Data Privacy Agreement

What this is

A Data Privacy Agreement (DPA) — sometimes called an SDPA or student-data privacy agreement — is the contract between a school district and a technology vendor that governs how student data is collected, used, protected, and deleted. In K12, this is non-negotiable: no responsible district signs up for a service that touches student data without one on file.

We've chosen the National Data Privacy Agreement (NDPA), v1r6, published by the Student Data Privacy Consortium. It is the de-facto national standard, accepted by every state that publishes a DPA requirement, and we sign it as-is — no vendor redlines, no watered-down deletion commitments, no opt-outs from breach-notification requirements.

How adoption works

1. Download our pre-signed NDPA. We've filled in Exhibit A (services covered), Exhibit E (general offer of privacy terms), and Exhibit H (our subprocessor list). Our signature is already on the page.
   Download NDPA (coming soon)
2. Add your district's info. Fill in the cover page and Exhibit C (district contact). If your state requires a specific exhibit, download it from the state grid below and attach it.
3. Counter-sign and return. Email the signed PDF to [email protected]. We'll counter-sign within 24 business hours and return a fully-executed copy with a signed certificate.
4. Or: adopt directly from the SDPC Registry. Once our listing is live, your district can adopt our NDPA via sdpc.a4l.org — the industry registry many states accept as binding without a separate signing exchange.

State-specific exhibits

Most states require additions to the base NDPA — specific breach-notification windows, parent-access rights, retention schedules, etc. We've pre-signed the exhibits for the states where we have active districts or frequent inquiries. If your state isn't listed, email us — adding one typically takes 48 hours.

Each state exhibit will be available individually once legal review clears. Need a state not listed? Email [email protected].

Subprocessors

Our complete, always-current list of subprocessors lives at supportstudiok12.com/legal/subprocessors. It's a live page (not a PDF frozen at signing time), so it stays accurate as we add or remove vendors. The NDPA's Exhibit H points at this URL — meaning you always see the current state, not whatever was true the day you signed.

View subprocessor list

Commitments we make in the NDPA

Without watering any of them down:

• Data minimization. We only collect what's needed to run the help desk — no advertising profiles, no behavior tracking.
• No secondary use. Student data is never used to train AI, improve unrelated products, or build marketing profiles.
• No data selling. Ever. This isn't just a contract term — it's a business model choice.
• Breach notification within the window your state requires (typically 30-60 days; some states require 72 hours for major incidents).
• Deletion on termination. All tenant data including backups deleted within the window your DPA specifies (default 30-90 days). A final export is offered before the clock starts.
• Parent/student access rights. We'll provide any individual's records on request through the district, within statutory timelines.
• Security controls. Encryption in transit and at rest, tenant isolation, rate limiting, audit logging, backups with 30-day retention.

Questions

DPA-related questions: [email protected]

General privacy inquiries: see our privacy policy and AI policy.

Service uptime and response-time commitments: see our Service Level Agreement.

Your district's tech staff can also reach us through the feedback form inside the help desk itself — platform feedback routes to the super-admin inbox.