University Partner Privacy FAQ
This FAQ is intended for university administrators, legal counsel, and privacy/compliance officers. It addresses how uConnect handles student data in the context of your institution’s legal obligations and your partnership with uConnect.
Data Governance & Legal Framework
Under FERPA and applicable state privacy laws:
- Your university is the data controller: Your university owns and is ultimately responsible for student education records, including data entered into the uConnect platform. It controls what data is collected and how it is used.
- uConnect is the data processor/service provider: uConnect processes student data solely as directed by your university, under the terms of your Data Processing Agreement (DPA). uConnect does not use student data for its own business purposes.
Both parties share responsibility for implementing appropriate security and privacy safeguards.
The DPA governs uConnect’s obligations as your data processor. It addresses data access limitations, security requirements, breach notification timelines, subprocessor oversight, data deletion procedures, and compliance with applicable state and federal laws. Contact your university’s legal department to obtain a copy or to request a review of specific provisions.
Yes. uConnect operates as a ‘school official with legitimate educational interest’ under FERPA, which permits sharing education records with service providers without additional student consent. uConnect processes student data only for the purpose of providing career services on your behalf and is contractually prohibited from using that data for any other purpose. Your institution maintains ultimate responsibility for ensuring that its use of the platform is consistent with its FERPA obligations.
uConnect complies with student data privacy laws in all states where it operates, including the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), New Jersey’s Student Data Privacy Law, and other applicable state regulations. uConnect monitors legislative developments and updates its compliance program accordingly. For questions about a specific state, contact uConnect’s Privacy Officer at security@gouconnect.com.
Universities that provide uConnect access to students under 18 are responsible for obtaining any required parental or guardian consent prior to granting platform access, consistent with FERPA, COPPA (for students under 13), and applicable state laws. uConnect does not knowingly collect data from children under 13 without appropriate institutional consent mechanisms in place. If your institution serves a significant population of minors, contact uConnect at security@gouconnect.com to discuss appropriate platform configuration and data handling.
Data Access & Use
uConnect collects the following categories of data on behalf of your university:
- Personal identification information: name, university-issued email, academic program, major, class year, and other information your institution provides
- Affinity group memberships (voluntary, but may reveal sensitive identity information)
- Platform usage and career search data: login activity, resources accessed, searches, saved content
- Technical information: IP address, browser type, device information, cookies
- Employment outcomes data (voluntary, or provided by your institution on students’ behalf)
uConnect collects only the information necessary for platform services. Your university’s DPA specifies the data elements and services applicable to your institution.
uConnect may use de-identified and aggregated data for cross-university research, benchmarking, and platform improvement. This data has all personally identifiable information removed and cannot be used to identify individual students. uConnect does not use identifiable student data for its own research or marketing purposes.
No. uConnect configures Google Analytics with IP anonymization enabled and all advertising and data-sharing features disabled. As configured, uConnect has determined that its use of Google Analytics does not constitute a “sale” or “sharing” of personal information under CCPA/CPRA. If your institution requires documentation of this configuration for compliance purposes, contact your uConnect account representative.
uConnect does not sell or share student data with third parties for marketing or commercial purposes. uConnect engages the following subprocessors with access to student data:
- Pagely, Inc. — managed WordPress hosting (hosts platform infrastructure; runs on AWS infrastructure, listed separately)
- Google LLC (BigQuery) — data warehouse and analytics
- Google LLC (Google Analytics) — web analytics and performance monitoring, configured with advertising features disabled
- SendGrid — email communications
- MongoDB, Inc. (MongoDB Atlas) — cloud database platform storing student profiles, activity, affinity group memberships, and outcomes data on US-based servers
- Amazon Web Services, Inc. (AWS) — cloud infrastructure provider for data storage and transmission underlying the platform; US-based regions only
- Anthropic, PBC (Claude API) — AI language model provider used for the AI Search feature; query data only, no direct student identifiers transmitted; prohibited from using data for model training
- Langfuse (Finto Technologies, Inc.) — AI observability and monitoring platform used to measure and monitor AI Search quality and system reliability; receives student first and last name, internal uConnect user IDs, query data, and model inputs/outputs for performance monitoring purposes; email addresses are not transmitted; prohibited from using data for any purpose other than platform monitoring
uConnect maintains a current subprocessor list and will notify university partners at least 30 days before adding any new subprocessor with access to student data. You have the right to object to new subprocessors under the terms of your DPA. A full subprocessor list with data access levels is available upon request from your account representative.
Student data is stored and transmitted within the United States through two primary infrastructure providers:
- MongoDB Atlas stores application data (profiles, activity, affinity group memberships, outcomes) in US-based clusters.
- Amazon Web Services (AWS) provides the underlying cloud infrastructure for the platform in US-based regions.
Data is not transferred outside the United States as part of normal platform operations. Both providers are bound by Data Processing Agreements with uConnect that require US-based data residency. If your institution has specific data residency requirements — such as state laws requiring in-state storage — contact your uConnect account representative to discuss your configuration.
Student Rights & Institutional Response
uConnect recommends that institutions designate a primary contact for data requests (typically the registrar, FERPA officer, or career center director). When a student submits a request:
- Your institution should process the request in accordance with FERPA and applicable state law timelines
- If the request requires action on data within uConnect’s systems, contact uConnect at security@gouconnect.com with your institution’s authorization
- uConnect will coordinate with your institution to execute approved actions (access, correction, or deletion)
uConnect will not take action on direct student requests without coordinating with your institution, except where required by law.
Students have the following rights, exercisable through your institution:
- Right to Data Portability: Applicable in California, Colorado, Connecticut, Virginia, and other states with comprehensive privacy laws
- Right to Access: Receive a copy of their personal information within 45 days
- Right to Correction: Have inaccurate information corrected within 30 days
- Right to Deletion: Request deletion of personal information (results in loss of platform access)
- Right to Manage Affinity Group Membership: Join or leave groups at any time
Security & Breach Response
uConnect maintains the following certifications and assessments:
- TX-RAMP Certification: Texas Risk and Authorization Management Program, demonstrating compliance with rigorous state cloud security standards
- HECVAT Completion: The Higher Education Community Vendor Assessment Toolkit is available to university partners upon request
uConnect also implements encryption (in transit and at rest), role-based access controls, regular security audits, continuous monitoring, and mandatory employee training.
In the event of a confirmed breach involving student personal information, uConnect will notify affected university partners within 72 hours of discovering the breach, or as required by applicable law, whichever is sooner. Notification will include the nature of the breach, categories of data affected, approximate number of students impacted, and the steps uConnect is taking to contain and remediate the incident. Your institution may have independent breach notification obligations under state law and FERPA — uConnect’s notification to you starts the clock on those obligations. Contact security@gouconnect.com immediately for breach-related matters.
Note on active subscription data retention: uConnect does not automatically delete or archive student data upon a student’s graduation or departure while your institution’s subscription is active. Student data persists in the platform until your institution explicitly requests deletion, configures a SIS integration to remove users, or your contract with uConnect ends. If your institution has specific data retention requirements for post-graduation data — such as annual cohort purges — please contact your uConnect account representative to discuss implementation options.
Upon contract termination with a university, uConnect will securely archive all student data associated with your institution following your data retention policies and procedures. The specific timeline and process will be governed by your university’s DPA. Contact your uConnect account representative to initiate the offboarding process.
For contract and DPA questions, contact your uConnect account representative. For privacy compliance questions, contact the Privacy Officer at security@gouconnect.com. For security incidents, contact security@gouconnect.com. uConnect responds to all inquiries within 10 business days.
Both subprocessors maintain industry-leading security certifications relevant to higher education data:
- AWS holds SOC 1/2/3, ISO 27001, FedRAMP, and numerous other certifications. AWS’s infrastructure is also covered under its FERPA-compliant Data Processing Addendum.
- MongoDB Atlas holds SOC 2 Type 2, ISO 27001, and is covered under MongoDB’s Data Processing Agreement.
Certification documentation for both providers is available upon request and can be provided to your institution’s security or procurement team as part of a vendor review.
AI Search & Data Processing
When students use AI Search, query data is transmitted to Anthropic’s Claude API for processing. Anthropic operates as a subprocessor under a Data Processing Agreement with uConnect that prohibits use of student data for model training or any purpose beyond fulfilling the search request. uConnect does not transmit student names, email addresses, or other direct identifiers to the AI processing layer unless directly included in the student’s query.
Under FERPA, uConnect’s engagement of Anthropic as a subprocessor is permissible under the “school official with legitimate educational interest” exception, as Anthropic processes data solely on behalf of uConnect in support of your institution’s career services. Your institution’s existing DPA with uConnect covers this arrangement. If you require a specific addendum addressing AI Search data flows, contact your uConnect account representative.
No. uConnect’s agreement with Anthropic prohibits the use of student data for model training or any commercial purpose beyond processing the immediate query. This commitment is reflected in uConnect’s subprocessor agreement with Anthropic and is consistent with Anthropic’s enterprise data handling terms.