About This Document
Many school districts require a signed Data Privacy Agreement ("DPA") as part of their procurement process. A DPA supplements a vendor's general Terms of Service and Privacy Policy with binding commitments that are specifically tailored to the handling of student data.
This page describes SchoolScan's DPA posture and provides downloadable templates that districts can execute as-is or adapt to their own requirements.
If your district or state uses its own standard DPA (for example, the SDPC National Data Privacy Agreement, a state consortium template, or a district-specific form), SchoolScan will review and execute it. Email a copy to legal@schoolscan.ai with your request to contract.
Alignment with the National Data Privacy Agreement (NDPA)
SchoolScan's standard DPA is structured to align with the National Data Privacy Agreement (NDPA) published by the Student Data Privacy Consortium (SDPC). The NDPA has become the de facto standard for K-12 EdTech vendor agreements across the United States.
| NDPA Requirement | SchoolScan Commitment |
|---|---|
| Designation as School Official under FERPA | Acknowledged per 34 CFR § 99.31(a)(1) |
| Student Data is owned by the LEA | Customer retains all ownership |
| Limited use of Student Data for contracted purpose only | No secondary use |
| Prohibition on sale of Student Data | Never sold, rented, or leased |
| Prohibition on targeted advertising | No advertising of any kind |
| No use of Student Data to build student profiles | No profiling beyond contracted purpose |
| Data minimization and purpose limitation | Only data needed for scans |
| Reasonable security practices | Encryption in transit and at rest, access controls, isolated scan environments |
| Subprocessor flow-down obligations | All subprocessors bound by equivalent terms |
| Breach notification with defined timeline | Without undue delay, within 72 hours where feasible |
| Return or destruction of data on termination | Within 60 days of termination, Customer's election |
| Parental/eligible-student rights preserved | Requests routed through the LEA |
| No AI training on Customer content | Contractually prohibited with all AI subprocessors |
State-Specific Supplements
Many states have enacted additional student privacy laws that extend beyond FERPA. SchoolScan supports state-specific DPA addenda, including:
- California — Student Online Personal Information Protection Act (SOPIPA); Assembly Bill 1584; California Consumer Privacy Act / California Privacy Rights Act alignment where applicable
- New York — NY Education Law § 2-d; Parents' Bill of Rights attachment
- Connecticut — Public Act 16-189 (now codified at Conn. Gen. Stat. § 10-234aa et seq.)
- Illinois — Student Online Personal Protection Act (SOPPA), 105 ILCS 85/
- Colorado — Student Data Transparency and Security Act
- Other states — SchoolScan will accommodate state-specific language as required by applicable law
What's In Our Standard DPA
Our standard DPA template includes the following sections:
- Article I — Purpose and Scope. Defines the services, governs the handling of student personally identifiable information ("Student PII"), and establishes the DPA as a controlling document for privacy matters.
- Article II — Student Data Ownership and Authorized Use. Confirms district ownership, limits SchoolScan's use to the contracted purpose, and prohibits secondary uses.
- Article III — Duties of SchoolScan. Details security, confidentiality, subprocessor management, training, and compliance practices.
- Article IV — Data Provisions. Specifies data collection, transmission, storage, retention, and deletion practices with defined timelines.
- Article V — Data Breach. Establishes notification procedures, timelines, cooperation obligations, and remediation commitments.
- Article VI — Termination. Governs data return/destruction and certification at contract end.
- Article VII — General Provisions. Governing law, assignment, notices, and miscellaneous matters.
- Exhibit A — Description of Services. Specifies what SchoolScan is providing.
- Exhibit B — Schedule of Data. Itemizes the categories of Student PII processed.
- Exhibit C — Definitions. NDPA-aligned definitions.
- Exhibit D — Subprocessors. Current list of vendors with access to Student PII, updated as changes occur.
- Exhibit E — State-Specific Supplements. Addenda for states whose laws require additional provisions.
Request the DPA Template
To receive the current SchoolScan DPA template (PDF and editable formats), or to have us execute your district's own DPA form, contact our legal team.
Request DPA TemplateDPA Review Timeline
Our standard commitments on contracting:
- Within 1 business day of receiving your DPA request, SchoolScan's legal team will confirm receipt.
- Within 5 business days of receiving a district's own DPA form, we will return a redlined version or sign as-is.
- No additional fee for executing a district-specific DPA.
- Counter-signatures. Executed DPAs are returned via DocuSign or an equivalent platform; wet signatures are available on request.
Publicly Posted DPAs
Several states and consortiums maintain public registries of executed DPAs (for example, the SDPC Registry). SchoolScan is willing to have its executed DPAs posted publicly on those registries at the district's option, consistent with the commitments in this document.
Questions
For DPA requests, contract questions, or requests to review a district's own form, contact legal@schoolscan.ai. Our legal team responds within one business day.