School Data Processing Agreement

Version: 2.0-draft
Effective Date: 2026-06-01

LULL School Data Processing Agreement (DPA) TEMPLATE — FOR ATTORNEY REVIEW — REQUIRES COMPLETION BEFORE EXECUTION

This Data Processing Agreement ("DPA") is entered into between Rhetoric Innovations LLC ("Provider") and the educational institution identified below ("School"). This DPA supplements and is incorporated into the Lull School Licensing Agreement between the parties.

RECITALS

WHEREAS, Provider operates the Lull journaling application, an AI-powered growth journaling tool designed for student social-emotional learning;

WHEREAS, School desires to deploy Lull for the benefit of its students as a social-emotional learning tool;

WHEREAS, Provider and School desire to establish the terms governing the collection, processing, and protection of Student Data;

NOW, THEREFORE, in consideration of the mutual covenants herein, the parties agree as follows:

1. DEFINITIONS

"Student Data" means personally identifiable information (PII) from education records as defined under FERPA, 20 U.S.C. § 1232g, and 34 C.F.R. Part 99, that is provided to or collected by Provider from or on behalf of School or its students.

"Covered Information" means personally identifiable student information as defined under applicable state student privacy laws including SOPIPA, and including Student Data as defined above.

"Educational Purpose" means providing the Lull journaling application as a growth journaling and social-emotional learning tool for use by students at School, as further described in the Licensing Agreement.

"Counselor Alert" means an automated notification sent to a designated school counselor when the Provider's safety detection system identifies content in a student's journal meeting defined threshold conditions.

"Counselor Portal" means the secure web interface at lulljournal.com/portal through which designated school counselors and administrators access Counselor Alerts and associated student conversation content.

"Conversation Content" means the full text of a student user's journal messages and Lull's AI responses in a given session, as stored in the Provider's conversation corpus.

"Provider" means Rhetoric Innovations LLC, operator of the Lull application.

"School" means the educational institution identified on the cover page of this DPA.

2. SCOPE OF DATA PROCESSING

2.1 Purpose Limitation

Provider shall process Student Data solely for the Educational Purpose. Provider shall not process Student Data for any commercial purpose unrelated to providing the Lull service to School.

2.2 Categories of Student Data Processed

• Student first name (for application personalization)
• Student account activity and journaling frequency
• Journal entry content and AI response content (stored in encrypted conversation corpus)
• Psychological index data derived from journal content (situation index, pattern index, growth index)
• Safety detection event metadata
• Guardian consent records (guardian name, email, digital signature, consent timestamp, documents acknowledged)
• Counselor alert records (alert tier, trigger type, concern categories, Conversation Content for Tier 2 and 3 alerts)
• Counselor access log records (counselor identity, student identifier, timestamp, content accessed)

2.3 Categories of Student Data NOT Processed

3. FERPA COMPLIANCE

School represents that it has the authority to enter into this DPA and to provide consent under FERPA, 20 U.S.C. § 1232g, on behalf of parents for educational purposes. Provider shall act as a school official with a legitimate educational interest as permitted under 34 C.F.R. § 99.31(a)(1) solely to the extent necessary to provide the Lull service under this DPA.

Provider shall:

• Use Student Data only for the Educational Purpose
• Not re-disclose Student Data to third parties except as necessary to provide the Service (see Section 8)
• Maintain Student Data with reasonable security measures as described in Section 9
• Support School's obligations to respond to student and parent rights requests under FERPA
• Return or destroy Student Data upon termination of this DPA in accordance with Section 11

4. COPPA SCHOOL CONSENT

Pursuant to 16 C.F.R. § 312.5(b)(1), School provides consent on behalf of parents for Provider to collect personal information from students under 13 solely for the Educational Purpose. School represents that it has provided appropriate notice to parents regarding the use of Lull in accordance with applicable law.

In addition to school-level consent under this section, Provider independently collects individual guardian consent from each student's designated guardian through the Lull guardian consent system. Individual guardian consent provides an additional, independent basis for COPPA compliance and serves as documentary evidence of parental awareness.

School consent under this section does not extend to any use of student information beyond the Educational Purpose.

5. STATE STUDENT PRIVACY LAW COMPLIANCE

Provider represents and warrants compliance with applicable state student privacy laws, including:

• Student Online Personal Information Protection Act (SOPIPA) and equivalent state laws
• California Student Privacy Alliance (CSPA) requirements where applicable
• Any state-specific student privacy laws applicable to School's jurisdiction [ATTORNEY: INSERT STATE-SPECIFIC LAWS FOR EACH SCHOOL STATE]

Provider shall not:

• Use Covered Information to build a personal profile of a student for purposes other than the Educational Purpose
• Sell, lease, trade, or otherwise monetize Covered Information
• Use Covered Information for targeted advertising
• Disclose Covered Information to third parties except as described in Section 8

6. GUARDIAN CONSENT COLLECTION

6.1 Provider's Consent Collection Obligation

Provider shall collect individual guardian consent for each student enrolled under this DPA through the Lull guardian consent system. Provider shall:

• Send a consent request to the guardian contact information provided by School for each student within 5 business days of student enrollment
• Present the guardian with the current version of all required legal documents (Terms of Service, Privacy Policy, COPPA Compliance Statement, Guardian Terms, and this DPA)
• Collect a digital signature and affirmative acknowledgment of each presented document
• Maintain permanent consent records as described in the Privacy Policy
• Send up to 2 reminder notices for pending consents, spaced at least 5 business days apart

6.2 Student Account Activation Gate

Student accounts will not be activated for journaling until guardian consent is recorded OR School elects to proceed under school-level DPA consent for a specific student. School may authorize Provider to proceed under school-level DPA consent for any student whose guardian does not respond within 14 days of the second reminder notice.

6.3 School's Consent Support Obligations

School shall: provide accurate guardian contact information for each student at enrollment; notify guardians that they will receive a consent request from Lull; and cooperate with Provider to resolve consent issues for individual students as needed.

7. COUNSELOR ALERT SYSTEM

7.1 Three-Tier Alert Framework

Provider's safety detection system generates alerts to designated school counselors under the following conditions:

7.2 Counselor Portal Access

Designated counselors and school administrators access Counselor Alert details through the secure Counselor Portal at lulljournal.com/portal. All Counselor Portal access is:

• Authenticated — only users with Counselor or Administrator account type for this School may access
• Limited to alerts and student data associated with this School only
• Logged — every access to individual student Conversation Content is recorded in a tamper-evident access log with counselor identity, timestamp, alert accessed, and content type accessed

7.3 Counselor Obligations

School agrees to ensure that designated counselors:

• Use Counselor Portal access solely for student wellbeing review and appropriate professional response
• Do not share, export, download, or distribute student Conversation Content outside the Counselor Portal
• Do not use student Conversation Content for any purpose other than supporting the student's wellbeing
• Comply with all applicable federal and state laws governing student privacy including FERPA
• Are individually bound by this Section 7 as a condition of their Counselor account access

7.4 Alert System Limitations

The Counselor Alert system is an automated detection system with inherent limitations. It does not guarantee detection of all expressions of distress. School counselors are solely responsible for making professional determinations about student wellbeing and appropriate interventions. Provider's alert system provides signals only and does not replace professional clinical judgment.

7.5 Student Disclosure to Students

Before any student activates journaling features, Provider shall present each student with a disclosure stating that if they write something suggesting they may be in danger, their school counselor will be notified. This disclosure acknowledgment is a required step in student account activation.

8. SUBPROCESSORS

Provider uses the following subprocessors. School authorizes Provider to engage these subprocessors subject to data protection requirements equivalent to those in this DPA:

Provider will provide School with 30 days advance notice before adding new subprocessors that will process Student Data.

9. SECURITY MEASURES

Provider maintains the following security safeguards for Student Data:

• Encryption of Student Data in transit using TLS 1.2 or higher
• Encryption of Student Data at rest
• Row-level security policies limiting database access to authorized users only
• Role-based access controls for counselor portal access limited to School's designated counselors
• Tamper-evident audit logging for all counselor access to student Conversation Content
• Access controls and authentication requirements for all administrative systems
• Incident response procedures

9.1 Security Incident Notification

Provider shall notify School within 72 hours of becoming aware of a security incident that compromises the confidentiality, integrity, or availability of Student Data. Notice shall describe: the nature of the incident, the categories and approximate number of students affected, the likely consequences, and the measures taken or proposed to address the incident.

10. STUDENT AND PARENT RIGHTS

Provider shall support School's obligations to respond to student and parent rights requests under FERPA and applicable state law, including requests to:

• Access Student Data — Provider will provide Student Data in a commonly used electronic format within 10 business days of a verified request
• Correct inaccurate Student Data — Provider will make corrections within 10 business days of a verified request
• Delete Student Data — Provider will delete within 30 days of a verified request; safety logs and consent records retained per applicable law

11. TERM AND DATA RETURN OR DESTRUCTION

This DPA is effective as of the Effective Date and continues for the term stated on the cover page. Upon expiration or termination:

• Provider shall, at School's election, return all Student Data in a commonly used electronic format or securely destroy all Student Data within 30 days of termination
• Provider shall provide written certification of the completion of data return or destruction within 45 days of termination
• Safety event logs and counselor access audit logs may be retained for up to 7 years as required by applicable law
• Aggregate, de-identified data not attributable to individual students may be retained for service improvement purposes
• Guardian consent records are retained permanently as legal proof of consent

12. AUDIT RIGHTS

School may request, no more than once per calendar year, written certification from Provider of compliance with this DPA. Provider shall respond within 30 days. School may request a summary of the counselor access log for its students at any time.

13. CHANGES TO THE DPA

Provider may update this DPA template from time to time. Material changes affecting the rights of School or its students will be provided with 60 days advance notice. Executed DPAs remain in effect under their terms until the next renewal date, at which point the then-current template governs unless the parties negotiate alternative terms.

14. GOVERNING LAW

This DPA is governed by the laws of the State of Missouri. In the event of conflict between this DPA and applicable federal or state student privacy law, the more protective standard shall apply.

15. ENTIRE AGREEMENT

This DPA, together with the Lull School Licensing Agreement, constitutes the entire agreement between Provider and School with respect to the processing of Student Data. In the event of conflict between this DPA and the Licensing Agreement, this DPA controls with respect to matters specifically addressed herein.

16. SIGNATURES

By signing below, the authorized representatives of both parties agree to the terms of this Data Processing Agreement.

FOR ATTORNEY REVIEW AND APPROVAL — NOT EFFECTIVE UNTIL COUNSEL APPROVES Rhetoric Innovations LLC | lulljournal.app | hello@lulljournal.app