Data Processing Addendum (Summary)
This summary is suitable for pilots and early-stage district use. For a signed DPA, please contact us via the contact form.
Roles and scope
When used by educational institutions under a written agreement, Praxly acts as a school official with a legitimate educational interest, processing student data solely to deliver the services requested by the institution.
Data processing instructions
We process customer data only on documented instructions from the school or district, including through administrator settings and product configuration.
Sub-processors
Praxly uses select sub-processors to provide the service. Google Gemini APIs are used for optional paid AI features; Gemini does not use customer data to train models for other customers per Google’s published terms. A current list of sub-processors is available on request.
Security
We apply reasonable safeguards, including authenticated access, role-based controls, and encryption in transit and at rest. Access to production data is limited to authorized personnel with a need to know.
Data subject rights
We support export, correction, and deletion requests submitted by the institution, subject to legal retention requirements and backup integrity windows.
Data retention and deletion
Customer data is retained only as long as necessary to provide the service or as required by law. Upon contract end or written request from the institution, we will delete or return customer data, subject to legal holds.
Data location
Data is hosted in the United States. Any cross-border transfers, if applicable, will follow an appropriate transfer mechanism and be communicated to the institution.
Cooperation
Praxly will reasonably assist institutions in meeting their FERPA and privacy obligations related to the service, including providing available audit or security information upon request.