Data Processing Agreement (DPA)

Sign a Data Processing Agreement with Ed.ai

NDPA v2.1 pre-signed with General Offer (Exhibit E) — your district can piggyback on the same terms already accepted by other LEAs, with state-specific exhibits ready to attach.

• Get your state's data privacy packet) — select your state and download the NDPA v2.1 (pre-signed, General Offer) together with the relevant state exhibit.

Why Ed.ai uses NDPA

The National Data Privacy Agreement (NDPA), version 2.1, published by the Student Data Privacy Consortium (SDPC) and A4L, is the most widely adopted national template for student data privacy contracts. It is:

• Pre-accepted by most US districts

• Maintained and updated by an education-focused consortium (not a single vendor)

• Compatible with state-specific requirements via modular Exhibits

• Reusable across multiple districts through Exhibit E — General Offer

By standardizing on NDPA, we eliminate weeks of back-and-forth for districts.

What's in our DPA

Our DPA package consists of the following documents, available via ed.ai/en/forms/data-privacy:

NDPA v2.1 main agreement

Pre-signed by Ed AI Technologies, Inc. Covers:

• Definitions (student data, school official, operator, etc.)

• Data ownership and purpose limitation

• Security and breach notification

• Parent/student rights

• Term, termination, and data destruction

• Miscellaneous provisions

A

The district fills in:

• Which Ed.ai products will be used

• Grade levels and schools covered

• Data elements to be exchanged

A template is included with our pre-signed PDF.

E

This is the critical clause for scaling: by signing Exhibit E, Ed.ai makes the same terms available to any other LEA in the same state without renegotiation.

For a district, this means:

• If another district in your state has already signed with Ed.ai and accepted Exhibit E, you can piggyback on that same contract — no redlines, no legal review cycles.

• Your district's legal counsel reviews standard terms, not bespoke ones.

State-specific Exhibits

Several states require additional provisions beyond the NDPA base. We have pre-prepared state exhibits for:

• California (SOPIPA + CCPA/CPRA + AB 2013 provisions)

• Texas (FERPA-aligned + district contract provisions)

• Florida (student data privacy provisions)

• New York (Education Law §2-d Parents' Bill of Rights, data security and privacy plan)

• North Carolina (NC Gen. Stat. §115C-402.5 hooks)

• Pennsylvania (Chapter 8 school regulations alignment)

• Alabama (state data privacy provisions)

Other states: our base NDPA v2.1 + Exhibit E is typically sufficient. Contact privacy@ed.ai for state-specific questions.

How to sign

The process is a few simple steps:

• 1. Get the NDPA v2.1 + relevant state exhibit from [ed.ai/en/forms/data-privacy](https://ed.ai/en/forms/data-privacy) — District

• 2. Fill in Exhibit A (products, grades, data elements) — District

• 3. District signs (authorized signatory) — District

• 4. Return to `privacy@ed.ai` — District

• 5. Ed.ai counter-signs and returns a fully executed PDF — Ed.ai

Already using NDPA via General Offer? Send us your Exhibit E participation request — no re-signature needed.

What the DPA covers

• Ed.ai's role as "school official" under FERPA — Article II

• Student data ownership (school owns it) — Article II §2

• Purpose limitation (educational use only) — Article IV §1

• No advertising, no sale, no behavioral profiling — Article IV §3

• Sub-processor obligations — Article IV §4 + Exhibit F

• Security standards — Article V

• Breach notification (timeline, content, coordination) — Article V §4

• Data retention and destruction — Article VI

• Parental rights, access, correction, deletion — Article II §3

• Audit rights (district) — Article VII

• Term and termination — Article VIII

FAQ

We already use the NDPA via another vendor — do we need to resign with Ed.ai?

No — you sign a new agreement with Ed.ai, but the body of the agreement is the same NDPA v2.1 you already know. Only Exhibits A, E, and state exhibits are Ed.ai-specific.

Our district has its own DPA template. Can we use that instead?

We strongly prefer NDPA v2.1 because it's standardized, maintained, and widely reviewed. We'll review district-specific templates on request, but this adds time to the cycle. Reach out to privacy@ed.ai to discuss.

Does signing the DPA change anything about how Ed.ai processes data?

No — the DPA formalizes and audits our existing practices (FERPA school-official role, US hosting, no-training, no-advertising). The commitments in the DPA mirror our Privacy Policy and Trust Pledge.

What happens at the end of the contract?

All student data is deleted from production within 90 days of contract end (backups within 12 months), per the DPA and our retention schedule.

What if I'm in a state not listed (e.g., Georgia, Oregon, Ohio)?

Our base NDPA v2.1 + Exhibit E is designed to satisfy most state frameworks. For states with specific additional requirements we haven't pre-drafted, we'll work with your counsel to add a short state addendum.

Can a private school sign?

Yes — private schools can sign the same NDPA v2.1. Reach out to privacy@ed.ai.

Can a charter school management organization sign on behalf of its schools?

Yes, with appropriate authority delegation. Exhibit E then extends to the network's other schools.

Contact

• DPA, privacy, and legal questions: privacy@ed.ai

• Phone: +1 617 545 7366