Data Processing Agreement

1. Parties & Effective Date

This Data Processing Agreement (the "DPA") is entered into between:

• Mr. A's Writing Tools ("Service Provider," "we," or "us"), the operator of the AI-coached writing platform at mraswritingtools.com; and
• [School / District / LEA name] ("School," "you," or "the LEA").

This DPA takes effect on the date last signed below (the "Effective Date") and supplements the Service Provider's Terms of Service and Privacy Policy. In the event of conflict between this DPA and those documents, this DPA controls with respect to the processing of Student Data.

2. Definitions

• "Student Data" means information about an identified or identifiable Student that the School (or a Student or parent on its behalf) provides to or generates within the Service. Includes the Student's name, email, grade level, written submissions, scores, feedback, and activity logs.
• "FERPA" means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g.
• "COPPA" means the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.
• "School Official" has the meaning given under FERPA § 99.31(a)(1) and the Service Provider qualifies as a "school official with a legitimate educational interest" when processing Student Data on the School's behalf.
• "Sub-processor" means a third party engaged by the Service Provider to process Student Data on its behalf.

3. Scope & Nature of Processing

The Service Provider processes Student Data solely to deliver the AI-coached writing platform: collecting written submissions, generating step-by-step coaching feedback aligned to academic standards, tracking student progress, and surfacing teacher dashboards.

The Service Provider does not:

• Sell Student Data, ever, under any circumstance;
• Use Student Data for advertising or to build advertising profiles;
• Use Student Data to train third-party large language models for general use outside the Service;
• Disclose Student Data to third parties except as expressly permitted in this DPA.

4. Categories of Data & Data Subjects

Data subjects: students enrolled in classes created by School-affiliated teachers; teachers employed by the School; parents linked to those students.

Categories of Student Data processed:

• Identifiers: name, email, grade level, Google account ID (when SSO is used);
• Educational records: assignment submissions, scores, AI feedback, teacher comments, learning path progress, journals;
• Engagement metadata: timestamps, session duration, paste-detection signals, AI integrity flags;
• Voluntary self-identification (when provided): English Learner level, home language, interests.

The Service Provider does not knowingly collect biometric data, geolocation data, government identifiers, financial information, or health information.

5. Purpose Limitation & Permitted Uses

The Service Provider will process Student Data only for the following purposes:

1. Delivering the educational service to the School and its Students;
2. Maintaining, securing, and improving the Service in ways that are not directed to identifiable individuals;
3. Generating aggregate, de-identified analytics that cannot reasonably be re-identified;
4. Complying with legal obligations (subpoenas, court orders, statutory requirements).

Any other use requires the School's prior written consent.

6. Security Measures

The Service Provider maintains administrative, physical, and technical safeguards reasonably designed to protect Student Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

• Encryption in transit: all client-server traffic uses TLS 1.2 or higher;
• Encryption at rest: the production database is encrypted at rest by the cloud provider;
• Access control: role-based authorization (student / teacher / parent / superuser); session timeouts; soft-delete with grace period for parent-requested deletion;
• Audit logging: account/data deletion events are recorded in an internal audit log retained for compliance review;
• Authentication: Google OAuth 2.0 with no plaintext password storage by the Service Provider;
• Application security: Content Security Policy, X-Frame-Options, HSTS, output escaping, parameterized queries, and rate limiting on submission and authentication endpoints;
• Vendor diligence: Sub-processors are vetted for educational-technology-appropriate security practices.

The Service Provider periodically reviews and updates these measures.

7. Sub-processors

The Service Provider engages the following Sub-processors to deliver the Service:

• OpenAI — AI evaluation and feedback generation. Student submissions are sent to OpenAI's API for inference. Per OpenAI's API data-usage policy, API inputs are not used to train OpenAI's general models.
• Google (OAuth) — identity provider for sign-in only; no Student Data flows back to Google beyond what's required to authenticate.
• Application hosting and database provider (currently Render) — runs the Service infrastructure under encryption-at-rest defaults.
• Sentry (when enabled) — error monitoring; configured to scrub Student Data from event payloads.

The Service Provider will provide reasonable advance notice of changes to its Sub-processor list. The School may object to a new Sub-processor in writing, in which case the parties will work in good faith to find an alternative.

8. Data Subject Rights

The School retains all rights of access, correction, and deletion over Student Data and is the entity responsible for responding to requests from Students or parents under FERPA, COPPA, and applicable state law.

The Service Provider will, on the School's reasonable written request, assist the School in:

• Providing access to a Student's records;
• Correcting inaccurate Student Data;
• Deleting Student Data per Section 11.

Parent-initiated deletion requests received directly by the Service Provider are honored as a 30-day soft-delete with grace period; the Service Provider notifies the relevant teacher's School where applicable.

9. Breach Notification

If the Service Provider becomes aware of an unauthorized acquisition or disclosure of unencrypted Student Data, or any other security incident that materially compromises the confidentiality, integrity, or availability of Student Data ("Security Incident"), the Service Provider will:

1. Notify the School without undue delay and in any event within seventy-two (72) hours of confirmed discovery;
2. Provide the School with information reasonably needed to assess and respond to the incident, including the nature of the data involved, the affected Students (when identifiable), and remediation steps taken;
3. Cooperate with the School in any required notifications to parents, regulators, or other third parties.

The Service Provider's notification of a Security Incident is not an acknowledgement of fault or liability.

10. Audit & Review

Once per calendar year and on reasonable written notice, the School (or its independent auditor bound to comparable confidentiality) may request a written summary of the Service Provider's data-protection practices, including a description of security controls, the current Sub-processor list, and any material changes since the last review. The Service Provider will respond within thirty (30) days.

On-site audits are not available for Service Providers of this scale; written documentation, security questionnaires, and vendor-attestation forms are the typical mechanisms.

11. Return & Deletion of Data

On termination of the underlying service relationship, or at any time upon the School's written request, the Service Provider will, at the School's election:

• Return all Student Data to the School in a structured, commonly used, machine-readable format (CSV/JSON ZIP exports as currently supported by the Service); and/or
• Delete all Student Data from production systems within thirty (30) days, with database backups purged on the next routine rotation cycle (typically within sixty (60) days).

The Service Provider will provide written confirmation that deletion has occurred. De-identified, aggregated analytics that cannot reasonably be re-identified may be retained.

12. Term & Termination

This DPA remains in effect for as long as the Service Provider processes Student Data on the School's behalf. Either party may terminate this DPA with thirty (30) days' written notice. Termination triggers the data-return-or-deletion process in Section 11.

Sections 6 (Security Measures — for data not yet returned/deleted), 9 (Breach Notification — for incidents predating termination), 11 (Return & Deletion), 13 (Liability), and 14 (Governing Law) survive termination.

13. Liability & Indemnification

Each party is responsible for its own negligent or wrongful acts to the extent permitted by applicable law. The Service Provider's aggregate liability under this DPA is capped at the greater of (a) the fees paid by the School to the Service Provider in the twelve (12) months preceding the event giving rise to the claim, or (b) one thousand U.S. dollars ($1,000) for free-tier accounts.

Nothing in this DPA limits liability for fraud, willful misconduct, or any other liability that cannot be limited under applicable law.

14. Governing Law

This DPA is governed by the laws of the State in which the School is located, without regard to its conflict-of-laws principles. The parties consent to the exclusive jurisdiction of the state and federal courts located in that State for any dispute arising out of or related to this DPA.

15. Signatures

By signing below, each party agrees to be bound by this Data Processing Agreement.