Our Data Model
ThinkKits is a school intelligence platform that aggregates publicly available federal data from sources like NCES, USASpending.gov, USAC E-Rate, and state education agencies. We do not collect, store, process, or have access to:
- Student names, grades, or academic records
- Individually identifiable student information
- Parent or guardian personal data
- Student disciplinary records
- Student health records
All data on ThinkKits is school-level and district-level aggregate data that is already publicly available through federal open data programs.
FERPA Applicability
Key Point
Because ThinkKits does not access education records as defined under FERPA (34 CFR § 99.3), ThinkKits is not subject to FERPA’s requirements as a school official or third-party service provider. No FERPA-regulated data enters our system.
However, we recognize that district procurement teams must verify this claim. Below we document our practices as if FERPA applied — because transparency builds trust.
What We Process vs. What We Don’t
| Data Category | We Process | We Don’t Process |
|---|---|---|
| School demographics (name, address, type, locale) | ✓ Publicly available via NCES CCD | — |
| Enrollment counts (total, by grade, by race/ethnicity) | ✓ Aggregate counts from NCES | ✗ Individual student enrollment |
| Free/Reduced Lunch percentages | ✓ School-level % from NCES | ✗ Individual student eligibility |
| Federal funding allocations | ✓ Title I, IDEA, E-Rate from public sources | ✗ Individual student funding |
| Assessment proficiency rates | ✓ School-level % proficient from state DOEs | ✗ Individual student scores |
| Board meeting minutes | ✓ Publicly posted agendas/minutes | ✗ Executive session content |
| User account data | ✓ Email, name, org (from Clerk auth) | ✗ Student/parent accounts |
School Official Exception
Even though ThinkKits does not require the school official exception (34 CFR § 99.31(a)(1)), we want to explain it for full transparency.
This FERPA exception allows schools to share education records with contractors who perform institutional services. Since we don’t receive education records, we don’t rely on this exception.
If a district’s DPA template references the school official exception, we will sign it with the understanding that no covered data flows to us.
Data Handling Practices
Even without FERPA-regulated data, we follow best practices:
- Encryption — AES-256 at rest, TLS 1.3 in transit
- Access Control — Role-based access via Clerk with MFA support
- Audit Logging — All data access logged with 3+ year retention
- Data Minimization — We only store data necessary for platform functionality
- Retention — User account data is retained while the account is active and deleted within 30 days of account closure
- Vendor Assessment — All sub-processors assessed for security practices
Parent Rights Under FERPA
72-Hour Breach Notification
In the unlikely event of a data breach affecting user account information (email, name, organization), ThinkKits commits to:
- Notifying affected users within 72 hours of a confirmed breach
- Notifying the relevant district administrator if organizational accounts are affected
- Filing required state breach notifications per applicable state law
- Providing a detailed incident report within 30 days
Data Processing Agreement
We maintain a standard Data Processing Agreement (DPA) template aligned with the Student Data Privacy Consortium (SDPC) National DPA. Districts can:
- Download our pre-signed DPA from the Trust Center
- Submit their own DPA for review (typical turnaround: 5 business days)
- Contact legal@thinkkits.com for custom DPA requests
Contact
For FERPA-related questions: privacy@thinkkits.com | (267) 936-0332