Data Processing Agreement

1. Definitions

• "Controller", "Processor", "Data Subject", "Personal Information" and "Processing" have the meanings given under Applicable Data Protection Law.
• "Customer Data" (also "Student Data") — personal information about applicants, students, parents or guardians, and your staff that you or your users submit to or generate in the Service, including Education Records.
• "Education Records", "Personally Identifiable Information" and "School Official" have the meanings given under the Family Educational Rights and Privacy Act ("FERPA", 20 U.S.C. § 1232g; 34 CFR Part 99).
• "Sub-processor" — a third party engaged by Udooku to process Customer Data in order to provide the Service.
• "Security Incident" — a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Data.
• "Applicable Data Protection Law" — FERPA, the California Consumer Privacy Act as amended by the CPRA (to the extent applicable), the California Education Code, and other privacy or data-protection laws applicable to the Processing of Customer Data.

2. Roles of the parties

With respect to Customer Data, you are the Controller and Udooku is the Processor. Udooku processes Customer Data only on your documented instructions. The Terms, this DPA, and your configuration and use of the Service together constitute your complete and documented instructions for the Processing of Customer Data. You are responsible for the accuracy, quality and lawfulness of Customer Data, and for having the rights, notices and consents needed to provide it to us. We will inform you if, in our opinion, an instruction infringes Applicable Data Protection Law (we are not, however, obligated to provide legal advice or to monitor your compliance).

3. Data ownership & data-subject requests

• As between the parties, you own 100% of Customer Data. Udooku obtains no rights to Customer Data except the limited right to Process it to provide and support the Service. We do not access or use Customer Data except as necessary to provide the Service, to comply with law, or as you instruct.
• We will not respond on the merits to data-subject requests. If a student, parent, eligible student, or other individual contacts Udooku directly asking to access, obtain a copy of (for example, a transcript), correct, or delete their records, we will not fulfill that request ourselves. Where permitted, we will refer the individual to you and forward the request to your administrator, because you — not Udooku — are the controller and custodian of those records.
• We will provide you reasonable technical assistance (including the Service's export and administrative tools) to help you respond to such requests yourself.

4. FERPA — Udooku as a "School Official"

Under FERPA, an institution may disclose Education Records, without consent, to a contractor that functions as a "School Official" with a "legitimate educational interest" (34 CFR § 99.31(a)(1)). You designate Udooku as such a School Official for the purpose of providing the Service, and accordingly:

• Udooku performs an institutional service or function for which you would otherwise use your own employees — namely, operating the Service that maintains your student records;
• Udooku is under your direct control with respect to the use and maintenance of Education Records;
• Udooku uses Education Records only for the authorized purpose of providing the Service, and will not re-disclose Personally Identifiable Information from Education Records to any party other than you, except on your instructions or as required by law; and
• Udooku will support your FERPA obligations, including the access and amendment rights FERPA grants to eligible students and parents, by directing such requests to you and assisting you in responding.

5. Permitted processing & confidentiality

Udooku Processes Customer Data only (a) to provide, secure, maintain, support and improve the operation of the Service; (b) as described in the Terms and this DPA; and (c) as you otherwise instruct in writing. We ensure that personnel authorized to Process Customer Data are bound by appropriate confidentiality obligations and access Customer Data only on a need-to-know basis to operate the Service.

6. No sale or monetization of data

This commitment is absolute and survives termination. Udooku will never:

• sell or rent Customer Data;
• use Customer Data for targeted or behavioral advertising, or to build advertising or marketing profiles of any individual;
• use Customer Data to train machine-learning or AI models; or
• use or disclose Customer Data for any purpose other than providing the Service to you.

Udooku does not "sell" or "share" personal information, and does not retain, use, or disclose it for any commercial purpose or outside the direct business relationship with you, as those terms are defined under the CCPA/CPRA.

7. Sub-processors

You authorize Udooku to engage Sub-processors to provide the Service. Each Sub-processor is bound by data-protection obligations no less protective than those in this DPA, and Udooku remains responsible for their performance. Our current Sub-processors are:

• Stripe — payment processing for subscriptions and student payments (card data is tokenized by Stripe; we do not store full card numbers).
• Cloudflare R2 — encrypted document storage for the Digital Vault, served via short-lived signed links.
• Amazon Web Services (AWS) [host to be confirmed] — application hosting, managed and encrypted PostgreSQL database, and backups.

We will give you reasonable prior notice before adding or replacing a Sub-processor. You may object on reasonable data-protection grounds, and the parties will work together in good faith to address the concern.

8. Security

Udooku maintains industry-standard technical and organizational measures appropriate to the risk of the Processing, including:

• encryption of Customer Data in transit (TLS/SSL) and at rest;
• documents served only through short-lived, signed URLs;
• role-based access controls and per-organization tenant isolation, so one institution's data is logically segregated from another's;
• audit logging of sensitive actions;
• reputable cloud infrastructure (AWS) with managed, encrypted databases and redundant backups; and
• least-privilege access for Udooku personnel.

You are responsible for security within your control: managing your users, roles and credentials, keeping them confidential, and promptly removing access for staff who leave.

9. Security Incident notification

If Udooku becomes aware of a Security Incident affecting your Customer Data, we will notify you without undue delay, and no later than 72 hours after we confirm the incident. The notice will describe, to the extent then known, the nature of the incident, the categories and approximate volume of data involved, the likely consequences, and the measures taken or proposed to address it. We will provide updates as more information becomes available and will reasonably assist you in meeting your own obligation to notify affected students, regulators or others. Our notification is made so you can fulfill your legal duties and is not an acknowledgement of fault or liability.

10. Assistance to the Customer

Taking into account the nature of the Processing and the information available to us, Udooku will provide you reasonable assistance to (a) respond to data-subject and FERPA requests; (b) meet your security, breach-notification and, where applicable, data-protection-assessment obligations; and (c) respond to lawful inquiries from regulators. Standard assistance is provided through the Service's export and administrative tools; assistance requiring significant additional engineering effort may be provided on a reasonable-cost basis.

11. Return & deletion of data

• While your subscription is active you can export Customer Data at any time using the Service's compliance-archive export (roster CSV, structured records, documents, and reports).
• On termination or expiration, Udooku follows the retention-and-deletion process in the Terms: your Customer Data remains available for export during a 90-day grace window.
• After those 90 days, Udooku permanently deletes Customer Data from active systems and purges it from encrypted backups on the normal backup cycle, rendering it unrecoverable — including by destroying the relevant encryption keys (cryptographic erasure).
• On your written request, Udooku will certify deletion in writing.
• Udooku is not the permanent custodian of record. You are responsible for exporting and retaining any records you are legally required to keep (for example, the five-year retention California's Bureau for Private Postsecondary Education requires).
• Udooku may retain Customer Data only to the limited extent required by law, kept no longer than required and isolated from active Processing.

12. International transfers

Udooku and its Sub-processors Process Customer Data in the United States. Where Customer Data is transferred across borders, we rely on appropriate safeguards to the extent required by Applicable Data Protection Law.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the disclaimers, exclusions and the aggregate limitation (cap) on liability set out in the Terms. This DPA does not increase those limits.

14. Order of precedence & changes

This DPA is incorporated into and forms part of the Terms. If there is a conflict on a matter of data protection, this DPA controls; otherwise the Terms control. We may update this DPA from time to time consistent with Applicable Data Protection Law; we will post the updated version here with a new "Last updated" date and, for material changes, provide reasonable notice.

15. Contact

Questions about this DPA, or to send a data-protection or breach-related notice, email support@udooku.com.