Data Processing Agreement
Between [School/District Name] (“Controller”) and Brace Yourself Solutions LLC (“Processor”)
1. Scope of Processing
This Data Processing Agreement (“DPA”) governs the processing of personal data by Brace Yourself Solutions LLC (“Processor”) on behalf of the Controller in connection with the Extra Credit AI grading service (“Service”). The Processor shall process personal data only in accordance with this DPA and any documented instructions from the Controller.
The subject matter of processing is AI-powered grading of student work submitted by authorized teachers of the Controller’s institution.
2. Data Categories
The Processor may process the following categories of personal data:
- Student work content (text, images, PDFs) submitted by authorized teachers
- Teacher-entered student names (used for session management; stripped before AI transmission)
- AI-generated grades and feedback associated with student submissions
- Teacher account information (name, email address, institution) for account management
The data subjects are students whose work is submitted for grading and teachers who operate the Service.
3. Purpose Limitation
The Processor shall process personal data solely for the purpose of providing the AI grading service as described in this DPA and the applicable service agreement. The Processor shall not process personal data for any other purpose without the prior written consent of the Controller, except as required by applicable law.
4. Sub-processors
The Processor uses the following sub-processors in delivering the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI processing (grading analysis) | United States |
| Clockwork Labs, Inc. | Real-time database (SpacetimeDB) | United States |
| Cloudflare, Inc. | Hosting and content delivery | United States / Global |
| Stripe, Inc. | Payment processing and billing | United States |
The Processor shall notify the Controller of any intended changes to the sub-processor list and provide the Controller with the opportunity to object to such changes.
5. Security Measures
The Processor implements the following technical and organizational security measures:
- Encryption in transit: All data transmitted between the Service and end users is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored by the Service is encrypted at rest.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
- PII stripping: Student names and identifying information are stripped from data before transmission to AI sub-processors. The AI receives anonymized content only.
- Authentication: Teacher access requires Google OAuth authentication.
- Audit logging: Access and modification events are logged for security monitoring.
6. Data Retention and Deletion
- Active accounts: Personal data is retained for the duration of the active service agreement.
- Account deletion: Upon termination, personal data will be deleted within 30 days of the termination date, subject to legal retention requirements.
- Data export: Prior to deletion, the Controller may request an export of their data in a machine-readable format.
- Audit logs: Security and audit logs are retained for a period of 3 years as required for compliance purposes.
- Backups: Data in backups will be purged within 90 days of the primary deletion.
7. Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and where feasible within 72 hours of becoming aware of the breach. Notification shall include the nature of the breach, categories and approximate number of data subjects concerned, likely consequences of the breach, and measures taken or proposed to address the breach.
8. Controller Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights, including:
- Access: The right to obtain confirmation of whether personal data is being processed and to access that data.
- Correction: The right to have inaccurate personal data corrected.
- Deletion: The right to have personal data erased (“right to be forgotten”).
- Portability: The right to receive personal data in a structured, commonly used, machine-readable format.
- Audit: The Controller has the right to conduct audits or inspections of the Processor’s data processing activities, with reasonable notice.
9. Term and Termination
This DPA is coterminous with the service agreement between the Controller and Processor. Upon termination of the service agreement, the Processor shall, at the Controller’s election, return or delete all personal data processed under this DPA within 30 days of termination. Obligations under this DPA that by their nature should survive termination shall continue in effect after termination.
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of [State], without regard to conflicts of law principles. The parties consent to the exclusive jurisdiction of the courts located in such state for resolution of any disputes arising under this DPA.
Signatures
By signing below, the parties agree to the terms of this Data Processing Agreement.
Controller (School/District)
Processor (Brace Yourself Solutions LLC)
Ethan Brace
Founder
Brace Yourself Solutions LLC