This Data Processing Agreement ("DPA") is entered into between:
Data Controller: The school, district, or educational institution ("Controller") that has authorized teachers to use GradingPen
Data Processor: GradingPen ("Processor"), the operator of the AI grading platform at gradingpen.com
1. Definitions
"Personal Data" means any information relating to an identified or identifiable student, including education records as defined under FERPA.
"Processing" means any operation performed on Personal Data, including collection, storage, analysis, and deletion.
"Data Controller" means the school or district that determines the purposes and means of processing student data.
"Data Processor" means GradingPen, which processes student data on behalf of and as directed by the Controller.
"Sub-Processor" means a third-party service provider engaged by GradingPen to assist in processing Personal Data.
"Education Records" means records directly related to a student that are maintained by an educational agency or institution, as defined under FERPA (20 U.S.C. § 1232g).
2. Scope of Processing
The Processor shall process Personal Data solely for the purpose of providing AI-powered grading services as requested by authorized teachers employed by or contracted with the Controller. Processing includes:
Receiving student assignments submitted by authorized teachers
Analyzing assignment text against teacher-provided rubric criteria using AI
Generating grades and personalized feedback
Storing assignments, grades, and feedback for teacher review
Providing analytics and reporting on grading patterns
3. Data Processed
| Category | Data Elements | Purpose |
| --- | --- | --- |
| Student Identifiers | Student names or student IDs | Assignment identification |
| Student Work | Essay / assignment text | AI grading and feedback |
| Assessment Results | AI-generated grades and scores | Grading output |
| Feedback | AI-generated written feedback | Learning improvement |
| Teacher Data | Name, email, school, rubrics | Account management |
4. Purpose Limitation
The Processor shall:
Process Personal Data only for the purpose of providing grading services as described in this DPA
Not use Personal Data for advertising, marketing, or profiling
Not sell, rent, or lease Personal Data to any third party
Not use Personal Data to train, improve, or develop AI models
Not mine or analyze Personal Data for purposes unrelated to providing the Service
5. Sub-Processors
The Processor engages the following sub-processors to provide the Service:
| Sub-Processor | Purpose | Location | Certifications |
| --- | --- | --- | --- |
| Anthropic | AI grading engine (Claude API) | United States | SOC 2 Type II |
| Supabase | Database and authentication | United States (AWS) | SOC 2 Type II |
| Stripe | Payment processing | United States | PCI DSS Level 1 |
| Amazon Web Services (AWS) | Cloud infrastructure (via Supabase) | United States | SOC 2, ISO 27001 |
The Processor shall notify the Controller at least 30 days before engaging any new sub-processor. The Controller may object to a new sub-processor within 14 days of notification.
6. Security Measures
The Processor implements the following technical and organizational security measures:
Encryption in transit: TLS 1.2+ for all data transfers
Encryption at rest: AES-256 encryption for all stored data via AWS/Supabase
Access controls: Role-based access; teachers can only access their own students' data
Employee access: Minimal access principle; only authorized personnel can access production data for support purposes
AI data handling: Anthropic API does not retain or train on submitted data per their API terms
7. Data Breach Notification
The Processor shall notify the Controller of any confirmed data breach involving Personal Data within 72 hours of becoming aware of the breach.
Notification shall include: nature of the breach, categories of data affected, estimated number of records affected, measures taken to mitigate the breach, and contact information for follow-up.
The Processor shall cooperate with the Controller in investigating and remediating any breach.
The Processor shall maintain an incident response plan and test it regularly.
8. Data Deletion
Upon termination of the agreement or upon written request from the Controller, the Processor shall delete all Personal Data within 30 days.
The Processor shall provide written confirmation of deletion upon request.
The Controller may request a full data export before deletion.
Teachers may delete individual student data or all data at any time via their account settings.
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA.
The Processor shall provide reasonable cooperation for audits, including access to relevant documentation and responses to security questionnaires.
Audits shall be conducted with reasonable notice (at least 30 days) and during normal business hours.
The Processor shall make available relevant certifications and audit reports from sub-processors (e.g., Supabase SOC 2 report) upon request.
10. FERPA-Specific Provisions
In accordance with the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99):
The Processor acts as a "school official" with a "legitimate educational interest" in the student data it processes, as defined under FERPA § 99.31(a)(1).
The Processor is under the direct control of the Controller with respect to the use and maintenance of education records.
The Processor shall use education records only for the purposes for which the disclosure was made (providing AI grading services).
The Processor shall not disclose education records to any third party without the Controller's written consent, except to sub-processors identified in this DPA for the sole purpose of providing the Service.
The Processor shall comply with all FERPA requirements regarding the protection of education records.
The Controller retains full ownership and control of all education records.
11. Term & Termination
This DPA is effective as of the date the Controller's teachers begin using GradingPen and remains in effect for the duration of the Service.
Either party may terminate this DPA with 30 days' written notice.
Obligations regarding data deletion, confidentiality, and FERPA compliance survive termination.
Upon termination, the Processor shall delete all Personal Data in accordance with Section 8.