Data Processing Agreement
Last updated: May 1, 2026
1. Parties and Scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between My Academy HQ (“Processor”) and the school or school district (“Controller”) that subscribes to the My Academy HQ platform (“Service”). This DPA governs the processing of student data and other personal information that the Controller provides to the Processor through the Service.
This DPA is intended to satisfy the requirements of state student data privacy laws, including but not limited to the Illinois Student Online Personal Protection Act (SOPPA), New York Education Law § 2-d, the California Student Online Personal Information Protection Act (SOPIPA), and similar statutes, as well as the Family Educational Rights and Privacy Act (FERPA).
2. Definitions
- Student Data: Any personally identifiable information (PII) from student education records as defined by FERPA, as well as any information that identifies or is linked to a student and is provided to the Processor through the Service.
- School Data: All data provided by the Controller to the Service, including Student Data, staff data, family data, and operational data.
- Processing: Any operation performed on School Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor: A third-party service provider engaged by the Processor to process School Data on behalf of the Controller.
3. Data Ownership
The Controller retains full ownership and control of all School Data, including Student Data. The Processor is a custodian of School Data and processes it only on behalf of and as directed by the Controller. The Processor acquires no rights to School Data beyond those necessary to provide the Service.
4. Purpose Limitation
The Processor processes School Data solely for the purpose of providing the Service as described in the Terms of Service. The Processor does not:
- Use Student Data for targeted advertising, behavioral profiling, or marketing of any kind.
- Sell, rent, or trade Student Data to any third party.
- Use Student Data to build commercial profiles of students or families.
- Use Student Data for any purpose unrelated to the educational service provided to the Controller.
- Use Student Data to train machine learning or artificial intelligence models.
5. Categories of Data Processed
The Processor may process the following categories of data as directed by the Controller:
- Student identifiers (names, dates of birth, enrollment information, class assignments)
- Parent/guardian identifiers (names, email addresses, phone numbers, mailing addresses)
- Staff identifiers (names, email addresses, roles)
- Educational records (attendance, assessments, observations, progress reports, portfolios, behavior records, daily reports)
- Health-related information entered by the school (as configured by the Controller)
- Financial records (invoices, payments, tuition schedules)
- Communications (in-app chat messages, newsletter content)
- Uploaded files (photos, documents, signed agreements)
- Electronic signature metadata (IP address, user agent, timestamps)
6. Security Measures
The Processor implements and maintains reasonable administrative, technical, and physical safeguards to protect School Data, including:
- Encryption of data in transit (TLS 1.2+).
- Encryption of data at rest in the database and file storage.
- Role-based access controls ensuring each school's data is logically isolated and accessible only to that school's authorized users.
- Secure authentication with hashed passwords and session-based access controls.
- Audit logging of administrative actions within the Service.
- Rate limiting and bot protection on public-facing endpoints.
7. Sub-processors
The Processor uses the following categories of sub-processors. Each sub-processor is contractually bound to process data only as necessary to provide services to the Processor and to maintain appropriate security measures:
- Vercel: Application hosting, serverless compute, and file storage (United States).
- Neon: PostgreSQL database services (United States).
- Stripe: Payment processing (PCI-DSS compliant).
- Anthropic: AI-assisted content generation for optional teacher tools (observation drafts, portfolio captions, charter document extraction). Data is not retained beyond API request duration.
- Telnyx: SMS delivery for two-factor authentication codes, app install links, school invoice and meeting reminders, and the one-time transactional invite SMS sent alongside the email invite.
- Firebase Cloud Messaging (Google): Push notification delivery.
- Centrifugo: Real-time messaging delivery for in-app chat.
- Cloudflare: Bot protection on public forms.
- SMTP provider: Transactional email delivery (the school may configure its own provider).
The Processor will notify the Controller at least thirty (30) days before engaging a new sub-processor that processes Student Data. The Controller may object to a new sub-processor by providing written notice within the 30-day period. If the objection cannot be resolved, the Controller may terminate the agreement.
8. Data Breach Notification
In the event of a security breach affecting School Data, the Processor will:
- Notify the Controller within seventy-two (72) hours of confirming the breach.
- Provide a description of the breach, the categories and approximate number of records affected, the likely consequences, and the remedial measures taken.
- Cooperate with the Controller to fulfill notification obligations to parents, students, and regulatory authorities under applicable laws.
- Take immediate steps to contain and remediate the breach.
9. Data Retention and Deletion
The Processor retains School Data for the duration of the Controller's subscription. Upon termination or expiration of the agreement:
- The Controller may export School Data in structured, machine-readable formats (CSV, JSON) during a thirty (30) day post-termination window.
- The Processor permanently deletes School Data from active systems within thirty (30) days of the end of the retention window.
- Backup systems may retain encrypted copies for up to ninety (90) additional days before automatic purging.
- Billing records may be retained for seven (7) years as required by tax and accounting regulations.
The Controller may request deletion of specific Student Data at any time during the subscription by contacting contact@myacademyhq.com. The Processor will fulfill such requests within thirty (30) days.
10. Data Location
All School Data is stored on servers located in the United States. The Processor does not intentionally transfer School Data outside the United States.
11. Controller Rights
The Controller retains the right to:
- Access, inspect, and export School Data at any time through the Service's administrative tools.
- Request information about the Processor's data protection practices, security measures, and sub-processor arrangements.
- Request deletion of Student Data at any time.
- Direct the Processor regarding the handling of School Data, within the capabilities of the Service.
- Receive notice of material changes to the Processor's data processing practices, security measures, or sub-processor list.
12. FERPA Compliance
The Processor functions as a “school official” with a “legitimate educational interest” under FERPA. The Processor:
- Uses student education records solely to provide the Service as directed by the Controller.
- Does not disclose student education records to third parties except as directed by the Controller, required by law, or permitted by FERPA.
- Does not use student education records for advertising, marketing, profiling, or any non-educational purpose.
- Returns or deletes student education records upon termination, subject to the data retention provisions in Section 9.
- Maintains reasonable safeguards to protect student education records from unauthorized access, disclosure, or misuse.
13. Governing Law
This DPA is governed by the same governing law provisions as the Terms of Service. To the extent that any provision of this DPA conflicts with the Terms of Service, this DPA takes precedence with respect to the processing of Student Data.
14. Execution
This DPA is incorporated by reference into the Terms of Service and takes effect upon the Controller's use of the Service. For schools and school districts that require a separately executed copy of this DPA or a state-specific addendum (such as the SDPC National Data Privacy Agreement), please contact us at contact@myacademyhq.com to arrange execution.