Data Processing Addendum
Standard contractual terms for schools and school boards
Why This Document Matters
This DPA is a legally binding contract that puts our privacy commitments in writing. It demonstrates that if we fail to protect student data as promised, your institution has legal recourse. This is your "skin in the game" guarantee.
DATA PROCESSING ADDENDUM
Effective Date: January 2026
1. PARTIES
This Data Processing Addendum ("DPA") is entered into between:
- "Institution" - The school, school board, or educational organization agreeing to these terms.
- "Argraide" - Argraide Inc., the provider of the educational technology platform.
2. DEFINITIONS
- "Student Data" means any information relating to a student that is collected, stored, or processed through the Platform.
- "Personal Information" has the meaning given under MFIPPA, FIPPA, PIPEDA, and other applicable privacy legislation.
- "Platform" means the Argraide educational technology service.
- "Processing" means any operation performed on Student Data.
3. SCOPE OF PROCESSING
Argraide processes the following categories of data:
| Data Category | Collected? | Notes |
|---|---|---|
| Student Names | NO | Random usernames only |
| Student Emails | NO | Emoji-based auth |
| Student Photos | NO | Not collected |
| Learning Progress | YES | Linked to anonymous ID only |
| Activity Scores | YES | For teacher reporting |
| Teacher Nicknames for Students | YES* | *Encrypted client-side; we cannot read |
4. DATA LOCATION
All Student Data is stored exclusively in Canada, specifically in AWS's Montreal data center (ca-central-1). No Student Data is transferred to or processed in the United States or any other jurisdiction without explicit written consent.
5. SECURITY MEASURES
Argraide implements the following security measures:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Row-level security policies on all database tables
- Regular security audits and penetration testing
- Zero-knowledge encryption for teacher-defined student nicknames
- No persistent logging of student activity details
6. DATA RETENTION & DELETION
- Student Data is retained only while the associated class is active.
- Upon class archival, Student Data is automatically purged within 30 days.
- Institution may request immediate deletion at any time by contacting support@argraide.com.
- Deletion requests are processed within 72 hours.
7. SUBPROCESSORS
Argraide uses the following subprocessors:
| Subprocessor | Purpose | Location | Student Data? |
|---|---|---|---|
| Supabase | Database hosting | Canada (Montreal) | Yes (encrypted) |
| Stripe | Payment processing | USA (PCI-DSS) | No |
| Vercel | Application hosting | Global CDN | No (stateless) |
| Google (Gemini) | AI activity generation | USA | No |
8. INSTITUTION RIGHTS
The Institution has the right to:
- Request a copy of all Student Data associated with their account
- Request deletion of all Student Data at any time
- Conduct or request a security audit (with 30 days notice)
- Receive breach notification within 72 hours of discovery
9. LIABILITY & INDEMNIFICATION
Argraide shall indemnify and hold harmless the Institution from any claims, damages, or expenses arising from Argraide's breach of this DPA or applicable privacy laws, including but not limited to MFIPPA, FIPPA, PIPEDA, and Ontario Bill 194.
10. TERM & TERMINATION
This DPA remains in effect for the duration of the service agreement. Upon termination, Argraide will delete all Student Data within 30 days unless legally required to retain it.
SIGNATURES
For Argraide Inc.:
Signature
Name
Title
Date
For the Institution:
Signature
Name
Title
Date
Need a customized DPA? Contact us at support@argraide.com