This Data Processing Agreement (“Agreement”) is entered into by and between Erudyte, located at [Company Address] (“Controller”), and [Partner/Processor Name], located at [Partner Address] (“Processor”) (collectively, the “Parties”). This Agreement governs the terms under which Processor will process personal data on behalf of Controller, ensuring compliance with applicable data protection laws, including the Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Act (COPPA), Protection of Pupil Rights Amendment (PPRA), General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA).
This Agreement establishes the framework for Processor’s handling of personal data on behalf of Controller, ensuring data protection and compliance with all relevant laws. Processor agrees to process personal data only as necessary for the specified services and in accordance with Controller’s documented instructions.
▫️Personal Data: Any information related to an identified or identifiable person, as defined under applicable laws.
▫️Processing: Any operation performed on personal data, including collection, storage, or modification.
▫️Data Subject: An individual whose personal data is processed, including students and minors, as applicable under FERPA, COPPA, PPRA, GDPR, and CCPA.
▫️Sub-Processor: Any third party engaged by Processor to assist with processing personal data on Controller’s behalf.
Processor shall only process personal data as instructed by the Controller and solely for the purposes defined in this Agreement. Processor may not process data beyond the scope of this Agreement without Controller’s explicit written consent.
Processor agrees to:
▫️Comply with all applicable data protection laws, including FERPA, COPPA, PPRA, GDPR, and CCPA, to safeguard personal data.
▫️Implement appropriate technical and organizational measures to ensure data security.
▫️Ensure that personnel authorized to process personal data are bound by strict confidentiality obligations.
▫️Assist Controller in meeting its obligations to respond to data subjects’ rights under applicable laws.
▫️Promptly notify Controller of any data breach involving personal data and cooperate fully in breach response.
Processor shall implement and maintain robust security measures to protect personal data from unauthorized access, loss, or destruction. Measures may include data encryption, secure access controls, and regular testing of security practices to ensure the highest level of data protection.
Processor may engage Sub-Processors only with Controller’s prior written approval. Processor is responsible for ensuring that Sub-Processors adhere to the same data protection obligations outlined in this Agreement, and Processor assumes liability for any Sub-Processor breaches.
Processor must promptly notify Controller in the event of a data breach involving personal data. The notification shall include sufficient details to allow Controller to meet regulatory reporting requirements, and Processor agrees to assist Controller in responding to and mitigating the breach.
Processor shall support Controller in responding to any requests from data subjects to exercise their rights under FERPA, COPPA, PPRA, GDPR, and CCPA, including rights to access, rectify, or delete their data. Processor shall not directly respond to data subjects unless explicitly instructed by Controller.
Processor shall not transfer personal data to third countries or international organizations without Controller’s authorization. Where such transfers are permitted, Processor agrees to implement adequate safeguards, including standard contractual clauses, to ensure compliance with applicable laws.
Processor shall allow Controller or its authorized auditor to conduct audits or inspections to verify compliance with this Agreement. Processor shall provide necessary documentation and assistance to demonstrate adherence to relevant data protection obligations.
Processor shall retain personal data only as necessary to fulfill its obligations under this Agreement. Upon termination of the Agreement or at Controller’s request, Processor shall securely delete or return all personal data, unless otherwise required by law.
Processor shall be liable for damages arising from breaches of this Agreement. Processor agrees to indemnify and hold Controller harmless from any claims, damages, losses, or expenses resulting from Processor’s failure to comply with data protection obligations.
This Agreement is governed by Florida law. Disputes will be resolved through arbitration in Florida, following the American Arbitration Association’s rules.
Any amendments to this Agreement must be in writing and signed by both Parties. Processor agrees to implement any necessary changes to maintain compliance with evolving data protection regulations.
This Agreement remains effective for the duration of Processor’s service to Controller. Upon termination, Processor agrees to stop all processing of personal data and to follow Controller’s instructions on data return or deletion.
For questions regarding this Agreement, please contact us at info[at]erudtion[dot]com.
By entering into this Agreement, both Parties confirm their commitment to high standards of data protection, maintaining compliance with FERPA, COPPA, PPRA, GDPR, CCPA, and other applicable regulations.