records in accordance with the DPA.
Customers retain the ability to export their data through the Service at any time during the subscription term.
7. Parent and Eligible Student Rights #
FERPA grants parents and eligible students (students 18 or older, or attending a postsecondary institution) the right to inspect and review education records, request corrections, and consent to disclosures of personally identifiable information.
These rights are exercised with the educational institution, not directly with ByteMechanix. If you are a parent or student and have questions about education records, contact your school district directly. If your district has authorized us to assist, we will support the institution's response.
8. State Student Privacy Laws #
In addition to FERPA, ByteMechanix supports customer compliance with applicable state student privacy laws, including:
- Texas Education Code Chapter 32 and the Student Privacy provisions applicable to Texas school districts
- Student Online Personal Information Protection Acts (SOPIPA-style laws) in states where customers operate
- State data breach notification laws
Specific state law obligations are addressed in the DPA and any state-specific addenda.
9. Data Breach Notification #
In the event of a confirmed unauthorized disclosure of student records, ByteMechanix will notify the affected institution without undue delay and in accordance with timelines set in the DPA, and will cooperate with the institution's incident response and any required notifications to parents, eligible students, or regulators.
10. Subprocessors #
Subprocessors that may process student data on our behalf are listed at bytemechanix.co/subprocessors. We require all subprocessors to commit, in writing, to data protection obligations no less protective than those we provide to the institution.
11. Contact #
Privacy and FERPA inquiries: privacy@bytemechanix.co Security incidents: security@bytemechanix.co Legal notices: legal@bytemechanix.co Mailing address: ByteMechanix LLC, [Registered Texas Address]
For binding contractual terms governing student data processing, refer to the ByteMechanix Data Processing Addendum (BMX-LEG-001), available from your ByteMechanix representative or at bytemechanix.co/legal/dpa.