# Student Data Privacy Agreement — Template

**DRAFT — NOT FOR SIGNATURE. Pending review by outside counsel (legal-review-districts-2026-06-10).**

**IMPORTANT — READ BEFORE USE:**
This template has not been reviewed by legal counsel. It must be reviewed and approved by Princess (Plio Academy's executive director) and legal counsel **before any external signature**. Template ≠ legal advice. See [README.md](./README.md).

---

## STUDENT DATA PRIVACY AGREEMENT

**Between:**

Plio Academy, Inc. ("Provider"), a nonprofit corporation organized under the laws of [STATE], located at [ADDRESS], and

[DISTRICT NAME] ("District"), a public school district located at [ADDRESS]

*(collectively, "the Parties")*

**Effective Date:** ___________________________

**Term:** [START DATE] through [END DATE], with annual renewal unless either party gives 30 days' written notice of non-renewal.

---

## PART I — DEFINITIONS

**1.1 "Student Data"** means any information, in any medium or format, that is directly or indirectly linked or linkable to an identified or identifiable student, created or provided by the District to the Provider, or collected by the Provider in connection with the Services. Student Data collected by Provider is limited to:

- **Display Name** — for district-rostered students, the student's first name only, as provided by the district's roster system; no surname is stored on the Plio platform. Consumer-path (guardian-enrolled) students may use a chosen display name or nickname;
- **Avatar** — an emoji character selected by the guardian or student from a fixed set;
- **Date of Birth** — used solely to recommend an age-appropriate learning tier (Explorer/Builder/Innovator); never displayed publicly or transmitted to third parties for non-educational purposes;
- **Grade Band** — a coarse grouping (e.g., K–2, 3–5, 6–8, 9–12) derived from the district's roster; no individual grade is stored beyond the band mapping;
- **Learning Activity Data** — lesson completion records, quiz responses, placement quiz results, time-on-task, and skill mastery indicators;
- **Account Identifiers** — internal platform UUIDs and, for district-rostered students, Clever student identifiers (cleverId) used only to reconcile roster updates;
- **Roster Sync Metadata** — timestamps, status codes, and record counts generated during each Clever roster sync event; no additional student PII;
- **AI-Tutor Chat Transcripts** — text of student interactions with the Lio AI tutor, transmitted to Anthropic, PBC on a per-request basis for response generation and discarded from Anthropic infrastructure after response delivery (transient; no training use; see Part VII). Provider retains transcripts for up to 30 days for safety review and then deletes them; and
- **Lio Learning-Memory Fields** — `lioSummary` and `lioProfile`, which are automated behavioral summaries (e.g., preferred learning pace, recently mastered topics) generated by the AI system; these fields contain no personally identifiable information by policy and are subject to automated PII-scrubbing before storage.

No email address, phone number, street address, photograph, Social Security number, government-issued identifier, biometric data, or geolocation data is collected from students.

**1.2 "De-identified Data"** means Student Data from which all direct and indirect personally identifiable information has been removed or obscured such that the remaining data cannot reasonably be used to identify an individual student. De-identified Data may be used by Provider for product improvement, research, and aggregated reporting, provided that Provider implements reasonable safeguards against re-identification and does not attempt to re-identify such data.

**1.3 "Education Records"** has the meaning given under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g ("FERPA"), and its implementing regulations at 34 C.F.R. Part 99.

**1.4 "Services"** means the Plio Academy learning platform accessible at [learn.plio.academy] and associated administrative interfaces, as described in any Statement of Work, Order Form, or pilot agreement between the Parties.

**1.5 "Subprocessors"** means third-party vendors engaged by Provider to process Student Data on Provider's behalf in connection with the Services, as listed in Part VII of this Agreement.

---

## PART II — FERPA SCHOOL OFFICIAL DESIGNATION

**2.1 School Official Status.** The District hereby designates Provider as a "school official" under FERPA (34 C.F.R. § 99.31(a)(1)(i)(B)) for the purpose of performing the Services. Provider acknowledges that it performs an institutional service or function for which the District would otherwise use its own employees, and that Provider is under the direct control of the District with respect to the use and maintenance of Education Records.

**2.2 Annual Notification Representation.** The District represents that its annual FERPA notification to parents and eligible students, as required by 34 C.F.R. § 99.7, designates or describes the criteria for identifying operators like Provider as "school officials" with a legitimate educational interest in Education Records. The District shall update its annual notification as necessary to maintain the accuracy of this representation.

**2.3 Legitimate Educational Interest.** Provider shall access and use Education Records only to the extent necessary to perform the Services and only in furtherance of the legitimate educational interest of the District's students.

**2.4 Prohibition on Unauthorized Re-disclosure.** Consistent with 34 C.F.R. § 99.33, Provider shall not disclose Education Records received from the District to any third party except: (a) to Subprocessors as permitted under Part VII, under written agreements that impose re-disclosure limitations no less restrictive than those required by 34 C.F.R. § 99.33; (b) as directed in writing by the District; or (c) as required by applicable law, in which case Provider shall give the District prompt notice before disclosure to the extent permitted by law. Provider confirms that each executed Subprocessor agreement imposes equivalent re-disclosure limitations.

**2.5 Direct Control and Audit Rights.** Provider acts only on documented District instructions with respect to District student data. The District may exercise its direct-control rights through the following operational mechanism: Provider maintains a FERPA access log (the `logDistrictAccess` audit trail) that records every access to district student data via the district dashboard and roster sync operations, including timestamps, the accessing user or system actor, the action type, and the student record counts involved. The District may request a copy of this log at any time by written request to compliance@plio.academy under Section 5.2(d); Provider shall deliver the requested log records within ten (10) business days.

**2.6 Parental Inspection Rights (34 C.F.R. § 99.10).** For school-rostered students, FERPA inspection and correction rights are exercised through the District. The District may submit parent-initiated record inspection requests to Provider. Provider shall fulfill such requests within **30 days** of receipt of a written request from the District (the FERPA maximum is 45 days; Provider commits to the shorter period). Provider's records-request fulfillment process is documented in the operational runbook available to the District upon request.

---

## PART III — COPPA — SCHOOL CONSENT PROVISION

**3.1 Operator Status.** Provider is an "operator" under the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. ("COPPA"), and its implementing rule at 16 C.F.R. Part 312. Provider's school-authorization COPPA notice, describing what Provider collects from students, how it is used, and the school's review and deletion rights, is published at **https://plio.academy/for-districts/coppa-school-notice** ("School Authorization Notice"). Provider shall maintain this notice at a stable URL and shall provide a copy to the District for distribution to parents.

**3.2 School as Agent of Parental Consent — Plio's Affirmative Notice Obligation.** Consistent with FTC guidance on schools acting as intermediaries for parental consent (FTC COPPA FAQ §§ Q-38–Q-45), the District, by executing this Agreement and provisioning student accounts through the rostering interface, authorizes Provider to collect limited personal information (as defined in Section 1.1) from students under age 13 **for educational purposes only and within the educational context**.

Provider's obligations:

(a) Provider has published, and shall maintain, the School Authorization Notice at the URL in Section 3.1, which contains the disclosures required by 16 C.F.R. § 312.4(b) as applicable to the school-authorization path: (i) the categories of personal information collected from students and how each category is used; (ii) the school's right to review and request deletion of student data; and (iii) that Provider does not condition a student's participation in any activity on disclosure of more information than is reasonably necessary;

(b) Provider shall provide a copy of the School Authorization Notice to the District upon request and whenever the notice is materially updated, so the District can distribute it to parents; and

(c) The District's obligation under this Section is distribution of the School Authorization Notice to parents, not authorship. The District represents that it has the legal authority, under applicable law and its own technology-use policies, to authorize the collection described herein on behalf of parents for educational purposes.

**3.3 Parent Withdrawal.** The District will notify Provider promptly if a parent withdraws consent, in which case Provider will delete that student's account and all associated Student Data within 30 days.

**3.4 No Behavioral Profiling or Advertising.** Provider does not use Student Data collected under this Agreement for behavioral advertising, interest-based targeting, or the construction of profiles for commercial purposes unrelated to education. This prohibition extends to all Subprocessors.

---

## PART IV — DATA USE RESTRICTIONS AND PROHIBITIONS

**4.1 Permitted Uses.** Provider shall use Student Data solely to:

(a) provide, maintain, and improve the Services for the benefit of District students;

(b) respond to District-initiated queries and generate reports for authorized District personnel;

(c) comply with applicable law and legal process; and

(d) create De-identified Data for internal product research, provided that the safeguards in Section 1.2 are met.

**4.2 Prohibited Uses.** Provider shall not:

(a) **sell or transfer Student Data** for monetary or other consideration to any person or entity, including but not limited to data brokers or marketing firms;

(b) **use Student Data for targeted advertising** directed at students, parents, or guardians, on or off the platform;

(c) **use Student Data to build profiles** of students for purposes other than providing the Services or as expressly permitted by the District in writing;

(d) **use Student Data to discriminate** against students on the basis of race, color, national origin, sex, disability, or other protected characteristic;

(e) **link or associate Student Data with third-party data** for commercial purposes; or

(f) **retain Student Data** beyond the periods specified in Part VIII or beyond the Term of this Agreement except as required by law.

---

## PART V — SECURITY MEASURES

**5.1 Administrative Safeguards.** Provider maintains written information security policies appropriate to its size and the sensitivity of Student Data. Employees with access to Student Data receive privacy and security training at onboarding and at least annually thereafter.

**5.2 Technical Safeguards.**

(a) **Encryption in transit** — all data transmitted between users and Provider's systems uses TLS 1.2 or higher;

(b) **Encryption at rest** — Student Data stored in Provider's primary database (Neon/PostgreSQL, hosted on AWS us-west-2) is encrypted at rest using AES-256;

(c) **Access controls** — access to Student Data is restricted to Provider personnel and Subprocessors with a need-to-know for the performance of the Services, governed by role-based access controls (Clerk RBAC);

(d) **Audit logging** — district student data access via the district dashboard and roster sync operations is audit-logged with timestamp, user ID, and action type. Audit logs are retained for a minimum of **twelve (12) months** and are available to the District upon written request per Section 2.5. If the Term end date is blank or has expired, the twelve-month audit-log retention obligation runs from the date of last data receipt; and

(e) **Password and authentication policies** — Provider platform accounts require strong passwords and support multi-factor authentication.

**5.3 Physical Safeguards.** Provider uses cloud infrastructure providers (see Part VII) whose data centers maintain SOC 2 Type II or equivalent certifications.

**5.4 Vulnerability Management.** Provider employs commercially reasonable practices for software development, dependency management, and vulnerability remediation.

---

## PART VI — BREACH NOTIFICATION

**6.1 Discovery and Notice.** Provider shall notify the District in writing no later than **72 hours** after discovering a security incident that results in, or is reasonably likely to result in, unauthorized access to, disclosure of, or use of Student Data ("Security Incident"). This notice period is designed to meet or exceed the requirements of applicable state law, including New York Education Law § 2-d(6)(b), which requires a contractor to notify the educational agency within seven (7) calendar days of the contractor's discovery of a breach.

**6.2 Contents of Notice.** Notification shall include, to the extent then known: (a) a description of the nature of the incident; (b) the categories and approximate number of students affected; (c) the categories and approximate number of Student Data records affected; (d) the likely consequences of the incident; and (e) the measures taken or proposed to address the incident.

**6.3 Cooperation and Cost Allocation.** Provider shall cooperate with the District's investigation and shall take reasonable steps to remediate the cause of the incident. Provider shall provide the District with a written summary of remediation measures within **30 days** of the initial notification. Investigation and remediation costs for Security Incidents attributable to Provider's or its Subprocessors' actions or omissions shall be borne by Provider.

**6.4 No Prior Public Disclosure.** Provider shall not publicly disclose the Security Incident in a manner that identifies the District or its students without the District's prior written consent, except as required by law.

---

## PART VII — SUBPROCESSORS

Provider currently uses the following Subprocessors to process Student Data in connection with the Services. Provider shall maintain an up-to-date version of this list at [plio.academy/trust/compliance] and shall notify the District at least **30 days** in advance of adding or replacing any Subprocessor that will process Student Data.

| Subprocessor | Location | Purpose | Data Processed |
|---|---|---|---|
| **Neon, Inc.** (Neon) | United States (AWS us-west-2) | Primary database (PostgreSQL, serverless) | All Student Data at rest |
| **Vercel, Inc.** | United States | Application hosting and CDN | Request data in transit; session tokens |
| **Clerk, Inc.** | United States | Authentication and identity management | Guardian account identifiers; session tokens (no student PII stored in Clerk) |
| **Stripe, Inc.** | United States | Payment processing (donation flow only) | No Student Data; guardian billing info only |
| **Resend, Inc.** | United States | Transactional email (guardian-only communications) | Guardian email address; no student PII |
| **Anthropic, PBC** | United States | AI tutor response generation and Lio learning-memory summarization | AI-tutor chat transcript text (student message + tutor reply, per request); per Anthropic's commercial API terms, API data is not used to train Anthropic's models; zero-retention addendum status: [CONFIRM WITH COUNSEL before first district signature] |

Provider shall enter into written data processing agreements with each Subprocessor that impose obligations no less protective than those in this Agreement, including re-disclosure limitations consistent with 34 C.F.R. § 99.33. Provider remains responsible for each Subprocessor's compliance with this Agreement.

---

## PART VIII — DATA RETURN AND DELETION

**8.1 District Request.** The District may request, at any time during the Term, a complete export of all Student Data associated with its students. Provider shall deliver the export in a machine-readable format (CSV or JSON) within **15 business days** of the written request at no charge.

**8.2 Termination.** Upon expiration or termination of this Agreement:

(a) Provider shall **return all Student Data** to the District in a machine-readable format within **30 days**; and

(b) Provider shall **securely delete or destroy** all remaining copies of Student Data within **30 days** after delivery of the export (or, if no export is requested, within 30 days of termination), and shall certify such deletion in writing to the District.

**8.3 Retention Backstop.** If the Term start or end dates on the cover page are blank or have expired at the time this Agreement is executed or renewed, Provider's deletion obligations under Section 8.2 shall run from the date of last receipt of Student Data from the District. This backstop prevents indefinite retention in the event of administrative oversight.

**8.4 Legal Hold Exception.** Provider may retain Student Data beyond the periods above to the minimum extent required by applicable law or legal process, provided that it continues to protect such data under the terms of this Agreement and notifies the District of the legal basis for continued retention.

**8.5 De-identified Retention.** Provider may retain De-identified Data indefinitely, subject to the safeguards in Section 1.2.

---

## PART IX — TERM AND TERMINATION

**9.1 Term.** This Agreement commences on the Effective Date and continues for the period specified on the cover page, unless earlier terminated.

**9.2 Termination for Cause.** Either party may terminate this Agreement immediately upon written notice if the other party materially breaches this Agreement and fails to cure the breach within **30 days** of receiving written notice of the breach.

**9.3 Effect of Termination.** Termination does not relieve either party of obligations that accrued before the termination date. Parts IV (Data Use Restrictions and Prohibitions), V (Security Measures), VI (Breach Notification), VII (Subprocessors), and VIII (Data Return and Deletion) survive termination.

---

## PART X — GOVERNING LAW AND DISPUTE RESOLUTION

**10.1 Governing Law.** This Agreement shall be governed by and construed in accordance with the laws of the State of **[GOVERNING STATE — to be negotiated; typically the District's state]**, without regard to conflict-of-law principles.

**10.2 Dispute Resolution.** The Parties shall attempt to resolve any dispute arising under this Agreement through good-faith negotiation. If negotiation fails within **30 days**, the parties shall submit the dispute to non-binding mediation before initiating litigation.

---

## PART XI — GENERAL PROVISIONS

**11.1 Entire Agreement.** This Agreement, together with any applicable state addenda attached hereto, constitutes the entire agreement between the Parties with respect to Student Data and supersedes all prior agreements and representations concerning the subject matter herein.

**11.2 Amendment.** This Agreement may be amended only by a written instrument signed by authorized representatives of both Parties.

**11.3 Severability.** If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

**11.4 Notices.** Notices under this Agreement shall be in writing and delivered to:

- **Provider:** Plio Academy, Inc., Attn: Compliance, [ADDRESS], compliance@plio.academy
- **District:** [DISTRICT CONTACT NAME], [TITLE], [ADDRESS], [EMAIL]

**11.5 No Waiver.** Failure by either party to enforce any provision of this Agreement shall not constitute a waiver of that party's right to enforce such provision in the future.

**11.6 Counterparts / Electronic Signatures.** This Agreement may be executed in counterparts, each of which shall be deemed an original. Electronic signatures are accepted and shall have the same legal effect as original signatures.

---

## SIGNATURE BLOCKS

**PLIO ACADEMY, INC.**

By: ___________________________

Name: ___________________________

Title: ___________________________

Date: ___________________________

**[DISTRICT NAME]**

By: ___________________________

Name: ___________________________

Title: ___________________________

Date: ___________________________

---

*Attachments: State Addenda (if applicable — see docs/districts/dpa/state-addenda/)*

---

**Document version:** 1.1-draft | **Last revised:** 2026-06-10 | **Status:** DRAFT — NOT FOR SIGNATURE. Pending review by outside counsel (legal-review-districts-2026-06-10).
