Data Processing Agreement
Template version: June 29, 2026 · For school and district use
How to execute this agreement: Email burchell.porter@raiwtid.com with your school or district name and we will send a countersigned copy within 3 business days. No printing or mailing required — email execution is accepted.
This Data Processing Agreement ("DPA") is entered into between RAIWTID AI, LLC, operator of AI Explorers Academy ("Provider"), and the school or district identified at execution ("Educational Institution").
Provider
RAIWTID AI, LLC
Operating AI Explorers Academy
aiexplorersacademy.com
burchell.porter@raiwtid.com
Educational Institution
[School / District Name]
Identified at time of execution.
Represented by an authorized school or district official.
1. Definitions
- "Student Data" means any data about students that is submitted to, generated by, or stored in AI Explorers Academy in connection with the Educational Institution's use of the Service.
- "Service" means the AI Explorers Academy web application available at aiexplorersacademy.com.
- "FERPA" means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g.
- "COPPA" means the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.
- "Subprocessor" means a third-party service provider engaged by Provider that processes Student Data.
- "School Official" has the meaning given in FERPA regulations at 34 C.F.R. § 99.31(a)(1).
2. Scope and Purpose
This DPA governs the processing of Student Data by Provider on behalf of the Educational Institution in connection with the delivery of the Service for educational purposes. Provider processes Student Data solely as a service provider acting on the Educational Institution's documented instructions.
3. Student Data Processed
The following categories of Student Data may be processed through the Service:
| Data Element | Purpose | Where Stored |
| Student nickname (not required to be real name) | Personalize learning experience | Student's device (localStorage) |
| Grade band (grades 2–5 or 6–8) | Deliver age-appropriate curriculum | Student's device (localStorage) |
| Lesson progress, mission completions | Track curriculum progress | Student's device (localStorage) |
| Quiz scores, XP, badges | Gamified progress tracking | Student's device (localStorage) |
| Class code check-in (nickname, grade, mission count, XP, badges, streak, date) | Teacher progress visibility | Netlify Forms (U.S. servers) |
| AI chat messages (ARIA) | Generate tutoring responses | Transmitted to Anthropic; not retained by Provider |
Not collected: Legal name, date of birth, government ID, address, phone number, email address, photos, biometric data, location data, or financial information of students.
4. Roles of the Parties
The Educational Institution is the data controller with respect to Student Data. Provider acts as a data processor (or "school official" as defined under FERPA) processing Student Data solely on behalf of and under the instructions of the Educational Institution.
The Educational Institution retains all rights to Student Data at all times. Provider acquires no ownership interest in Student Data.
5. COPPA — School Official Exception
By executing this DPA, the Educational Institution confirms that:
- It is deploying the Service for educational purposes only;
- It acts as the authorized agent for parental consent under COPPA's school official exception (16 C.F.R. § 312.5(b)(1)) for students under 13;
- It has provided appropriate notice to parents and students regarding the use of the Service;
- Provider's collection of Student Data is limited to what is necessary for the educational purpose and does not require separate direct parental consent for each student.
6. FERPA Compliance
Provider agrees to:
- Use Student Data only for the purpose of providing the Service as directed by the Educational Institution;
- Not re-disclose Student Data to any third party without the Educational Institution's written consent, except as required by law or to Subprocessors listed in Section 9;
- Allow the Educational Institution to review, correct, and request deletion of Student Data upon written request;
- Maintain Student Data confidentiality consistent with FERPA's requirements;
- Return or destroy Student Data upon contract termination as described in Section 13.
7. Processing Instructions
Provider shall process Student Data only in accordance with the Educational Institution's documented instructions, which are set forth in this DPA and any applicable order form or service agreement. Provider shall promptly inform the Educational Institution if it believes any instruction violates applicable law.
8. Confidentiality
Provider shall ensure that all personnel who have access to Student Data are bound by appropriate confidentiality obligations. Provider shall not use Student Data for any purpose other than providing the Service, including:
- No behavioral or targeted advertising to students;
- No sale, rent, or lease of Student Data to any third party;
- No use of Student Data to build profiles on students for non-educational purposes;
- No use of Student Data for Provider's own commercial benefit beyond delivering the Service.
9. Subprocessors
Provider currently uses the following Subprocessors that may process Student Data. Provider will notify the Educational Institution of any changes to this list at least 30 days in advance.
| Subprocessor | Purpose | Data Location | Privacy Policy |
| Netlify, Inc. | Application hosting; class check-in form submissions | United States | netlify.com/privacy |
| Anthropic, PBC | ARIA AI tutoring responses (chat messages processed; not retained for training) | United States | anthropic.com/privacy |
| Pollinations AI | Fallback AI responses; AI art generation (safety filters enabled) | European Union | pollinations.ai/privacy |
Provider shall impose data protection obligations on Subprocessors equivalent to those in this DPA and shall remain liable to the Educational Institution for any Subprocessor's failure to fulfill its obligations.
10. Security Measures
Provider implements and maintains reasonable technical and organizational measures to protect Student Data, including:
- Encryption in transit: All data transmitted between students and Provider's servers is encrypted via HTTPS/TLS.
- Minimal server-side storage: Student progress is stored on the student's own device (localStorage). Only class check-in submissions (limited fields) are stored on Provider's servers via Netlify Forms.
- Access controls: Class check-in data is accessible only through the teacher's class code and Provider administrative accounts.
- No passwords stored: The Service does not use passwords or user accounts; there is no password database to breach.
- Content safety filters: ARIA chat is filtered before transmission to AI providers to prevent submission of sensitive personal information.
11. Security Breach Notification
In the event Provider becomes aware of a security breach that affects Student Data, Provider will:
- Notify the Educational Institution within 72 hours of becoming aware of the breach;
- Provide a written description of the nature of the breach, categories of data affected, approximate number of students affected, and steps taken to mitigate the breach;
- Cooperate with the Educational Institution's investigation and response.
Notification shall be sent to the contact email provided by the Educational Institution at execution.
12. Student Data Rights
The Educational Institution may exercise the following rights with respect to Student Data held by Provider (i.e., class check-in submission data):
- Access: Request a copy of all Student Data associated with the Educational Institution's class code(s).
- Correction: Request correction of inaccurate Student Data.
- Deletion: Request deletion of all Student Data for specific students or the entire institution. Provider will complete deletion within 30 days of written request.
Note: Student Data stored on students' own devices (via browser localStorage) is not accessible to or controlled by Provider. The Educational Institution should instruct students or parents to use the in-app reset function to clear device-based data.
13. Data Retention and Return
- During the agreement: Provider retains class check-in submission data for up to 12 months or until a deletion request is received.
- On termination: Within 30 days of the end of the agreement or written request, Provider will delete all Student Data held on its servers associated with the Educational Institution and provide written confirmation of deletion.
- Legal hold exception: Provider may retain Student Data beyond these periods if required by law, court order, or regulatory authority, and will notify the Educational Institution of any such requirement.
14. Audit Rights
No more than once per calendar year, the Educational Institution may request written confirmation from Provider regarding its data protection practices as they relate to Student Data. Provider will respond to such requests within 30 business days.
15. Prohibited Uses
Provider expressly agrees that it will not:
- Sell Student Data;
- Use Student Data for advertising or to amass a profile on a student for non-educational purposes;
- Disclose Student Data to third parties other than authorized Subprocessors without written consent of the Educational Institution;
- Retain Student Data beyond the periods specified in Section 13.
16. Term and Termination
This DPA is effective upon execution and remains in force for the duration of the Educational Institution's use of the Service. Either party may terminate this DPA with 30 days' written notice. Sections 6 (FERPA), 8 (Confidentiality), 13 (Data Retention), and 15 (Prohibited Uses) survive termination.
17. Indemnification
Each party agrees to indemnify and hold harmless the other party from claims, damages, and expenses (including reasonable legal fees) arising from that party's breach of this DPA or violation of applicable law, including FERPA and COPPA.
18. Governing Law
This DPA is governed by the laws of the United States and, where applicable, the laws of the state where the Educational Institution is located. Any dispute arising under this DPA shall be resolved by good-faith negotiation before resorting to formal dispute resolution.
19. Entire Agreement
This DPA, together with any applicable service agreement or order form, constitutes the entire agreement between the parties with respect to the processing of Student Data and supersedes all prior agreements on this subject.
20. Signatures
By signing below (or by email confirmation), both parties agree to the terms of this Data Processing Agreement.
RAIWTID AI, LLC — Provider
Authorized Signature
Printed Name & Title
Date
Educational Institution
Authorized Signature
Printed Name, Title & School/District
Date
Questions? burchell.porter@raiwtid.com
Legal disclaimer: This Data Processing Agreement template is provided for informational purposes and represents RAIWTID AI, LLC's standard terms for school and district use. It is not legal advice. Educational institutions are encouraged to have this agreement reviewed by qualified legal counsel before execution. Some states have additional student privacy laws (e.g., California SOPIPA, New York Education Law 2-d) that may require additional provisions — please raise any state-specific requirements when requesting execution.