← Back to RoboBuddy13
Legal — DPA
Data Processing Agreement
Version 1.0.0 • Compliant with FERPA, COPPA, GDPR, SOPIPA, NY Ed Law §2-d
Summary: This DPA Template outlines how DREAMwithAI Inc. processes student data on behalf of educational institutions using the RoboBuddy13 platform. Interested districts should contact legal@dreamwithai.com to execute a customized agreement.
1. Definitions
- “Education Records” — Records directly related to a student maintained by or on behalf of a school, as defined by FERPA (34 CFR §99.3).
- “Student Data” — Any data, including Education Records, PII, metadata, and user-generated content collected through the Service.
- “Service” — The RoboBuddy13 educational platform, including all features for adaptive learning, progress tracking, assessment, tutoring, and reporting.
- “Data Incident” — Any unauthorized access, acquisition, use, or disclosure of Student Data.
2. Scope and Purpose
The Controller engages DREAMwithAI (“Processor”) to process Student Data solely for providing educational services through RoboBuddy13. The Processor acts as a “school official” under FERPA §99.31(a)(1)(i)(B) with a legitimate educational interest in the Student Data.
The Processor shall not process Student Data for any purpose beyond the specific services outlined in this DPA.
3. Student Data Categories
| Category | Data Elements | Purpose |
|---|
| Identity | Name, email, grade level, student ID | Account creation & identification |
| Academic | Reading progress, quiz scores, mastery levels | Adaptive learning & assessment |
| Behavioral | Session times, engagement metrics, streaks | Personalization & reporting |
| Content | Bookmarks, highlights, notes | User-generated learning tools |
| Technical | IP address, browser, device type | Security & support |
4. Data Security Obligations
4.1 Technical Safeguards
- ✓ AES-256 encryption for data at rest (Google Cloud SQL)
- ✓ TLS 1.3 for all data in transit
- ✓ Firebase Authentication with multi-factor authentication support
- ✓ Role-based access control (RBAC) with per-request authorization
- ✓ Database connection pooling with credential rotation
- ✓ Automated backup with 90-day retention
4.2 Administrative Safeguards
- ✓ Annual security awareness training for all personnel
- ✓ Background checks for employees with data access
- ✓ Documented incident response procedures
- ✓ Regular third-party penetration testing (annual minimum)
4.3 Physical Safeguards
- ✓ SOC 2 Type II certified data centers (Google Cloud Platform)
- ✓ ISO 27001 certified infrastructure
- ✓ US-based data processing (us-central1 region)
5. Data Access and Rights
5.1 Controller Rights
- Access all Student Data at any time via API or data export
- Request modification or deletion of any Student Data
- Audit the Processor’s data handling practices
- Receive annual compliance reports
5.2 Parent/Student Rights (FERPA)
- Right to Inspect: Complete data export within 48 hours (JSON format)
- Right to Amend: Corrections processed within 5 business days
- Right to Delete: Cascade deletion within 72 hours
- Right to Complain: File complaint with US DOE FPCO
5.3 COPPA Provisions (Students Under 13)
- Verifiable parental consent required before data collection
- Parents may review, request deletion, and revoke consent
- Minimum data collection principle enforced
6. Subprocessors
| Subprocessor | Service | Location | DPA Status |
|---|
| Google Cloud Platform | Infrastructure, storage, compute | USA (us-central1) | Active |
| Firebase (Google) | Authentication, identity | USA | Active |
| Google Vertex AI | Educational AI features | USA (us-central1) | Active |
The Processor shall notify the Controller at least 30 days before engaging any new subprocessor that will have access to Student Data.
7. Data Retention and Return
7.1 During Agreement
- Active Student Data retained throughout the term of the agreement
- Inactive accounts (no activity for 3+ years): PII anonymized
7.2 Upon Termination
- Controller receives complete data export within 10 business days
- All Student Data permanently deleted within 30 days of export
- Written confirmation of deletion provided
- Backup copies purged within 90 days
8. Data Incident Notification
8.1 Timeline
- Processor notifies Controller within 72 hours of discovering a Data Incident
- Preliminary report within 5 business days
- Full investigation report within 30 business days
8.2 Notification Content
- Description of the incident and data affected
- Estimated number of records involved
- Remediation steps taken and planned
- Contact information for follow-up
9. Compliance and Audit
The Processor will provide annual SOC 2 Type II audit reports upon request. The Controller may request a compliance audit with 30 days written notice, conducted during normal business hours.
10. Term and Termination
This DPA is effective from the Effective Date and continues for one (1) year, automatically renewing for successive one-year terms unless terminated. Either party may terminate with 60 days written notice.
Contact
For DPA inquiries or to execute an agreement, contact: legal@dreamwithai.com