Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between the educational agency executing this agreement (“School” or “District”) and Sparkfield (“Provider”), the operator of the Sparkfield educational platform accessible at sparkfield.app.

The purpose of this DPA is to govern the processing of student personally identifiable information (“Student PII”) by the Provider on behalf of the School in connection with the Provider's educational services.

• “Student PII” means personally identifiable information from student education records as defined under FERPA (34 CFR Part 99) and NY Education Law § 2-d.
• “Educational Services” means the science learning platform, quiz system, essay grading, and related features provided by Sparkfield.
• “Authorized Users” means teachers, administrators, and students enrolled by the School through Sparkfield.
• “Breach” means any unauthorized acquisition, disclosure, use, or destruction of Student PII.

In providing the Educational Services, Provider collects and processes the following categories of Student PII on behalf of the School:

• Student display name and grade level (provided by teacher)
• System-generated username and encrypted password
• Academic performance data: quiz responses, essay submissions, scores, levels, and progress metrics
• In-platform behavior events logged by teachers (e.g., behavior notes)
• Accommodation settings (e.g., text-to-speech, extended time)

Provider does not collect email addresses, home addresses, phone numbers, Social Security numbers, financial information, biometric data, health information, or precise geolocation from students.

Provider shall use Student PII solely to:

• Provide, maintain, and improve the Educational Services contracted by the School
• Allow teachers and authorized administrators to monitor student progress
• Allow parents linked by a teacher to view their child's progress
• Perform automated essay grading via AI (essay text only — no identifying information is included)
• Comply with applicable legal obligations

Provider shall not:

• Sell Student PII or use it for any commercial purpose unrelated to the Educational Services
• Use Student PII for targeted advertising or behavioral profiling
• Disclose Student PII to third parties except as described in Section 6 (Sub-Processors) or as required by law
• Retain Student PII beyond the periods described in Section 7

Provider acknowledges that the School is subject to New York Education Law § 2-d and agrees to the following in connection with its obligations thereunder:

• Provider will not use Student PII for any purpose other than those explicitly authorized in this DPA and the underlying service agreement.
• Provider will adopt and maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of Student PII.
• Provider will notify the School of any Breach or unauthorized release of Student PII in accordance with Section 8 of this DPA.
• Provider will cooperate with the School to enable the School to fulfill its obligations under the Parents' Bill of Rights for Data Privacy and Security.
• Upon termination or expiration of this agreement, Provider will return or securely destroy all Student PII as directed by the School, subject to the retention schedule in Section 7.
• Provider will maintain a list of all sub-processors with access to Student PII and make it available upon request.

Provider may engage the following sub-processors to assist in delivering the Educational Services. All sub-processors are contractually bound to data protection standards consistent with this DPA.

Provider will notify the School at least 30 days before adding a new sub-processor that will have access to Student PII, giving the School the opportunity to object.

• Student accounts and associated data are retained while the student is enrolled in an active class on the platform.
• Upon written request by the School, Provider will delete all Student PII within 30 days.
• Following deletion, data may persist in encrypted system backups for up to 90 days before being permanently purged.
• Upon termination of the service agreement, Provider will return all Student PII in a portable format or securely delete it, at the School's election, within 60 days.

In the event of a Breach affecting Student PII, Provider will:

• Notify the School's designated contact within 5 business days of discovering the Breach
• Provide a written incident report including: nature of the Breach, categories and approximate volume of Student PII affected, likely consequences, and measures taken or proposed to address the Breach
• Cooperate fully with the School's investigation and any required regulatory notifications
• Take prompt steps to contain the Breach and prevent further unauthorized access

The School may request access to, correction of, or deletion of any Student PII held by Provider. Provider will respond to such requests within 30 days. Parents and eligible students may exercise their rights under FERPA and COPPA by contacting their school or emailing hello@sparkfield.app.

Provider implements and maintains the following safeguards:

• All data transmitted between users and the platform is encrypted using TLS 1.2 or higher (HTTPS)
• All passwords are hashed using bcrypt with appropriate work factors; plaintext passwords are never stored
• Database access is restricted to application infrastructure; no direct external database access is permitted
• Access to production systems is limited to authorized personnel on a need-to-know basis
• API keys and credentials are stored as environment variables and never exposed in source code or client-side code

This DPA remains in effect for the duration of the service agreement between the School and Provider. It may be terminated by either party with 30 days written notice, or immediately upon material breach. Upon termination, Section 7 (Data Retention and Deletion) survives.

This DPA is governed by the laws of the State of New York. For New York educational agencies, this DPA is intended to satisfy the requirements of New York Education Law § 2-d and the regulations promulgated thereunder (8 NYCRR Part 121).

To request a countersigned copy of this DPA, use the form at the top of this page or email hello@sparkfield.app directly. We will respond within 5 business days.

General privacy questions: hello@sparkfield.app