Data Processing Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between the educational institution ("School") and FrameProof Education ("Provider") to establish the terms under which Provider processes Student Data on behalf of School in compliance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and applicable state student data privacy laws.

2. Definitions

• Student Data — Any information directly related to an identifiable student that is maintained by the School or by Provider on behalf of the School, including but not limited to: student names, ages, grade levels, assessment responses, scores, and educational records.
• Education Records — Records directly related to a student maintained by the School or by a party acting on behalf of the School, as defined by FERPA.
• Authorized Users — School administrators, teachers, and staff who have been granted access to Student Data through the Provider's platform.

3. Purpose of Data Processing

Provider processes Student Data solely for the purpose of providing educational assessment services to School, including:

• Generating personalized educational assessments
• Evaluating student responses and producing learning reports
• Tracking student progress and engagement metrics
• Detecting educational bias in assessment content
• Providing classroom and school-level analytics to authorized personnel

4. FERPA Compliance

Provider agrees to the following FERPA obligations:

• Provider acts as a "school official" with a "legitimate educational interest" under FERPA
• Provider will not use Student Data for any purpose other than providing the contracted educational services
• Provider will not disclose Student Data to any third party without School's written consent, except as required by law
• Provider will not use Student Data for advertising, marketing, or any commercial purpose unrelated to the educational service
• Provider will maintain an audit trail of all access to Student Data by Provider personnel

5. Data Security

Provider maintains the following security measures:

• AES-256-GCM encryption for all sensitive student data at rest
• TLS 1.2+ encryption for all data in transit
• Role-based access controls limiting data visibility to authorized personnel
• Audit logging of all data access and modifications
• bcrypt password hashing for all user accounts
• httpOnly cookie-based authentication to prevent token theft
• Regular security reviews and updates

6. Access Controls

• Teachers can only access data for students assigned to their classrooms
• School administrators can access data for all students in their school
• No cross-school data access is permitted
• School is responsible for managing and revoking teacher access

7. Third-Party Sub-Processors

Provider uses the following sub-processor for assessment generation:

• Anthropic (Claude AI) — Used to generate and evaluate educational assessments. Student age, grade level, and learning focus areas are transmitted to this service. Anthropic's data processing terms prohibit use of this data for model training or any purpose other than providing the requested service.

Provider will notify School before engaging any new sub-processor that will have access to Student Data.

8. Data Retention and Deletion

• Student Data is retained only for the duration of the School's active subscription
• Upon contract termination, Provider will delete all Student Data within 60 days
• School may request deletion of specific student records at any time
• Provider maintains automated data minimization processes for temporary data

9. Breach Notification

In the event of a data breach involving Student Data, Provider will notify School within 72 hours of discovering the breach. Notification will include the nature of the breach, the data affected, steps taken to contain the breach, and recommended actions for the School.

10. Parent/Guardian Rights

Provider supports the following rights of parents and eligible students:

• Right to inspect and review their child's education records
• Right to request correction of inaccurate records
• Right to request deletion of their child's data
• Right to export their child's data in a portable format

11. Contact

For questions about this DPA or to request a signed copy:

FrameProof Education — Data Privacy Office
Email: dpa@frameproof.education