DATA PROCESSING ADDENDUM

WHEREAS, the School/District desires to use The Scribe Academy's AI-powered writing education platform (the "Service") for its students and staff;

WHEREAS, the provision of the Service requires the processing of student personal information;

WHEREAS, the parties wish to ensure compliance with applicable data protection laws including FERPA, COPPA, SOPIPA, and state student data privacy laws;

NOW, THEREFORE, the parties agree to the following terms:

1.1 "Student Data" means any information that directly or indirectly identifies a student, including but not limited to: name, email address, educational records, writing submissions, progress data, and usage analytics.

1.2 "Educational Records" means records directly related to a student and maintained by an educational agency or institution, as defined under FERPA (20 U.S.C. § 1232g).

1.3 "Processing" means any operation performed on Student Data, including collection, storage, use, disclosure, or deletion.

1.4 "School Official" means a party to whom the School/District has outsourced institutional services or functions for which the School/District would otherwise use employees.

3.1 The Vendor may process Student Data only to:

• Provide the educational services described in the Service agreement
• Maintain and improve the Service's functionality
• Provide technical support to the School/District
• Generate de-identified, aggregated analytics (with no individual student identification)
• Comply with legal obligations

3.2 The Vendor shall not use Student Data for AI model training unless explicitly authorized in writing by the School/District.

4.1 The Vendor shall implement and maintain appropriate technical and organizational security measures, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Access controls limiting data access to authorized personnel only
• Regular security assessments and vulnerability testing
• Secure authentication mechanisms (Firebase Authentication)
• Audit logging of data access and modifications

4.2 The Vendor uses Google Cloud Platform (Firebase) infrastructure, which maintains SOC 2 Type II, ISO 27001, and other industry certifications.

5.1 In the event of a security breach involving Student Data, the Vendor shall notify the School/District within 30 days of discovery (per SB 446 / AB 1584 requirements effective January 1, 2026).

5.2 If a breach affects more than 500 California residents, the Vendor shall notify the California Attorney General within 15 days of notifying affected users.

5.3 Notification shall include:

• Description of the nature of the breach
• Categories and approximate number of affected students
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact information for questions

5.4 The Vendor shall cooperate with the School/District in investigating and remediating any breach.

6.1 The School/District may request export of Student Data at any time. The Vendor shall provide data in a commonly used, machine-readable format (JSON) within 30 days of request.

6.2 The Vendor provides an "Export User Data" feature accessible to authorized administrators for FERPA parent request compliance.

6.3 Parents/guardians may request access to their child's data through the School/District, which may use the Vendor's export tools to fulfill such requests.

7.1 Upon termination of the Service agreement, or upon written request, the Vendor shall delete all Student Data within 60 days using irrecoverable destruction methods consistent with NIST 800-88 guidelines.

7.2 The Vendor provides a "Full User Wipe" feature for complete deletion of individual student records (Class 3 Disposable Records under Title 5), including:

• Profile information
• Writing submissions and reports
• Activity logs
• Progress and state data
• Authentication records (optional)

7.3 Data destruction is permanent and irrecoverable. The Vendor uses logical deletion (document removal) combined with Firebase's encryption-at-rest, ensuring data cannot be reconstructed.

7.4 The Vendor shall provide written confirmation of data deletion upon request.

8.1 The Vendor uses the following subprocessors:

8.2 The Vendor shall ensure all subprocessors are bound by data protection obligations no less protective than those in this DPA.

9.1 FERPA: The Vendor agrees to act as a "School Official" under FERPA and to use Student Data only for the educational purposes for which it was disclosed.

9.2 COPPA: For students under 13, the School/District provides consent on behalf of parents pursuant to the COPPA school consent exception.

9.3 SOPIPA: The Vendor certifies that it does not use Student Data for advertising or create advertising profiles.

9.4 State Laws: The Vendor agrees to comply with applicable state student data privacy laws, including but not limited to California AB 1584 and the California Student Data Privacy Agreement (CSDPA).

10.1 This DPA shall remain in effect for the duration of the Service agreement.

10.2 Upon termination, the data deletion provisions of Article 7 shall apply.

10.3 Articles 2 (Data Ownership), 5 (Breach Notification), and 7 (Data Deletion) shall survive termination.