Schooligio.ai — Data Processing Agreement (DPA) Template

Effective Date: ____________________

Between:

Controller: [Insert School/Institution Name], [School Address]

Processor: Schooligio.ai, operated by [Your Legal Entity Name], [Your Address]

1. Purpose

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of Schooligio.ai’s college and career counseling platform. The Processor shall process personal data only in accordance with this DPA, the Controller’s documented instructions, and applicable laws including FERPA, GDPR, and COPPA.

2. Definitions

Personal Data: Information relating to an identified or identifiable person (including student, parent, or staff data).
Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).
Subprocessor: A third party engaged by the Processor to process personal data.

3. Data Processing Obligations

  • Process personal data only on documented instructions from the Controller.
  • Do not sell, rent, or use personal data for advertising or profiling.
  • Ensure personnel with access are bound by confidentiality obligations.
  • Implement security measures including encryption at rest (AES‑256) and in transit (TLS 1.2+).
  • Use role‑based access control and multi‑factor authentication for administrative access.
  • Segregate Controller data from other clients’ data and apply least‑privilege access.

4. Subprocessing

The Processor may engage Subprocessors (e.g., AWS, Bubble.io) only with prior written consent from the Controller. The Processor shall maintain a list of approved Subprocessors and notify the Controller of changes. Subprocessors must be bound by data protection terms no less protective than this DPA.

5. Data Subject Rights

The Processor shall assist the Controller in responding to requests under FERPA and GDPR (access, correction, deletion, portability) and process them within the applicable timelines (GDPR: 30 days; FERPA: within a reasonable time, not to exceed 45 days).

6. Security Incidents

The Processor shall notify the Controller without undue delay—and within 72 hours for GDPR‑regulated data—upon becoming aware of a personal data breach, including the nature of the breach, affected categories, and mitigation steps.

7. Data Retention & Deletion

Upon termination of services, the Processor shall delete or return all personal data to the Controller within 30 days, unless retention is required by law. Backups containing personal data shall be securely destroyed within 90 days.

8. International Transfers

Transfers of personal data outside the Controller’s jurisdiction shall be subject to appropriate safeguards, including the EU/UK Standard Contractual Clauses (SCCs) where required.

9. Audit Rights

Upon reasonable notice, the Controller may request evidence of compliance (e.g., security summaries, certifications) and conduct an audit (on‑site or remote) under appropriate confidentiality obligations.

10. Governing Law

This DPA is governed by the laws of [Insert Jurisdiction], unless otherwise required by applicable data protection laws.

11. Signatures

For the Controller (School)
Name: ____________________
Title: ____________________
Signature: ________________
Date: _____________________

For the Processor (Schooligio.ai)
Name: ____________________
Title: ____________________
Signature: ________________
Date: _____________________