Growing Standard standard DPA template
Student Data Privacy Agreement
Between Growing Standard LLC
and [District Name]
Service: Potato Class — K-12 math & reading platform (potatoclass.com)
Provider: Growing Standard LLC
LEA (District): [District Name, State]
Effective date: [MM / DD / YYYY]
Term: [e.g., 12 months, renewing annually]
This template follows the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement (NDPA) v1.0 structure. Fields marked [like this] are placeholders for district-specific information. Growing Standard will also sign state-specific SDPC variants and state-issued DPAs (CA, NY, CO, IL, TX, MA, NJ, WA, CT, etc.) on request.
Growing Standard LLC · privacy@potatoclass.com · growingstandard.com
Recitals
WHEREAS, the LEA and Provider entered or will enter into an agreement whereby Provider will deliver the Service to the LEA's educators and students; and
WHEREAS, in performing those services, Provider may receive or create, and LEA may provide, documents or data that are covered by the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g), Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506), and applicable state student data privacy laws;
NOW, THEREFORE, for good and valuable consideration, the parties agree as follows:
Article I — Purpose and Scope
§1.1 Purpose
This DPA governs the collection, use, disclosure, and protection of Student Data by Provider in connection with the Service.
§1.2 Order of precedence
If there is a conflict between this DPA and any other agreement between the parties, this DPA controls with respect to Student Data.
§1.3 Term
This DPA begins on the Effective Date and continues for the Term of the underlying service agreement, plus any period during which Provider retains Student Data.
Article II — Data Ownership and Authorized Access
§2.1 Ownership
All Student Data, including any derivative data or information, is and remains the property of the LEA. Provider holds no right, title, or interest in Student Data except the limited license to use it solely to deliver the Service under this DPA.
§2.2 Parental access
Provider will make Student Data reasonably available to parents, legal guardians, or eligible students as directed by the LEA, consistent with FERPA.
§2.3 No secondary use
Provider will not use Student Data for advertising, for targeted advertising, to sell or rent, to train generative models, or for any purpose other than providing the Service.
Article III — Duties of Provider
§3.1 Compliance
Provider will comply with FERPA, COPPA, and applicable state student data privacy laws.
§3.2 Data minimization
Provider will collect only the Student Data listed in Exhibit A and will collect no additional categories without written LEA approval.
§3.3 Subprocessors
Provider will use only the subprocessors listed in Exhibit B. Provider will notify LEA at least 30 days before adding a new subprocessor that handles Student Data.
§3.4 Training
Provider will provide annual privacy and security training to employees with access to Student Data.
Article IV — Data Security
§4.1 Safeguards
Provider will maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of Student Data. Safeguards include encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, regular vulnerability scanning, and annual penetration testing.
§4.2 Hosting
Student Data is hosted on Google Cloud Platform (Firebase) in US-region data centers certified to SOC 2 Type II and ISO 27001 (sub-processor certifications). Growing Standard LLC has not pursued SOC 2 Type II certification of its own application layer; Provider will engage an auditor when a customer contract requires it or when revenue justifies the engagement. See Exhibit B for complete subprocessor list.
§4.3 Audit
Growing Standard LLC has not pursued SOC 2 Type II certification of its own application layer; Provider will engage an auditor when a customer contract requires it or when revenue justifies the engagement. In the interim, Provider's compliance posture is demonstrated through (a) this DPA, (b) a HECVAT-Lite self-assessment (available on request), (c) quarterly admin-access reviews, (d) a documented incident-response runbook, and (e) a multi-state privacy addendum aligned with CA SOPIPA, NY Ed Law 2-D, IL SOPPA, TX, CO, CT, NJ, MD, and WA statutes. Provider will make its most recent SOC 2 attestation (or equivalent third-party report) available to LEA once issued. LEA may audit Provider's data-handling practices on reasonable written notice, not more than annually, at LEA's expense.
Article V — Data Breach
§5.1 Notification
Provider will notify LEA in writing within 72 hours of discovering any unauthorized acquisition, access, use, or disclosure of Student Data.
§5.2 Notice contents
Notice will include, to the extent known: the date of discovery; nature and scope of the incident; categories and approximate number of affected individuals; Provider's response and mitigation; and a point of contact for further information.
§5.3 Cooperation
Provider will cooperate with LEA's reasonable investigation and remediation efforts, and will cover reasonable costs of notification to affected individuals where Provider is responsible for the breach.
Article VI — Termination and Data Return/Destruction
§6.1 Termination for convenience
LEA may terminate this DPA at any time on 30 days' written notice, with or without cause.
§6.2 Data return
Within 14 days of a written request, Provider will export Student Data to LEA in CSV or JSON format.
§6.3 Data destruction
Within 30 days of termination or LEA's written deletion request, Provider will securely delete all Student Data from production systems. Backups taken before the deletion request retain a snapshot of the data for the duration of each backup lane's retention window — up to 7 days for Firestore Point-in-Time Recovery, 14 days for Firebase-managed daily snapshots, and 30 days for the project-isolated Google Cloud Storage export lane (which carries a bucket-level retention lock that cannot be expedited; this immutability is a load-bearing security control against credential-compromise destruction of recovery surfaces). All backup copies of deleted Student Data age out of all lanes within 30 days of the deletion request. Restore operations exclude any data that has been the subject of a deletion request. Purchase entitlement records (containing only user identifier and license flags, no Student Data) are retained to support purchase restoration.
§6.4 Certification
Provider will, on request, provide written certification that deletion has been completed.
Article VII — General Provisions
§7.1 Governing law
This DPA is governed by the laws of [State of LEA].
§7.2 Amendment
Any amendment to this DPA must be in writing and signed by authorized representatives of both parties.
§7.3 Severability
If any provision of this DPA is held invalid, the remainder continues in full force.
§7.4 Entire agreement
This DPA, together with the underlying service agreement, constitutes the entire agreement of the parties concerning Student Data.
Signatures
Growing Standard LLC (Provider)
Signature
Daniel Segal
Printed name
Founder
Title
Date
[District Name] (LEA)
Signature
[Name]
Printed name
[Title]
Title
Date
Exhibit A — Schedule of Data
Not collected: home address, phone number, date of birth, Social Security number, biometric data, health data, disciplinary records, free/reduced-lunch status.
Exhibit B — Subprocessors