Data Processing Agreement

Last Updated: January 28, 2026

This Data Processing Agreement ("DPA") is aligned with the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement (NDPA) and is designed for use by K-12 schools and districts. For customized DPAs or state-specific addenda, contact us at john@gradewithai.com.

1. Parties

This Data Processing Agreement ("DPA") is entered into by and between:

  • "Provider": GradeWithAI (the "Company", "we", "us", or "our")
  • "Local Education Agency" (LEA): The school, school district, or educational institution entering into this agreement

2. Purpose and Scope

The purpose of this DPA is to describe the duties and responsibilities of the Provider with respect to the protection of Student Data and to ensure compliance with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and applicable state student privacy laws.

This DPA applies to all Student Data that is provided to, accessed by, or collected by the Provider in connection with the delivery of services under the Terms of Service agreement between the parties.

3. Definitions

  • "Student Data" means any information that is directly related to an identifiable current or former student that is maintained by a school, school district, or related entity or organization, or by us. Student Data may include "educational records" as defined by FERPA.
  • "Personally Identifiable Information" (PII) means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information.
  • "De-Identified Data" means data that has been stripped of all direct and indirect identifiers, with no reasonable basis to believe the information can be used to identify an individual student.
  • "Aggregated Data" means data collected from multiple individuals that has been combined and summarized without containing any PII.

4. Student Data Collection and Use

4.1 Data Elements Collected

The Provider may collect the following categories of Student Data in connection with the Services:

  • Student name (first, last)
  • Student email address (if provided by the LMS)
  • Student ID (as assigned by the LMS)
  • Course/class enrollment information
  • Assignment submissions (text, documents, images)
  • Grades and feedback provided by the Service

4.2 Data NOT Collected

The Provider does NOT collect:

  • Social Security numbers
  • Financial or payment information from students
  • Medical or health records
  • Biometric information
  • Geolocation data
  • Student or parent contact information for non-educational purposes
  • Disciplinary records
  • Juvenile delinquency records

4.3 Permitted Uses

The Provider shall use Student Data solely for the following purposes:

  • Providing the contracted grading and feedback services to the LEA
  • Improving and maintaining the educational services
  • Providing technical support to users
  • Ensuring the security and integrity of the platform
  • Complying with legal obligations

4.4 Prohibited Uses

The Provider shall NOT:

  • Sell Student Data or use it for targeted advertising to students
  • Use Student Data to create profiles for non-educational purposes
  • Disclose Student Data to third parties for commercial purposes
  • Use Student Data for any purpose not specified in this DPA or the Terms of Service
  • Use Student Data in any manner inconsistent with FERPA, COPPA, or applicable state laws

5. Data Security

5.1 Security Program

The Provider shall maintain a comprehensive information security program that includes administrative, technical, and physical safeguards appropriate to the nature, size, and complexity of the Provider's activities and the sensitivity of the Student Data.

5.2 Security Measures

At minimum, the Provider shall implement:

  • Encryption of Student Data in transit (TLS 1.2 or higher)
  • Encryption of Student Data at rest (AES-256 or equivalent)
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Employee security awareness training
  • Incident response procedures
  • Secure data disposal procedures

5.3 Access Controls

Access to Student Data shall be limited to Provider personnel who require access to perform services under this DPA. All such personnel shall be bound by confidentiality obligations.

6. Data Breach Response

6.1 Notification

In the event of a Security Incident involving unauthorized access to, disclosure of, or acquisition of Student Data, the Provider shall:

  • Notify the LEA within seventy-two (72) hours of discovering the incident
  • Provide the LEA with a description of the incident, including the types of data involved
  • Take immediate steps to investigate and mitigate the incident
  • Cooperate with the LEA to provide required notifications to parents and students
  • Provide regular updates on the investigation and remediation efforts

6.2 Notification Contents

The breach notification shall include:

  • A description of the incident
  • The types of information involved
  • Actions taken in response
  • Steps individuals can take to protect themselves
  • Contact information for questions

7. Data Retention and Deletion

7.1 Retention Period

The Provider shall retain Student Data only for as long as necessary to fulfill the educational purposes for which it was collected, or as required by the LEA, or as required by law.

7.2 Deletion Upon Request

Upon written request from the LEA, the Provider shall:

  • Delete all Student Data within thirty (30) calendar days
  • Provide written certification of deletion to the LEA
  • Ensure that all subprocessors also delete the relevant Student Data

7.3 Deletion Upon Termination

Upon termination or expiration of the service agreement:

  • The LEA may request export of its Student Data before deletion
  • All Student Data shall be deleted within thirty (30) calendar days unless the LEA requests a different timeframe
  • The Provider shall provide certification of deletion upon request

8. Subprocessors

8.1 Authorized Subprocessors

The LEA authorizes the Provider to use the following categories of subprocessors to process Student Data:

  • Cloud infrastructure providers (hosting, storage)
  • AI/Machine learning service providers
  • Security and monitoring tools

8.2 Subprocessor Obligations

The Provider shall ensure that any subprocessor processing Student Data is bound by data protection obligations no less protective than those in this DPA.

8.3 Current Subprocessors

A list of current subprocessors is available at our Security page. The Provider shall notify the LEA of any material changes to subprocessors.

9. FERPA Compliance

The Provider acknowledges that it may receive Student Data that constitutes "education records" under FERPA and agrees to:

  • Act as a "school official" with "legitimate educational interests" under FERPA
  • Be under the direct control of the LEA with respect to the use and maintenance of education records
  • Use Student Data only for the purposes specified in this DPA
  • Not re-disclose Student Data except as permitted by FERPA
  • Support the LEA in responding to parent requests regarding education records

10. COPPA Compliance

For Student Data relating to children under 13, the Provider acknowledges that:

  • The LEA is providing consent on behalf of parents for the collection of Student Data solely for educational purposes
  • The Provider will collect only the minimum information necessary to provide the Services
  • The Provider will not use Student Data for commercial purposes, including targeted advertising
  • Parents retain the right to review their child's information and request deletion through the LEA

11. State Law Compliance

The Provider agrees to comply with applicable state student privacy laws, including but not limited to:

  • California Student Online Personal Information Protection Act (SOPIPA)
  • New York Education Law 2-d
  • Other state-specific student privacy laws as applicable

State-specific addenda are available upon request for LEAs in states with specific contractual requirements.

12. Data Ownership

The LEA retains sole ownership of all Student Data. The Provider acquires no rights in the Student Data other than the limited rights to process it as specified in this DPA.

13. Auditing and Monitoring

Upon reasonable notice and subject to confidentiality obligations, the Provider shall:

  • Allow the LEA to audit the Provider's compliance with this DPA
  • Provide documentation and information necessary to demonstrate compliance
  • Cooperate with any regulatory inquiries regarding Student Data protection

14. Training

The Provider shall ensure that all personnel with access to Student Data receive appropriate training on:

  • Student data privacy requirements
  • FERPA and COPPA obligations
  • Security best practices
  • Incident response procedures

15. Amendments

This DPA may be amended only in writing signed by both parties. Either party may propose amendments to address changes in law or best practices.

16. Term

This DPA shall remain in effect for the duration of the service agreement between the parties. Data protection obligations shall survive termination.

17. Contact

For questions about this DPA or to request a customized agreement, email john@gradewithai.com.

Execution

To execute this DPA, authorized representatives of both parties should sign below. For digital execution, contact us at john@gradewithai.com to receive an electronic signature version.

Provider: GradeWithAI

Signature: ___________________________

Name: ___________________________

Title: ___________________________

Date: ___________________________

Local Education Agency (LEA)

Signature: ___________________________

Name: ___________________________

Title: ___________________________

Date: ___________________________