Data Processing Addendum
Last Revised 7-20-2025
This Data Processing Addendum ("DPA") supplements and forms part of the Master Services Agreement or other written agreement between ClassCloud, Inc., a Mississippi corporation ("ClassCloud"), and the Educational Institution identified in the applicable Service Order ("Customer") (the "Agreement"). This DPA governs ClassCloud's processing of Personal Data on behalf of Customer.
In the event of any conflict between the terms of the Agreement and this DPA with respect to the processing of Personal Data, this DPA shall control.
Definitions
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates, including students, educators, parents, and other individuals whose Personal Data is processed under this Agreement.
"Educational Institution" means a public or private K-12 school, school district, or other educational agency that provides educational services to students.
"Personal Data" means any information relating to a Data Subject that is provided by Customer to ClassCloud or collected by ClassCloud on Customer's behalf in connection with the Services, including Student Data and any other personally identifiable information as defined under applicable Privacy Laws.
"Privacy Laws" means all applicable federal, state, and local laws, regulations, and industry standards relating to privacy, data protection, and data security, including but not limited to FERPA, COPPA, state student privacy laws, and applicable consumer privacy laws such as CCPA, VCDPA, CPA, CTDPA, UCPA, TDPSA, and DPDPA.
"Security Incident" means any confirmed unauthorized access, use, disclosure, modification, or destruction of Personal Data under ClassCloud's control that has a reasonable likelihood of resulting in harm to Data Subjects or Customer.
"Student Data" means Personal Data relating to students, including education records as defined by FERPA, and any data descriptive of students as defined in the Agreement.
"Subprocessor" means any third party engaged by ClassCloud to process Personal Data on behalf of Customer in connection with the Services.
Scope and purpose of processing
Processing Authorization. Customer appoints ClassCloud as a data processor to process Personal Data solely for the following purposes:
- Providing the Services as described in the Agreement;
- Fulfilling ClassCloud's obligations under the Agreement;
- Complying with Customer's lawful written instructions;
- Complying with applicable Privacy Laws; and
- Other purposes explicitly authorized by Customer in writing.
Processing Limitations. ClassCloud shall process Personal Data only as necessary to fulfill the authorized purposes and shall not:
- Use Personal Data for any purpose other than those specified in Section 2.1;
- Sell, rent, lease, or otherwise monetize Personal Data;
- Use Personal Data for advertising, marketing, or commercial purposes unrelated to the Services;
- Disclose Personal Data except as permitted by this DPA and applicable Privacy Laws; or
- Retain Personal Data longer than necessary to fulfill the authorized purposes.
Customer obligations and representations
Legal Basis and Authority. Customer represents, warrants, and covenants that:
- It has the legal authority to provide Personal Data to ClassCloud for processing;
- It has obtained all necessary consents, authorizations, and notices required under Privacy Laws;
- For Student Data, it has the authority to act on behalf of parents/guardians or has obtained appropriate parental consent where required;
- Its instructions to ClassCloud comply with applicable Privacy Laws; and
- It will immediately notify ClassCloud if any required authorization or consent is revoked.
Data Accuracy and Lawfulness. Customer shall ensure that Personal Data provided to ClassCloud is accurate, complete, and lawfully collected. Customer is solely responsible for determining the lawfulness of any instructions provided to ClassCloud.
ClassCloud obligations
Lawful Processing. ClassCloud shall:
(a) Process Personal Data only in accordance with Customer's documented instructions and this DPA; (b) Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations; (c) Implement and maintain appropriate technical and organizational security measures as described in Exhibit A; (d) Not transfer Personal Data outside the United States without Customer's prior written consent; and (e) Assist Customer in fulfilling Customer's obligations under Privacy Laws.
FERPA Compliance. When processing Student Data, ClassCloud acknowledges and agrees that:
(a) ClassCloud is designated as a "school official" under FERPA with legitimate educational interests; (b) ClassCloud is under the direct control and supervision of Customer; (c) ClassCloud shall use Student Data solely to perform services that Customer would otherwise perform itself; (d) ClassCloud shall not further disclose Student Data except as directed by Customer or required by law; and (e) Customer retains full ownership and control of all Student Data.
AI-Specific Protections. With respect to AI processing services, ClassCloud warrants that:
(a) No AI Training on Student Data: ClassCloud shall not use Student Data or Personal Data to train, improve, or develop AI models accessible to other customers; (b) Third-Party AI Providers: ClassCloud ensures that third-party AI service providers are contractually prohibited from using Customer's Personal Data for model training or any purpose other than providing the requested AI services; (c) Data Minimization: Only the minimum necessary Personal Data is transmitted to AI service providers, with personally identifiable information filtered or removed when possible; (d) Limited Retention by AI Providers: AI service providers retain data only for the minimum period necessary (not to exceed 30 days) solely for security monitoring and abuse prevention; (e) Safety Measures: ClassCloud maintains appropriate safeguards to prevent jailbreaking, prompt injection, and other attempts to circumvent AI safety measures; (f) Output Review: ClassCloud implements reasonable content filtering and monitoring to ensure AI outputs are appropriate for educational use; and (g) No Commercial Profiling: Personal Data is not used to create commercial profiles or for behavioral targeting.
Subprocessors
Authorization.
Customer authorizes ClassCloud to engage Subprocessors to assist in providing the Services, provided that ClassCloud ensures each Subprocessor:
(a) Is bound by written data protection obligations no less restrictive than those in this DPA; (b) Implements appropriate technical and organizational security measures; (c) Processes Personal Data only as necessary to provide services to ClassCloud; and (d) Does not further subcontract Personal Data processing without ClassCloud's authorization.
Current Subprocessors.
ClassCloud maintains a current list of Subprocessors at [www.classcloud.ai/subprocessors]. ClassCloud may update this list as reasonably necessary for business operations.
Liability.
ClassCloud remains fully liable to Customer for the performance of Subprocessors and any breach of this DPA by a Subprocessor.
Security measures
Security Program.
ClassCloud shall implement and maintain appropriate technical, administrative, and physical security measures to protect Personal Data, as detailed in Exhibit A, including:
(a) Encryption of Personal Data at rest and in transit; (b) Access controls and authentication mechanisms; (c) Regular security assessments and monitoring; (d) Employee training and background checks; and (e) Incident response and business continuity procedures.
Security Updates.
ClassCloud may update its security measures as needed to maintain appropriate protection levels and comply with evolving security standards.
Security incident response
Notification.
ClassCloud shall notify Customer without unreasonable delay, but in no event later than seventy-two (72) hours after becoming aware of a Security Incident. The notification shall include:
(a) Description of the Security Incident and its cause; (b) Categories and approximate number of affected Data Subjects and Personal Data records; (c) Likely consequences of the Security Incident; (d) Measures taken or proposed to address the Security Incident and mitigate harm; and (e) Contact information for further inquiries.
Cooperation. ClassCloud shall:
(a) Provide reasonable assistance to Customer in investigating and responding to the Security Incident; (b) Take immediate steps to mitigate the Security Incident and prevent recurrence; (c) Preserve relevant evidence and documentation; (d) Cooperate with Customer's notification obligations to affected individuals and regulatory authorities; and (e) Not make public statements about the Security Incident without Customer's prior written consent, except as required by law.
Data subject rights
Assistance with Requests.
ClassCloud shall provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under Privacy Laws, including requests for access, correction, deletion, or restriction of processing.
Referral of Direct Requests.
If ClassCloud receives a direct request from a Data Subject, ClassCloud shall promptly refer the request to Customer and shall not respond directly unless legally required to do so.
Government Requests.
If ClassCloud receives any legal process, subpoena, warrant, or government request for Personal Data, ClassCloud shall:
(a) Notify Customer promptly unless legally prohibited; (b) Refer the requesting party to Customer when possible; (c) Provide Customer reasonable opportunity to seek protective orders or other legal remedies; and (d) Limit any required disclosure to the minimum necessary.
Audits and compliance
Audit Rights.
Customer may, no more than once per year with reasonable advance notice, conduct audits of ClassCloud's compliance with this DPA, subject to:
(a) Execution of appropriate confidentiality agreements; (b) Conducting audits during ClassCloud's normal business hours; (c) Not unreasonably interfering with ClassCloud's operations; (d) Customer bearing all costs of the audit; and (e) Reasonable cooperation from ClassCloud personnel.
Enhanced Rights for Educational Institutions.
Educational Institution customers may request additional audits following any Security Incident affecting Student Data, with the scope limited to security and privacy measures protecting Student Data.
Certifications.
Upon reasonable request, ClassCloud shall provide Customer with relevant security certifications, assessment reports, and compliance documentation.
Data retention and return
Retention Period.
ClassCloud shall retain Personal Data only for as long as necessary to provide the Services and fulfill its obligations under this DPA and applicable Privacy Laws.
Data Return/Deletion.
Upon termination or expiration of the Agreement, or upon Customer's written request, ClassCloud shall:
(a) Provide Customer with the ability to export Personal Data in a commonly used, machine-readable format for sixty (60) days; (b) After the sixty-day period, securely delete all Personal Data from ClassCloud's systems and those of its Subprocessors; and (c) Provide written certification of deletion upon Customer's request.
Legal Retention.
ClassCloud may retain Personal Data to the extent required by applicable law or necessary for the establishment, exercise, or defense of legal claims, provided such retention complies with applicable Privacy Laws.
Liability and indemnification
Customer Indemnification.
To the extent permitted by applicable law, Customer shall defend, indemnify, and hold harmless ClassCloud from any third-party claims arising from:
(a) Customer's breach of this DPA or violation of Privacy Laws; (b) Customer's failure to obtain required consents or provide required notices; (c) Inaccuracy or unlawfulness of Personal Data provided by Customer; or (d) Customer's instructions that violate applicable Privacy Laws.
Mutual Limitations.
The liability limitations set forth in the Agreement shall apply to this DPA, except that such limitations shall not apply to:
(a) Either party's breach of confidentiality obligations; (b) ClassCloud's unauthorized use or disclosure of Personal Data; or (c) Either party's indemnification obligations under this DPA.
Term and termination
Term.
This DPA shall commence on the effective date of the Agreement and shall continue until termination of the Agreement or until ClassCloud no longer processes Personal Data on Customer's behalf.
Survival.
The following provisions shall survive termination: Sections 4.3 (AI-Specific Protections), 7 (Security Incident Response), 10 (Data Retention and Return), 11 (Liability and Indemnification), and 13 (General Provisions).
General provisions
Governing Law.
This DPA shall be governed by the laws of the State of Mississippi, without regard to conflict of law principles. However, if Customer is a public institution whose governing law prohibits or conflicts with this choice of law, then the laws of Customer's jurisdiction shall apply to the extent necessary to resolve such conflict.
Amendments.
This DPA may only be modified by written agreement signed by both parties, except that ClassCloud may update Exhibit A (Security Measures) to maintain appropriate protection levels, provided such updates do not materially reduce the level of protection.
Severability.
If any provision of this DPA is found to be unenforceable, the remainder shall continue in full force and effect.
Precedence.
In case of conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall control.
Exhibit A: Security Measures
ClassCloud implements and maintains the following technical and organizational security measures to protect Personal Data:
Technical Measures
1. Encryption
- All Personal Data encrypted at rest using AES-256 or equivalent encryption
- All data transmissions encrypted using TLS 1.3 or higher
- Encryption key management following industry best practices
2. Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication for administrative accounts
- Regular access reviews and automated deprovisioning
- Single sign-on (SSO) integration available
3. Network Security
- Firewalls and intrusion detection/prevention systems
- Network segmentation and monitoring
- DDoS protection and threat detection
- Virtual private networks for remote access
4. System Security
- Regular vulnerability assessments and penetration testing
- Automated security patching and updates
- Malware protection and endpoint security
- Secure software development lifecycle
Administrative Measures
1. Personnel Security
- Background checks for employees with access to Personal Data
- Confidentiality agreements and security training
- Regular security awareness training
- Disciplinary procedures for security violations
2. Policies and Procedures
- Written information security policies and procedures
- Incident response and breach notification procedures
- Data retention and disposal policies
- Regular policy reviews and updates
3. Vendor Management
- Security assessments of Subprocessors
- Contractual data protection requirements
- Regular monitoring of Subprocessor compliance
Physical Measures
1. Facility Security
- Restricted physical access to data centers
- Environmental controls and monitoring
- Video surveillance and security personnel
- Secure disposal of hardware and media
2. Business Continuity
- Disaster recovery and backup procedures
- Business continuity planning and testing
- Redundant systems and failover capabilities
- Regular backup testing and restoration procedures
Organizational Measures
1. Data Governance
- Data classification and handling procedures
- Privacy impact assessments
- Data minimization practices
- Regular compliance audits
2. Monitoring and Logging
- 24/7 security monitoring and alerting
- Comprehensive audit logging
- Regular log review and analysis
- Automated anomaly detection
3. Compliance
- SOC 2 Type II certification
- Regular third-party security assessments
- Compliance with industry security frameworks
- Continuous improvement of security posture
ClassCloud reviews and updates these security measures regularly to ensure they remain appropriate and effective for protecting Personal Data processed under this DPA.