FERPA Compliance

Last Updated: December 12, 2025

1. Our Commitment to FERPA

Quarlo Software LLC ("Quarlo") is committed to protecting student privacy and complying with the Family Educational Rights and Privacy Act (FERPA). We work with higher education institutions to ensure that student data is handled appropriately and in accordance with federal regulations.

This page provides information for institutional partners about our FERPA compliance practices and how to establish a Data Processing Agreement (DPA) with Quarlo.

2. School Official Designation

Under FERPA, Quarlo operates as a "school official" with a "legitimate educational interest" when contracted by an educational institution. This designation allows us to access student education records necessary to provide our services without requiring individual student consent.

Legitimate Educational Interest: Quarlo provides AI-powered interview preparation services that support student career readiness and employment outcomes—a core educational mission of higher education institutions.

3. Student Data We Process

Quarlo processes minimal student data necessary to provide our services:

Data Type | Purpose | Retention
Institutional Email | Account authentication, institution verification | Until account deletion
Resume Content | AI-powered interview prep generation | User-controlled deletion
Job/Company Information | Tailored interview preparation | User-controlled deletion
Community Contributions | Interview questions and experiences shared voluntarily | Anonymized upon deletion

4. Data Retention & User Deletion Rights

Students have full control over their data:

  • Delete individual preps: Users may delete any interview preparation at any time from their dashboard
  • Delete account: Users may delete their entire account, removing all personal information

Data Deletion Policy: When a user deletes their account, all interview preps are permanently deleted. Contribution records are scrubbed to minimal data (company name, job title, and interview date only), preserving interview questions for the community research pipeline while removing all personal information. Scrubbed data cannot be traced back to any individual.

Community contributions (interview questions, experiences shared publicly) are anonymous by design and are retained to benefit future students.

5. Sub-processors

Quarlo uses the following sub-processors to deliver our services. All sub-processors are based in the United States and maintain appropriate security measures:

Category | Purpose | Data Processed
AI Language Model Provider | AI interview prep generation | Resume text, job descriptions (not stored by provider)
Backup AI Provider | Fallback AI processing | Resume text, job descriptions (zero retention)
Embedding Service | Text embeddings for search | Content text (converted to vectors)
Database Provider | Database and authentication | All user data (encrypted at rest)
Hosting Provider | Application hosting | Request logs (anonymized)
Company Research Service | Employer intelligence gathering | Company names, job titles
Email Delivery Service | Transactional email | Email addresses
Error Monitoring Service | Application health | Technical metadata (may include email in error context)

We will notify institutional partners of any changes to our sub-processor list with at least 30 days' notice.

Our Data Processing Agreement, available to partner institutions upon request, includes a complete list of named sub-processors with their legal names, processing roles, and data handling commitments.

6. Security Measures

Quarlo implements industry-standard security measures to protect student data:

  • Encryption in transit: All data transmitted using TLS 1.3
  • Encryption at rest: Database encryption using AES-256
  • Access controls: Role-based access with row-level security policies
  • Authentication: Secure authentication via institutional email verification
  • Audit logging: Access logs maintained for compliance purposes
  • Regular security reviews: Ongoing assessment of security practices

7. Data Breach Notification

Initial Notification (72 hours): For institutions with a signed Data Processing Agreement, Quarlo will provide an initial breach notification within 72 hours of discovering a Security Breach affecting Student Data, including a preliminary description of the nature of the breach and immediate containment steps taken.

Formal FERPA Notification (45 days): Quarlo will cooperate with the Institution's obligations under FERPA to provide formal institutional notification within 45 days of the breach, supplying all information necessary to fulfill FERPA notification requirements.

Our breach notification will include:

  • Description of the nature of the breach
  • Types of data potentially affected
  • Approximate number of students impacted
  • Steps taken to contain and remediate the breach
  • Recommended actions for the institution
  • Contact information for questions

8. Prohibited Uses of Student Data

Quarlo will never use student data for:

  • Targeted advertising or marketing to students
  • Sale to third parties
  • Building profiles for non-educational purposes
  • Any purpose unrelated to the educational services contracted

9. Request a Data Processing Agreement

Educational institutions interested in partnering with Quarlo can request a formal Data Processing Agreement that includes:

  • FERPA compliance commitments
  • Data security requirements
  • Breach notification procedures
  • Data retention and deletion terms
  • Audit rights
  • Indemnification provisions

Contact us to discuss your institution's requirements

legal@quarlo.co

Subject Line: FERPA DPA Request - [Institution Name]
