Data Processing Agreement (DPA)
CurioPilot's GDPR Article 28 DPA — what it commits us to, how to receive a copy, and the addenda available for UK, US state, and district-specific procurement.
Last updated · v1.0
1. Summary
A Data Processing Agreement is the contract that turns vendor marketing claims into legally enforceable promises about your students’ data. Under Article 28 of the GDPR, a controller (the school) cannot let a processor (the AI vendor) touch personal data without one. CurioPilot’s standard DPA is GDPR Article 28-compliant, with optional UK, CCPA, and US state-specific addenda.
School admins sign once during onboarding; the platform’s enforceAiConsent() check refuses every AI call without a signed DPA. The DPA isn’t a PDF in a drawer — it’s enforced on every call via TraceLayer.
2. Article 28 — what our DPA commits us to
- Processor relationship. MoizLabs is a data processor under GDPR Article 28; the school or parent tenant is the controller.
- Purpose limitation. We use your data only to provide the service. We don’t train models on it; we don’t sell it.
- Confidentiality. Personnel with access to personal data are bound by written confidentiality obligations.
- Security measures. The technical and organisational measures in /legal/security are contractually committed under the DPA, not just published.
- Audit + breach. 24-hour breach-notification window. Annual penetration test (NDA-gated results). TraceLayer makes processing auditable on demand.
- Termination. On termination, we return or delete all personal data per the controller’s instruction, with a deletion certificate within 90 days.
3. Sub-processors
The full list — with what each sub-processor does, where it’s hosted, and a link to its DPA — lives at /compliance#sub-processors.
We commit to 30 days’ advance notice before adding or changing a sub-processor that touches student data. During the notice window, tenants can object; if we can’t mitigate, the school may terminate without penalty.
4. Standard Contractual Clauses (SCCs)
Where personal data leaves the country it was collected in (e.g. EU → US for sub-processor support), we use the EU Standard Contractual Clauses, the UK addendum (International Data Transfer Addendum), the Swiss addendum, or a country-specific equivalent as required.
A Transfer Impact Assessment (TIA) is available on request via compliance@moizlabs.com.
5. Audit rights
Controllers may audit our processing — either via the TraceLayer export (a self-service audit log scoped to the tenant) or via written request for an annual third-party attestation report under NDA.
For Campus-plan customers we also support on-site audits with reasonable notice. The cost of any on-site audit is borne by the requesting controller unless a material finding is identified.
6. Data subject rights flow-through
When a parent or student exercises an Article 15 (access) or Article 17 (erasure) right through the school, the DPA commits us to:
- Provide the export or perform the erasure within 30 days of the school’s instruction.
- Hard-delete active data immediately and purge backups within 90 days.
- Issue an audit-hash receipt confirming what was deleted, when, and by whom.
Active data removal happens in seconds; the 90-day window covers encrypted backups, which are rotated on a fixed schedule.
7. Custom DPA + addenda
Districts with custom DPA templates can send us a link to their template and we’ll redline it. This is available on the Campus plan. State-specific addenda for US schools (NY Ed Law 2-d, California SOPIPA, Illinois SOPPA, etc.) are available on request.
Available addenda today:
- Standard DPA (GDPR Article 28).
- UK addendum (International Data Transfer Addendum).
- CCPA / CPRA addendum.
- US state-specific addenda — see index below or request via sales.
8. Request the current DPA
We don’t publish the signed PDF on the open web — it’s versioned per-tenant and dated. Email us with your school name and DPO contact; we send the current version (PDF, with an editable Word counterpart if your legal team needs one) within one business day.
Changelog
- 2026-04-29 v1.0 — Initial public version.