Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Edudigital AI, Inc. ("Edudigital," "Processor") and the subscribing institution ("Institution," "Controller"). It governs the processing of personal data, including student education records, on behalf of the Institution.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable individual processed by Edudigital on behalf of the Institution.

"Education Records" has the meaning given under FERPA (20 U.S.C. § 1232g).

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Sub-processor" means any third party engaged by Edudigital to process Personal Data on the Institution's behalf.

3. Scope of Processing

Edudigital processes Personal Data only as instructed by the Institution and for the purpose of delivering the campus management platform services. The types of data processed may include: student enrollment records, attendance data, financial aid information, admissions records, and staff account information.

4. FERPA Compliance

The Institution designates Edudigital as a "school official" with a "legitimate educational interest" under FERPA for the purpose of providing platform services. Edudigital agrees to: (a) use education records only as directed by the Institution; (b) maintain appropriate safeguards; (c) not re-disclose education records except as permitted by FERPA and the Institution's instructions.

5. Security Measures

Edudigital implements technical and organizational security measures appropriate to the risk, including: encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access controls; audit logging; SOC 2 Type II certified infrastructure; regular security assessments; and incident response procedures.

6. Sub-processors

Edudigital uses third-party sub-processors to provide infrastructure and ancillary services (e.g., cloud hosting, email delivery). A current list of sub-processors is available upon request. Edudigital will notify the Institution of any material changes to sub-processors with reasonable advance notice.

7. Data Subject Rights

Edudigital will assist the Institution in responding to requests from individuals exercising their rights under applicable law. The Institution is responsible for responding to data subject requests; Edudigital will provide reasonable assistance as technically feasible.

8. Data Deletion

Upon termination of the subscription, Edudigital will retain Institution Data for 30 days during which the Institution may export it. Following that period, Edudigital will delete or anonymize all Institution Data unless retention is required by law.

9. Breach Notification

Edudigital will notify the Institution without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach affecting Institution Data. Notification will include the nature of the breach, categories of data affected, and remediation steps taken.

10. Contact

For DPA-related inquiries, contact our Data Protection contact at privacy@edudigital.app.