GDPR Compliant

Data Processing Agreement

Data protection terms for educational institutions

Version 2.0 - Effective Date: January 15, 2024

Need a signed DPA?

Download, sign, and return to us for countersignature

This Data Processing Agreement ("DPA") forms part of the Service Agreement between SchoolBench Pro, Inc. ("Processor") and the Customer ("Controller") for the provision of SchoolBench Pro Services.

This DPA reflects the parties' agreement with respect to the Processing of Personal Data in accordance with the requirements of Data Protection Laws and Regulations.

1. Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.

"Processing"

Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Data Protection Laws"

All applicable laws relating to data protection and privacy, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Family Educational Rights and Privacy Act ("FERPA"), and any other applicable local laws.

"Data Subject"

An identified or identifiable natural person to whom Personal Data relates, including students, parents, teachers, and staff.

"Sub-processor"

Any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

2. Scope and Application

This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in the course of providing the Services, including:

  • Student records and academic information
  • Staff and teacher data
  • Parent/guardian contact information
  • Communication records
  • Usage data and analytics (where it contains Personal Data)

3. Details of Processing

Nature and Purpose

The Processor will Process Personal Data to provide educational management services, including:

  • Student information management
  • Academic record keeping
  • Communication facilitation
  • Reporting and analytics
  • Technical support

Categories of Data Subjects

  • Students (current and former)
  • Parents and legal guardians
  • Teachers and educational staff
  • School administrators
  • Other authorized users

Types of Personal Data

  • Names and identification information
  • Contact details (email, phone, address)
  • Academic records and grades
  • Attendance records
  • Behavioral records
  • Health information (where applicable)
  • Login credentials and usage data

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure security
  • Not engage Sub-processors without prior written authorization from the Controller
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security and breach notification obligations
  • Delete or return all Personal Data at the end of the service provision
  • Make available all information necessary to demonstrate compliance

5. Security Measures

The Processor implements and maintains the following security measures:

Technical Measures

  • Encryption at rest and in transit
  • Access controls and authentication
  • Regular security testing
  • Intrusion detection systems

Organizational Measures

  • Staff training and awareness
  • Access on a need-to-know basis
  • Incident response procedures
  • Regular security audits

6. Sub-processors

The Controller acknowledges and agrees that the Processor may engage the following Sub-processors:

Sub-processor       | Purpose            | Location
Amazon Web Services | Cloud hosting      | United States
SendGrid            | Email services     | United States
Stripe              | Payment processing | United States

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access to Personal Data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of Processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

8. International Transfers

The Processor shall not transfer Personal Data outside the European Economic Area without:

  • Prior written consent from the Controller
  • Appropriate safeguards in place (such as Standard Contractual Clauses)
  • Compliance with Chapter V of the GDPR

Note: For US-based educational institutions, data is primarily processed within the United States in compliance with FERPA and applicable state laws.

9. Audit Rights

The Processor shall:

  • Make available all information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller
  • Provide certifications, reports, or extracts from external audits (such as SOC 2)

Audits shall be conducted with reasonable notice and during business hours, minimizing disruption to the Processor's operations.

10. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  1. Notify the Controller without undue delay and within 72 hours of becoming aware
  2. Provide detailed information about the nature and scope of the breach
  3. Take immediate measures to mitigate the effects
  4. Cooperate with the Controller in investigating the breach
  5. Document all breaches and measures taken

11. Term and Termination

This DPA shall remain in effect for the duration of the Service Agreement. Upon termination:

  • The Processor shall cease all Processing of Personal Data
  • At the Controller's choice, delete or return all Personal Data
  • Delete existing copies unless legal requirements mandate storage
  • Provide certification of deletion upon request

12. Liability and Indemnification

Each party's liability arising out of or related to this DPA shall be subject to the limitations set forth in the Service Agreement. Each party shall indemnify the other against damages resulting from their violation of Data Protection Laws.

13. Governing Law

This DPA shall be governed by the laws specified in the Service Agreement, without prejudice to Data Protection Laws applicable to the Processing of Personal Data.

14. Contact Information

Data Protection Officer

Captivator Technologies LLC
Attn: Data Protection Officer
Email: info@captivatortechnologies.com
Phone: +1 443 756 3449
Address: 8865 Stanford Blvd, Suite #202, Columbia, MD 21045

Execution

Controller

Processor

SchoolBench Pro, Inc.