For schools and districts.

What this is

A standing data privacy agreement between OrganizeClass and any school or district whose teachers use our service. It mirrors the SDPC National Data Privacy Agreement structure so it's familiar to district counsel, while being concrete enough that you can adopt it as-is or use it as the starting point for your district's standard form.

If your district uses a custom DPA template (Oregon districts often standardize on the SDPC NDPA or the Oregon ODE template), email privacy@organizeclass.com with the document and we will counter-sign within five business days.

Article 1. Purpose and definitions

Provider. OrganizeClass, the operator of www.organizeclass.com, an online K–5 classroom assessment service.

LEA. Local Education Agency, meaning a school, school district, or other educational institution that adopts the Service for use by its teachers.

Student Data. Personally identifiable information from student records as defined under FERPA (20 U.S.C. § 1232g; 34 C.F.R. § 99) and "covered information" as defined under Oregon SB 187 (ORS 326.700–326.715), entered into the Service by a teacher employed by the LEA.

Service. The OrganizeClass web application and supporting infrastructure.

Article 2. Data ownership and use

The LEA owns and controls all Student Data. Provider acts as a school official under FERPA with a legitimate educational interest, processing Student Data only on behalf of the LEA.

Provider will not:

• Sell, rent, or trade Student Data
• Use Student Data for targeted advertising on or off the Service
• Build profiles of students for non-educational purposes
• Use Student Data to train artificial intelligence or machine-learning models
• Disclose Student Data to any third party except the subprocessors listed in Exhibit A, who are contractually bound to the same restrictions

Article 3. Data security

Provider implements and maintains the safeguards set out in Exhibit B. Provider's security program is designed to be consistent with industry standards for K-12 ed-tech providers, and includes encryption of Student Data both in transit and at rest, audit logging of access, and operational controls to limit abuse.

Provider will notify the LEA without unreasonable delay, and in any event within 30 days, of any security incident that compromises the confidentiality or integrity of Student Data.

Article 4. Data retention and deletion

Provider retains Student Data only as long as necessary to provide the Service to the LEA. Upon written request from the LEA, Provider will delete some or all Student Data, including any backups and any files in storage, within 30 days, and confirm completion in writing.

Upon termination of the LEA's use of the Service, Provider will delete all Student Data within 30 days unless the LEA requests a final export first.

Article 5. Parental rights

Provider supports the LEA in fulfilling parental rights under FERPA, including access, correction, and deletion. Parents should direct requests to the LEA, who may forward them to privacy@organizeclass.com. Provider will fulfill verified requests within 30 days.

Article 6. Compliance with applicable law

Provider complies with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), the Oregon Student Information Protection Act (SB 187, ORS 326.700–326.715), and any other state student-privacy laws applicable to the LEA's jurisdiction.

Article 7. Term

This Agreement is effective when adopted by the LEA and continues until the LEA stops using the Service or either party terminates with 30 days' written notice. Articles 3, 4, and 5 survive termination as needed to complete deletion and notification obligations.

Exhibit A. Subprocessors

Provider may use third-party subprocessors to deliver the Service, including providers for application hosting, managed databases, object storage, and transactional email. Each subprocessor is bound by its own enterprise data-processing terms and the restrictions in Article 2.

A current list of named subprocessors is available on request to privacy@organizeclass.com. Provider will notify the LEA of material changes to the subprocessor list within 30 days.

Exhibit B. Data elements collected and security controls

Student Data elements: first name (required), last name (optional), district student ID (optional), grade level (set per class), assessment scores and performance levels, free-text observation notes, evidence files (photos and documents) attached by the teacher.

Teacher data elements: email address (login), name, school, district, role.

Security controls:

• Data in transit is encrypted using current industry standards. Data at rest is encrypted at the storage layer.
• Sensitive student information, including names, identifiers, and written observations, is encrypted at the application level using customer-managed encryption keys. Access to those keys is logged.
• Evidence files are stored in encrypted object storage with the same customer-managed key.
• User passwords are stored using industry-standard one-way hashing.
• Access to Student Data is logged so the LEA can answer questions about who read a student's records and when. Logs are retained for at least 12 months.
• User sessions expire after a period of inactivity, and authentication and write endpoints are rate-limited.
• Backups are encrypted. Provider can perform a hard delete on request that removes both database records and any associated files in storage.