FERPA-Aligned AI Platforms for K-12 Schools: A 2026 Vendor Guide
What FERPA-alignment actually means for AI tools in K-12, what to ask vendors during procurement, and how the major K-12 AI literacy platforms compare in 2026.
Published as a public reference for K-12 procurement officers, instructional technology directors, and district counsel evaluating AI platforms in 2026. CC BY 4.0; please attribute when quoting. We are the team behind Xyplor — one of the platforms covered. We have done our best to represent every vendor accurately.
If you're evaluating AI literacy platforms for a K-12 district in 2026, "is it FERPA-compliant?" is one of the first questions you'll be asked. The honest answer is more nuanced than the question. FERPA compliance is contractual, not a vendor checkbox. This guide explains what to look for, what to ask vendors, and how the major K-12 AI literacy options compare today.
What FERPA actually requires
The Family Educational Rights and Privacy Act (FERPA) governs how educational agencies handle student "education records." For K-12, the relevant requirements when working with a vendor are:
- Limit disclosure of personally identifiable information (PII) to specific purposes the district has authorized.
- Use the "school official" exception — the vendor must perform a service the district would otherwise perform, under the district's direct control.
- Maintain control over student data — the vendor cannot use it for unrelated purposes.
- Document the relationship contractually, typically through a Data Privacy Agreement (DPA).
FERPA itself doesn't certify vendors. There's no "FERPA-compliant" badge a vendor can display. What exists is:
- The vendor's policies and technical practices (what they actually do with student data).
- The vendor's DPA (their contractual commitment).
- The district's review to confirm the DPA meets state and federal requirements.
When a vendor says "we're FERPA-compliant," what they should mean is: "Our policies and DPA are designed to support your district's FERPA obligations. Your counsel must confirm this for your specific deployment."
What to ask AI platform vendors
Beyond FERPA basics, AI introduces specific data-privacy questions districts didn't have to ask 5 years ago. Use this list during vendor evaluation:
Data handling
- Does the vendor sell or share student data with third parties?
- Does the vendor display third-party advertising?
- What student data is collected? (Name, age, email, conversations, creations, IP address, device info?)
- How is data encrypted at rest and in transit?
- Where is data physically stored? (US-based? Specific cloud providers and regions?)
- What is the data retention policy? Can the district request deletion?
- Can students or parents export their data?
AI-specific questions
- Is student-generated content used to train the vendor's AI models, or any third-party AI models? This is the most important question for AI platforms.
- Does the vendor use a third-party AI API (OpenAI, Anthropic, Google, etc.)? If so, what data passes to that API and under what terms?
- Are AI conversations logged? Who can access the logs?
- Is content output filtered for safety? What is the moderation approach?
- Are AI conversations visible to parents and educators?
Contractual
- Does the vendor sign a Data Privacy Agreement (DPA)?
- Does the vendor support the SDPC NDPA (Student Data Privacy Consortium National DPA)?
- Will the vendor sign state-specific addenda (e.g., California SOPIPA disclosures, New York Education Law 2-d)?
- What happens to student data if the vendor is acquired or shuts down?
- What is the breach notification process?
A vendor that answers these questions clearly and contractually is FERPA-aligned. A vendor that hedges or refuses to commit in writing is a procurement risk.
How the major K-12 AI platforms compare
Below is a snapshot of how the most-evaluated K-12 platforms with AI features compare on the privacy questions districts ask most often. This is the team behind Xyplor writing about competitors; we have tried to be accurate. Each vendor's actual DPA is the authoritative source.
Code.org
- Free, decade-long K-12 footprint. AI content within a coding curriculum frame.
- Privacy: does not sell student data, no advertising, established DPA process.
- Data is well-handled within the platform's traditional CS scope. AI literacy units are growing.
- Best for: districts with existing CS programs adding AI units.
Tynker
- Paid platform with structured K-8 coding curriculum. AI-assisted coding features added in 2024-2025.
- Privacy: COPPA/FERPA-aligned posture, DPA available.
- AI features are coding-assistive (code completion, hints), not directed-AI literacy.
- Best for: districts wanting structured coding curriculum with AI-assist features.
Scratch (MIT)
- Free, web-based, hugely popular at elementary level. Operated by Scratch Foundation / MIT Media Lab.
- Privacy: strong reputation, no advertising, COPPA-aligned.
- Not an AI platform per se; AI extensions exist (Scratch + ChatGPT integrations) but are third-party.
- Best for: foundational creative computing at elementary; pair with a separate AI literacy platform.
CoCo / OpenAI ChatGPT Edu
- General-purpose LLM access targeted at education. Used in higher ed and increasingly in high schools.
- Privacy: enterprise-grade DPA available; data not used to train models on Edu plans.
- Not purpose-built for K-12 AI literacy pedagogy. No age-adaptive guardrails for elementary; high school usable with strong policies.
- Best for: high school AI exploration with mature policy frameworks.
MagicSchool / Khanmigo (Khan Academy)
- AI tutors and teacher tools. Khanmigo from Khan Academy; MagicSchool focused on teacher productivity.
- Privacy: COPPA/FERPA postures vary; check specific DPAs.
- Pedagogy is tutoring-focused (AI helps students with their existing schoolwork). Not directed-AI literacy as a goal.
- Best for: differentiated instruction, teacher productivity, tutoring-style support.
Xyplor
- Purpose-built for K-12 AI literacy. Students direct AI in plain English to build real applications, learning to describe, evaluate, and iterate.
- Privacy: COPPA-aligned, FERPA-aligned in design, DPA + SDPC NDPA support, US data residency, no third-party advertising, student content not used to train AI models.
- Newer platform (early deployment 2026, no ESSA tiered evidence yet).
- Best for: districts where AI literacy is a primary goal, not a sub-topic of CS.
A note on "AI training on student data"
The most-asked AI-specific question in 2026 procurements is: will student conversations or creations be used to train AI models?
For most platforms covered above, the answer is no — but the mechanism matters. Many K-12 AI platforms use a third-party AI API (OpenAI, Anthropic, Google) under the hood. The vendor's promise not to train on student data must also cover that third-party API: the API provider must not train on the data passed through it either.
The relevant clauses to look for in vendor DPAs:
- The vendor itself does not train models on student content.
- The vendor's AI infrastructure provider (the model API) is configured to not train on data sent through their API. (Anthropic, OpenAI, and Google all offer this configuration on enterprise/zero-data-retention plans.)
- This is documented in writing, not just promised verbally.
For Xyplor specifically: we use Anthropic's Claude API under terms that do not allow Anthropic to train on student content sent through our platform, and we do not retain data for AI training purposes ourselves. We are happy to walk districts through the technical chain in writing.
What about state-specific laws?
FERPA is the federal floor. Many states have stricter requirements:
- California: SOPIPA (Student Online Personal Information Protection Act) disclosures.
- New York: Education Law 2-d, which requires specific data privacy contracts.
- Illinois: SOPPA (Student Online Personal Protection Act).
- Connecticut: similar specific requirements.
Vendors operating nationally typically support the SDPC NDPA (a standardized national addendum) and individual state addenda. Your state's chief privacy officer or general counsel should confirm what's required.
A procurement checklist
For districts evaluating any AI platform, this is the minimum due diligence:
- Request the vendor's DPA in writing.
- Request the vendor's AI training disclosure in writing — does the vendor train on student data, and does the underlying AI API train on data passed through it?
- Identify state-specific addenda required by your state CPO.
- Confirm data residency (US-based, named cloud providers and regions).
- Review the breach notification clause (timing, notification path).
- Confirm data export and deletion workflows.
- Confirm parent visibility of AI conversations (especially for elementary).
- Document who has the school-official exception for FERPA purposes.
Any vendor that can't satisfy all eight should be treated as a procurement red flag.
How Xyplor handles each item
For transparency, here's how Xyplor answers the eight checklist items:
- DPA: provided on request; SDPC NDPA-compatible.
- AI training disclosure: student content is not used by Xyplor or by our AI API provider (Anthropic Claude) for training; documented in writing.
- State addenda: California SOPIPA disclosures, New York Ed Law 2-d, Illinois SOPPA, Connecticut, others on request.
- Data residency: US-based infrastructure (Vercel + AWS, US regions).
- Breach notification: 72-hour notification standard; documented in DPA.
- Data export and deletion: supported on demand; parent-initiated and district-initiated paths.
- Parent visibility: every AI conversation is parent-visible by default; educator dashboards available for districts.
- School-official exception: documented in DPA.
How to use this guide
If you are a district instructional technology director, share this with your CPO or general counsel during AI vendor evaluation.
If you are a state education agency, this is the procurement framework we encourage SEAs to adopt for AI vendor approvals. Xyplor's policy view is at xyplor.com/policy.
If you are a vendor and we have mischaracterized your platform, please email partnerships@xyplor.com and we will correct it.
Sources
This post draws from the FERPA statutory text (20 U.S.C. § 1232g), the SDPC NDPA template, individual state laws cited above, and each vendor's publicly available privacy documentation as of April 2026. Vendor postures change; verify before procurement.