A cert expiry on a school district's parent portal isn't a downtime event — it's a FERPA + state-level student-privacy-law trigger.
Title IV federal funding is conditional on FERPA compliance under HEOA §493. CA SOPIPA, NY Education Law §2-d, and IL SOPPA make encryption-in-transit explicit.
Education agencies building K-12 ed-tech and higher-ed platforms for school districts, state education agencies, and universities deal with parent portal cert expiry triggering FERPA (20 U.S.C. §1232g; 34 CFR Part 99) and state-level student privacy law exposure when grade inquiries, attendance data, IEP documents, and 504 plans transmit over unencrypted connections (CA SOPIPA, NY Education Law §2-d, IL SOPPA explicitly require encryption-in-transit), COPPA (16 CFR Part 312) violations on K-12 learning platforms where students under 13 submit PII over expired certs (FTC enforcement: $1.5M TikTok 2019, $170M YouTube 2019), and CIPA + ESSA reporting endpoint cert dependencies that gate Title IV federal funding and e-Rate funding eligibility. Merlonix monitors every school-district-attached subdomain so the FERPA + COPPA + funding-eligibility exposure surfaces 30 days before the failure window opens.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- Independent DNS resolvers: 3
- Vendors watched: 11
Where education agencies get caught out
Three failure modes where SSL expiry creates FERPA + state-level student-privacy-law exposure, COPPA violations on under-13 PII transmission, and CIPA + ESSA reporting endpoint failures that gate federal funding.
Education agencies building K-12 ed-tech and higher-ed platforms for school districts, state education agencies, and universities deal with parent portal cert expiry triggering FERPA (20 U.S.C. §1232g; 34 CFR Part 99) and state-level student-privacy law exposure when grade inquiries, attendance data, IEP documents, and 504 plans transmit over unencrypted connections (CA SOPIPA, NY Education Law §2-d, IL SOPPA explicitly require encryption-in-transit), COPPA (16 CFR Part 312) violations on K-12 learning platforms collecting under-13 PII over expired certs (FTC enforcement: $1.5M TikTok 2019, $170M YouTube 2019, $245M Epic Games 2022), and CIPA + ESSA reporting endpoint cert dependencies that gate Title IV federal funding and e-Rate funding eligibility.
FERPA (20 U.S.C. §1232g) protects student education records. 34 CFR Part 99 implements FERPA. The Department of Education's Family Policy Compliance Office (FPCO) interprets FERPA as requiring "reasonable methods" to protect education records in transit. State-level student-privacy laws are more explicit: CA SOPIPA (Cal. Bus. & Prof. Code §22584, effective 2016) prohibits operators of K-12 services from "using or sharing" student information in non-permitted ways; NY Education Law §2-d (effective 2020) requires "industry best practices" for encryption of student data; IL SOPPA (105 ILCS 85, effective 2021) explicitly requires encryption-in-transit for student PII. Title IV federal funding to higher-ed institutions is conditional on FERPA compliance under HEOA §493 (Higher Education Opportunity Act). State-level enforcement is active: CA Attorney General has opened SOPIPA investigations; NY Education Department has issued §2-d compliance notices to ed-tech vendors.
An education agency operates the parent portal (portal.schooldistrictname.edu) for a 22-school K-12 district with 14,000 students. The cert on portal.schooldistrictname.edu expires due to a Let's Encrypt renewal failure caused by an IT-department CAA tightening project (the district's IT director tightened CAA records as part of a state-mandated cybersecurity audit). The cert expires on a Sunday evening; the district's IT on-call doesn't see the alert (the alert routes to an email distribution list that's only checked during business hours). By Monday morning at 7 AM, parents begin checking grades, attendance, and IEP documents through the portal. Mobile Safari hard-blocks; Chrome shows the warning; most parents click through. During the 11-hour cert-expired window, 3,200 parent sessions submit grade-inquiry forms, attendance excuse forms, IEP-meeting acknowledgment forms, and 504-plan signatures.
An education agency operates the parent portal for Pacific Coast Unified School District, a 22-school K-12 district in California with 14,000 students and 11,500 active parent portal accounts. The portal handles grade inquiries, attendance excuse submissions, IEP-meeting acknowledgments and document signatures, 504-plan signatures, free/reduced lunch applications (NSLP-eligible household financial information), and parent-teacher conference scheduling. The portal hosts FERPA-protected education records (grades, attendance, special education status under IDEA, 504 status, immunization records, household income for NSLP). The cert on portal.pcusd.edu is provisioned via Let's Encrypt with a 90-day cycle. The district's IT director runs a cybersecurity audit project in early 2026 in response to a state-mandated cybersecurity assessment (CA Ed. Code §49073.6 requires K-12 LEAs to maintain documented cybersecurity practices). The audit recommends CAA tightening; the IT director tightens the CAA at pcusd.edu to pin to commercial CAs only (DigiCert, Entrust). Let's Encrypt is removed from the permitted CA list. The next 90-day cert renewal for portal.pcusd.edu hits the tightened CAA record and is rejected. The agency's renewal automation logs the failure but doesn't alert (the alert routes to an email distribution list that's only checked during business hours; the failure logs Saturday morning). The previous cert expires Sunday evening at 11:47 PM. The district IT department is closed. By Monday morning at 7 AM, parents begin checking the portal as part of the morning routine — review grades, submit absence excuse for a sick child, sign an IEP-meeting acknowledgment. Mobile Safari (the dominant browser for parent traffic) hard-blocks the connection on portal.pcusd.edu because the cert is expired and the portal doesn't have HSTS preload (most school district portals don't). Parents using Chrome see the warning page and most click through. 
During the 11-hour cert-expired window (Monday 7 AM through Monday 6 PM when the agency engineer is finally paged), 3,200 parent sessions submit forms — including 220 IEP-meeting acknowledgments (containing the child's special education status, current goals, and meeting attendees) and 180 504-plan signatures (containing the child's disability and accommodation plan). Discovery happens Monday afternoon when a parent who's a privacy lawyer notices the cert warning, takes a screenshot, and emails the district superintendent. The superintendent escalates to the district's general counsel. Outside FERPA counsel is engaged. Outside counsel performs the analysis: under 34 CFR §99.30, prior written consent is required for disclosure of FERPA-protected information except in specific circumstances; transmission over an unencrypted connection where the data could be intercepted is not on the permitted-disclosure list. The district may have a FERPA-disclosure event. Additional analysis under CA SOPIPA (Cal. Bus. & Prof. Code §22584): SOPIPA prohibits operators of K-12 services from using student information for "noneducational purposes" — including unauthorized disclosure due to inadequate security. The CA Attorney General has opened SOPIPA investigations against ed-tech vendors; the AG has standing to investigate the agency. Additional analysis under NY Education Law §2-d: if any of the 14,000 students are NY residents (likely given families moving cross-country and online-enrolled students), §2-d applies; §2-d requires encryption-in-transit as "industry best practice." The district's engagement contract with the agency includes a cybersecurity SLA and indemnity; the indemnity is triggered. The agency's E&O policy is triggered. The CA Department of Education may impose corrective-action requirements. Title IV implications for the district's high schools (which have college-bound students with federal financial aid considerations) are reviewed. 
The agency's reputation with the district and the district's county-level peer network of LEAs is significant exposure.
COPPA (15 U.S.C. §6501-6506) governs collection of PII from children under 13. 16 CFR Part 312 implements COPPA. K-12 ed-tech platforms operating in the school context may collect under-13 PII under the "school authorization" pathway in 16 CFR §312.5(c)(6) — the school provides consent on behalf of parents for the limited educational purpose of the platform. However, the school-authorization pathway requires the platform to maintain "reasonable security" for the collected PII per §312.8 (operator must establish, maintain, and implement reasonable procedures to protect the confidentiality of children's information). When a K-12 learning platform's cert expires and an under-13 student submits PII over an unencrypted connection — name, age, voice recording, photo, IP address, persistent device identifier — the platform may be in COPPA violation under §312.8. FTC enforcement is active: $1.5M against TikTok in 2019, $170M against YouTube in 2019, $20M against Epic Games in 2022. The agency operating the platform under a school district BAA inherits operator obligations.
An education agency operates a K-8 reading-comprehension platform (read.k8platform.com) used by 280 elementary schools across 18 states. The platform collects student name, grade level, voice recordings (for reading-aloud assessment), photos (avatar uploads), and persistent device identifiers (per-device session tokens). The cert on read.k8platform.com expires during a holiday weekend; the renewal automation failed two months earlier due to a GA4 measurement-protocol misconfiguration that was breaking a related health-check. During the 72-hour cert-expired window, 18,000+ student sessions submit voice recordings and photos over the expired cert. 14,000+ of those sessions are students under 13.
An education agency operates K8Reader, a K-8 reading-comprehension platform used by 280 elementary schools across 18 states. The platform's pedagogical model uses voice recognition (students read passages aloud; AI assesses pronunciation, pace, comprehension) and avatar customization (students choose an avatar appearance to personalize their reading dashboard; avatars can be customized with uploaded photos). The platform collects: student first + last name (used for school-roster mapping), grade level (K-8), voice recordings (1-5 minutes per assessment, stored and analyzed by an AI model), photo uploads (avatar images, optional but commonly used by students), and persistent device identifiers (per-device session tokens that persist across reading sessions). The platform operates under school-district contracts with school-authorization for COPPA purposes — the district provides §312.5(c)(6) consent on behalf of parents for the educational purpose. The cert on read.k8platform.com is provisioned via Let's Encrypt with a 90-day cycle. Two months ago, an unrelated GA4 measurement-protocol integration was added to the platform; the GA4 integration broke a health-check endpoint that the LE renewal automation uses to confirm the renewal succeeded. The renewal automation began silently retrying every renewal for the past 60 days. Each retry consumed an LE rate-limit budget slot (5 duplicate certs per week per FQDN); the rate limit was hit on the third week. From that point, renewals were rejected by LE. The previous cert expires on a Friday afternoon (the Friday before Memorial Day weekend). The agency's on-call coverage is reduced for the holiday weekend; the cert expiry alert routes to a Slack channel that's only monitored during business hours. The agency engineer doesn't see the alert until Tuesday morning. Over the 72-hour cert-expired window (Friday 4 PM through Tuesday 9 AM): 18,000+ student sessions hit the platform. 
14,000+ of those sessions are students under 13 (the platform's user mix is K-8, so most users are under 13 except some 7th-8th graders). Each session collects voice recordings, photo avatar selections, and the persistent device identifier. All of this data transmits over the expired cert. Mobile Safari (for tablet-using students) hard-blocks. iOS school-issued iPads with mobile device management (MDM) policies that enforce strict cert validation are also blocked. Chrome OS school-issued Chromebooks show the warning; students under 13 don't reliably click through (they ask their teacher; the teacher tells them to wait). But many sessions proceed via the platform's native iOS/Android apps, which have their own cert handling that varies by app version and may not surface the expiry as clearly as a browser. Discovery happens Tuesday morning when the agency engineer sees the Slack alert backlog. Cert is renewed within 2 hours. The agency's privacy lead is engaged; outside FTC/COPPA counsel is engaged. Outside counsel analyzes: under §312.8, the operator must maintain "reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children." Transmission over an expired cert during a 72-hour window where 14,000+ under-13 sessions occurred may be deemed an unreasonable security lapse. FTC enforcement priority around children's privacy is elevated; the FTC's 2019 YouTube case ($170M) and 2022 Epic Games case ($245M COPPA + $275M FTC Act for related dark-pattern claims) signal active enforcement. State AG enforcement is also active: CA AG has standing under SOPIPA (the platform operates in CA schools); NY AG has standing under §2-d (the platform operates in NY schools). The agency's engagement contracts with the 280 school districts include cybersecurity SLAs and indemnity; multiple indemnities are triggered. The agency's E&O policy is triggered.
CIPA (Children's Internet Protection Act, 47 U.S.C. §254) conditions federal e-Rate funding on Internet safety policies including filtering and monitoring of Internet access. ESSA (Every Student Succeeds Act, P.L. 114-95) requires state reporting on student performance with specific data integrity requirements (data must be "valid and reliable" per 20 U.S.C. §6311(h)). State education agencies (SEAs) operate data-submission endpoints that LEAs use to submit ESSA-required performance data. The federal Office of Educational Technology (OET) at the Department of Education operates additional submission endpoints. Each of these endpoints has specific cert chain requirements. When a school district's submission endpoint cert expires, submissions fail; submissions queue at the LEA side or at the SEA side depending on the protocol; reporting deadlines may be missed. ESSA reporting deadlines are firm (annual; state-defined fall + spring windows). E-Rate funding is conditional on CIPA-compliance certification; if filtering systems can't report cert-validated logs to the SEA, the certification may be at risk.
An education agency operates the ESSA data-submission relay (reporting.lea-edu.net) for a regional LEA (Local Educational Agency) covering 8 K-12 districts. The cert on reporting.lea-edu.net expires due to a 90-day Let's Encrypt renewal failure during the state's annual reporting window. The state education agency's submission API caches the TLS failure for 24 hours per its IT operations runbook (a defensive measure against repeated TLS errors). During the cache window, the LEA cannot submit any of the 8 districts' ESSA reports. The state reporting deadline (October 30) is 4 days away. The state education agency's late-submission policy allows a 5-business-day extension but requires written justification to the State Superintendent.
An education agency operates the ESSA data-submission relay for a Regional Educational Service Agency (RESA) covering 8 K-12 districts in a Midwest state. The RESA aggregates ESSA-required data from each district (assessment results, attendance, graduation rates, English Learner outcomes, students with disabilities outcomes, post-secondary enrollment) and submits to the state education agency's data-submission API. The state education agency's submission API has specific cert chain requirements: it accepts certs chaining through DigiCert, Sectigo, or InCommon (the higher-ed-focused CA); other CAs are rejected at the TLS layer with HTTP 502. The cert on the RESA's submission relay (reporting.midwestresa.net) is provisioned via Let's Encrypt — which chains through IdenTrust. The state SEA's submission API was originally configured in 2018 with the three-CA list; the SEA hasn't updated the list to include IdenTrust because IdenTrust's ISRG Root X1 (the LE chain anchor) hasn't been widely deployed in K-12 SEA infrastructure. The previous cert (issued through Let's Encrypt → IdenTrust) was working because the SEA's API had an intermediate-cert cache that was populated from a prior cert that happened to chain through Sectigo. The cache expired after 90 days. The new LE-issued cert renewal triggered fresh chain validation, which failed against the three-CA list. The renewal succeeded at the agency's end (the cert installed correctly on reporting.midwestresa.net); submissions began failing at the SEA's end. The state reporting window opens October 1; deadline is October 30. The RESA's data team aggregates and submits district data throughout October. The first few submission attempts on October 5 fail with HTTP 502 from the SEA's API. The RESA's data lead opens a ticket with the agency. The agency engineer triages: identifies the LE-vs-three-CA-list mismatch. 
Resolution requires obtaining a new cert from one of the three approved CAs — opening an account with Sectigo, validating domain ownership, paying the cert fee, installing alongside the LE cert in a SNI config that serves Sectigo to the SEA API and LE to other consumers. Resolution takes 5 business days due to the Sectigo account-opening process. The RESA's ESSA reporting deadline is October 30. By the time the resolution is complete (October 12), the RESA has lost 7 days of the 30-day reporting window. Two of the 8 districts' data is more complex (special-population subgroup analyses); their submissions extend past October 30. The RESA submits a late-submission justification to the State Superintendent under the state's 5-business-day extension policy. The justification is granted but logged as a "late report" event. Three downstream impacts: (1) the federal Title I funding allocation cycle, which references state-aggregated ESSA data, may be affected if multiple LEAs in the state have late reports (state aggregation can't complete until all LEAs report); (2) the state's ESSA accountability rating for the affected districts may be recalculated using prior-year data; (3) the RESA's county-level peer network is informed of the late report, which has reputational impact. The RESA's engagement contract with the agency includes uptime SLAs; the SLA is triggered.
How it works
SSL and DNS monitoring for education agencies across parent/student portals (FERPA + CA SOPIPA + NY Education Law §2-d + IL SOPPA exposure), K-12 learning platforms (COPPA §312.8 exposure for under-13 PII), and ESSA data-submission relays (CIPA + ESSA reporting deadline + Title IV / e-Rate funding eligibility exposure).
Merlonix monitors SSL expiry and DNS integrity across every school-district-attached subdomain — portal.* (parent/student portal), sso.* (single sign-on), reporting.* (ESSA submission), learn.* (K-12 learning platform) — and catches cert expiry before any FERPA-protected education record can transmit over an unencrypted connection and trigger state-level student-privacy-law exposure, before any K-12 student under 13 can submit PII over an expired cert and trigger COPPA §312.8 exposure, and before any ESSA reporting deadline can be missed due to SEA-side cert chain rejection. Each district subdomain gets independent monitoring because each one carries independent regulatory exposure that flows back to the agency under the engagement's cybersecurity SLA.
01. Add every school-district-attached subdomain — portal.*, sso.*, reporting.*, learn.*, plus the district's primary marketing domain — with DNS TXT verification that catches cert expiry on FERPA + COPPA + CIPA + ESSA-scope infrastructure 30 days before the failure window opens
Verify ownership with a DNS TXT record on the apex domain. All school-district-attached subdomains under that apex — portal.* (parent/student portal), sso.* (single sign-on for student app access), reporting.* (ESSA data-submission relay), learn.* (K-12 learning platform) — are added without additional verification. Monitoring every district-attached subdomain catches cert expiry 30 days before the failure window opens — well before any parent can submit IEP-meeting acknowledgments or 504-plan signatures over an unencrypted connection and trigger FERPA + state-level student-privacy-law exposure, well before any K-12 student under 13 can submit PII over an expired cert and trigger COPPA exposure, and well before any ESSA reporting deadline can be missed due to SEA-side cert chain rejection. Under two minutes per district.
02. CAA inheritance monitoring across district IT cybersecurity audits, state-mandated security reviews, and registrar changes — surfacing the CAA tightening that breaks Let's Encrypt renewal during peak ESSA reporting windows
Three independent DNS resolvers check every CNAME and CAA record on every monitoring interval, walking the CAA inheritance chain from the apex up. When a district IT department tightens CAA records during a state-mandated cybersecurity audit (CA Ed. Code §49073.6, NY Education Law §2-d, IL SOPPA all impose documented-cybersecurity requirements that often result in CAA tightening), the change is detected in the first check cycle — well before the next 90-day cert renewal hits the tightened CAA list and silently fails. The implications are particularly important during ESSA reporting windows (October + March/April for most states) when a cert failure can cause missed reporting deadlines.
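The CAA inheritance check described above, sketched as an added example (not Merlonix's code): it finds the CAA record set that actually governs each hostname by climbing from the hostname toward the root (the RFC 8659 search order), then reports hostnames whose renewal CA was permitted before a DNS change and is not afterwards. The zone snapshots, the `learn.pcusd.edu` override and all function names are constructed for illustration; a real monitor would replace `zone_lookup` with live DNS queries.

```python
"""CAA inheritance check: which hostnames lose their renewal CA after a CAA change?"""
from typing import Callable, Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)
Lookup = Callable[[str], List[CAARecord]]

# Property tags this sketch understands; any other tag marked critical blocks issuance.
UNDERSTOOD_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit


def relevant_caa(fqdn: str, lookup: Lookup) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from fqdn toward the root; the closest non-empty CAA RRset governs."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup(name)
        if rrset:
            return name, rrset
    return None, []  # no CAA anywhere: issuance is unrestricted


def ca_permitted(ca_domain: str, rrset: List[CAARecord], wildcard: bool = False) -> bool:
    """Apply issue/issuewild semantics for one CA identifier."""
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in UNDERSTOOD_TAGS:
            return False  # unknown critical property: the CA must refuse
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild only matters for wildcard requests, and then it overrides issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # e.g. iodef-only RRset places no restriction
    # Drop parameters ("ca.example; accounturi=..."); a bare ";" permits no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed


def newly_blocked(hosts: List[str], renewal_ca: str,
                  before: Lookup, after: Lookup) -> List[Tuple[str, Optional[str]]]:
    """Hosts where renewal_ca was permitted before the change and is not now.

    Returns (host, name_of_governing_CAA_rrset) pairs so the alert can say
    which record caused the block.
    """
    blocked = []
    for host in hosts:
        _, old = relevant_caa(host, before)
        source, new = relevant_caa(host, after)
        if ca_permitted(renewal_ca, old) and not ca_permitted(renewal_ca, new):
            blocked.append((host, source))
    return blocked


def zone_lookup(zone: Dict[str, List[CAARecord]]) -> Lookup:
    """Stand-in for a resolver: answers CAA queries from a snapshot dict."""
    return lambda name: zone.get(name, [])


# Constructed snapshots modelled on the CAA tightening scenario on this page.
BEFORE = {
    "pcusd.edu": [(0, "issue", "letsencrypt.org"), (0, "issue", "digicert.com")],
    "learn.pcusd.edu": [(0, "issue", "letsencrypt.org")],
}
AFTER = {
    "pcusd.edu": [(0, "issue", "digicert.com"), (0, "issue", "entrust.net")],
    "learn.pcusd.edu": [(0, "issue", "letsencrypt.org")],  # own RRset shields it
}
HOSTS = ["portal.pcusd.edu", "sso.pcusd.edu", "learn.pcusd.edu"]

if __name__ == "__main__":
    for host, source in newly_blocked(HOSTS, "letsencrypt.org",
                                      zone_lookup(BEFORE), zone_lookup(AFTER)):
        print(f"ALERT {host}: letsencrypt.org no longer permitted by CAA at {source}")
```

The per-host result matters because a subdomain with its own CAA record set does not inherit the apex change, so an apex-only diff would both over-report and under-report.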
03. SSL monitoring 30 days before expiry across parent/student portals, K-12 learning platforms, and ESSA data-submission relays — independent per-subdomain checks because each one has independent regulatory exposure
Full SSL chain validation on every district-attached subdomain. Independent checks per-subdomain catch cert expiry 30 days before the failure window opens — enough time to coordinate any chain validation requirements with the state SEA's submission API (legacy three-CA lists are common), test the new cert against the SEA endpoint plus parent-portal mobile Safari traffic, and avoid deploy collisions with district IT change-freeze windows during state testing periods. The 30-day lead time covers both the 90-day Let's Encrypt cert cycle and the worst-case Sectigo / DigiCert / InCommon account-opening cycle if the SEA's approved-CA list doesn't include Let's Encrypt's chain anchor.
04. Vendor status for the major K-12 ed-tech platforms (Google Workspace for Education, Microsoft 365 Education, ClassDojo, Schoology, Canvas, PowerSchool, Infinite Campus), state education agency reporting APIs, and Let's Encrypt — to distinguish vendor-side incidents from per-district SSL configuration failures
Merlonix monitors Google Workspace for Education status, Microsoft 365 Education status, the major K-12 LMS/SIS vendors (Schoology, Canvas, PowerSchool, Infinite Campus, ClassDojo), and the state education agency submission APIs (status pages vary by state) alongside the district's cert state — so when a state SEA reporting API has an incident during ESSA reporting deadline week, you see the vendor event clearly rather than spending hours investigating whether the district's reporting.* subdomain has a cert problem. Vendor status monitoring is also useful for distinguishing a Google Workspace Education-wide SSL incident from a per-district configuration failure.
What the numbers mean for education agencies
Monitoring built for education agencies where one district portfolio means a parent portal (FERPA + state-level student-privacy-law exposure including CA SOPIPA, NY §2-d, IL SOPPA), a K-12 learning platform (COPPA §312.8 exposure for under-13 PII collection), and an ESSA data-submission relay (state SEA reporting deadline + Title IV / e-Rate funding eligibility exposure) — each with independent regulatory implications when a cert silently expires and the agency's engagement contract inherits FERPA-equivalent + COPPA-operator obligations.
Education agencies operating client-facing tech for school districts and universities need monitoring that recognizes each district-attached subdomain has independent regulatory exposure — because the FERPA-side failure is silent (parents click through the browser warning to submit IEP-meeting acknowledgments or 504-plan signatures; FPCO interprets FERPA as requiring "reasonable methods" to protect education records in transit), the COPPA-side failure is silent (the K-12 learning platform's native mobile app may not surface the cert expiry as clearly as a browser; under-13 students continue submitting voice recordings, photos, and persistent device identifiers), and the ESSA reporting failure is silent (the SEA's submission API caches the TLS failure for 24 hours; reporting deadlines pass during the cache window).
< 10 min
Time from DNS change to alert — catches CAA tightening introduced by district IT cybersecurity audits (state-mandated under CA Ed. Code §49073.6, NY Education Law §2-d, IL SOPPA) that silently break Let's Encrypt renewal on parent portals and ESSA reporting relays before the next 90-day cycle, plus registrar nameserver changes during peak reporting windows
30 days
SSL expiry warning lead time — enough time to coordinate any chain validation requirements with state SEA submission APIs (legacy three-CA lists are common; the SEA may not accept Let's Encrypt's ISRG Root X1 chain), test the new cert against parent-portal mobile Safari traffic + ESSA reporting APIs, and avoid deploy collisions with district IT change-freeze windows during state testing periods
11 vendors
Upstream services monitored — Google Workspace for Education, Microsoft 365 Education, ClassDojo, Schoology, Canvas, PowerSchool, Infinite Campus, the state education agency reporting APIs, and Let's Encrypt. Distinguishes a vendor-side ed-tech platform incident from a per-district SSL configuration failure
200 assets
Maximum monitored domains on the Agency plan — covers a full K-12 + higher-ed portfolio: 30+ school districts each with portal.*, sso.*, reporting.*, learn.*, and apex subdomains, plus higher-ed institutions with parent-portal.*, sso.*, lms.*, and apex subdomains. Multi-state RESAs (Regional Educational Service Agencies) with separate subdomains per state are absorbed without per-domain fees
Pricing
Flat monthly fee. Every district-attached subdomain, every K-12 learning platform, every ESSA reporting relay included.
No per-district charges. No per-school fees. Pick the tier that fits your education-vertical portfolio and monitor every regulated subdomain (portal.*, sso.*, reporting.*, learn.*) under each district's apex without billing surprises.
Starter
For solo developers or two-person agencies operating a single school district's parent portal, learning platform, and ESSA reporting relay under one apex domain.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For education agencies managing 5-10 school district clients with separate portal.*, sso.*, reporting.*, and learn.* subdomains per district, plus the district's primary marketing domain.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full K-12 + higher-ed client roster including multi-state RESAs (Regional Educational Service Agencies), K-12 ed-tech platforms operating across 280+ elementary schools, and higher-ed institutions with parent-portal.* + sso.* + lms.* + apex subdomains.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when portal.schooldistrictname.edu is approaching cert expiry — 30 days before parents can click through the browser warning and submit IEP-meeting acknowledgments over an unencrypted connection.
Add your first school district subdomain in under two minutes. Parent/student portals, K-12 learning platforms, ESSA data-submission relays, and SSO endpoints across every district in your portfolio are monitored from the same dashboard. 14-day trial, no card required.