Data Processing Agreement
The formal agreement governing how SpEd Coach processes data on behalf of your organization.
Last updated June 2026
1. Definitions
- "Customer Data" means all personal data submitted to SpEd Coach by or on behalf of the Customer through the Services, including educational records, student information, and staff data.
- "Processing" has the meaning given in applicable data protection law and includes any operation performed on personal data.
- "Sub-processor" means any third party engaged by SpEd Coach to process Customer Data in connection with providing the Services.
- "Applicable Data Protection Law" means all applicable laws and regulations relating to processing of personal data, including FERPA, IDEA, and applicable state privacy laws.
2. Roles and Processing Instructions
The Customer is the data controller for Customer Data. SpEd Coach acts as a data processor and processes Customer Data only: (a) in accordance with the Customer's documented instructions as expressed through configuration of the Services; (b) as necessary to provide the Services as described in the Terms of Service; and (c) as required by applicable law, in which case SpEd Coach will notify the Customer unless prohibited by law.
3. Purpose and Scope of Processing
SpEd Coach processes Customer Data for the following purposes:
- Providing the SpEd Coach platform and its workflow, documentation, and AI-assisted features
- Authenticating users and enforcing access controls
- Generating audit logs and operational records
- Processing AI-assisted workflow features as directed by users
- Responding to support requests
- Ensuring platform security and preventing fraud or abuse
4. Confidentiality
SpEd Coach will ensure that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations. SpEd Coach will not disclose Customer Data to any third party except as required to provide the Services or as required by applicable law.
5. Security Measures (Technical and Organizational Measures)
SpEd Coach implements and maintains the following technical and organizational security measures:
Access Control
- Role-based access controls enforced at the database layer via row-level security policies
- Tenant-isolated architecture preventing cross-organization data access
- Multi-factor authentication available; authenticated sessions required for all data access
Encryption
- All data in transit encrypted via TLS 1.2 or higher
- All data at rest encrypted via AES-256 by the managed infrastructure provider
- Uploaded documents stored in access-controlled object storage
Audit and Monitoring
- Comprehensive audit logging of authentication events, administrator actions, module access, and AI invocations
- Infrastructure-level monitoring for operational health and anomaly detection
AI Data Processing Safeguards
- Content passes through a PII detection and reduction pipeline before transmission to AI model providers
- AI model providers operate under data processing agreements prohibiting use of customer data for model training
Incident Response
- Documented incident response procedures covering identification, containment, investigation, remediation, and notification
6. Sub-Processors
SpEd Coach engages the following sub-processors to assist in providing the Services. All sub-processors are bound by data processing agreements requiring appropriate security safeguards:
| Vendor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Managed database, authentication, and storage | United States |
| Cloudflare, Inc. | Edge delivery, DNS, and runtime infrastructure | United States |
| Stripe, Inc. | Payment processing | United States |
| Anthropic PBC | AI model provider, Claude models | United States |
| Google LLC | AI model provider, Gemini models | United States |
| Resend, Inc. | Transactional email | United States |
SpEd Coach will notify Customers of material changes to sub-processors with reasonable notice before the change takes effect, allowing Customers to object. The sub-processor list is maintained at spedcoach.com/trust.
7. Data Subject Rights
To the extent applicable, SpEd Coach will provide reasonable assistance to enable the Customer to fulfill obligations to respond to requests from data subjects (including students, parents, and staff) to exercise their rights under applicable data protection law, including rights of access, correction, deletion, and portability. Such requests should be directed to support@spedcoach.com with proof of authority.
8. FERPA Obligations
SpEd Coach acknowledges that educational records processed through the Services may be subject to FERPA. SpEd Coach agrees to:
- Use educational records only for the purpose of providing the Services and as permitted by FERPA's "school official" exception (34 C.F.R. § 99.31(a)(1))
- Not disclose educational records to third parties except as directed by the Customer or as permitted by applicable law
- Maintain appropriate safeguards to protect the confidentiality and security of educational records
- Return or destroy educational records upon termination of the Services as described in the Data Retention & Deletion page
9. Data Return and Deletion
Upon termination of the Services, SpEd Coach will make Customer Data available for export for a period of thirty (30) days following termination. Thereafter, SpEd Coach will delete or destroy Customer Data in active systems within a reasonable timeframe. Backup archives will age out on the infrastructure provider's standard schedule. The Customer may request deletion at any time by contacting support@spedcoach.com.
10. Audit Rights
SpEd Coach will provide reasonable information and cooperation to enable Customers to verify SpEd Coach's compliance with this DPA. This may include completion of a standard security questionnaire. On-site audits may be requested with reasonable advance notice and are subject to reasonable conditions to protect SpEd Coach's operational security.
11. Data Breach Notification
SpEd Coach will notify the Customer without undue delay upon becoming aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
12. International Data Transfers
SpEd Coach processes Customer Data in the United States. All sub-processors listed above are based in the United States. If your organization requires specific data transfer mechanisms for international operations, contact support@spedcoach.com.
13. Term
This DPA is effective for the duration of the Customer's use of the Services and terminates automatically upon termination of the Terms of Service.
14. Conflict
In the event of conflict between this DPA and the Terms of Service with respect to data processing matters, this DPA controls.
15. Executing a DPA
To execute a signed DPA with SpEd Coach, contact support@spedcoach.com. We will provide a countersigned copy for your records.
