Data Processing Agreement

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person, including student educational records
• "Processing" means any operation performed on Personal Data
• "Data Subject" means the individual to whom Personal Data relates, including students, parents, and educators
• "Educational Records" means records directly related to a student and maintained by an educational agency or institution
• "Sub-processor" means any third party engaged by ClassroomPulse to process Personal Data

2.1 Scope of Processing

ClassroomPulse processes Personal Data on behalf of the Customer for the following purposes:

• Providing behavior tracking and analysis services
• Generating reports and insights for educational purposes
• Facilitating communication between educators and parents
• Maintaining and improving the service
• Ensuring security and preventing fraud

2.2 Categories of Data

The types of Personal Data processed include:

• Student names and identifiers
• Behavioral observations and assessments
• Educational progress data
• Teacher and staff information
• Parent/guardian contact information
• Communication logs and notes

2.3 Data Subjects

• Students (including minors under 13)
• Parents and legal guardians
• Teachers and educational staff
• School administrators

ClassroomPulse shall:

1. Process Personal Data only on documented instructions from the Customer
2. Ensure that persons authorized to process Personal Data have committed to confidentiality
3. Implement appropriate technical and organizational measures to ensure security
4. Not engage Sub-processors without prior specific or general written authorization
5. Assist the Customer in responding to data subject requests
6. Assist the Customer in ensuring compliance with security obligations
7. Delete or return all Personal Data at the end of the service provision
8. Make available all information necessary to demonstrate compliance
9. Allow for and contribute to audits and inspections

4.1 Technical Measures

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for administrative access
• Regular security updates and patch management
• Intrusion detection and prevention systems
• Regular vulnerability scanning and penetration testing
• Secure backup and disaster recovery procedures

4.2 Organizational Measures

• Background checks for personnel with data access
• Regular security training for all staff
• Strict access controls and principle of least privilege
• Confidentiality agreements with all personnel
• Incident response and breach notification procedures
• Regular security audits and assessments

5.1 Authorized Sub-processors

The Customer agrees to the use of the following Sub-processors:

5.2 New Sub-processors

ClassroomPulse shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance.

ClassroomPulse shall assist the Customer in fulfilling data subject requests for:

• Access to Personal Data
• Rectification of inaccurate data
• Erasure of Personal Data ("right to be forgotten")
• Restriction of processing
• Data portability
• Objection to processing
• Rights related to automated decision-making

For FERPA compliance, ClassroomPulse acknowledges that:

• Parents have the right to inspect and review their child's education records
• Parents may request corrections to inaccurate records
• Schools must obtain written consent before disclosing personally identifiable information

If Personal Data is transferred outside the European Economic Area or the Customer's jurisdiction, ClassroomPulse shall:

• Ensure appropriate safeguards are in place (Standard Contractual Clauses)
• Only transfer data to countries with adequate protection levels
• Implement supplementary measures where necessary
• Maintain records of all international transfers

In the event of a Personal Data breach, ClassroomPulse shall:

1. Notify the Customer without undue delay and within 72 hours of becoming aware
2. Provide details about the nature of the breach, including:
   • Categories and approximate number of data subjects affected
   • Categories and approximate number of records concerned
   • Likely consequences of the breach
   • Measures taken or proposed to address the breach
3. Cooperate with the Customer in investigating the breach
4. Document all breaches and remediation efforts
5. Implement measures to prevent future breaches

The Customer has the right to:

• Request evidence of compliance with this DPA
• Conduct audits no more than once per year (unless required by law)
• Review ClassroomPulse's security certifications (SOC 2, ISO 27001)
• Receive copies of third-party audit reports

Audits shall be conducted:

• With at least 30 days' written notice
• During regular business hours
• In a manner that minimizes disruption
• Subject to confidentiality agreements

10.1 Retention Period

Personal Data shall be retained for:

• Active accounts: Duration of the service agreement
• Inactive accounts: 90 days after last activity
• Deleted accounts: 30 days (for recovery purposes)
• Backups: Maximum 1 year

10.2 Data Deletion

Upon termination of services, ClassroomPulse shall:

• Provide Customer with 30 days to export all data
• Delete or anonymize all Personal Data within 60 days
• Provide written certification of deletion
• Retain only data required by law

11.1 Limitation of Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations set forth in the Terms of Service.

11.2 Indemnification

ClassroomPulse shall indemnify the Customer against damages incurred by the Customer as a result of ClassroomPulse's breach of this DPA.

This DPA shall:

• Come into effect upon acceptance of the Terms of Service
• Remain in effect for the duration of the service agreement
• Automatically terminate upon termination of the Terms of Service
• Survive termination for provisions that by nature should survive

This DPA shall be governed by the laws of the State of Texas, United States, without regard to conflict of law principles. However, nothing in this DPA shall be construed to limit the applicability of data protection laws in the Customer's jurisdiction.