One DPA. Every state law your district needs.
The right state and regional exhibits activate based on the district’s state code and data region. Below is a plain-language map of every law we cover and how we cover it.
The SDPC framework, in one paragraph
The Student Data Privacy Consortium’s National DPA v2.0 is the de-facto standard contract for K–12 vendor relationships in the United States. We sign the National DPA as our base agreement, then attach the relevant state exhibit(s). For non-U.S. districts, we attach the appropriate regional exhibit (EU GDPR Art. 8 / UK AADC).
The DPA names Angstroma as a school-authorized agent (COPPA), a school official with legitimate educational interest (FERPA), and binds us to the operator obligations of the state law that applies to the district.
U.S. state student-data laws
The five states with the most active K–12 vendor enforcement. We attach the corresponding exhibit at signing.
Student Online Personal Information Protection Act (SOPIPA)
Scope. Operators of websites or services designed and marketed for K–12 school purposes.
What the law requires of operators
- No targeted advertising based on student data
- No selling of student information
- No creating commercial profiles for non-educational purposes
- Reasonable security and breach notification
- Delete student data on request from the school district
How Angstroma covers it
No advertising of any kind. No data sale. No commercial profiling. Server-side delete API for districts to purge any student record.
Student Online Personal Protection Act (SOPPA)
Scope. Strictest U.S. state law. Operators serving Illinois K–12 schools.
What the law requires of operators
- Annual breach notification to schools (within 30 days of discovery)
- Public-facing list of subprocessors
- Written contract with each school district
- Public list of operators on each district website
- Parents have a direct right of access to data held by operators
How Angstroma covers it
SDPC v2.0 + Illinois SOPPA exhibit signed before processing. Subprocessor list published at /trust. 30-day breach notification clock built into incident-response runbook.
Education Law § 2-d + Part 121 Regulations
Scope. Third-party contractors receiving Personally Identifiable Information (PII) from NY education agencies.
What the law requires of operators
- Adopt the NY State Education Department Parents’ Bill of Rights
- Sign a Data Privacy Agreement with each contracting agency
- Designate a Data Protection Officer
- NIST Cybersecurity Framework alignment
- Annual privacy and security training for staff
How Angstroma covers it
NYSED Parents’ Bill of Rights bundled into the SDPC + NY exhibit. DPO designated. NIST CSF mapping documented. Annual staff training tracked in TenantAuditLog.
Senate Bill 820 (Cybersecurity for Schools)
Scope. School districts and their service providers handling student data.
What the law requires of operators
- Cybersecurity policy aligned with TEA-adopted framework
- Designation of a cybersecurity coordinator
- Breach notification to TEA and affected parents
- Annual cybersecurity risk assessment
How Angstroma covers it
TEA-aligned controls baseline. Coordinator designated. Breach notification SLA matches state requirement. Annual risk assessment via SOC 2 Type II audit.
House Bill 1547 (2023) — Student Online Personal Information Protection
Scope. Operators of websites/services targeted at PreK–12 students or used for school purposes.
What the law requires of operators
- No targeted advertising based on student data
- No selling, leasing, or trading student information
- No use of student data to amass profiles for non-school purposes
- Reasonable security procedures and practices
- Delete student data on school request
How Angstroma covers it
Same architectural constraints as CA SOPIPA cover Florida obligations. No commercial use of student data is possible without a code change.
Need an exhibit for a state not listed? Email [email protected] — we cover all 50 states under the SDPC framework, but only the five above ship with a pre-negotiated exhibit.
International children’s data law
For districts outside the U.S., the operator obligations come from data-protection law. We map the same architectural posture to GDPR and the UK Children’s Code.
GDPR Article 8 — Conditions for child’s consent
Scope. Information society services offered directly to children. Member states set the digital age of consent (13–16).
What the law requires of operators
- Obtain parental consent for direct services to children below the local age of consent
- Make reasonable efforts to verify parental consent
- Provide privacy information in clear, age-appropriate language
- Apply data minimization, purpose limitation, and storage limitation strictly
How Angstroma covers it
School-authorized agent posture mirrors COPPA: districts (the data controller for school operations) consent on behalf of parents. EU data region keeps processing within the EU. Privacy notice translated to age-appropriate language.
Age Appropriate Design Code (AADC) — “Children’s Code”
Scope. Online services likely to be accessed by children in the UK.
What the law requires of operators
- Best interests of the child as a primary design consideration
- High-privacy default settings
- Data minimization and no nudge techniques
- Detrimental use of children’s data prohibited (advertising profiling, geolocation)
- Data Protection Impact Assessment (DPIA) required for relevant services
How Angstroma covers it
High-privacy defaults are the only setting. No advertising profiling possible. No geolocation collected. UK data region keeps processing in-region. DPIA template provided to UK districts on the Schools tier.
How the right exhibit activates
When you sign the Schools DPA in your portal, you supply two fields that drive the rest.
State code
Two-letter state code (e.g. CA, IL, NY, TX, FL) determines which state-law exhibit is attached and which operator-list public registry we add you to.
Data region
US, EU, or UK. Pins your tenant’s data residency and selects the regional regulatory exhibit (e.g. GDPR Art. 8 for EU, AADC for UK).
Server-side gate
Until the agreement is recorded with both fields, IEP / teacher / LTI endpoints return 403 with the controlling citation. There is no “forgot to sign” failure mode.
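The selection and gating logic described above, sketched as an added example (not Angstroma's code). The names Agreement, exhibits_for, gate, the route-group labels, the error key, and the choice of citation when a field is missing are all assumptions; the exhibit labels are the ones used on this page.

```python
from dataclasses import dataclass
from typing import Optional

BASE = "SDPC National DPA v2.0"
# Exhibit labels copied from the page; the dict layout is an assumption.
STATE_EXHIBITS = {
    "CA": "SOPIPA",
    "IL": "SOPPA",
    "NY": "Education Law § 2-d + Part 121 Regulations",
    "TX": "Senate Bill 820",
    "FL": "House Bill 1547 (2023)",
}
REGION_EXHIBITS = {"EU": "GDPR Art. 8", "UK": "AADC"}
REGIONS = {"US", "EU", "UK"}
# Hypothetical route-group names for the IEP / teacher / LTI endpoints.
GATED_GROUPS = {"iep", "teacher", "lti"}


@dataclass(frozen=True)
class Agreement:
    state_code: Optional[str]   # two-letter code, e.g. "IL"
    data_region: Optional[str]  # "US", "EU" or "UK"


def exhibits_for(agreement: Agreement) -> list:
    """Documents attached for a recorded agreement: base plus exhibits."""
    docs = [BASE]
    state = (agreement.state_code or "").upper()
    if state in STATE_EXHIBITS:          # states without a pre-negotiated
        docs.append(STATE_EXHIBITS[state])  # exhibit get the base only
    if agreement.data_region in REGION_EXHIBITS:
        docs.append(REGION_EXHIBITS[agreement.data_region])
    return docs


def gate(route_group: str, agreement: Optional[Agreement]):
    """Fail closed: gated routes get 403 unless both fields are on record."""
    if route_group not in GATED_GROUPS:
        return 200, None
    state = (agreement.state_code or "").upper() if agreement else ""
    region = agreement.data_region if agreement else None
    if len(state) == 2 and state.isalpha() and region in REGIONS:
        return 200, None
    # Assumption: cite the most specific instrument known, else the base DPA.
    citation = STATE_EXHIBITS.get(state) or REGION_EXHIBITS.get(region) or BASE
    return 403, {"error": "dpa_not_recorded", "citation": citation}
```

Keying the check on the resolved route group rather than the raw URL string keeps path-normalization differences from skipping the gate.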
Want the full DPA package?
We’ll send your IT director the SDPC v2.0 base, the relevant state exhibit, and the regional exhibit (if applicable) for review before signing.