Data Processing Addendum

Last Revised 7-20-2025
Table of Contents

This Data Processing Addendum ("DPA") supplements and forms part of the Master Services Agreement between ClassCloud, Inc., a Mississippi corporation ("ClassCloud"), and the Educational Institution identified in the applicable Service Order ("Customer") (the "Agreement"). This DPA governs ClassCloud's processing of Personal Data on behalf of Customer.

For the avoidance of doubt, in the event of any conflict between the terms of the Agreement and this DPA with respect to the processing of Personal Data, this DPA shall control.

1. Definitions

1.1. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates, including students, educators, parents, and other individuals whose Personal Data is processed under this Agreement.

1.2. "Educational Institution" means a public or private K-12 school, school district, or other educational agency that provides educational services to students.

1.3. "Personal Data" means any information relating to a Data Subject that is provided by Customer to ClassCloud or collected by ClassCloud on Customer's behalf in connection with the Services, including Student Data and any other personally identifiable information as defined under applicable Privacy Laws.

1.4. "Privacy Laws" means all applicable federal, state, and local laws, regulations, and industry standards relating to privacy, data protection, and data security, including but not limited to FERPA, COPPA, state student privacy laws, and applicable consumer privacy laws such as: the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), and the Delaware Personal Data Privacy Act (DPDPA).

1.5. "Security Incident" means any confirmed unauthorized access, use, disclosure, modification, or destruction of Personal Data under ClassCloud's control that has a reasonable likelihood of resulting in harm to Data Subjects or Customer.

1.6. "Student Data" means Personal Data relating to students, including education records as defined by FERPA, and any data descriptive of students as defined in the Agreement.

1.7. "Subprocessor" means any third party engaged by ClassCloud to process Personal Data on behalf of Customer in connection with the Services.

1.8. Capitalized terms used but not defined in this DPA (including "Services") have the meanings given to them in the Agreement.

2. Scope and purpose of processing

2.1. Processing Authorization. Customer appoints ClassCloud as a data processor to process Personal Data solely for providing the Services as described in the Agreement, fulfilling ClassCloud's obligations under the Agreement, complying with Customer's lawful written instructions, complying with applicable Privacy Laws, and other purposes explicitly authorized or requested by Customer in writing

2.2. Processing Limitations. ClassCloud shall process Personal Data only as necessary to fulfill the authorized purposes and shall not: (a) use Personal Data for any purpose other than those specified in Section 2.1; (b) sell, rent, lease, or otherwise monetize Personal Data; (c) use Personal Data for advertising, marketing, or commercial purposes unrelated to the Services; (d) disclose Personal Data except as permitted by this DPA and applicable Privacy Laws; or (e) retain Personal Data longer than necessary to fulfill the authorized purpose

3. Customer Obligations and Representations

3.1. Legal Basis and Authority. Customer represents, warrants, and covenants that (a) it has the legal authority to provide Personal Data to ClassCloud for processing; (b) it has obtained all necessary consents, authorizations, and notices required under Privacy Laws; (c) for Student Data, it has the authority to act on behalf of parents/guardians or has obtained appropriate parental consent where required; (d) its instructions to ClassCloud comply with applicable Privacy Laws; and (e) it will immediately notify ClassCloud if any required authorization or consent is revoked.

3.2. Data Accuracy and Lawfulness. Customer shall ensure that Personal Data provided to ClassCloud is accurate, complete, and lawfully collected. Customer is solely responsible for determining the lawfulness of any instructions provided to ClassCloud.

4. ClassCloud obligations

4.1. Lawful Processing. ClassCloud shall process Personal Data only in accordance with Customer's documented instructions and this DPA, ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, implement and maintain appropriate technical and organizational security measures as described in Exhibit A, not transfer Personal Data outside the United States without Customer's prior written consent, and assist Customer in fulfilling Customer's obligations under Privacy Laws

4.2. FERPA Compliance. When processing Student Data, ClassCloud acknowledges and agrees that ClassCloud is designated as a "school official" under FERPA with legitimate educational interests, ClassCloud is under the direct control and supervision of Customer, ClassCloud shall use Student Data solely to perform services that Customer would otherwise perform itself, ClassCloud shall not further disclose Student Data except as directed by Customer or required by law, and Customer retains full ownership and control of all Student Data.

4.3. AI-Specific Protections. With respect to AI processing services, ClassCloud warrants that:

  • No AI Training on Student Data: ClassCloud shall not use Student Data or Personal Data to train, improve, or develop AI models accessible to other customers
  • Third-Party AI Providers: ClassCloud ensures that third-party AI service providers are contractually prohibited from using Customer's Personal Data for model training or any purpose other than providing the requested AI services
  • Data Minimization: Only the minimum necessary Personal Data is transmitted to AI service providers, with personally identifiable information filtered or removed when possible
  • Limited Retention by AI Providers: While we maintain a zero customer data retention policy (ZDR) with our AI service providers, we may occasionally enable logging to resolve service issues. In that case, the service provider will retain data only for the minimum period necessary (no longer than 30 days) solely for security monitoring, abuse prevention, and issue resolution.
  • Safety Measures: ClassCloud maintains commercially reasonable safeguards to prevent jailbreaking, prompt injection, and other attempts to circumvent AI safety measures
  • Output Review: ClassCloud implements reasonable content filtering and monitoring to ensure AI outputs are appropriate for educational use
  • No Commercial Profiling: Personal Data is not used to create commercial profiles or for behavioral targeting

5. Subprocessors

5.1. Authorization. Customer authorizes ClassCloud to engage Subprocessors to assist in providing the Services, provided that ClassCloud ensures each Subprocessor (a) is bound by written data protection obligations no less restrictive than those in this DPA; (b) implements appropriate technical and organizational security measures; (c) processes Personal Data only as necessary to provide services to ClassCloud; and (d) does not further subcontract Personal Data processing without ClassCloud's authorization.

5.2. Current Subprocessors; Notice of Changes. ClassCloud maintains a current list of Subprocessors at www.classcloud.ai/subprocessors. ClassCloud shall provide Customer with at least thirty (30) days' prior notice of any new Subprocessor that will process Personal Data, which notice may be provided by updating the foregoing list and offering a subscription or notification mechanism. Customer may object in writing to a proposed Subprocessor on reasonable data-protection grounds during the notice period. If the parties cannot resolve the objection in good faith, Customer's sole remedy is to terminate the affected Services without penalty.

5.3. Liability. ClassCloud remains fully liable to Customer for the performance of Subprocessors and any breach of this DPA by a Subprocessor.

6. Security measures

6.1. Security Program. ClassCloud shall implement and maintain appropriate technical, administrative, and physical security measures to protect Personal Data, as detailed in Exhibit A.

6.2. Security Updates. ClassCloud may update its security measures as needed to maintain appropriate protection levels and comply with evolving security standards.

7. Security incident response

7.1. Notification. ClassCloud shall notify Customer without unreasonable delay, but in no event later than seventy-two (72) hours after becoming aware of a Security Incident. The notification shall include a description of the Security Incident and its cause, categories, and approximate number of affected Data Subjects and Personal Data records, likely consequences of the Security Incident, measures taken or proposed to address the Security Incident and mitigate harm, and contact information for further inquiries.

7.2. Cooperation. ClassCloud shall provide reasonable assistance to Customer in investigating and responding to the Security Incident, take immediate steps to mitigate the Security Incident and prevent recurrence, preserve relevant evidence and documentation, cooperate with Customer's notification obligations to affected individuals and regulatory authorities, and not make public statements about the Security Incident without Customer's prior written consent, except as required by law.

8. Data subject rights

8.1. Assistance with Requests. ClassCloud shall provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under Privacy Laws, including requests for access, correction, deletion, or restriction of processing.

8.2. Referral of Direct Requests. If ClassCloud receives a direct request from a Data Subject, ClassCloud shall promptly refer the request to Customer and shall not respond directly unless legally required to do so.

8.3. Government Requests. If ClassCloud receives any legal process, subpoena, warrant, or government request for Personal Data, ClassCloud shall notify Customer promptly unless legally prohibited, refer the requesting party to Customer, when possible, provide Customer a reasonable opportunity to seek protective orders or other legal remedies, and limit any required disclosure to the minimum necessary.

9. Audits and compliance

9.1. Audit Rights. Customer may, no more than once per year with reasonable advance notice, conduct audits of ClassCloud's compliance with this DPA, subject to execution of appropriate confidentiality agreements, conducting audits during ClassCloud's normal business hours, not unreasonably interfering with ClassCloud's operations, Customer bearing all costs of the audit, and reasonable cooperation from ClassCloud personnel.

9.2. Enhanced Rights for Educational Institutions. Educational Institution customers may request additional audits following any Security Incident affecting Student Data, with the scope limited to security and privacy measures protecting Student Data.

9.3. Certifications. Upon reasonable request, ClassCloud shall provide Customer with relevant security certifications, assessment reports, and compliance documentation.

10. Data retention and return

10.1. Retention Period. ClassCloud shall retain Personal Data only for as long as necessary to provide the Services and fulfill its obligations under this DPA and applicable Privacy Laws.

10.2. Data Return/Deletion. Upon termination or expiration of the Agreement, or upon Customer's written request, ClassCloud shall provide Customer with the ability to export Personal Data in a commonly used, machine-readable format for sixty (60) days. After the sixty-day period, ClassCloud shall securely delete all Personal Data from ClassCloud's systems and those of its Subprocessor and provide written certification of deletion upon Customer's request.

10.3. Legal Retention. ClassCloud may retain Personal Data to the extent required by applicable law or necessary for the establishment, exercise, or defense of legal claims, provided such retention complies with applicable Privacy Laws.

11. Liability and indemnification

11.1. ClassCloud Indemnification. ClassCloud shall defend, indemnify, and hold harmless Customer from any third-party claims arising from:

  • ClassCloud's material breach of this DPA;
  • ClassCloud's unauthorized use or disclosure of Personal Data in violation of this DPA; or
  • ClassCloud's violation of Privacy Laws in its capacity as a data processor.

11.2. The limitations of liability in Section 11.3 (as modified herein) apply to all indemnification obligations under this Section 11.

11.3. Customer Indemnification. To the extent permitted by applicable law, Customer shall defend, indemnify, and hold harmless ClassCloud from any third-party claims arising from:

  • Customer's breach of this DPA or violation of Privacy Laws
  • Customer's failure to obtain required consents or provide required notices
  • Inaccuracy or unlawfulness of Personal Data provided by Customer; or
  • Customer's instructions that violate applicable Privacy Laws; or
  • any claim that Customer's or its users' content, prompts, inputs, or outputs generated through Customer's use of the Services infringe or misappropriate any third-party intellectual property right or violate any applicable law (including, without limitation, claims arising from Customer-directed generation of infringing images, text, or other content)

11.4. Enhanced Cap. Notwithstanding the aggregate liability cap in MSA §13.2, each party's aggregate liability shall be the greater of (i) the cap set forth in MSA §13.2 or (ii) two (2) times the fees paid or payable by Customer to ClassCloud in the twelve (12) months preceding the claim, for liability arising from:

  • breach of either party's confidentiality obligations; ClassCloud's unauthorized use or disclosure of Personal Data in violation of this DPA; and either party's indemnification obligations under this DPA.

11.5. Nothing in this DPA limits a party's liability for fraud, willful misconduct, or any liability that cannot be limited under applicable law.

12. General Provisions

12.1. Survival. The following provisions shall survive termination of the Agreement: Sections 4.3 (AI-Specific Protections), 7 (Security Incident Response), 10 (Data Retention and Return), 11 (Liability and Indemnification), and 12 (General Provisions).

Exhibit A: Security Measures

ClassCloud implements and maintains the following technical and organizational security measures to protect Personal Data:

Technical Measures

1. Encryption

  • All Personal Data encrypted at rest using AES-256 or equivalent encryption
  • All data transmissions encrypted using TLS 1.3 or higher
  • Encryption key management following industry best practices

2. Access Controls

  • Role-based access control (RBAC) with the principle of least privilege
  • Multi-factor authentication for administrative accounts
  • Regular access reviews and automated deprovisioning
  • Single sign-on (SSO) integration available

3. Network Security

  • Firewalls and intrusion detection/prevention systems
  • Network segmentation and monitoring
  • DDoS protection and threat detection
  • Virtual private networks for remote access

4. System Security

  • Regular vulnerability assessments and penetration testing
  • Automated security patching and updates
  • Malware protection and endpoint security
  • Secure software development lifecycle

Administrative Measures

1. Personnel Security

  • Background checks for employees with access to Personal Data
  • Confidentiality agreements and security training
  • Regular security awareness training
  • Disciplinary procedures for security violations

2. Policies and Procedures

  • Written information security policies and procedures
  • Incident response and breach notification procedures
  • Data retention and disposal policies
  • Regular policy reviews and updates

3. Vendor Management

  • Security assessments of Subprocessors
  • Contractual data protection requirements
  • Regular monitoring of Subprocessor compliance

Physical Measures

1. Facility Security

  • Restricted physical access to data centers
  • Environmental controls and monitoring
  • Video surveillance and security personnel
  • Secure disposal of hardware and media

2. Business Continuity

  • Disaster recovery and backup procedures
  • Business continuity planning and testing
  • Redundant systems and failover capabilities
  • Regular backup testing and restoration procedures

Organizational Measures

1. Data Governance

  • Data classification and handling procedures
  • Privacy impact assessments
  • Data minimization practices
  • Regular compliance audits

2. Monitoring and Logging

  • 24/7 security monitoring and alerting
  • Comprehensive audit logging
  • Regular log review and analysis
  • Automated anomaly detection

3. Compliance

  • SOC 2 Type II certification
  • Regular third-party security assessments
  • Compliance with industry security frameworks
  • Continuous improvement of security posture

ClassCloud reviews and updates these security measures regularly to ensure they remain appropriate and effective for protecting Personal Data processed under this DPA.

Lead your district in the AI era

Purpose-built AI for every role in your district, in a single platform.

Schedule Consultation