Data Processing Agreement

Controller–Processor Agreement under FERPA, GDPR & CCPA

SafeClass Shield · Last Updated: June 1, 2026

FERPA · GDPR Art. 28 · CCPA · COPPA Safe Harbor

This Data Processing Agreement ("DPA") is entered into between the school, district, or parent organization ("Controller") and SafeClass Shield, Inc. ("Processor"). It forms part of the Terms of Service and governs the processing of personal data on behalf of the Controller.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, including student education records as defined under FERPA.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Controller" means the school, school district, or parent organization that determines the purposes and means of data processing.

"Processor" means SafeClass Shield, Inc., which processes Personal Data on behalf of the Controller.

"Sub-Processor" means any third party engaged by SafeClass Shield to process Personal Data.

2. Scope and Nature of Processing

SafeClass Shield processes the following categories of data on behalf of the Controller:

  • Student names and identifiers (for child profile management)
  • Device identifiers and activity logs (for content filtering)
  • Educational record data via LMS integrations (Google Classroom, Canvas, etc.)
  • Browser activity summaries (domains visited, blocked/allowed status)
  • Assignment and grade status information
  • Parent/guardian contact information (email, account credentials)

Purpose: Processing is performed solely to provide SafeClass Shield's parental monitoring, content filtering, and educational tracking services as described in the Terms of Service.

SafeClass Shield will process Personal Data only on documented instructions from the Controller, unless required by law.

3. Controller Obligations

The Controller agrees to:

  • Obtain all necessary consents and authorizations before providing Personal Data to SafeClass Shield
  • Comply with applicable data protection laws (FERPA, COPPA, GDPR, CCPA as applicable)
  • Ensure the lawfulness of any data processing instructions given to SafeClass Shield
  • Promptly notify SafeClass Shield of any changes to processing requirements
  • Maintain a record of processing activities as required by applicable law
  • Provide required notices to students, parents, and staff about data processing

4. Processor Obligations

SafeClass Shield agrees to:

  • Process Personal Data only on Controller instructions and not for its own purposes
  • Maintain appropriate technical and organizational security measures (see Section 6)
  • Ensure personnel with access to Personal Data are bound by confidentiality obligations
  • Assist the Controller in fulfilling data subject rights requests (access, correction, deletion)
  • Notify the Controller of any Personal Data breach within 24 hours of discovery
  • Delete or return all Personal Data upon termination of services
  • Not transfer Personal Data outside the country of origin without Controller consent and adequate safeguards
  • Make available all information necessary to demonstrate compliance with this DPA

5. Sub-Processors

SafeClass Shield currently engages the following Sub-Processors:

Sub-Processor | Purpose | Location
MongoDB Atlas | Primary database storage | USA (AWS)
Anthropic (Claude) | AI chat fallback — support only | USA
Stripe | Payment processing — no student data | USA
Cloudflare | CDN & DDoS protection | Global

SafeClass Shield will notify the Controller at least 30 days before adding new Sub-Processors.

6. Security Measures

SafeClass Shield implements the following security measures:

  • Encryption: TLS 1.3 in transit · AES-256 at rest
  • Access Control: RBAC · MFA for admin accounts
  • Audit Logging: 730-day immutable log retention
  • Penetration Testing: Annual third-party assessment
  • Vulnerability Management: Continuous scanning · Patch SLA: 48hr critical
  • Backups: Daily encrypted backups · 30-day retention
  • Physical Security: SOC 2-compliant data center (AWS)
  • Incident Response: Documented plan · 24hr notification SLA

7. Data Breach Notification

SafeClass Shield will notify the Controller within 24 hours of becoming aware of a Personal Data breach affecting Controller data.

Notification will include:

  • Nature of the breach (categories and approximate number of affected records)
  • Contact details of the Data Protection Officer
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects
  • Interim containment actions already in place

The Controller is responsible for notifying relevant supervisory authorities and data subjects as required by applicable law (FERPA: 24hrs to institution; GDPR: 72hrs to the data protection authority).

8. Data Subject Rights

SafeClass Shield will assist the Controller in responding to data subject rights requests within 5 business days, including:

  • Right of Access — providing a copy of all Personal Data held
  • Right to Rectification — correcting inaccurate data
  • Right to Erasure — deleting all data upon valid request
  • Right to Data Portability — exporting data in machine-readable format
  • Right to Restriction — limiting processing on request
  • Right to Object — ceasing non-essential processing

9. Term and Termination

This DPA remains in effect for the duration of the service relationship. Upon termination:

  • SafeClass Shield will, at the Controller's choice, return or securely delete all Personal Data within 30 days
  • Deletion certificates will be provided upon request
  • Backup copies will be purged within 90 days of service termination
  • Audit logs may be retained for up to 2 years for legal compliance purposes

10. Governing Law & Contact

This DPA is governed by the laws of the United States. Disputes shall be resolved as specified in the Terms of Service.

Data Protection Officer

Email: dpo@safeclassshield.com

General: compliance@safeclassshield.com

For Legal Review: This DPA should be reviewed by qualified legal counsel before use as a binding agreement, particularly for GDPR Article 28 compliance in EU jurisdictions.