Last updated: May 24, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Scholara and the school, district, or institution (“Data Controller”) that uses our educational services.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable student, parent, or teacher.
- Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
- Data Controller: The school or institution that determines the purposes and means of processing.
- Data Processor: Scholara, which processes data on behalf of the Data Controller.
2. Scope of Processing
Scholara processes Personal Data solely for the purpose of providing educational services as described in our Terms of Service. This includes storing student learning progress, managing classroom rosters, and generating performance reports.
3. Data Controller Obligations
The Data Controller agrees to:
- Obtain all necessary consents and permissions for the processing of student data
- Ensure that data shared with Scholara is accurate and up-to-date
- Comply with all applicable data protection laws, including FERPA and COPPA
- Notify Scholara promptly of any data subject access requests
4. Data Processor Obligations
Scholara agrees to:
- Process Personal Data only in accordance with documented instructions from the Data Controller
- Implement appropriate technical and organizational security measures
- Not sub-process data without prior written consent of the Data Controller
- Assist the Data Controller in responding to data subject rights requests
- Delete or return all Personal Data upon termination of the agreement
- Make available all information necessary to demonstrate compliance
5. Security Measures
Scholara implements the following security measures:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls with role-based permissions
- Regular security assessments and vulnerability testing
- Incident response procedures with notification within 72 hours
- Employee training on data protection practices
6. Data Breach Notification
In the event of a data breach that affects Personal Data, Scholara will notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, and measures taken to address it.
Have a Data Processing Question?
Submit your inquiry below and our team will get back to you.