This Data Processing Addendum ("DPA") forms part of the StorylineIQ Subscription Agreement between the customer ("District") and StorylineIQ ("Provider") and governs Provider's processing of Personal Data, including Student Data, on behalf of the District.
1. Definitions
"Student Data" means personally identifiable information about a student maintained in education records, including data covered by FERPA, COPPA, and applicable state student-privacy statutes.
2. Roles
The District is the data controller of Student Data. Provider processes Student Data solely as a school official with a legitimate educational interest (FERPA §99.31(a)(1)) and under the direction of the District.
3. Permitted purposes
Provider shall process Student Data only to (a) provide the contracted service, (b) maintain and improve the service in aggregate, deidentified form, and (c) comply with law. Provider shall not sell Student Data, use it for advertising, or use it to train third-party models on identifiable student information.
4. Security
Provider maintains a written information security program including encryption in transit and at rest, role-based access controls, multi-factor authentication for administrative access, audit logging, and annual review. See Security for current controls.
5. Sub-processors
Provider's current sub-processors are listed at /sub-processors. Provider remains responsible for sub-processor performance.
6. Data subject requests
Provider shall assist the District in responding to parent requests under FERPA §99.10 (inspect & review) and §99.20 (amend) within the timeframes required by law.
7. Breach notification
Provider shall notify the District without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach.
8. Retention & deletion
Districts configure retention windows in the product. On contract termination, Provider shall delete all District data within 30 days of the District's written request and certify deletion upon request.
9. Audit
Provider shall make available to the District all information necessary to demonstrate compliance with this DPA and shall allow for audits by the District or an auditor mandated by the District upon reasonable notice.
10. Governing law
This DPA is governed by the law specified in the underlying Subscription Agreement.
Districts requiring a signed DPA, or a state-specific addendum, please contact legal@storylineiq.com.
