
Data Processing Agreement

Template version 1.0 — April 14, 2026

This page describes the standard terms of our Data Processing Agreement (DPA). A signed DPA is required before any Schools tier feature that processes student data is activated. To request, review, or execute a DPA, email [email protected]. See also our FERPA Compliance and Privacy Policy.


This is a summary of our standard DPA terms. The legally binding agreement is the executed document signed by both parties. Schools tier subscribers receive a DPA at no additional cost. Contact [email protected] to initiate the DPA process. Student-linked features are locked until a DPA is countersigned.

Regulatory note. The FTC's 2024–2025 COPPA Final Rule takes effect April 22, 2026. It codifies the school-consent exception at 16 C.F.R. § 312.5(c)(6), tightens retention limits, and adds a separate consent for third-party advertising. This DPA is aligned with the 2024–2025 Final Rule; schools signing before the effective date are already in compliance.

1. Definitions

| Term | Meaning |
|---|---|
| Controller | The School — the legal entity that determines the purposes and means of processing Student Data. |
| Processor | Angstroma — processes Student Data on behalf of and under instruction from the Controller. |
| Student Data | Any personal data relating to students that is provided to or accessed by Angstroma under the Agreement, including education records as defined by FERPA. |
| Agreement | The Angstroma Terms of Service and Schools tier subscription, together with this DPA. |
| Processing | Any operation performed on Student Data, including collection, storage, retrieval, transmission, alteration, or deletion. |
| Sub-Processor | A third-party engaged by Angstroma to process Student Data on its behalf. |
| EEA | The European Economic Area. |
| FERPA | The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and 34 C.F.R. Part 99. |
| COPPA | The Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, and 16 C.F.R. Part 312. |
| IDEA | The Individuals with Disabilities Education Act, 20 U.S.C. § 1400 et seq. |
| LEA | Local Education Agency — the school district or equivalent authority. |

2. Scope & Duration

This DPA applies to all processing of Student Data by Angstroma on behalf of the School in connection with the delivery of accessibility services under the Schools tier subscription.

The DPA takes effect on the date countersigned by an authorized representative of the School and remains in force for the duration of the Schools tier subscription, plus any applicable data retention period thereafter (Section 8). Termination of the subscription triggers the obligations in Section 8 (deletion).

Scope limitation: This DPA covers only student-linked features — IEP document processing, student accessibility profiles, and teacher compliance dashboards. General widget analytics collected from non-authenticated visitors are covered by the standard Privacy Policy and are out of scope.

3. Roles & Responsibilities

3.1 School (Controller)

The School is the data controller for all Student Data. The School:

  • Determines what Student Data is provided to Angstroma and for what purpose
  • Ensures it has a lawful basis to share Student Data (FERPA § 99.31, COPPA school consent authority, or applicable state law)
  • Is responsible for notifying parents of data sharing with Angstroma (including in the Annual FERPA Notice — see Section 13)
  • Remains solely responsible for compliance with FERPA, COPPA, IDEA, ADA, and applicable state student privacy laws
  • Provides written instructions to Angstroma regarding processing; Angstroma will not process outside those instructions unless required by law

3.2 Angstroma (Processor)

Angstroma is the data processor. Angstroma:

  • Processes Student Data only on documented instructions from the School
  • Maintains appropriate technical and organizational security measures (Section 6)
  • Does not determine the purposes or means of processing Student Data
  • Does not sell, rent, share, or use Student Data for any purpose other than delivering contracted accessibility services
  • Ensures that personnel with access to Student Data are bound by confidentiality obligations

4. Permitted Purposes

Angstroma is authorized to process Student Data solely for the following purposes:

  1. IEP Accommodation Extraction. Processing uploaded IEP documents to identify accessibility accommodation types and configure corresponding platform features for the student.
  2. Accessibility Profile Management. Storing and retrieving the student's accessibility preferences (feature toggles and values) to deliver a consistent accessible experience across sessions.
  3. Teacher Compliance Dashboards. Providing authorized school staff with aggregated views of accommodation implementation rates and feature usage for enrolled students.
  4. Service Improvement (Aggregated Only). Using de-identified, aggregated data to improve service reliability, performance, and accommodation mapping accuracy. No individual student is identifiable in this processing.
  5. Legal Compliance. Processing necessary to comply with applicable law, including responding to court orders, provided Angstroma notifies the School unless legally prohibited.

Prohibited purposes: Angstroma will not use Student Data for advertising, behavioral profiling, sale to third parties, training commercial AI models, or any purpose not listed above.

5. Categories of Student Data Processed

| Category | Examples | Retention |
|---|---|---|
| Opaque Student Identifier | School-assigned ID (e.g., "student_4821") — not name or SSN | Duration of subscription + 90 days |
| Accommodation Types | TextToSpeech, LargeFont, HighContrast — anonymized category codes | Duration of subscription + 90 days |
| Accessibility Feature Preferences | Feature toggle states and values configured by or for the student | Duration of subscription + 90 days |
| IEP Document Text (transient) | Full document text — redacted before external processing; source file deleted immediately after parsing | Zero — deleted within minutes of upload; never stored in database |
| Usage Telemetry (aggregated) | Counts of feature activations per student per week — no content or keystrokes | Duration of subscription + 90 days |
| Audit Logs | Who accessed what records, when, and for what purpose | 2 years (SOC 2 requirement) |

Minimum necessary principle: Angstroma processes only the Student Data strictly necessary to deliver the contracted service. PII from IEP documents (student names, dates of birth, addresses, SSNs, parent names) is automatically redacted before any processing and is never stored.

6. Technical & Organizational Security Measures

Angstroma maintains the following security measures, consistent with the sensitivity of Student Data and the requirements of FERPA, COPPA, and applicable state law:

6.1 Encryption

  • All Student Data encrypted at rest (AES-256) in Azure SQL Database
  • All data in transit encrypted with TLS 1.3 minimum
  • IEP files stored encrypted in Azure Blob Storage (server-side encryption with Microsoft-managed keys)

6.2 Access Control

  • Role-based access control — Student Data accessible only to authorized school personnel and Angstroma operations staff with a documented need
  • Multi-factor authentication required for all Angstroma personnel with access to production systems
  • Least-privilege principle enforced; access reviewed quarterly

6.3 Infrastructure

  • Hosted on Microsoft Azure in the United States (East US region)
  • Cloudflare WAF and DDoS protection on all endpoints
  • Network segmentation; database not publicly reachable
  • Automatic patching and vulnerability scanning

6.4 Procedures

  • Documented incident response plan with 48-hour notification SLA (Section 10)
  • Background screening for personnel with Student Data access
  • Annual security training for all staff
  • Immutable audit logs retained for 2 years

7. Approved Sub-Processors

By executing this DPA, the School provides general authorization for Angstroma to engage the following sub-processors for the listed purposes. Angstroma will notify the School at least 30 days in advance of adding or replacing a sub-processor that handles Student Data, providing the School with the opportunity to object.

| Sub-Processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, encrypted database, blob storage, managed identity, secrets management (Key Vault), application performance monitoring (Application Insights) | All student data categories (encrypted at rest) | United States (East US) |
| Anthropic PBC (Claude AI) | IEP accommodation extraction from redacted document text | Redacted IEP text ONLY — no direct identifiers | United States |
| Cloudflare, Inc. | DNS, WAF, DDoS protection, TLS termination, bot mitigation (Turnstile CAPTCHA) | IP addresses and request metadata only — no education record content | Global (edge; configuration data stored in US) |
| Vercel Inc. | Hosting for marketing site and customer portal; TLS termination; edge request routing | IP addresses, request metadata, and authenticated session cookies — no student data persisted on Vercel | Global (edge; primary region US) |
| Bunny CDN (BunnyWay d.o.o.) | Widget SDK and static asset delivery | IP addresses and user-agent only — no education record content | Global (edge) |
| Stripe, Inc. | Payment processing, subscription management, tax calculation, customer billing portal | School billing contact details, tokenized payment method, invoice metadata — no student data | United States |
| Resend (Resend.com, Inc.) | Transactional email delivery (account verification, password reset, team invites, 2FA codes, billing notifications). Links are time-limited and single-use. | Recipient email address and message content — no student data is sent by email by default | United States |
| Have I Been Pwned (Superlative Enterprises Pty Ltd) | Password breach screening at registration and password change | First five characters of the SHA-1 hash of the chosen password only (k-anonymity per RFC 9796 pattern) — the password itself never leaves the user’s browser | Australia |
| Sentry (Functional Software, Inc.) | Application error monitoring and debugging | Error context — student identifiers suppressed from error payloads | United States |

Angstroma maintains its own Data Processing Agreements with each sub-processor listed above, imposing equivalent data protection obligations. Contact [email protected] for copies of applicable sub-processor DPAs.

8. Retention & Deletion

8.1 Standard Retention

Student Data is retained for the duration of the active Schools tier subscription plus a 90-day wind-down period following termination or expiry. This period allows the School to retrieve any required data before permanent deletion.

8.2 IEP Documents

Source IEP files are deleted immediately and permanently upon completion of accommodation extraction — typically within minutes of upload. In no case are IEP source files retained longer than 24 hours after upload. This deletion is logged in Angstroma's immutable audit trail.

8.3 Individual Deletion Requests

The School may request deletion of all data associated with a specific student at any time via [email protected]. Angstroma will complete deletion within 30 days and provide written confirmation. Deletion cascades to all linked records including accommodation types, feature preferences, and usage telemetry. Audit log entries recording that a deletion occurred are retained for compliance purposes.

8.4 Termination Deletion

Within 90 days of subscription termination, Angstroma will permanently delete (or, on written request, return) all Student Data. Written confirmation of deletion will be provided within 10 business days of completion.

IDEA-aligned accommodation retention: Schools subject to IDEA should ensure their own student records systems retain accommodation history for the mandatory period (typically 3–5 years post-exit, plus any applicable state requirement) before requesting deletion from Angstroma. Angstroma's 90-day wind-down retention is not a substitute for the school's own IDEA record-keeping obligation.

9. Data Subject Rights

Under FERPA, parents and eligible students (age 18+) have the following rights with respect to Student Data held by Angstroma on behalf of the School:

  • Inspect & Review: Request access to all Student Data Angstroma holds for the student
  • Correct: Request amendment of inaccurate or misleading records
  • Delete: Request deletion of all Student Data (subject to Section 8.4)
  • Portability: Receive a copy of Student Data in a machine-readable format (JSON)

These rights are exercised through the School. The School submits the request to Angstroma at [email protected] with the subject line "FERPA Rights Request — [School Name] — [Student ID]". Angstroma responds within 30 days.

For Schools with EU/EEA students, the GDPR rights enumerated in Articles 15–22 apply additionally. Requests should be submitted through the same channel.

10. Breach Notification

In the event of any actual or reasonably suspected unauthorized access to, disclosure, loss, or alteration of Student Data, Angstroma will:

  1. Notify the School within 48 hours of becoming aware of the incident. Notification may be preliminary if investigation is ongoing — Angstroma will not delay notification to complete the full investigation.
  2. Include in the notification: the nature of the incident; the categories and approximate volume of Student Data involved; the likely consequences; the measures taken or proposed to address the incident and mitigate its effects.
  3. Cooperate fully with the School's incident response and any regulatory investigation (including by the U.S. Department of Education, FTC, or applicable state authority).
  4. Provide updates at least every 48 hours until the incident is fully resolved and remediated.
  5. Assist with regulatory notifications to the extent required — including providing information needed for the School to notify parents under FERPA or applicable state law.

To report a security incident: [email protected] (monitored 24/7).

11. International Data Transfers

Angstroma processes and stores Student Data in the United States (Microsoft Azure East US region). If the School is located in a jurisdiction with cross-border data transfer restrictions (e.g., EU/EEA member states, UK), the following mechanisms apply:

  • EU/EEA: The European Commission Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module Two — Controller to Processor, are incorporated into this DPA by reference. Annex I (parties & processing description), Annex II (technical and organisational measures), and Annex III (sub-processors) are populated by Sections 1, 9, and 7 of this DPA respectively. Docking clause (Clause 7) is accepted; optional Clause 11(a) (independent dispute resolution) is not selected. Governing law: Ireland; forum: Irish courts. Full SCC text is available on written request to [email protected].
  • United Kingdom: The ICO's International Data Transfer Addendum (IDTA) issued under s.119A of the Data Protection Act 2018 is appended to the EU SCCs above and incorporated by reference.
  • Other jurisdictions: Angstroma will enter into any transfer mechanism required by applicable law on written request.

For U.S. K–12 schools, Student Data remains within the United States at all times and no cross-border transfer restrictions apply.

12. Audits & Certifications

Angstroma is pursuing SOC 2 Type II certification (target: Q4 2026). Upon completion, SOC 2 reports will be made available to Schools under NDA on written request.

In the meantime, Angstroma will:

  • Respond to reasonable written security questionnaires from Schools within 20 business days
  • Provide evidence of security controls (penetration test summaries, access control policies) under NDA on written request
  • Allow Schools to conduct on-site audits (at School's expense, with 30 days' notice, no more than once per year) provided such audits do not compromise other customers' data security

13. FERPA & COPPA Specific Terms

13.1 FERPA School Official Designation

By executing this DPA, the School formally designates Angstroma as a school official under 34 C.F.R. § 99.31(a)(1) with a legitimate educational interest in Student Data limited to the purposes in Section 4. Angstroma agrees to be subject to the same conditions on use of education records as the School itself under FERPA.

Schools must include Angstroma in their Annual FERPA Notice. The notice must identify the criteria used to determine who constitutes a school official and what constitutes a legitimate educational interest. Contact [email protected] for suggested Annual FERPA Notice language.

13.2 FERPA Re-Disclosure Prohibition

Angstroma agrees not to re-disclose Student Data to any party without the School's prior written authorization, except to sub-processors listed in Section 7 as necessary to deliver contracted services, or as required by law.

13.3 COPPA — School Consent Authority

Angstroma's Schools tier is provided to schools and LEAs acting in loco parentis. The School represents and warrants that it has obtained, or is authorized under COPPA's school consent exception (16 C.F.R. § 312.5(b)(1)), to consent on behalf of parents to Angstroma's collection and use of personal information from children under 13 for the educational purpose of providing accessibility accommodations.

Angstroma will not:

  • Collect more information from students under 13 than reasonably necessary for the educational purpose
  • Condition participation in any activity on disclosure of more personal information than strictly necessary
  • Use information collected from students under 13 for any commercial purpose, including advertising or marketing

13.4 School Warranties

The School represents and warrants that:

  • It has the authority under FERPA, COPPA, IDEA, and applicable state law to provide Student Data to Angstroma for the purposes described in this DPA
  • All student consent, parental consent, or other authorizations required by applicable law have been obtained or are covered by the school consent exception
  • It will not provide Student Data beyond what is necessary for the contracted accessibility services
  • It will promptly notify Angstroma if it becomes aware of any breach of these warranties

14. Liability

Each party's liability under this DPA is subject to the liability limitations in the Angstroma Terms of Service. However, the following carve-outs apply to Student Data:

  • Angstroma's liability for unauthorized disclosure of Student Data caused by Angstroma's breach of this DPA or applicable security measures is uncapped (i.e., the standard Terms of Service cap does not apply).
  • The School indemnifies Angstroma for any claims arising from the School's breach of its warranties in Section 13.4 (e.g., FERPA violations caused by the School providing data without authorization).
  • Neither party is liable for failures caused by the other party's breach of this DPA.

15. How to Execute a DPA

To receive, review, and countersign a binding DPA:

  1. Email [email protected] with the subject line "DPA Request — [School/District Name]".
  2. Angstroma will send a pre-populated DPA within 3 business days, including the School's name, contact details, and the specific sub-processors relevant to your subscription.
  3. Review the DPA and return a countersigned copy to [email protected]. Angstroma countersigns and returns a fully executed copy within 2 business days.
  4. Upon execution, student-linked features are activated in your Angstroma portal.

No charge: The DPA is provided at no additional cost to all Schools tier subscribers. DPA execution is a prerequisite, not an add-on.

Contact

  • DPA requests & execution: [email protected]
  • FERPA & student privacy: [email protected]
  • Security incidents: [email protected]
  • Legal inquiries: [email protected]