School Data Processing Agreement
Version: 1.0
Effective Date: [TO BE SET BEFORE PUBLISHING]
LULL School Data Processing Agreement (DPA)
1. DEFINITIONS
"Student Data" means personally identifiable information (PII) from education records as defined under FERPA, 20 U.S.C. § 1232g, and 34 C.F.R. Part 99, that is provided to or collected by Provider from or on behalf of School or its students.
"Covered Information" means personally identifiable student information as defined under applicable state student privacy laws including but not limited to SOPIPA, and including Student Data as defined above.
"Educational Purpose" means providing the Lull journaling application as a growth journaling and social-emotional learning tool for use by students at School, as more fully described in the Licensing Agreement.
"Provider" means Rhetoric Innovations LLC, operator of the Lull application.
"School" means the educational institution identified on the cover page of this DPA.
2. SCOPE OF DATA PROCESSING
2.1 Purpose Limitation
Provider shall process Student Data solely for the Educational Purpose described in this DPA. Provider shall not process Student Data for any commercial purpose unrelated to providing the Lull service to School.
2.2 Categories of Student Data Processed
- Student first name (for application personalization)
- Student account activity and journaling frequency
- Journal entry content (stored securely, accessible only to the student and Provider's automated systems)
- Safety detection event metadata (not including journal content)
- General emotional theme categories derived from journal content
2.3 Categories of Student Data NOT Processed
3. FERPA COMPLIANCE
School represents that it has the authority to enter into this DPA and to provide consent under FERPA, 20 U.S.C. § 1232g, on behalf of parents for educational purposes. Provider shall act as a school official with a legitimate educational interest as permitted under 34 C.F.R. § 99.31(a)(1) solely to the extent necessary to provide the Lull service under this DPA.
Provider shall:
- Use Student Data only for the Educational Purpose
- Not re-disclose Student Data to third parties except as necessary to provide the Service (see Section 7)
- Maintain Student Data with reasonable security measures
- Return or destroy Student Data upon termination of this DPA in accordance with Section 10
4. COPPA SCHOOL CONSENT
Pursuant to 16 C.F.R. § 312.5(b)(1), School provides consent on behalf of parents for Provider to collect personal information from students under 13 solely for the Educational Purpose. School represents that it has provided appropriate notice to parents regarding the use of Lull in accordance with applicable law.
School consent under this section applies only to use of Lull for the Educational Purpose at School. School consent does not extend to any other use of student information by Provider.
5. STATE STUDENT PRIVACY LAW COMPLIANCE
Provider represents and warrants compliance with applicable state student privacy laws, including but not limited to:
- Student Online Personal Information Protection Act (SOPIPA) and equivalent state laws
- California Student Privacy Alliance (CSPA) requirements
- [STATE-SPECIFIC LAWS TO BE IDENTIFIED PER JURISDICTION]
Provider shall not:
- Use Covered Information to build a personal profile of a student for purposes other than the Educational Purpose
- Sell, lease, trade, or otherwise monetize Covered Information
- Use Covered Information for targeted advertising
- Disclose Covered Information to third parties except as described in Section 7
6. SCHOOL COUNSELOR DASHBOARD
School administrators and designated counselors may access an institutional dashboard providing aggregate activity data for the school's student population. The institutional dashboard displays:
- Number of active student users
- Aggregate journaling frequency data
- General emotional theme distributions across the student population (aggregate only)
- Safety alert notifications for individual students at defined threshold levels
7. SUBPROCESSORS
Provider uses the following subprocessors to provide the Service. School authorizes Provider to engage these subprocessors subject to the data protection requirements of this DPA:
8. SECURITY MEASURES
Provider shall maintain reasonable and appropriate administrative, physical, and technical safeguards to protect Student Data, including:
- Encryption of Student Data in transit and at rest
- Access controls and authentication requirements
- Regular security assessments
- Employee training on data privacy and security
- Incident response procedures
Provider shall notify School within 72 hours of becoming aware of a security incident that compromises the confidentiality, integrity, or availability of Student Data.
9. STUDENT AND PARENT RIGHTS
Provider shall support School's obligations to respond to student and parent rights requests under FERPA and applicable state law, including requests to:
- Access Student Data
- Correct inaccurate Student Data
- Delete Student Data
Provider shall respond to verified rights requests within 10 business days.
10. TERM AND DATA RETURN/DESTRUCTION
This DPA is effective as of the Effective Date and continues for the term of the Licensing Agreement. Upon termination:
- Provider shall, at School's election, return all Student Data in a commonly used electronic format or securely destroy all Student Data within 30 days of termination
- Provider shall certify in writing the completion of data return or destruction
- Safety event logs may be retained for up to 7 years as required by applicable law
- Aggregate, de-identified data may be retained for service improvement purposes
11. AUDIT RIGHTS
School may request, no more than once per calendar year, written certification from Provider of compliance with this DPA. Provider shall respond to such requests within 30 days.
12. GOVERNING LAW
This DPA is governed by the laws of the State of Missouri. In the event of conflict between this DPA and applicable federal or state student privacy law, the more protective standard shall apply.
13. SIGNATURES
By signing below, the parties agree to the terms of this Data Processing Agreement.
This Data Processing Agreement ("DPA") is entered into between Rhetoric Innovations LLC ("Provider") and the educational institution identified below ("School"). This DPA supplements and is incorporated into the Lull School Licensing Agreement between the parties.
| School / Institution Name | [___________________________________] |
|---|---|
| School Contact Name | [___________________________________] |
| School Contact Title | [___________________________________] |
| School Contact Email | [___________________________________] |
| School Address | [___________________________________] |
| Effective Date | [___________________________________] |
| Agreement Term | [___ years from Effective Date] |
Provider does NOT process the following for school deployments: student social security numbers, student financial information, student disciplinary records, biometric data, precise geolocation data, or any student data for advertising or marketing purposes.
The institutional dashboard does NOT provide access to individual student journal content under any circumstances. Individual student journal entries are private to the student. Safety notifications describe only the general nature of a concern, not the specific content of a student's journal entry.
| Subprocessor | Purpose | Data Shared |
|---|---|---|
| Anthropic, PBC | AI response generation | Journal content for real-time processing only |
| Supabase, Inc. | Database and auth infrastructure | All student account and journal data |
| Resend, Inc. | Email notifications | Student/guardian email for notifications only |
Rhetoric Innovations LLC (Provider):
Signature
Printed Name
Title
Date
School / Educational Institution:
Signature
Printed Name
Title
Date