Data Processing Agreement

1. Parties and Purpose

This Data Processing Agreement ("DPA") is entered into between:

Data Controller ("School"): The educational institution subscribing to KlassKeep services
Data Processor ("KlassKeep"): KlassKeep, operated by [Legal Entity], Kingston, PA 18704

This DPA supplements the KlassKeep Terms of Service and Privacy Policy, and governs the processing of Student Education Records and other personal data by KlassKeep on behalf of the School.

2. Definitions

Student Data	Any personally identifiable information (PII) from student education records as defined by FERPA (34 CFR § 99), including names, grades, attendance, behavior records, medical/allergy information, emergency contacts, and any other information entered into KlassKeep by the School.
Education Records	Records directly related to a student that are maintained by the School or by a party acting for the School, as defined under FERPA.
School Official	A party performing a service that the School would otherwise perform itself, under the direct control of the School regarding the use of education records (FERPA 34 CFR § 99.31(a)(1)).
Processing	Any operation performed on Student Data, including collection, storage, retrieval, use, transmission, and deletion.
Breach	Any unauthorized access to, disclosure of, or loss of Student Data.

3. Scope of Processing

3.1 Purpose Limitation

KlassKeep shall process Student Data solely for the following purposes:

Providing the school management platform services described in the Terms of Service
Storing and displaying student records (grades, attendance, behavior, skills, report cards)
Facilitating school-authorized communications between staff and parents
Generating academic reports and analytics as directed by the School
Maintaining platform security and audit logs

3.2 Prohibited Uses

KlassKeep shall NOT:

Sell, rent, or trade Student Data to any third party
Use Student Data for advertising, marketing, or profiling
Use Student Data to build commercial products or services unrelated to the School's educational purposes
Mine or analyze Student Data for purposes other than providing or improving the educational services
Disclose Student Data except as authorized by this DPA or required by law

4. FERPA Compliance

4.1 School Official Designation

The School designates KlassKeep as a "School Official" with a "legitimate educational interest" under FERPA (34 CFR § 99.31(a)(1)(i)). KlassKeep acknowledges that it:

Performs an institutional service or function for which the School would otherwise use its own employees
Is under the direct control of the School regarding the use and maintenance of education records
Uses education records only for authorized purposes
Meets the criteria set forth in the School's annual FERPA notification regarding school officials

4.2 Re-Disclosure Prohibition

KlassKeep shall not re-disclose Student Data to any third party without the School's prior written consent, except to sub-processors listed in Section 7 of this DPA, or as required by law.

4.3 Parent/Student Rights

KlassKeep will cooperate with the School in responding to parent or eligible student requests to inspect, review, amend, or delete education records, as required by FERPA.

5. Data Security

5.1 Security Measures

KlassKeep maintains the following security safeguards:

Encryption in transit: TLS/SSL (HTTPS) on all connections
Encryption at rest: AES-256 field-level encryption for sensitive credentials
Password hashing: Industry-standard one-way hashing (never stored in plaintext)
Access controls: Role-based permission system with 7 hierarchical roles and 50+ configurable permissions
Multi-tenant isolation: School data is logically separated at the application layer; all queries are scoped by school
Audit logging: All access to student records is logged with user identity, action, timestamp, and IP address
CSRF protection: Cross-site request forgery protection on all forms
Session management: Automatic session timeout (configurable by school)

5.2 Breach Notification

In the event of a Breach affecting Student Data, KlassKeep shall:

Notify the School within 72 hours of discovering the Breach
Provide a description of the nature of the Breach, including the categories and approximate number of records affected
Describe the measures taken or proposed to address the Breach
Cooperate with the School's investigation and notification obligations
Take immediate steps to contain and remediate the Breach

5.3 Incident Cooperation

KlassKeep shall assist the School in meeting its obligations under applicable breach notification laws, including providing information necessary for the School to notify affected parents and regulatory authorities.

6. Data Ownership and Return

6.1 Ownership

The School retains full ownership of all Student Data. KlassKeep acquires no rights to Student Data beyond those necessary to provide the contracted services.

6.2 Data Export

The School may request a complete export of its data at any time. KlassKeep will provide the export in standard formats (CSV and/or Excel) within 30 days of the request at no additional cost.

6.3 Data Deletion Upon Termination

Upon termination of the School's subscription or at the School's written request:

KlassKeep will provide the School an opportunity to export all data
Active data will be deleted within 30 days of the termination date or deletion request
Backup copies will be purged within 90 days
KlassKeep will provide written confirmation of data deletion

6.4 Survival

The obligations regarding data security, confidentiality, and deletion survive the termination of this DPA.

7. Sub-Processors

7.1 Current Sub-Processors

KlassKeep uses the following sub-processors:

Railway (Railway Corp)	Application hosting and PostgreSQL database — United States
Cloudflare (Cloudflare, Inc.)	DNS management and DDoS protection — United States
School-Configured SMTP	Email delivery via the School's own SMTP provider (configured by the School's administrator)

7.2 Sub-Processor Obligations

All sub-processors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.

7.3 Changes to Sub-Processors

KlassKeep will notify the School at least 30 days in advance of adding or replacing a sub-processor. The School may object to a new sub-processor by providing written notice within the 30-day period. If the objection cannot be resolved, the School may terminate the agreement.

8. School Responsibilities

The School agrees to:

Obtain any necessary consents or provide required notifications to parents regarding the use of KlassKeep
Ensure that the School's annual FERPA notification includes KlassKeep (or its category of service providers) as a school official
Maintain appropriate account security practices (strong passwords, account deactivation for departing staff)
Notify KlassKeep promptly if the School becomes aware of any unauthorized access to Student Data
Use KlassKeep only for legitimate educational purposes

9. Term and Termination

This DPA is effective upon the School's acceptance and remains in effect for the duration of the School's use of KlassKeep services. Either party may terminate this DPA:

By providing 30 days' written notice to the other party
Immediately if the other party materially breaches this DPA and fails to cure within 15 days of written notice

Upon termination, Section 6 (Data Ownership and Return) governs the handling of Student Data.

10. Governing Law and Disputes

This DPA is governed by the laws of the Commonwealth of Pennsylvania and applicable federal laws, including FERPA (20 U.S.C. § 1232g) and COPPA (15 U.S.C. §§ 6501-6506).

Any disputes arising under this DPA shall be resolved through good-faith negotiation. If a resolution cannot be reached within 30 days, either party may pursue remedies available under law.

Execute This Agreement

To execute this DPA or request modifications, please contact us:

KlassKeep Privacy Team

Email: privacy@klasskeep.com

Address: Kingston, PA 18704

We typically respond within 2 business days and can execute a DPA within one week.