FERPA & Compliance
CoStudy is built for institutional procurement. Here's everything your IT, legal, and compliance teams need to know.
CoStudy is fully FERPA-compliant. We act as a school official with a legitimate educational interest under 34 CFR 99.31(a)(1). We collect only the minimum student data necessary to deliver peer evaluation services, and we never use student education records for any purpose beyond what the institution authorizes. We sign institutional Data Processing Agreements (DPAs) and Business Associate Agreements (BAAs) on request.
CoStudy integrates with Canvas via LTI 1.3, the current standard for secure tool interoperability in learning management systems. LTI 1.3 uses OAuth 2.0 and JWT-based authentication, which means student credentials never pass through CoStudy. Roster and grade data are exchanged through secure, scoped API calls that your IT team controls. We support LTI Advantage services including Names and Role Provisioning and Assignment and Grade Services.
All data is stored in the United States on SOC 2-compliant infrastructure. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We maintain strict access controls, conduct regular security reviews, and follow the principle of least privilege across our infrastructure. We do not store student data longer than necessary to deliver our service.
CoStudy is free for individual professors and their students. We will never charge students to use a tool their professor assigned. We will never sell, rent, or monetize student data. Our revenue comes from institutional department-level subscriptions, not from exploiting the students we serve. This is a foundational commitment, not a marketing line.
Institutions can request deletion of all associated student data at any time. We honor deletion requests within 30 days and provide written confirmation when the process is complete. Individual students can also request deletion of their personal data by contacting us directly. When a course ends, professors can choose to export and then delete all evaluation data.
CoStudy is built to meet WCAG 2.1 AA standards. Our interface is keyboard-navigable, screen-reader compatible, and designed with sufficient color contrast throughout. We continuously test with assistive technologies and welcome feedback from users who encounter accessibility barriers. If you find an issue, we want to know about it.
Questions from IT or procurement?
We're happy to complete your institution's security questionnaire, sign a DPA, or walk your team through our architecture. We work with IT and procurement teams regularly and can typically turn around documentation within a few business days.