Data Processing Agreement (DPA)
This Data Processing Agreement (“Agreement”) is made and entered into as of [Date], by and between:
- SchooledTech, LLC (“Processor”), with its principal place of business at [Address], and
- [School Name] (“Controller”), with its principal place of business at [Address].
Together, the Processor and the Controller are referred to as the “Parties.”
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable individual, as defined under applicable data protection laws.
- “Processing” means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, and deletion, as defined under applicable data protection laws.
- “Data Subject” means the individual to whom the Personal Data relates, such as students, teachers, and school staff.
- “Data Controller” means the entity that determines the purposes and means of processing Personal Data.
- “Data Processor” means the entity that processes Personal Data on behalf of the Data Controller.
- “Services” means the educational tools and software provided by the Processor to the Controller, as detailed in the Agreement between the Parties.
2. Scope of Data Processing
- The Processor shall process Personal Data solely on the instructions of the Data Controller and in accordance with the terms of this Agreement.
- The types of Personal Data processed include names, email addresses, job titles, student grades, attendance records, and other educational data necessary for the operation of the Services.
- The Processing is carried out for the purpose of providing the Services to the Controller, as outlined in the underlying service agreement between the Parties.
3. Processor’s Obligations
- Compliance with Instructions: The Processor will process Personal Data only in accordance with the written instructions provided by the Controller.
- Confidentiality: The Processor will ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations and are trained in data protection matters.
- Data Security: The Processor will implement appropriate technical and organizational measures to ensure the security of Personal Data, including protection against unauthorized access, disclosure, alteration, and destruction.
- Data Breach Notification: In the event of a data breach affecting Personal Data, the Processor will notify the Controller without undue delay, and assist the Controller in meeting its obligations under applicable laws, including breach reporting and risk mitigation.
- Subprocessors: The Processor may engage subprocessors to assist in providing the Services. The Processor will ensure that any subprocessors are bound by data protection obligations equivalent to those set out in this Agreement. A list of subprocessors, including any changes to the list, will be provided to the Controller upon request.
4. Controller’s Obligations
- Data Controller Responsibilities: The Controller is responsible for ensuring that it has obtained all necessary consents from Data Subjects (e.g., students, parents, staff) as required by applicable data protection laws.
- Data Integrity: The Controller will ensure that the Personal Data provided to the Processor is accurate, complete, and up-to-date.
- Data Subject Rights: The Controller is responsible for responding to any requests from Data Subjects to exercise their rights under applicable data protection laws (e.g., access, correction, deletion). The Processor will assist the Controller in responding to such requests, as necessary.
5. Data Subject Rights
- The Processor will assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection laws, such as access, correction, deletion, and objection to processing.
- The Processor will promptly inform the Controller of any request it receives from a Data Subject regarding their Personal Data.
6. Data Transfers
- The Processor may transfer Personal Data outside the European Economic Area (EEA) to the United States or other countries where the Processor operates, provided that such transfers are in compliance with applicable data protection laws, including implementing appropriate safeguards (e.g., Standard Contractual Clauses or Privacy Shield).
7. Data Retention and Deletion
- The Processor will retain Personal Data only for as long as necessary to provide the Services or as required by applicable law. Upon termination of the Services, the Processor will securely delete or return the Personal Data, as requested by the Controller.
8. Audit Rights
- The Controller has the right to audit the Processor’s compliance with this Agreement, including its security practices, at reasonable intervals. The Processor agrees to provide the Controller with access to the relevant records and systems for this purpose.
9. Liability
- The Processor will be liable for any damage caused by the Processing of Personal Data that does not comply with this Agreement or applicable data protection laws.
- The Controller will be liable for any damage caused by the failure to obtain necessary consents from Data Subjects or failure to provide appropriate instructions regarding the Processing of Personal Data.
10. Indemnification
- The Processor agrees to indemnify and hold the Controller harmless from any claims, losses, or damages arising out of the Processor’s breach of this Agreement or its obligations under applicable data protection laws.
11. Termination
- This Agreement will terminate upon termination of the underlying service agreement between the Parties, or as otherwise agreed in writing.
- Upon termination, the Processor will return or delete all Personal Data, as requested by the Controller.
12. Governing Law
- This Agreement will be governed by and construed in accordance with the laws of [State/Country], without regard to its conflict of law principles.
13. Miscellaneous
- Amendments: This Agreement may be amended only in writing, signed by both Parties.
- Severability: If any provision of this Agreement is found to be invalid, the remaining provisions will remain in full force and effect.
Signatures
Processor (SchooledTech, LLC)
Signature: ___________________________
Name: [Your Name]
Title: [Your Title]
Date: [Date]
Controller ([School Name])
Signature: ___________________________
Name: [School Representative Name]
Title: [School Representative Title]
Date: [Date]