FERPA Compliance

1. TRIS and FERPA: Our Position

TRIS (Tygtal Recruiting Intelligence Services) is an independent recruiting intelligence provider. We are not a school official, institutional agent, or contractor acting under the direct control of any educational institution. We do not meet the definition of a “school official” under 34 CFR § 99.31(a)(1), and we do not access education records maintained by schools or colleges.

Because TRIS operates outside the institutional framework, we are not subject to FERPA in the same manner as schools, colleges, or their direct contractors. However, we have elected to align our practices with FERPA principles as a matter of best practice and institutional trust.

2. Data We Collect: Publicly Observable Information Only

All prospect data collected by TRIS is derived from publicly observable sources. Our credentialed field agents attend publicly accessible events to conduct in-person evaluations. No data is sourced from private institutional records.

3. Academic Information in TRIS Evaluations

TRIS evaluations include an “Academic Profile” section. It is important to understand the source and limitations of this data:

• Self-Reported GPA Ranges

  If a prospect voluntarily provides a GPA range during a public event or interaction, it may be noted as “Self-Reported.” This is clearly labeled and is never verified against institutional records. TRIS does not contact schools or registrars to verify academic standing.

• Eligibility Status

  TRIS may note whether an athlete appears to be participating in varsity competition (indicating eligibility), but this is based on public roster observation, not institutional records. We do not access NCAA Eligibility Center data or institutional clearinghouse records.

• Academic Work Ethic

  Evaluators may note observable indicators of academic discipline (such as punctuality, communication skills, and coachability in structured settings). These are behavioral observations, not academic records.

4. Sensitive Data: Family & Character Context

TRIS evaluations may include character assessments, family background observations, and home-life context indicators. While this data is not classified as “education records” under FERPA, we treat it with heightened sensitivity:

• Family and home-life context data is restricted to authorized coaching staff only -- it is never visible to general platform users or non-coaching personnel
• Character trait scores (coachability, leadership, discipline, emotional maturity, etc.) are evaluator-generated assessments, not institutional records
• Social media and NIL data included in evaluations is sourced from public profiles only
• Risk factor assessments (injury history, behavioral flags) are based on public observation and self-disclosure at public events, not medical or disciplinary records
• All sensitive fields can be suppressed at the program level if a compliance office requests it

5. Institutional Access Controls

When a college program subscribes to TRIS, access is governed by strict institutional controls designed to mirror FERPA-compliant access patterns:

• Access is restricted to credentialed coaching staff with verified institutional email addresses
• Each staff member receives an individual seat with role-based permissions
• Recruiting directors see the full prospect board; position coaches see position-filtered views
• Program administrators can add, remove, or modify staff access at any time
• Session management enforces automatic logout after periods of inactivity
• All access events are logged for audit purposes
• Programs can request a full access audit report at any time

6. Data Security & Storage

All TRIS data is processed and stored within the United States using SOC 2 compliant infrastructure. Our security measures include:

• TLS 1.3 encryption for all data in transit between clients and servers
• AES-256 encryption for all data at rest, including database records and backups
• Role-based access controls at the infrastructure level -- no single employee has unrestricted access
• Regular penetration testing and security audits by independent third parties
• Encrypted database backups retained for 30 days with automated destruction thereafter
• Dedicated security incident response procedures with 24-hour notification commitments

7. Field Agent Training & Compliance

All TRIS field agents (evaluators) undergo mandatory training that includes data handling and privacy obligations:

• Agents are trained to only collect publicly observable data -- never request transcripts, grades, or protected records from athletes, coaches, or school staff
• Agents may not photograph or record athletes in settings where a reasonable expectation of privacy exists
• Agents are prohibited from accessing school computer systems, student information systems, or institutional databases
• All evaluation data is submitted through the TRIS platform -- agents do not retain local copies of prospect data
• Agents sign confidentiality and data handling agreements as a condition of engagement
• Compliance violations result in immediate removal from the evaluator network

8. Minors & Parental Rights

Many prospects evaluated by TRIS are high school students under the age of 18. While FERPA rights belong to parents until the student turns 18 or enrolls in a postsecondary institution, TRIS's position is distinct:

• We do not access education records of minors from any school or institution
• Our evaluations are based on publicly observable athletic performance at events where parents, scouts, media, and the general public are present
• If a parent or guardian requests that their child's profile be removed from the TRIS database, we will comply within 30 days upon verified request
• We do not collect personal contact information (phone numbers, home addresses, email addresses) of minor athletes
• We comply with COPPA (Children's Online Privacy Protection Act) as applicable -- no minors under 13 are evaluated

9. Data Retention & Deletion

Prospect evaluation data is retained in the TRIS database for the duration of the athlete's eligibility window (typically 5 years from high school graduation) plus one additional year. This retention period serves multiple subscribing programs that may evaluate the same prospects at different times.

Subscribing programs may request deletion of their own program-specific data (watchlists, notes, custom tags) at any time. Upon subscription cancellation, program-specific data is deleted within 90 days. Core evaluation data generated by TRIS evaluators remains available to other subscribers.

Athletes, parents, or guardians may request review or deletion of an athlete's profile by contacting privacy@trissystems.com. Verified requests are processed within 30 business days.