Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the agreement between Sycamore Leaf Solutions, LLC (“Processor”) and the customer educational institution (“Controller”) and governs the processing of personal data in connection with the use of Sycamore’s services.

1. Roles of the Parties

1. Controller: The Customer determines the purposes and means of processing personal data.
2. Processor: Sycamore processes personal data solely on documented instructions from the Controller and in accordance with this DPA.

2. Scope of Processing

Sycamore processes personal data for the purpose of providing student information system (SIS) services, including but not limited to: - Student records - Parent/guardian information - Staff and administrator data - Attendance, enrollment, academic, and compliance records - Student immunization records as provided by the educational institution

Processing activities include hosting, storage, retrieval, transmission, and display of data as required to deliver the services.

3. Categories of Data Subjects

• Students
• Parents and guardians
• School staff and administrators

4. Types of Personal Data

• Identifying information (e.g., name, student ID, contact information)
• Educational records protected under FERPA
• Compliance-related student health records maintained by schools (e.g., immunization status)

Note: Data processed under this DPA does not constitute HIPAA-regulated Protected Health Information (PHI) when maintained as part of an education record subject to FERPA.

5. Compliance with FERPA and Applicable Privacy Laws

Sycamore agrees to: - Act as a “school official” with a legitimate educational interest under FERPA - Use education records only for authorized educational purposes - Not disclose education records except as permitted by the Controller or required by law

6. Data Security

Sycamore implements reasonable and appropriate administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include, but are not limited to:

• Encryption in Transit: End-to-end TLS/SSL encryption is enforced for data transmitted between end users, edge security services, load balancing components, and application infrastructure.
  
  
• Network Security: Use of perimeter security controls, traffic filtering, and threat mitigation technologies to protect systems and data from unauthorized access.
  
  
• Secure Hosting Environment: Hosting within secure data center environments utilizing enterprise-grade physical, environmental, and logical security controls.
  
  
• Access Controls: Role-based access controls and authentication mechanisms to restrict access to personal data to authorized personnel only.
  
  
• Monitoring and Logging: System monitoring and logging designed to detect, analyze, and respond to potential security events.
  
  

These safeguards are designed to align with industry best practices for protecting education records and personal data.

7. Subprocessors

Sycamore may engage subprocessors to assist in providing the services (e.g., hosting providers). Sycamore remains responsible for subprocessors’ compliance with this DPA and ensures subprocessors are bound by appropriate confidentiality and data protection obligations.

A current list of subprocessors will be made available upon request.

8. Data Breach Notification

Sycamore will notify the Controller without undue delay upon becoming aware of a personal data breach affecting customer data and will provide information reasonably required to assist the Controller in meeting legal notification obligations.

9. Data Retention and Deletion

Upon termination of the services, Sycamore will, at the Controller’s direction, delete or return personal data unless retention is required by law.

10. Data Subject Rights

Sycamore will reasonably assist the Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws.

11. Audits and Assessments

Upon reasonable notice, Sycamore will provide information necessary to demonstrate compliance with this DPA and applicable privacy obligations.

12. Governing Law

This DPA is governed by the same law and jurisdiction as the primary agreement between the parties.

Accepted and agreed to as of the effective date of the primary agreement.