DEV Community

Bhavesh Pawar

How to Write a Data Processing Agreement for a School in 2026 (What They'll Ask You to Sign)

A Data Processing Agreement is not optional. Under FERPA, before a school can legally share student data with your product, a signed DPA needs to be in place. Without one, most districts won't move forward. Have a DPA template ready before you need it.

What a DPA actually is

A DPA is a contract between you (the edtech vendor) and the school district (the data controller). It defines what student data you receive, what you're allowed to do with it, how long you keep it, and what happens if something goes wrong.

It's the legal document that makes you a FERPA-compliant "school official" — the designation that allows schools to share education records with third-party vendors without individual parental consent.

What your DPA template needs to cover

1. Scope of data — Define exactly what student data your product receives. Be specific.

2. Purpose limitation — Specify you will only use student data for the educational service described. You cannot use it for advertising, product development, or any commercial purpose.

3. Sub-processors — List every third-party service that touches student data. Each needs to be disclosed and contractually bound to the same data protection standards.

4. Data retention and deletion — Specify how long you retain student data and what triggers deletion. This is typically 30 to 60 days after contract termination. COPPA now explicitly prohibits indefinite retention.

5. Security measures — Describe your technical controls: encryption, access controls, MFA, audit logging, incident response.

6. Breach notification — Define your process for notifying the district if student data is compromised. Most districts require notification within 72 hours.

7. Parent and student rights — Acknowledge FERPA rights and specify how you'll support the district in responding to access requests.

8. Term and termination — Define the contract duration and what happens to student data when the agreement ends.

Who should write it

Have a lawyer draft your DPA template — specifically one who understands edtech, student privacy, and FERPA. Generic SaaS data processing agreements don't address education-specific requirements and districts will send them back with revisions.

The DPA is a one-time legal investment that unblocks every school deal going forward.

How districts use DPAs

Many districts use platforms like StudentDPA to manage vendor agreements. If your DPA is already in their system, districts can approve you faster. Getting your DPA into platforms like StudentDPA removes a significant procurement hurdle.

FAQ

Can we use a standard SaaS data processing agreement?

No. Standard SaaS DPAs don't address FERPA requirements. Districts will reject them or require significant revisions.

What if a district wants to use their own DPA template?

This happens often. Review it carefully, negotiate the terms that are operationally problematic, and accept the rest.

Do we need a separate DPA for each district?

Each district signs its own copy, but you're working from the same template.

What's the StudentDPA Student Privacy Pledge?

A voluntary commitment by edtech vendors to specific student data protection practices. Signing it reduces friction during procurement with districts that use it as a screening tool.
