Data Processing Agreement
Between EasyClass AI and Educational Institution
Overview
This Data Processing Agreement ("DPA") forms part of the agreement between EasyClass AI ("Provider," "we," "us") and the educational institution executing this agreement ("School," "District," "Institution," "you") for the use of the EasyClass AI platform and services (the "Service").
This DPA reflects the parties' commitment to comply with applicable data protection laws, including the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and applicable state student privacy laws.
Provider Contact Information
- Privacy Office: privacy@easyclass.ai
- Support: support@easyclass.ai
- Website: https://easyclass.ai
Table of Contents
1. Definitions
"Education Records" means records directly related to a student that are maintained by an educational agency or institution, as defined by FERPA (34 CFR § 99.3).
"Student Data" means any information, in any format, that is directly related to an identifiable current or former student, including but not limited to Education Records, Personally Identifiable Information (PII), metadata, and user-generated content.
"Personally Identifiable Information (PII)" means information that can be used to distinguish or trace an individual's identity, either directly or indirectly, through linkages with other information.
"School Official" means a contractor, consultant, volunteer, or other party to whom an educational agency or institution has outsourced institutional services or functions, as described in 34 CFR § 99.31(a)(1).
"Service" means the EasyClass AI educational technology platform and all related services.
"Authorized Users" means teachers, administrators, and staff of the Institution who are authorized to use the Service.
"De-identified Data" means data that has been stripped of all direct and indirect identifiers and from which no reasonable person could identify an individual student.
2. Scope and Purpose
2.1 Purpose Limitation
Provider shall use Student Data solely for the purpose of providing the Service to Institution, including:
- Enabling teachers to create and share educational content
- Collecting and storing student assessment responses
- Providing AI-assisted grading and feedback
- Generating educational reports and analytics for teachers
- Integrating with Institution's learning management systems
2.2 Legitimate Educational Interest
Provider acts as a School Official with a legitimate educational interest in Student Data. Provider's use of Student Data is limited to the educational purposes specified in this Agreement.
2.3 Prohibited Uses
Provider shall NOT:
- Sell Student Data to any third party
- Use Student Data for targeted advertising
- Use Student Data to create marketing profiles
- Share Student Data with third parties except as specified in this Agreement
- Use Student Data for any purpose other than providing the Service
3. Student Data Elements
3.1 Data Collected
Provider collects and processes the following categories of Student Data:
| Category | Data Elements | Purpose |
|---|---|---|
| Identifiers | Student name (as entered) | Identify student work to teacher |
| Academic Work | Responses to quizzes, assignments, assessments | Educational assessment |
| Performance Data | Scores, grades, completion status | Academic evaluation |
| Technical Data | Hashed IP address, submission timestamp | Duplicate detection, audit trail |
3.2 Data NOT Collected
Provider does NOT collect:
- Social Security numbers
- Student email addresses (not required)
- Home addresses or phone numbers
- Biometric data
- Financial information
- Health records
- Precise geolocation
- Behavioral tracking or advertising identifiers
3.3 Complete Data Inventory
See Exhibit A for a complete inventory of data elements collected.
4. Use of Student Data
4.1 Permitted Uses
Provider may use Student Data only to:
- Provide the Service functionality
- Store and display student work to authorized teachers
- Process student work through AI grading (with anonymization)
- Generate reports for teachers and administrators
- Maintain and improve the security of the Service
- Comply with legal obligations
4.2 AI Processing
When Student Data is processed by artificial intelligence systems:
- Student names are removed before AI processing
- AI providers have Zero Data Retention (ZDR) enabled
- AI does not learn from or retain student submissions
- Only the submission content is processed, not personal identifiers
4.3 Anonymization and Aggregation
Provider may create De-identified Data or aggregated statistics that cannot identify individual students. Such data is not considered Student Data under this Agreement.
5. Data Security
5.1 Security Program
Provider maintains a comprehensive security program including:
Technical Safeguards
- • Encryption in transit (TLS 1.2+)
- • Encryption at rest (AES-256)
- • Row-level security
- • Secure authentication
- • Regular security updates
Organizational Safeguards
- • Limited employee access
- • Background checks
- • Security awareness training
- • Incident response procedures
Physical Safeguards
- • SOC 2 compliant data centers
- • 24/7 monitoring
- • Redundant systems
- • Secure backups
5.2 Access Controls
- Only Authorized Users can access their own students' data
- Provider employees access production data only when necessary for support
- All access is logged and auditable
5.3 Security Measures
See Exhibit B for detailed security measures.
6. Subprocessors
6.1 Authorized Subprocessors
Provider uses the following subprocessors to provide the Service:
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database and authentication | All Service data | United States |
| OpenRouter | AI processing | Anonymized student work | United States |
| Netlify | Application hosting | Server logs only | United States |
| Stripe | Payment processing | Teacher billing only | United States |
6.2 Subprocessor Obligations
All subprocessors are contractually bound to:
- Process data only as instructed
- Maintain appropriate security measures
- Not further subcontract without authorization
- Delete data upon termination
6.3 Changes to Subprocessors
Provider will notify Institution at least 30 days before adding new subprocessors. Institution may object to new subprocessors by providing written notice.
6.4 Complete Subprocessor List
See Exhibit C for the complete list of subprocessors.
7. Data Retention and Deletion
7.1 Retention Periods
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Student responses | 90 days from submission | Automatic deletion |
| Assessment content | Until teacher deletes | Manual or account deletion |
| Teacher accounts | Until account deletion | 30 days after deletion request |
| Server logs | 90 days | Automatic rotation |
| Backups | 30 days | Automatic expiration |
7.2 Early Deletion
Teachers may delete student data at any time through the Service interface. Institution administrators may request bulk deletion by contacting privacy@easyclass.ai.
7.3 Deletion Upon Termination
Upon termination of this Agreement:
- All Student Data will be deleted within 30 days
- Institution may request data export before deletion
- Provider will certify deletion upon request
8. Access and Correction
8.1 Parent and Student Rights
Provider supports Institution's obligations to provide parents and eligible students:
- Access to their Student Data
- The ability to correct inaccurate data
- Information about third-party access
8.2 Access Requests
Access requests should be directed to the student's teacher, who can:
- View all student data in the Service
- Export student data
- Delete student data
- Correct student information
8.3 Provider Assistance
Provider will assist Institution in responding to parent requests within 5 business days.
9. Breach Notification
9.1 Definition
A "Security Breach" means any unauthorized access, acquisition, use, or disclosure of Student Data that compromises the security, confidentiality, or integrity of the data.
9.2 Notification Timeline
Upon discovering a Security Breach affecting Institution's Student Data, Provider will:
| Action | Timeline |
|---|---|
| Initial notification to Institution | Within 72 hours |
| Detailed incident report | Within 7 days |
| Final report with remediation | Within 30 days |
9.3 Notification Contents
Breach notifications will include:
- Nature and scope of the breach
- Types of data affected
- Number of students affected (if known)
- Actions taken to contain the breach
- Steps to prevent future incidents
- Contact information for questions
9.4 Cooperation
Provider will cooperate with Institution's investigation and notification obligations, including providing information needed for Institution to notify affected individuals and regulatory authorities.
10. FERPA Compliance
10.1 School Official Designation
Provider is designated as a School Official under FERPA, with a legitimate educational interest in Student Data necessary to provide the Service.
10.2 Direct Control
Institution retains direct control over the use of Education Records. Provider will:
- Use Education Records only for authorized purposes
- Not disclose Education Records except as permitted
- Return or destroy Education Records upon request
10.3 Annual Notification
Institution may include Provider in its annual FERPA notification to parents as a School Official with access to Education Records.
10.4 Re-disclosure Prohibition
Provider will not re-disclose Student Data except as required by law or with Institution's written consent.
11. COPPA Compliance
11.1 Consent Model
Provider relies on Institution to provide consent on behalf of parents for the collection of personal information from students under 13, pursuant to COPPA's school consent exception.
11.2 Institution Representation
Institution represents that it has the authority to consent on behalf of parents and will obtain any additional consents required by law.
11.3 Data Minimization
Provider collects only the minimum data necessary to provide the Service. Students are not required to provide email addresses or other contact information.
11.4 No Behavioral Advertising
Provider does not engage in behavioral advertising to students. No tracking technologies are used on student-facing pages.
12. State Law Compliance
12.1 General Commitment
Provider commits to comply with applicable state student privacy laws, including but not limited to:
- California Student Online Personal Information Protection Act (SOPIPA)
- New York Education Law 2-d
- Colorado Student Data Transparency and Security Act
- Other applicable state laws
12.2 Specific Provisions
Provider agrees to:
- Not use Student Data to engage in targeted advertising
- Not create student profiles except for educational purposes
- Implement reasonable security procedures
- Delete Student Data upon request
- Provide transparency about data practices
12.3 State-Specific Addenda
If required by state law, Provider will execute additional state-specific addenda.
13. Audit Rights
13.1 Institution Audit
Upon reasonable notice, Institution may audit Provider's compliance with this Agreement through:
- Review of Provider's security documentation
- Questionnaires and certifications
- Third-party audit reports (SOC 2 or equivalent)
- On-site inspection (with 30 days' notice, during business hours)
13.2 Provider Certifications
Provider will provide upon request:
- Annual certification of FERPA compliance
- Security assessment summaries
- Incident reports (if any)
- Updated subprocessor lists
13.3 Audit Costs
Each party bears its own costs for audits, unless the audit reveals material non-compliance by Provider.
14. Data Return and Destruction
14.1 Upon Termination
Upon termination of this Agreement or the Service:
Data Export
- • Institution may request export of all Student Data
- • Export will be provided in machine-readable format (JSON)
- • Export must be requested within 30 days of termination
Data Destruction
- • Provider will delete all Student Data within 30 days
- • Deletion includes backups (within backup rotation cycle)
- • Provider will certify destruction upon request
14.2 Survival
Student Data in active backups will be deleted according to normal backup rotation schedules, not to exceed 90 days.
15. Term and Termination
15.1 Term
This DPA is effective upon execution and continues for the duration of Institution's use of the Service.
15.2 Termination for Breach
Either party may terminate this Agreement if the other party materially breaches and fails to cure within 30 days of written notice.
15.3 Termination for Convenience
Institution may terminate this Agreement at any time by discontinuing use of the Service and providing written notice.
15.4 Survival
Sections 7, 9, 14, 15, and 16 survive termination of this Agreement.
16. General Provisions
16.1 Entire Agreement
This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding Student Data.
16.2 Amendments
This DPA may be amended only by written agreement of both parties, except that Provider may update Exhibits to reflect changes in subprocessors or security measures with 30 days' notice.
16.3 Governing Law
This Agreement is governed by the laws of the state in which Institution is located, except for conflicts of law provisions.
16.4 Assignment
Neither party may assign this Agreement without the other's consent, except that Provider may assign to a successor in the event of a merger or acquisition.
16.5 Severability
If any provision is found unenforceable, the remaining provisions remain in effect.
16.6 Notices
Notices under this Agreement shall be sent to:
- Provider: privacy@easyclass.ai
- Institution: Contact specified on signature page
17. Signatures
This Data Processing Agreement is entered into as of the date last signed below.
Provider: EasyClass AI
Signature
Joshua Riggs
Name
Joshua Riggs
Title
Founder
Date
December 27, 2025
Institution
Institution Name
City, State
Signature
Name
Title
Date
Email for Notices
Exhibit A: Data Elements
Complete Student Data Inventory
| Data Element | Collected | Purpose | Retention |
|---|---|---|---|
| Student Name | Yes | Identify work | 90 days |
| Student Identifier (optional) | Yes | Teacher reference | 90 days |
| Quiz Responses | Yes | Assessment | 90 days |
| Assignment Answers | Yes | Assessment | 90 days |
| Spiral Review Responses | Yes | Assessment | 90 days |
| Scores/Grades | Yes | Evaluation | 90 days |
| Submission Timestamp | Yes | Audit trail | 90 days |
| Hashed IP Address | Yes | Duplicate detection | 90 days |
| Student Email | No | - | - |
| Home Address | No | - | - |
| Phone Number | No | - | - |
| Date of Birth | No | - | - |
| Social Security Number | No | - | - |
| Biometric Data | No | - | - |
| Health Information | No | - | - |
| Financial Information | No | - | - |
Teacher/Administrator Data
| Data Element | Collected | Purpose |
|---|---|---|
| Email Address | Yes | Account authentication |
| Full Name | Yes | Display name |
| School Name | Optional | Context |
| Grade Levels | Yes | Content personalization |
| Subject Areas | Yes | Content personalization |
| Payment Information | Pro users | Billing (via Stripe) |
Exhibit B: Security Measures
Technical Security Controls
| Control | Implementation |
|---|---|
| Encryption in Transit | TLS 1.2+ for all connections |
| Encryption at Rest | AES-256 database encryption |
| Authentication | Secure password hashing (bcrypt), optional 2FA |
| Authorization | Row-level security, role-based access |
| Network Security | Firewall, DDoS protection |
| Vulnerability Management | Regular security updates, dependency scanning |
| Logging and Monitoring | Security event logging, anomaly detection |
| Backup | Daily encrypted backups, 30-day retention |
Organizational Security Controls
| Control | Implementation |
|---|---|
| Access Management | Least privilege, regular access reviews |
| Employee Training | Annual security awareness training |
| Incident Response | Documented incident response plan |
| Vendor Management | Security assessment of subprocessors |
| Change Management | Controlled deployment process |
Infrastructure Security
| Component | Provider | Certifications |
|---|---|---|
| Database | Supabase | SOC 2 Type II |
| Hosting | Netlify | SOC 2 Type II |
| AI Processing | OpenRouter | Security reviewed |
| Payments | Stripe | PCI DSS Level 1 |
Exhibit C: Subprocessors
Current Subprocessors
| Subprocessor | Service | Data Processed | Location | Security |
|---|---|---|---|---|
| Supabase, Inc. | Database, Authentication | All user and student data | United States | SOC 2 Type II |
| Netlify, Inc. | Application Hosting | Server logs, application data | United States | SOC 2 Type II |
| OpenRouter | AI Processing | Anonymized student work (no names) | United States | ZDR enabled |
| Stripe, Inc. | Payment Processing | Teacher billing information only | United States | PCI DSS Level 1 |
| Resend | Email Delivery | Teacher email addresses only | United States | SOC 2 |
| Google LLC | Classroom Integration | As authorized by user | United States | ISO 27001, SOC 2 |
Subprocessor Updates
Provider will notify Institution of any changes to this list at least 30 days before the change takes effect.
Last Updated: December 28, 2025
Quick Reference
| Topic | Information |
|---|---|
| Privacy Contact | privacy@easyclass.ai |
| Support Contact | support@easyclass.ai |
| Data Deletion Request | privacy@easyclass.ai |
| Breach Notification | Within 72 hours |
| Data Retention | 90 days (student data) |
| Subprocessor Changes | 30 days notice |
This Data Processing Agreement is effective as of the date signed by both parties.