Data Processing Addendum

The parties recognize that k-12.cloud Processes Personal Data, including, where applicable, education records and information relating to students, on Customer’s behalf in the course of providing the Services. The parties enter into this DPA to set out the data-protection obligations applicable to that Processing and to comply with the Family Educational Rights and Privacy Act (“FERPA”), the Children’s Online Privacy Protection Act (“COPPA”), state student data privacy laws, and other applicable Data Protection Laws.

Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.

• “Customer Data”means any data, including any Personal Data, that Customer or its Authorized Users upload to, deploy on, store in, or generate within an Environment, or that k-12.cloud Processes on Customer’s behalf in connection with the Services.
• “Data Protection Laws”means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including FERPA, COPPA, state student data privacy laws referenced in Section 14, the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CPRA”), other comprehensive U.S. state privacy laws, the General Data Protection Regulation (EU 2016/679) (“GDPR”), and the UK GDPR, in each case to the extent they apply to a given Processing activity.
• “Education Record”has the meaning set forth in FERPA, 20 U.S.C. § 1232g and implementing regulations at 34 C.F.R. Part 99.
• “Personal Data”means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household. Personal Data includes personally-identifiable information from Education Records, “covered information” under state student data privacy laws, and “personal information” or “personal data” as those terms are used under other Data Protection Laws.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by k-12.cloud.
• “Processing”(and “Process”) means any operation performed on Personal Data, whether or not by automated means.
• “School Service Provider”means an entity that provides a school service for K-12 purposes (e.g., as defined under Illinois SOPPA, California AB 1584, New York Education Law § 2-d, and substantially similar laws), to the extent applicable.
• “Subprocessor” means any third party engaged by k-12.cloud (or another Subprocessor) that Processes Customer Data in connection with the Services.

For purposes of this DPA, with respect to Customer Data:

• Customer is the Controller (and, under U.S. law, the business, educational agency or institution, or K-12 school where applicable);
• k-12.cloud is the Processor (and, under U.S. law, the service provider, school service provider, or school officialunder FERPA § 99.31(a)(1) where applicable); and
• k-12.cloud will Process Customer Data only on Customer’s documented instructions and as described in this DPA.

The categories of Data Subjects, types of Personal Data, and nature, purpose, and duration of Processing are set out in Appendix A.

k-12.cloud will Process Customer Data only as instructed by Customer in writing, including through the Agreement, the Services’ standard functionality (configuration, API calls, deployment actions), Orders, support tickets, and subsequent written instructions agreed by the parties. k-12.cloud will not (a) sell or share Personal Data within the meaning of the CPRA or any similar law; (b) retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing the Services for Customer, including retaining, using, or disclosing it for a commercial purpose other than providing the Services; (c) retain, use, or disclose Personal Data outside the direct business relationship between the parties; or (d) combine Personal Data received from or on behalf of Customer with Personal Data from k-12.cloud’s other sources, except as expressly permitted to perform a business purpose authorized by Customer or as permitted by Data Protection Laws.

k-12.cloud will not use Customer Data for advertising, marketing, profiling, the development or improvement of generative artificial intelligence models, or the training or fine-tuning of any other machine-learning model. k-12.cloud will promptly inform Customer if, in its opinion, an instruction violates Data Protection Laws; in such case k-12.cloud is not obligated to follow the instruction until the parties resolve the issue in writing.

k-12.cloud will ensure that personnel and contractors who are authorized to Process Customer Data are bound by appropriate written obligations of confidentiality or are under a statutory obligation of confidentiality. Access to Customer Data within k-12.cloud is limited to personnel with a legitimate operational need on a least-privilege basis.

k-12.cloud will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons. A description of those measures (“TOMs”) is set out in Appendix B. The parties acknowledge that the TOMs are subject to technical progress and development and that k-12.cloud may update them from time to time provided that any update does not materially diminish the overall level of protection.

Customer provides general written authorization for k-12.cloud to engage the Subprocessors listed in Appendix C as of the Effective Date. k-12.cloud will (a) impose data protection obligations on each Subprocessor that are no less protective than those in this DPA; (b) remain liable to Customer for the acts and omissions of its Subprocessors to the same extent k-12.cloud would be liable for performing the Services directly; and (c) provide Customer with at least thirty (30) days’ advance notice (by email to the privacy or billing contact, or by updating the in-portal subprocessor list) before adding or replacing a Subprocessor that Processes Customer Data.

Customer may object on reasonable data-protection grounds to the engagement of a new Subprocessor by notifying k-12.cloud within fifteen (15) days of the notice. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected portion of the Services and receive a prorated refund of unused, prepaid fees attributable to that portion as its sole and exclusive remedy.

To the extent legally required, k-12.cloud will assist Customer in fulfilling Customer’s obligations to respond to requests from Data Subjects (or from parents, eligible students, or other persons exercising rights under FERPA or applicable state student data privacy laws), including requests to access, correct, delete, restrict, port, or object to the Processing of their Personal Data, by providing appropriate technical and organizational measures, insofar as this is possible given the nature of the Processing. If k-12.cloud receives a request directly from a Data Subject relating to Customer Data, k-12.cloud will, unless legally prohibited, promptly forward the request to Customer and will not respond substantively except to acknowledge receipt and redirect the request to Customer.

k-12.cloud will notify Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Data, by email to the privacy or billing contact of record. The notification will, to the extent then known to k-12.cloud:

• describe the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records affected;
• describe the likely consequences of the breach;
• describe the measures taken or proposed to address the breach and mitigate its possible adverse effects; and
• provide a point of contact at k-12.cloud from whom Customer may obtain further information.

Where complete information is not available at the time of the initial notification, k-12.cloud will provide subsequent updates as material new information becomes available. k-12.cloud will reasonably cooperate with Customer’s investigation, mitigation, and notification obligations, including under New York Education Law § 2-d, Illinois SOPPA (105 ILCS 85), Connecticut Public Act 16-189, and similar state laws that impose specific timelines on educational agencies. k-12.cloud’s notification of a breach is not an acknowledgment of fault or liability.

k-12.cloud will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including by providing on request: (a) a summary of the underlying cloud infrastructure provider’s SOC 2 Type II and ISO 27001 certifications and audit reports, subject to customary confidentiality terms; (b) a description of k-12.cloud’s applicable TOMs; (c) responses to industry standard security questionnaires; and (d) reasonable cooperation with Customer questions.

Where Data Protection Laws or a binding directive of a supervisory authority require an on-site audit, Customer may, at its expense and no more than once per twelve (12) month period (except in the event of a confirmed Personal Data Breach), conduct an audit limited to k-12.cloud’s compliance with this DPA. The parties will agree in advance on scope, timing, duration, and the auditor (who must not be a competitor of k-12.cloud and must execute customary non-disclosure undertakings). Audits will be conducted during normal business hours, will not unreasonably interfere with k-12.cloud’s operations, and will not access systems containing other customers’ data.

The primary Processing locations for Customer Data are within the United States. k-12.cloud offers a Canada-residency option where commercially available and identified in an Order. k-12.cloud will not transfer Customer Data outside the United States or Canada (as elected) except as necessary to provide the Services and subject to appropriate safeguards required by applicable law.

To the extent any Processing involves the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of protection, the parties agree that the EU Standard Contractual Clauses (Module Two, Controller to Processor) approved by the European Commission in Decision (EU) 2021/914 are hereby incorporated by reference, with the appendices populated by Appendices A and C of this DPA, and with the optional docking clause and a docking clause for the UK International Data Transfer Addendum applying as applicable.

On termination or expiration of the Services, or earlier on Customer’s written request, k-12.cloud will return or delete Customer Data in its possession or control in accordance with the Agreement and this DPA. Customer is responsible for exporting Customer Data during the export period stated in the Agreement (which is at least thirty (30) days for paid subscriptions unless otherwise required by law). Following the export period, k-12.cloud will delete Customer Data within thirty (30) days, subject to: (a) backups created in the ordinary course of business, which will be overwritten or purged in line with k-12.cloud’s standard backup-retention schedule of no more than ninety (90) days; and (b) records k-12.cloud is required to retain by applicable law. k-12.cloud will continue to protect any retained Customer Data in accordance with this DPA until deletion.

Where Customer is an educational agency or institution subject to FERPA, the parties acknowledge that to the extent k-12.cloud Processes Education Records on Customer’s behalf, k-12.cloud is a “school official” performing an institutional service or function for which Customer would otherwise use its employees, under 34 C.F.R. § 99.31(a)(1)(i)(B). k-12.cloud (i) is under Customer’s direct control with respect to the use and maintenance of Education Records; (ii) will use Education Records only to perform the Services authorized in the Agreement; and (iii) will not re-disclose Education Records to any third party except as authorized by Customer in writing or as required by law, and only to the extent that the recipient is bound by obligations no less protective than this DPA.

Where Customer’s deployed services are directed to children under thirteen (13) years of age or knowingly collect personal information from such children, Customer is the “operator” for purposes of COPPA. k-12.cloud provides infrastructure-level support and will cooperate reasonably with Customer’s COPPA-compliance obligations, including supporting Customer’s ability to provide notice to parents, obtain verifiable parental consent through Customer’s implementation, honor parental review and deletion requests routed to k-12.cloud by Customer, and refrain from using such information for any purpose other than providing the Services. k-12.cloud does not solicit personal information from children and does not knowingly collect such information independently of Customer instructions.

k-12.cloud commits to the following with respect to information defined as “covered information,” “student data,” or “student personally identifiable information” under U.S. state student data privacy laws, including the Illinois Student Online Personal Protection Act (105 ILCS 85), New York Education Law § 2-d and Part 121 of the Commissioner’s Regulations, California Education Code § 49073.1 (AB 1584) and the Student Online Personal Information Protection Act, Connecticut Public Act 16-189, Colorado Revised Statutes § 22-16-101 et seq., and substantially similar laws (collectively, “State Student Privacy Laws”):

• Customer retains exclusive control of and ownership in covered information and student data; k-12.cloud acquires no ownership rights;
• k-12.cloud will not sell or rent covered information or student data and will not engage in targeted advertising to students, parents, or school personnel using covered information;
• k-12.cloud will not use covered information to amass a profile of a student except in furtherance of legitimate K-12 school purposes authorized by Customer;
• k-12.cloud will provide notice to Customer of unauthorized disclosure of covered information in accordance with Section 8 and will cooperate with notifications to parents, eligible students, and authorities to the extent required by law;
• k-12.cloud will publish or otherwise make available its data handling and security practices, including this DPA, the Privacy Policy, and the security measures described in Appendix B;
• k-12.cloud will provide a parents’ bill-of-rights for data privacy and security as required under New York Education Law § 2-d on request, and will support Customer’s posting of such bill where Customer is a New York educational agency; and
• k-12.cloud will, on Customer’s written request, delete covered information and student data within thirty (30) days in accordance with Section 11.

Each party will comply with the Data Protection Laws applicable to its role and activities. Customer represents and warrants that it has the legal right and authority to Process Customer Data and to authorize k-12.cloud to Process Customer Data as described in this DPA, including by providing all required notices and obtaining all required consents and authorizations (such as parental consents and student-data agreements with the educational agency or institution served by Customer).

The liability of each party under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement, as if such exclusions and limitations were repeated here. To the extent of any conflict between this DPA and the Agreement, this DPA controls with respect to data-protection matters, and the Agreement otherwise controls.

This DPA is effective on the Effective Date and remains in force for as long as k-12.cloud Processes Customer Data on Customer’s behalf. Provisions that by their nature should survive termination will so survive.

Subject matter of Processing. Provision of managed cloud hosting Services to Customer, including provisioning, configuration, operation, monitoring, support, and (where applicable) backup of Environments.

Nature of Processing.Collection, storage, structuring, retrieval, transmission, hosting, and (in the event of a support request) review of Customer Data, all performed by Customer’s deployed software and by k-12.cloud platform components solely to deliver, secure, and support the Services.

Purpose of Processing. Performance of the Agreement, security of the Services, compliance with legal obligations, and incident response.

Categories of Data Subjects.Authorized Users and other personnel of Customer; billing and procurement contacts; and, where Customer’s deployed software processes such data: students, parents, guardians, alumni, employees, and other community members associated with Customer’s school, district, or organization.

Categories of Personal Data. Account identifiers, authentication tokens, contact information, activity and audit logs of platform actions; and, where present in Customer-deployed software: contact data, roster and enrollment records, academic and attendance records, communications, files and documents uploaded by Customer, and any other Personal Data Customer chooses to store within an Environment.

Special categories of data. k-12.cloud does not require or solicit special-category data. To the extent Customer chooses to Process special-category data within an Environment (for example, accommodations, health information, or other sensitive student data), Customer is responsible for ensuring an appropriate lawful basis and for any additional safeguards required by applicable law.

Duration of Processing. For the term of the Agreement, plus any post-termination retention period described in Section 11.

Frequency of transfers. Continuous, on demand.

Location of Processing. United States; or Canada where elected by Customer in an Order and supported by k-12.cloud.

k-12.cloud implements and maintains the following technical and organizational measures, taking into account the nature, scope, context, and purposes of Processing and the risk to Data Subjects.

B.1 Governance and risk management

• Written information-security program with a designated security owner.
• Annual review of policies, procedures, risks, and remediation plans.
• Vendor risk-management process applied to all Subprocessors, including review of their security certifications.

B.2 Access control

• Single sign-on through an enterprise identity provider for administrative access, with phishing-resistant multi-factor authentication.
• Role-based access control with least-privilege defaults; access rights are reviewed at least quarterly and removed promptly upon termination of employment or change of role.
• Production credentials and API tokens are stored in a managed secrets store and are not committed to source code; credentials are rotated on a defined schedule and on personnel changes.
• Access to Customer Data is logged with user, timestamp, and action; logs are retained for a minimum of one (1) year.

B.3 Network and host security

• Public endpoints are protected by managed TLS 1.2 or higher, with HSTS and modern cipher suites.
• Underlying cloud infrastructure is provided by a vendor certified to SOC 2 Type II and ISO 27001 standards.
• Production hosts are continuously patched and use container-runtime isolation; production deployments are restricted to images built from reviewed source.
• DNS and edge are routed through a managed CDN/DNS provider with DDoS protection.

B.4 Data protection

• All Customer Data is encrypted in transit using TLS 1.2 or higher.
• All Customer Data at rest on managed storage volumes and databases is encrypted at the disk and/or database layer using AES-256 or equivalent.
• Production database access is restricted to network-allowed services and identity-bound operators; ad-hoc data exports require ticketed approval.
• Backups (for production paid Environments) are encrypted at rest and retained for no more than ninety (90) days unless an Order specifies otherwise.

B.5 Change management and software development

• All changes to platform code are reviewed via pull request and tested by automated checks before deployment.
• Deployments are version-controlled and reversible.
• Dependencies are monitored for known vulnerabilities and patched on a risk-prioritized schedule.

B.6 Logging, monitoring, and incident response

• Platform telemetry and security-relevant events are centralized and monitored for anomalies.
• Documented incident-response runbook with defined severity levels, on-call rotation, and post-incident review process.
• Personal Data Breach notification within seventy-two (72) hours per Section 8 of this DPA.

B.7 Business continuity

• Production environments deployed on infrastructure that supports multi-zone redundancy at the platform layer.
• Documented restore procedures with periodic restoration tests.

B.8 Personnel

• All personnel with access to Customer Data are subject to written confidentiality obligations.
• Annual security and privacy awareness training, including FERPA and student-data handling for personnel who may access Customer Data on behalf of K-12 customers.

B.9 Subprocessor diligence

• Pre-engagement diligence on Subprocessors, including review of certifications and data-processing terms.
• Contractual commitments from Subprocessors that are no less protective than those in this DPA.

The following Subprocessors are engaged by k-12.cloud as of the Effective Date. k-12.cloud may add or replace Subprocessors in accordance with Section 6 of this DPA.

The list reflects Subprocessors used in connection with the k-12.cloud platform. Customer’s own deployed software may make use of additional third-party services that are not k-12.cloud Subprocessors; those engagements are the Customer’s responsibility.