IEP CASEMATE — DATA PROCESSING AGREEMENT (TEMPLATE OUTLINE)
============================================================

This outline summarizes key terms for school and district procurement review.
Request a countersigned copy at privacy@iepcasemate.com.

1. PARTIES & PURPOSE
   - Educational agency (School/District) and IEP Casemate, Inc.
   - Provider processes student education records solely to deliver the Casemate IEP caseload management service under the agency's direction and control.

2. FERPA — SCHOOL OFFICIAL DESIGNATION
   - Provider acts as a "school official with a legitimate educational interest" under 34 CFR § 99.31(a)(1).
   - Processing limited to contracted educational purposes.
   - No use of student data for advertising, profiling, or model training.

3. DATA CATEGORIES PROCESSED
   - Student identifiers (name, grade, school, case manager assignments)
   - IEP goals, services, accommodations, and present levels
   - Service delivery logs, schedules, and progress monitoring records
   - Assessment results and uploaded IEP documents (when provided by users)
   - Staff account information (name, email, role, school/district affiliation)

4. DATA USE LIMITATIONS
   - Provide, maintain, and improve the contracted service
   - Security monitoring, support, and legal compliance
   - No sale or unauthorized re-disclosure of student data

5. SECURITY MEASURES
   - Encryption in transit (TLS) and at rest (Google Cloud)
   - Role-based access controls and Firebase security rules
   - Audit logging for sensitive operations
   - Incident response and breach notification procedures

6. SUBPROCESSORS (REPRESENTATIVE LIST)
   - Google Cloud / Firebase (hosting, database, authentication, storage)
   - Stripe (subscription billing — no student education records)
   - Anthropic / Google Vertex AI (AI features — PII scrubbed before inference)
   - Resend (transactional email — invite and account notifications)
   Subprocessor list maintained at https://iepcasemate.com/trust

7. DATA RETENTION & DELETION
   - Data retained for the subscription term and as required by contract
   - Upon termination: return or delete student data within agreed timeframe
   - Users may request account deletion via in-app settings

8. AUDIT & COMPLIANCE
   - Agency audit rights upon reasonable notice
   - State privacy exhibits available (e.g., NY Ed Law § 2-d, SOPPA, California)

9. CONTACT
   - Privacy & DPA requests: privacy@iepcasemate.com
   - Security inquiries: security@iepcasemate.com