Data Processing Agreement

Last updated: January 1, 2025

Note: This Data Processing Agreement ("DPA") forms part of the Terms of Service between you and SMERP Tek. It applies when we process personal data on your behalf as a data processor.

1. Definitions

In this DPA:

  • "Controller" means the entity that determines the purposes and means of processing personal data (typically, your Institution).
  • "Processor" means the entity that processes personal data on behalf of the Controller (SMERP Tek).
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
  • "Personal Data" means any information relating to a Data Subject.
  • "Processing" means any operation performed on personal data.
  • "Sub-processor" means a third party engaged by the Processor to process personal data.
  • "Data Protection Laws" means GDPR, UK GDPR, CCPA, FERPA, and other applicable privacy laws.

2. Scope and Roles

2.1 Relationship of the Parties

When you use SMERP EDU to process personal data of your students, staff, or other individuals, you act as the Controller and we act as the Processor. This DPA governs our processing of that personal data.

2.2 Details of Processing

Subject Matter:       Provision of educational management services
Duration:             Duration of the service agreement
Nature and Purpose:   Storage, organization, and management of educational data
Types of Data:        Student records, staff information, academic records, financial data, attendance data
Data Subjects:        Students, parents/guardians, teachers, staff, administrators

3. Processor Obligations

As your Processor, we shall:

  • Process personal data only on your documented instructions
  • Ensure persons authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior authorization
  • Assist you in responding to Data Subject requests
  • Assist you with data protection impact assessments when required
  • Delete or return personal data upon termination of services
  • Make available information necessary to demonstrate compliance
  • Allow and contribute to audits conducted by you or your auditor

4. Controller Obligations

As the Controller, you shall:

  • Ensure you have a lawful basis to process personal data
  • Provide clear, documented processing instructions
  • Ensure compliance with Data Protection Laws for your processing activities
  • Handle Data Subject requests in accordance with applicable laws
  • Notify us promptly of any changes to processing instructions
  • Implement appropriate security measures on your systems

5. Sub-processors

5.1 Authorization

You authorize us to engage sub-processors to assist in providing the Service. We maintain a list of current sub-processors, which we will provide upon request.

5.2 Current Sub-processors

Sub-processor            Purpose                 Location
Google Cloud Platform    Cloud infrastructure    Various (configurable)
Microsoft Azure          Cloud infrastructure    Various (configurable)
Stripe                   Payment processing      USA, EU
Cloudinary               Media storage           USA, EU
Resend                   Email delivery          USA
Twilio                   SMS delivery            USA

5.3 Changes to Sub-processors

We will notify you at least 30 days before adding or replacing sub-processors. You may object to such changes within 14 days. If we cannot accommodate your objection, you may terminate the affected services.

6. Security Measures

We implement and maintain appropriate technical and organizational measures, including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Access controls and authentication requirements
  • Regular security assessments and penetration testing
  • Incident detection and response procedures
  • Business continuity and disaster recovery plans
  • Employee security training and background checks
  • Physical security measures at data centers

See our Security Practices document for more details.

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including requests to access, correct, delete, or port personal data. We provide self-service tools where possible and will respond to your instructions within a reasonable timeframe.

8. Data Breach Notification

8.1 Notification

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting data we process on your behalf.

8.2 Breach Response

Our notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for more information

9. International Data Transfers

9.1 Transfer Mechanisms

For transfers of personal data outside the EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (UK IDTA) where applicable
  • Adequacy decisions where available

9.2 Additional Safeguards

Where required, we implement supplementary measures to ensure adequate protection, including encryption, pseudonymization, and contractual commitments with sub-processors.

10. Audits

Upon reasonable notice (at least 30 days), we will make available to you information necessary to demonstrate compliance with this DPA and allow for audits. Audits shall:

  • Be conducted during normal business hours
  • Not unreasonably interfere with our operations
  • Be subject to confidentiality obligations
  • Be at your expense unless they reveal material non-compliance

You may also rely on our SOC 2 Type II reports and other third-party certifications as evidence of our security practices.

11. Data Retention and Deletion

Upon termination of the Service, we will, at your election:

  • Return all personal data to you in a standard format; and/or
  • Delete all personal data within 90 days, unless retention is required by law

We will provide certification of deletion upon request.

12. FERPA Compliance (US Educational Institutions)

For US educational institutions, we acknowledge that student education records may constitute "education records" under FERPA. We agree to:

  • Act as a "school official" with a legitimate educational interest
  • Use education records only for the purposes specified by the Institution
  • Not disclose education records to third parties except as permitted
  • Maintain the confidentiality of education records

13. COPPA Compliance

Where personal data of children under 13 is processed, we support your compliance with COPPA by:

  • Providing clear disclosures about data collection practices
  • Enabling parental consent mechanisms
  • Allowing parents to review and delete their children's data
  • Maintaining confidentiality, security, and integrity of children's data

14. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. However, neither party excludes or limits liability for breaches of Data Protection Laws to the extent such limitation is prohibited by applicable law.

15. Term and Termination

This DPA commences when you accept our Terms of Service and continues until the Service agreement terminates. Provisions relating to data deletion, confidentiality, and liability survive termination.

16. Changes to This DPA

We may update this DPA to reflect changes in Data Protection Laws or our practices. We will provide at least 30 days' notice of material changes. Continued use of the Service after changes take effect constitutes acceptance of the updated DPA.

17. Contact

For questions about this DPA or to request our sub-processor list:

SMERP Tek

Second Floor, Office 214, Pyramid Center

Oud Metha, Dubai, United Arab Emirates

Data Protection Officer: legal@smerptek.com