Data Processing Agreement

Standard form · Last updated May 3, 2026

Parties

This Data Processing Agreement (the "Agreement") is entered into between:

• Tag-a-Tutor, operated by Jack Cleveland, an individual sole-proprietorship located in Dallas, Texas (the "Provider"); and
• The educational institution identified in the signature block below (the "School").

Provider and School are each a "Party" and collectively the "Parties." This Agreement governs the Provider's processing of student, teacher, and parent data on behalf of the School in connection with the Tag-a-Tutor peer-tutoring platform (the "Service").

1. Definitions

• "Education Records" has the meaning given in the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations at 34 CFR Part 99 ("FERPA").
• "Student Data" means any personally identifiable information ("PII") about a student, including Education Records, that is provided by the School to the Provider, or generated by a student through use of the Service.
• "School Data" means Student Data plus any other PII about the School's teachers, staff, and parents that the Provider processes on the School's behalf.
• "Subprocessor" means any third party engaged by the Provider to process School Data.
• "COPPA" means the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, and its implementing regulations.

2. Roles and FERPA Designation

2.1. The School is the "educational agency or institution" with respect to all Education Records held in the Service. The Provider acts as the School's service provider with respect to all School Data.

2.2. The School designates the Provider as a "school official" with a "legitimate educational interest" in Education Records under 34 CFR § 99.31(a)(1)(i)(B). The Provider:

• performs an institutional service or function for which the School would otherwise use its own employees;
• is under the direct control of the School with respect to the use and maintenance of Education Records; and
• is subject to the requirements of 34 CFR § 99.33(a) governing the use and redisclosure of PII from Education Records.

2.3. Data ownership. All School Data is and remains the property of the School. The Provider acquires no rights in School Data other than the limited license to process it as set forth in this Agreement.

3. Permitted and Prohibited Uses

3.1. The Provider shall process School Data only:

• to provide the Service to the School and its authorized users;
• to maintain, secure, and improve the Service in ways that do not involve identifying any individual student;
• to comply with the Provider's legal obligations; and
• as otherwise expressly instructed in writing by the School.

3.2. The Provider shall not:

• sell, rent, or trade School Data;
• use School Data, or any data derived from it, for behavioral advertising, targeted advertising, or building advertising profiles;
• use School Data to train artificial-intelligence or machine-learning models that are made available to anyone other than the School;
• redisclose PII from Education Records, except as authorized by the School in writing or as required by valid legal process; or
• permit any individual at the Provider to access School Data except as needed to deliver the Service or fulfill the School's instructions.

4. COPPA Authorization (for Students Under 13)

4.1. The School represents that it has authority to provide consent on behalf of parents for its students' use of online educational services, consistent with FTC guidance for school-authorized educational technology.

4.2. The School authorizes the Provider to collect and process the categories of Student Data identified in Schedule A from students under 13, solely for educational purposes within the Service.

4.3. The Provider will not knowingly collect any data from students under 13 beyond what is described in Schedule A, and will not use such data for any purpose other than providing the Service to the School.

5. Subprocessors

5.1. The Provider engages the following Subprocessors to deliver the Service:

5.2. The Provider will give the School at least 30 days' written notice before adding or replacing a Subprocessor. The School may object on reasonable grounds; if the Parties cannot resolve the objection in good faith, the School may terminate this Agreement without penalty under Section 10.

5.3. The Provider will impose written obligations on each Subprocessor that are no less protective of School Data than those in this Agreement.

6. Security

6.1. The Provider will maintain administrative, physical, and technical safeguards reasonably designed to protect School Data, including at minimum:

• HTTPS/TLS encryption for all connections to the Service;
• encryption at rest for all School Data stored in the production database;
• one-way salted password hashing for any user passwords;
• session cookies flagged Secure, HttpOnly, and SameSite;
• storage of all secrets (database credentials, API keys, OAuth secrets) as encrypted environment variables, separate from source code;
• access controls limiting production-system access to named operators using personal credentials and, where supported, two-factor authentication;
• routine logical separation of one school's data from another via a tenant identifier on every record.

6.2. The Provider will conduct an internal security review of the Service at least annually and address any material findings.

7. Breach Notification

7.1. The Provider will notify the School's designated security contact (Schedule B) in writing within 72 hours of confirming a Security Incident affecting the School's data. "Security Incident" means any unauthorized access to, acquisition of, disclosure of, loss of, or destruction of School Data.

7.2. The notification will include, to the extent known: the nature of the incident, the categories and approximate number of records affected, the likely consequences, the steps the Provider has taken or will take to mitigate, and a designated point of contact for further questions.

7.3. The Provider will reasonably assist the School in fulfilling any parent, regulatory, or legal-notice obligations arising from the incident, at the Provider's cost where the Provider was the source of the incident.

8. Parent and Student Rights

8.1. The Provider will support the School in fulfilling parents' rights under FERPA and COPPA, including the rights to inspect, review, correct, and delete Education Records and information collected from students under 13.

8.2. The Provider will respond to such requests, when received directly, by either (a) directing the requester to the School, or (b) processing the request as instructed by the School. The Provider will complete School-instructed access, correction, and deletion requests within 30 days of receipt.

9. Data Retention and Return

9.1. During the term of this Agreement, the Provider will retain School Data only for as long as needed to provide the Service.

9.2. Upon termination of this Agreement, and on the School's written request:

• within 30 days, the Provider will export all of the School's tenant data to the School in machine-readable form (CSV or JSON);
• within 60 days following termination (or such longer period as the School and Provider agree in writing), the Provider will permanently delete all School Data from production systems and from any backups, except where retention is required by applicable law;
• the Provider will, on request, certify in writing that the deletion has been completed.

10. Term, Termination, Survival

10.1. This Agreement begins on the date of last signature below and continues until the School ceases to use the Service or the Parties otherwise agree in writing.

10.2. Either Party may terminate this Agreement for material breach by the other Party that is not cured within 30 days of written notice. The School may also terminate this Agreement under Section 5.2 (Subprocessor objection).

10.3. Sections 3 (Permitted Uses), 6 (Security), 7 (Breach Notification), 8 (Rights), 9 (Retention and Return), 11 (Liability), and 13 (Governing Law) survive termination of this Agreement.

11. Liability

11.1. Each Party will indemnify the other against third-party claims to the extent caused by the indemnifying Party's breach of this Agreement, subject to the limitations set forth in any separate services agreement between the Parties.

11.2. Neither Party will be liable for indirect, incidental, special, consequential, or punitive damages arising out of this Agreement, except for breaches of confidentiality, the prohibitions in Section 3.2, or willful misconduct.

12. Audit and Cooperation

12.1. Once per year, on reasonable advance notice and during business hours, the School (or a qualified third-party auditor it engages, subject to confidentiality obligations) may review the Provider's policies, procedures, and reasonable evidence of compliance with this Agreement, at the School's cost.

12.2. The Provider will reasonably cooperate with regulatory or governmental inquiries that relate to its processing of School Data on the School's behalf.

13. Governing Law and Disputes

13.1. This Agreement is governed by the laws of the State of Texas, without regard to its conflict-of-law principles, except where the School is a public agency in another U.S. state, in which case the laws of that state govern.

13.2. The Parties agree to attempt to resolve any dispute through good-faith negotiation before initiating formal proceedings.

14. Order of Precedence

If there is a conflict between this Agreement and any other agreement between the Parties (including the Tag-a-Tutor Terms of Service or Privacy Policy), this Agreement controls with respect to the processing of School Data.

15. Modification

This Agreement may be modified only by a written amendment signed by both Parties. The Provider may update Schedule A or Schedule B by written notice with the School's reasonable consent (not to be unreasonably withheld).

Schedule A — Categories of School Data Processed

• Student account data: name, school email address, profile picture URL (from Google sign-in), grade level, free blocks/periods, subjects offered or sought, optional bio, optional availability/blocked dates.
• Teacher account data: name, school email address, profile picture URL, role within school.
• Parent account data: email address, hashed password, child's name, optional child notes, school identifier.
• Activity data: tutoring session bookings (date, time, subject, location, notes), session ratings and reviews, in-app messages, help-board posts, TAG (Tutoring Across Grades) request details.
• Technical data: IP address and basic browser/device information from server logs (retained 30 days), session cookies (retained up to 7 days).
• Push-notification subscriptions: opaque endpoint URL and cryptographic keys provided by the user's browser when they opt in, associated with their account email.

The Provider does not collect Social Security numbers, government IDs, biometric data, precise geolocation, financial-account numbers, or health/medical records, except to the extent a parent voluntarily includes a learning-difference description in a TAG request.

Schedule B — Designated Contacts

Provider's contact for security and privacy: Jack Cleveland — info@tagatutor.org

School's designated security/privacy contact: _______________________________________ (to be filled in at signature)

© 2026 Tag-a-Tutor. This DPA is provided as a starting point. Schools are encouraged to have their own counsel review it before signing.