Before any AI tool runs in a school, somebody has to sign a Data Processing Agreement. The DPA is the contract that turns vendor marketing claims into legally enforceable promises about your students’ data. If the vendor balks at signing one, that is the answer.
This walk-through is for school admins, IT directors, and DPOs who’ve been asked to evaluate an AI vendor and aren’t sure which questions are actually load-bearing. We’ll cover what a DPA is, why it exists, the six things every K-12 DPA must contain, and the red flags that mean “don’t sign this.”
What a DPA actually is
Under Article 28 of the GDPR, a controller (the school) cannot let a processor (the AI vendor) touch personal data without a written contract that locks the processor to specific obligations. The same logic applies under FERPA, COPPA, UK GDPR, and most state-level student-privacy laws — different statutes, same principle: get it in writing.
A DPA isn’t a privacy policy. The privacy policy tells you what the vendor says they do. The DPA is the lever you pull when they don’t.
The six things every K-12 DPA must contain
1. Purpose limitation
The DPA must explicitly say what the processor can and cannot do with the data. “To provide the service” is the right answer. “To improve our products and services” is a hole the size of a model-training pipeline.
2. Sub-processor list + change-notification window
Every cloud, every ops vendor, every analytics provider that touches student data is a sub-processor. The DPA must list them. It must give you advance notice — typically 30 days — before a new one is added. It must let you object, and let you terminate without penalty if your objection can’t be mitigated.
3. Data subject rights flow-through
When a parent exercises their Article 15 access right (or Article 17 deletion right) through the school, the DPA needs to commit the processor to actioning that request — not just within the active database, but through backups, derived datasets, and any AI model weights trained on the data.
4. Security commitments
Encryption in transit + at rest is table stakes. The DPA should also commit to:
- Multi-tenant isolation (your data doesn’t leak into another school’s view).
- Annual penetration testing with results available under NDA.
- Access controls + auditing.
- A breach-notification window — typically 24-72 hours.
5. International transfers
If the processor or any sub-processor is outside the EEA / UK / your jurisdiction, you need an Article 46 transfer mechanism — usually Standard Contractual Clauses (SCCs), often plus a Transfer Impact Assessment. For UAE schools, a similar mechanism applies under Wadeema. For US districts dealing with EU data, the SCCs do the work.
6. Audit rights
You should be able to verify the processor’s compliance. The DPA should commit them to providing reasonable audit cooperation — typically a documentation review, with on-site audits available for cause.
The red flags
These are the clauses in vendor DPAs that you should push back on:
- “...for our legitimate business purposes.” This is the AI-training escape hatch. Strike it.
- “The processor reserves the right to modify this agreement at any time.” A unilateral DPA isn’t a DPA.
- “The customer is responsible for obtaining all necessary consents.” True for the school’s side, but doesn’t excuse the vendor from their own obligations under Article 28.
- No sub-processor list. If the vendor refuses to tell you who they share your data with, they’re telling you everything you need to know.
- Carve-outs for “de-identified” or “aggregated” data. De-identified data has been re-identified at scale often enough that anything carved out under this clause should be treated as live personal data.
How CurioPilot signs a DPA
Our standard DPA covers all six items above and rejects all five red flags. We sign it before any pilot starts. Districts with custom student-privacy templates (CA AB 1584, NY Ed Law 2-d, IL SOPPA) — we accept those as the controlling DPA, no fight.
The longer answer is at /legal/dpa. The shorter answer is: request the DPA and we’ll send the current version within one business day.
One last thing
A DPA is necessary, not sufficient. The contract sets the obligations; the platform decides whether they’re actually enforced on every AI call. That’s why we built TraceLayer — so the DPA isn’t a PDF in a folder, it’s a runtime check.