Data Processing Agreement
Read it. Sign it. The platform enforces it.
CurioPilot’s standard DPA is GDPR Article 28-compliant, with optional UK, CCPA, and US state-specific addenda. School admins sign once during onboarding; the platform’s enforceAiConsent() check refuses every AI call without a signed DPA.
The summary
What our DPA commits us to.
- Processor relationship. MoizLabs is a data processor under GDPR Article 28; the school or parent tenant is the controller.
- Purpose limitation. We use your data only to provide the service. We don’t train models on it; we don’t sell it.
- Sub-processors. Listed in full at /curiopilot/compliance. 30 days’ advance notice before adding a new one; tenants can opt out during the notice window.
- DSAR + erasure. Article 15 (export) and Article 17 (erasure) flows are one-click in the tenant admin. Active data removed in seconds; backups purged within 90 days.
- Audit + breach. 24-hour breach-notification window. Annual penetration test (NDA-gated results). TraceLayer makes processing auditable on demand.
- International transfers. Standard contractual clauses (SCCs) for EU → US sub-processors. Transfer-impact assessment available on request.
Get the current DPA.
We don’t publish the signed PDF on the open web — it’s versioned per-tenant and dated. Email us with your school name and DPO contact; we send the current version (PDF, with an editable Word counterpart if your legal team needs one) within one business day.
Districts with custom DPA templates: link us your template and we’ll redline it. Available on the Campus plan.