iTeachWise
Legal · For District Procurement & Legal Teams

Data Processing Agreement (DPA)

The full text of iTeachWise's standard Data Processing Agreement. Modeled on the SDPC National DPA so most district reviewers can approve it as-is. Available for download as PDF, DOCX, or Markdown.

What this is: the contract that governs how iTeachWise handles District data. Districts may sign this version as-is or send a District-specific DPA for review. Either way, the substantive protections below apply.

1. Roles & relationship

The District is the Data Controller (and the FERPA-protected entity holding educational records). iTeachWise is the Data Processor / 'school official' under the FERPA school-official exception. iTeachWise processes data only on documented District instructions and only to deliver the iTeachWise service.

2. Categories of data processed

(a) Teacher account data: name, work email, school affiliation, role, password hash. (b) Teacher-generated content: lessons, assessments, rubrics, notes, prompts the teacher submits. (c) Usage telemetry: feature use, generation counts, login times. (d) Optional: any student-identifying details a teacher voluntarily enters into a prompt or artifact. Categories (a)–(c) are the default operating set; (d) is contingent and discouraged in product copy.

3. Data minimization

iTeachWise does not require a student roster, student logins, or any student PII to deliver any core feature. The Parent and Student touchpoints (anonymous link-based assignment submission) collect only the responses the student types — no name, address, demographic, biometric, or location data.

4. Use of AI / no-training commitment

iTeachWise uses third-party AI providers (currently Anthropic Claude and OpenAI GPT-4o) under enterprise API contracts that include zero-data-retention and no-training-on-customer-data terms. iTeachWise itself does not host a foundation model and does not use any District data to train, fine-tune, or improve any AI model.

5. Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is restricted to a named on-call engineering group under signed confidentiality agreements with audit-logged access. Production secrets are managed via Replit's encrypted secrets store and rotated on a fixed schedule. SOC 2 Type II audit is in progress with target completion Q3 2026.

6. Sub-processors

The current Sub-Processor List is published at /legal/sub-processors. iTeachWise will give the District at least 30 days' notice (via email to the technical contact on the Order Form and via update to that page) before adding or replacing any sub-processor that processes District data. The District may object in writing within 30 days; unresolved objections give either party the right to terminate the affected Order Form for material breach with pro-rated refund.

7. Sub-processor binding

Every sub-processor is bound by a written contract imposing data protection obligations no less protective than those in this DPA. iTeachWise remains fully liable for the acts and omissions of its sub-processors with respect to District data.

8. Data subject rights

iTeachWise will assist the District in fulfilling requests from teachers, parents, and students (or their authorized representatives) to access, correct, or delete data, including in response to FERPA, GDPR, COPPA, CPRA, and state student-privacy law requests. Standard turnaround is 30 days from a verified request received at district-compliance@iteachwise.com.

9. Breach notification

iTeachWise will notify the District's designated security contact within 72 hours of confirmed unauthorized access to or acquisition of District data. Notice will include scope, accounts affected, root cause once known, and remediation steps. iTeachWise will cooperate with District-led breach response and any regulatory reporting obligations.

10. Audit rights

The District may request, no more than once per twelve-month period, a copy of iTeachWise's most recent SOC 2 report (once available) and a written summary of security controls. On reasonable advance notice and during business hours, the District may also conduct, at its own expense, an audit of iTeachWise's compliance with this DPA, subject to a mutually agreed scope and confidentiality terms.

11. International transfers

Default storage is on US-based infrastructure (Neon Postgres, AWS us-east region). For Districts in the European Economic Area, the United Kingdom, or Switzerland, iTeachWise relies on the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum, both incorporated by reference here and reproduced in full at /legal/eu-uk-compliance.

12. Return & deletion

On termination, iTeachWise will, at the District's election, (a) return District data in a structured, commonly used machine-readable format within 30 days, or (b) delete District data within 30 days, in either case providing written certification of deletion. Generation logs (telemetry) are purged on a 90-day rolling cycle as part of normal operations.

13. Term & termination

This DPA is effective on signature and remains in force for the duration of any active Order Form and any post-termination return/deletion period. Either party may terminate this DPA on 30 days' written notice, provided no Order Form remains active.

14. Governing law

This DPA is governed by the laws of the District's home jurisdiction for District-side disputes; iTeachWise's obligations and liabilities are governed by the laws of the State of Delaware, USA, except where the District's home jurisdiction has mandatory student-privacy or consumer-protection rules that apply notwithstanding choice of law.

15. Notices & signatures

Notices to iTeachWise must be sent to district-compliance@iteachwise.com. Notices to the District must be sent to the technical and legal contacts listed on the executed Order Form. Signed DPAs may be returned by email or via DocuSign.

Frequently asked questions

Can our district use its own DPA template instead of yours?

Yes. iTeachWise reviews and signs district-specific DPAs. The standard DPA on this page is provided as a fast path for districts that do not have their own template; it is modeled on the Student Data Privacy Consortium (SDPC) National DPA so most district reviewers can approve it as-is.

How long does DPA review and signature take?

Most signatures complete within 5 US business days when our standard DPA is used as-is, and 1–2 weeks when a district-specific DPA requires legal review. Send signed DPAs to district-compliance@iteachwise.com.

Does the DPA cover student PII when teachers don't enter any?

Yes. Even though iTeachWise does not require student PII for any core feature, the DPA covers the contingency where a teacher voluntarily includes identifying details in a prompt or saved artifact. That data is treated as the district's record under FERPA and is governed by the same terms.

Is the DPA available in a format other than PDF?

Yes. The DPA is available as PDF, DOCX, and Markdown on request to district-compliance@iteachwise.com. The PDF version on this page is the canonical reference document.

Does signing the DPA commit our district to a paid plan?

No. Signing the DPA only governs how iTeachWise handles district data. It does not obligate the district to purchase, renew, or expand any plan. A separate Order Form establishes any commercial relationship.