Kudos4Kids LLC

Data Privacy and Security Agreement

Template: 1EdTech DPSA v1.0 (2024)

Supplier: Kudos4Kids LLC

Effective Date: Date of last signature / date of digital acceptance

About this Agreement: This Data Privacy and Security Agreement ("DPSA") governs how Kudos4Kids LLC handles student and staff data on behalf of schools. It is based on the 1EdTech DPSA Template v1.0 (2024), which is purpose-built for US K–12 educational technology and covers FERPA, COPPA, PPRA, and CIPA.

This DPSA is entered into by and between the institution entity defined in the signature block below ("Institution") and Kudos4Kids LLC ("Supplier") (individually a "Party", together the "Parties"). This DPSA is effective as of the last signature date below (the "Effective Date"). In the event of a conflict between this DPSA and any other writing between the Parties, this DPSA shall control with respect to the subject matter herein.

The Parties agree as follows.

1. Definitions

2. Term; Termination

2.1 Term

This DPSA shall commence on the Effective Date and shall continue for the term of the Service Agreement, unless terminated earlier in accordance with this DPSA.

2.2 Termination

(a) During the term of the Service Agreement, this DPSA may be terminated by either Party upon thirty (30) days prior written notice to the other Party. In the event of such termination, Supplier shall stop Processing Institution Data and dispose of Institution Data as described in Section 4.9.

(b) In the event of an incurable breach of this DPSA by the Supplier, Institution may terminate this DPSA immediately. In the event of such termination, Supplier shall stop Processing Institution Data and dispose of Institution Data as described in Section 4.9.

(c) This DPSA shall automatically terminate upon the same date as the Service Agreement unless otherwise agreed to by the Parties. In the event of such termination, Supplier shall stop Processing Institution Data and dispose of Institution Data as described in Section 4.9.

3. Data Use, Ownership, and Obligations

3.1 Data Ownership

As between Institution and Supplier, Institution owns and controls all Institution Data provided to, or generated by Supplier under this DPSA and the Service Agreement. All rights and intellectual property in and to Institution Data shall remain the exclusive property of the Institution. Any modifications, copies, additions to or any portion of the Institution Data are subject to the provisions of this DPSA.

3.2 Data Location

Supplier will store or host all Educational Records and Personally Identifiable Information in the continental USA.

3.3 FERPA

To the extent that the Institution is subject to FERPA, the Parties agree that Supplier operates as a School Official under FERPA and has a legitimate educational interest in Personally Identifiable Information from Education Records received from the Institution pursuant to this DPSA. For purposes of the Agreement and this DPSA, Supplier: (a) provides a service or function for which the Institution would otherwise use its employees; (b) is under the direct control of the Institution with respect to the use and maintenance of Education Records; and (c) is subject to the requirements of FERPA governing the use and re-Disclosure of Personally Identifiable Information from the Education Records received from Institution.

3.4 Separate Account

As required and defined by applicable Data Protection Laws, if Student Generated Content is created, stored, or maintained by Supplier or the Services, Supplier shall, at the request of the Institution, transfer or provide a mechanism for the Institution to transfer such Student Generated Content to a separate account created by the student or parent.

3.5 De-Identified Data

De-Identified data may be used by Supplier for those purposes permitted under FERPA and the following purposes: (a) assisting the Institution or other governmental agencies in conducting research and other studies; research and development of the Supplier's educational sites, services, or applications, and (b) to demonstrate the effectiveness of the Services; and for adaptive learning purpose and for customized student learning. Supplier's use of De-Identified Data shall survive termination of this DPSA or any request by Institution to return or destroy Student Data. Supplier agrees not to attempt to re-identify De-Identified Data, and not to transfer De-Identified Student Data to any third party unless that third party agrees in writing not to attempt re-identification.

3.6 Data Schedule

The Supplier shall complete Exhibit A to describe the Institution Data elements Processed by the Services. The Supplier agrees to update Exhibit A as necessary when Institution Data elements are added or removed.

4. Supplier Obligations

4.1 Authorized Use

Supplier shall only use Institution Data as provided in this DPSA and the Service Agreement to provide the Services. Except as expressly permitted herein, Supplier shall not disclose Institution Data to any third party without the prior written consent of Institution. Supplier may only share Institution Data with its Affiliates to provide the Services under the Agreement and any such access shall be on a need-to-know basis.

4.2 Compliance with Data Protection Laws

In its provision of the Services, Supplier agrees to comply with all Data Protection Laws applicable to its Processing of Institution Data.

4.3 Advertising

Supplier shall not sell, transfer, share, or otherwise disclose Personally Identifiable Information, Education Records, unique identifiers, or any Institution Data to targeted advertising providers or develop a profile of a student or parent or guardian for the purpose of advertising. Supplier will not use Institution Data for its own advertising or for third-party advertising. This does not prohibit Supplier from using Institution Data to provide adaptive learning services and customized student learning services, make product recommendations to Institution employees, and notify account holders of updates about the Services or new features of the Services.

4.4 Supplier Personnel

Supplier shall ensure that its employees, Subprocessors, subcontractors, and agents (collectively "Personnel") involved in the Processing of Personally Identifiable Information or Education Records are subject to either contractual or statutory obligations of confidentiality, and that access is strictly limited to those Personnel who require access to perform the Services. Supplier shall ensure that its Personnel are informed of the confidential nature of the Institution Data and have received appropriate training on their responsibilities and applicable Data Protection Laws. As required by Data Protection Laws or Institution policy, Supplier shall ensure that its Personnel have gone through appropriate background checks prior to accessing Personally Identifiable Information or Education Records.

4.5 Security and Privacy

(a) Security and Privacy Program. Supplier shall implement and maintain a security and privacy program that includes appropriate physical, administrative, technical, and operational controls to protect the confidentiality, integrity, privacy, and availability of Institution Data Processed by Supplier aligned with an industry standard framework, such as the NIST Cybersecurity Framework, AICPA SOC 2 Type 2, ISO/IEC 27001, or other recognized industry standards. Supplier shall describe its security standards in Exhibit A. These measures shall include protection against unauthorized or unlawful access, processing, loss, alteration, or damage of Institution's Personally Identifiable Information. Supplier shall regularly monitor its compliance with its program and not materially decrease its privacy and security controls during the term of this DPSA.

(b) Incident Response Plan. Supplier shall implement, maintain, and regularly test an incident response plan consistent with industry standard practices and Data Protection Laws. This incident response plan shall include processes for responding to a Data Breach, breach of the security, privacy, or unauthorized acquisition or use of Institution Data or any portion thereof, including PII. Supplier agrees to provide Institution with a summary of said written incident response plan so long as a valid non-disclosure agreement is in place between the parties.

4.6 Data Breach

In the event of a Data Breach, Supplier shall promptly, but in no more than seventy-two (72) hours, notify Institution of any such Data Breach unless prohibited by an applicable law enforcement authority. Supplier shall provide such notification to Institution's Security Contact as described in Section 7.5 or other contact as provided by Institution. In such notification Supplier shall provide the following information, to the extent such information becomes available to Supplier; (a) a general description of the Data Breach; (b) the categories and approximate number of records or individuals affected by the Data Breach; (c) actions taken by Supplier to remediate the Data Breach; and (d) Supplier shall (i) take reasonable steps to mitigate the effects and minimize any damage resulting from the Data Breach; (ii) cooperate with Institution's reasonable requests for assistance in remediating a Data Breach; and (iii) maintain records of information related to the Data Breach. If such information is not available within the timeframe specified, the Supplier shall include an estimated timeline to provide a complete detail of the above aspects.

4.7 Audits

No more than once every twelve (12) months Institution may audit Supplier's compliance with this DPSA and applicable Data Protection Laws for the purpose of meeting its obligations under Data Protection Laws or Institution's policies. Institution shall provide at least thirty (30) days written notice to the Supplier of such an audit.

(a) In lieu of an Institution audit, Supplier agrees to conduct an annual security and privacy audit of its Services and program. Upon receipt of a written request and execution of an appropriate confidentiality agreement, Supplier will provide copies of its most recent audit summary or bridge letter to Institution. Supplier agrees to have a third-party conducted penetration test, dated within the last twelve (12) months, with all high and above findings remediated.

(b) In the event of a Data Breach, or inquiry by any governmental agency, Institution (or the applicable governmental agency) may perform an audit of Supplier upon written notice to Supplier. Institution shall send any such audit request to the Security Contact identified in Section 7.5 (Notice). In the event that Institution engages a third party to perform the audit, such third party shall execute a non-disclosure agreement with Supplier. Institution agrees to promptly notify the Supplier of any non-compliance discovered during such an audit.

(c) The Supplier agrees in good faith to remediate any critical or high security findings, or known exploitable findings identified by the Institution.

4.8 Subprocessors

Institution agrees that Supplier may use Subprocessors in connection with the provision of the Services and permit Subprocessors to Process Institution Data, provided that:

(a) Supplier shall ensure that obligations not materially less protective than those set out in this DPSA, and applicable Data Protection Laws are imposed on its Subprocessors;

(b) Supplier shall be responsible for the acts and omissions of its Subprocessors if and to the same extent Supplier would be liable if performing the services of each Subprocessor directly;

(c) Supplier shall provide Institution with a list of its current Subprocessors in Exhibit B or by providing a link to a website where information about its list of Subprocessors is kept up to date; and

(d) Supplier shall inform the Institution of any changes or additions to its Subprocessors at least thirty (30) days prior to such addition or change.

4.9 Deletion and Return of Institution Data

(a) Supplier shall (and procure that its Subprocessors shall) securely delete Institution Data stored in the Services (i) within ninety (90) days after termination of this DPSA; or (ii) within thirty (30) days upon written request from Institution. Upon written request from Institution, Supplier shall provide written certification of such deletion substantially in the form of Exhibit C. Until such deletion occurs, the Supplier will ensure compliance with this DPSA.

(b) Supplier shall provide functionality for Institution to download Institution Data from the Services, to the extent possible provided by the Services. If the Services do not provide a download functionality, the Supplier shall return to Institution all Institution Data in the Services in an industry standard format within ninety (90) days after termination of this DPSA.

(c) If Supplier believes that it cannot comply with the foregoing deletion requirement because applicable law requires the retention of such data, then Supplier shall provide written notice to Institution within thirty (30) days of termination of this DPSA informing of such requirement and protect such data in accordance with this DPSA.

4.10 Law Enforcement Requests

If the Supplier receives a request for access to Institution Data from a legally authorized entity, the Supplier shall promptly notify Institution of such request unless prohibited from such notification by applicable law.

5. Institution Obligations

5.1

Institution shall, in its use or receipt of the Services, Process Institution Data in accordance with the Data Protection Laws. Institution will ensure that its instructions for the Processing comply with applicable Data Protection Laws. Institution shall have sole responsibility for the accuracy, quality, and legality of Institution Data, the means by which Institution obtained the Institution Data, and for fulfilling all requirements under Data Protection Laws necessary to make the Institution Data available to Supplier. Institution shall promptly notify Supplier of any known unauthorized access to the Services. Institution will assist Supplier in any efforts by Supplier to investigate and respond to any unauthorized access to the Services.

5.2 COPPA Obligations

Children under 13 may only use the Services with prior consent of a parent or an educational institution acting on behalf of the child's parent. Institution agrees that it has obtained such consent prior to permitting any child under 13 to access or use the Services.

6. Insurance

In addition to any insurance requirements under the Service Agreement, Supplier shall secure and maintain at Supplier's sole expense the insurance coverages described in Exhibit E.

7. Miscellaneous

7.1 Severance

Should any provision of this DPSA be invalid or unenforceable, then the remainder of this DPSA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.

7.2 Entire Agreement

This DPSA and the Service Agreement constitute the entire agreement of the Parties with respect to the subject matter hereof and supersede any prior or contemporaneous representations, understandings, writings, or agreements by the Parties. This DPSA may only be amended by the Parties in writing.

7.3 Governing Law; Jurisdiction; Venue

This DPSA shall be governed by and construed in accordance with the laws of the state of Institution without regard to conflicts of laws principles. The Parties agree to submit to the jurisdiction of the state and federal courts located in the state of the Institution.

7.4 Assignment

Supplier may not assign its rights and obligations under this DPSA without the consent of the Institution which shall not be unreasonably withheld. Any such assignment without consent shall be considered null and void. Notwithstanding the foregoing, Supplier may assign its rights and obligations under this DPSA, in whole or part, in connection with the transfer or sale of all or substantially all of the assets or business of Supplier. This DPSA will be binding upon, inure to the benefit of, and be enforceable by the Parties and respective successors and permitted assigns.

7.5 Notices

Any notice required or permitted to be given under this DPSA shall be in writing and shall be addressed to the appropriate Party at the address specified below. Notices shall be deemed to have been given for all purposes (a) when delivered if sent by a reputable courier service, or (b) five (5) days after mailing, or (c) upon receipt when delivered by email provided that the recipient acknowledges such delivery.

Supplier Legal Notice & Security Representative:

Kudos4Kids LLC — Devan Jones, Owner / Authorized Representative

7301 N State Highway 161, #148, Irving, TX 75039-2803

Email: support@mykudos4kids.com

Signature Block

Digital Acceptance: When you check the "I agree to the Data Privacy and Security Agreement" box during account creation, you are entering into this Agreement on behalf of your school or institution. Your name, email address, school name, and the date and time of acceptance are recorded as the binding acceptance of this Agreement.

For schools that require a traditionally signed copy, please email support@mykudos4kids.com to request a countersigned PDF.

Exhibit A — Schedule of Institution Data

Services Name: Kudos4Kids

Staff / Educator Data

Data Element | Required / Optional | Purpose for Use
Educator Name (First/Last) | Required | Staff identification and display within the platform
Educator/Staff Email Address | Required | Login credential and system notifications
Educator/Staff ID Number | Optional | Unique identifier imported via OneRoster/ClassLink

Student Data

Data Element | Required / Optional | Purpose for Use
Student Name (First/Last) | Required | Display in leaderboards, records, and reports
Student Email Address | Required | Student login credential
Student Grade Level | Optional | Filtering and reporting
Student SIS Identifier | Optional | Unique identifier from OneRoster/ClassLink
Student School Enrollment | Optional | House team assignment
Services Usage Statistics | Optional | Engagement and participation analytics

Data NOT Collected by Kudos4Kids

Data Element | Status
Student phone number or SMS | Not collected
Parent/Guardian name, address, email, or phone | Not collected
Student health data or disability information | Not collected
Student financial data or lunch eligibility | Not collected
Student demographic data (race/ethnicity, gender, ELL status) | Not collected
Student conduct or disciplinary records | Not collected
Student photographs or biometric data | Not collected

Supplier Security Standards

Kudos4Kids LLC implements and maintains security controls aligned with the NIST Cybersecurity Framework. Specific measures include:

Exhibit B — Subprocessor List

Subprocessor Name | Address | Processing Activities | Data Processed | Location
Microsoft Azure (Microsoft Corporation) | One Microsoft Way, Redmond, WA 98052 | Application hosting, web server, and database storage | All Institution Data | USA (continental)
Sentry (Functional Software, Inc.) | 45 Fremont St, San Francisco, CA 94105 | Error monitoring and application diagnostics | Application error logs only — student PII is not transmitted (send_default_pii=False) | USA

Exhibit C — Data Deletion Certificate Template

The undersigned hereby certifies that all copies of Institution Data collected, created, or processed by Kudos4Kids LLC on behalf of _________________________ [Institution Name] have been securely deleted from Supplier's Services on _________________________ [Date].

By signing this certificate, Supplier confirms that all Institution Data, including copies, derivatives, subsets, manipulated files, system backups, temporary files, including non-electronic media, held by Supplier, its employees, subcontractors, agents, and Subprocessors have been properly disposed of in accordance with the Data Privacy and Security Agreement.

Signature: _____________________________

Name: Devan Jones

Title: Owner / Authorized Representative

Supplier Name: Kudos4Kids LLC

Address: 7301 N State Highway 161, #148, Irving, TX 75039-2803

Date: _____________________________

Exhibit D — Institution Specific Requirements

Any school-specific data handling requirements, additional restrictions, or agreed-upon variations from the standard DPSA terms should be documented here prior to execution. Schools requiring institution-specific terms should contact support@mykudos4kids.com.

Exhibit E — Insurance Coverages

Insurance coverages shall be with an admitted carrier having at least an "A" BEST rating. The Supplier shall include the Institution as an additional insured and provide evidence of such coverages upon request by Institution.

Cyber liability coverage providing protection against (i) privacy breaches; (ii) system breach; (iii) denial or loss of service; (iv) introduction, implantation, or spread of malicious software code; and (v) unauthorized access or use of computer systems.

Insurance Commitment: Kudos4Kids LLC will obtain cyber liability insurance prior to the activation of any paid subscription. Proof of coverage will be provided upon request. To inquire about current insurance status, contact support@mykudos4kids.com.

Exhibit F — Data Privacy and Security Agreement Variations

Any variations to the DPSA agreed to between the Parties shall be listed below. No variations are currently in effect. Schools requiring variations should contact support@mykudos4kids.com.

Questions About This Agreement?

Kudos4Kids LLC

Email: support@mykudos4kids.com
Mail: 7301 N State Highway 161, #148, Irving, TX 75039-2803

To request a countersigned PDF copy of this agreement, email us at the address above.

Based on the 1EdTech DPSA Template v1.0 © 2024 1EdTech Consortium, Inc. All Rights Reserved.
Completed by Kudos4Kids LLC.