EdCommand

Draft — Pending Legal Review

This Data Processing Agreement is a working draft prepared for attorney review. It is not a final legal agreement and has not been executed. Do not rely on this document for compliance purposes. To initiate a DPA for your institution, contact legal@edcommand.app.

Data Processing Agreement

Draft — Pending Legal Review — Not Executed

1. Parties

This Data Processing Agreement (“DPA”) is between the educational institution, school district, or organization executing this agreement (“Customer”) and EdCommand (“Processor”). This DPA supplements the Terms of Service.

2. Scope and purpose

EdCommand processes information submitted by Customer's authorized users solely to provide the EdCommand educational decision-support service. EdCommand's Terms of Service explicitly instruct users not to submit student personally identifiable information. EdCommand is not designed to function as a system of record for student educational records.

3. Data EdCommand processes

  • Account information: name, email, job role, and school or district information provided during registration
  • Service usage: situation descriptions submitted by users, AI-generated responses, and document drafts
  • Technical data: IP addresses, session information, and error logs

[ATTORNEY NOTE: Annex I — full description of processing activities, data categories, data subjects, and purposes — to be completed during legal review.]

4. Subprocessors

The following subprocessors may process data submitted through the service:

  • Supabase — database and authentication infrastructure
  • Anthropic — AI language model processing of submitted situation descriptions
  • Vercel — application hosting and edge delivery
  • Stripe — payment processing
  • Sentry — error monitoring and logging
  • Resend — transactional email delivery

[ATTORNEY NOTE: Subprocessor agreements, data transfer mechanisms (SCCs or adequacy decisions), and Customer notification procedures to be completed.]

5. Data retention

Customer data is retained for the duration of the active account and for a commercially reasonable period following account closure, unless Customer requests earlier deletion. Customers may request deletion of their data through account settings or by contacting privacy@edcommand.app.

6. Security measures

EdCommand maintains commercially reasonable technical and organizational measures to protect Customer data, including: encryption in transit via TLS, row-level security enforcing tenant isolation in the database, and access controls limiting production data access to authorized personnel.

[ATTORNEY NOTE: Annex II — full technical and organizational measures — to be completed.]

7. Data subject rights

EdCommand will reasonably assist Customer in responding to data subject access, correction, or deletion requests to the extent EdCommand processes data subject to such requests. Submit requests to privacy@edcommand.app.

8. FERPA notice

EdCommand is designed as a professional decision-support tool for individual educators. EdCommand instructs users not to submit student personally identifiable information and is not designed to operate as a “school official” processing education records under FERPA. Institutions requiring a formal FERPA compliance agreement should contact legal@edcommand.app before institutional deployment.

[ATTORNEY NOTE: FERPA analysis, applicable representations, and any required school official agreement language to be reviewed and completed.]

9. International data transfers

[ATTORNEY NOTE: Transfer mechanism — standard contractual clauses, adequacy decision, or other basis — to be specified based on Customer jurisdiction and applicable law.]

10. Contact

Data protection inquiries: privacy@edcommand.app
Legal and DPA execution: legal@edcommand.app