1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Genius Learning, Inc., operating as Elective Genius ("Processor," "we," "us"), and the school, institution, or organization ("Controller," "you") that has entered into a School License agreement for the Elective Genius platform.
This DPA applies to the processing of personal data of students and staff that occurs when the Controller uses the Elective Genius platform. For family (non-institutional) users, our Privacy Policy governs data handling.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable student or user of the platform
- Student Data: Personal Data of students provided to or collected by the Service, including educational records, course progress, AI tutor interactions, journal entries, portfolio submissions, and assessment results
- Processing: Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion
- Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller
3. Scope and Purpose of Processing
We process Student Data solely for the purpose of providing and improving the Elective Genius educational platform, including:
- Delivering course content and AI tutor interactions
- Tracking student progress, grades, and course completion
- Generating certificates, transcripts, and portfolio records
- Providing supervisor dashboards for course oversight and grading
- Maintaining platform security and preventing abuse
- Improving the educational effectiveness of AI-generated content
We will not process Student Data for any purpose beyond what is necessary to provide the Service, and we will never sell, rent, or commercially exploit Student Data.
4. Data Categories
The following categories of Student Data may be processed:
- Identity Data: Name, email address, grade level, role (student/parent/supervisor)
- Educational Records: Course enrollments, lesson progress, quiz scores, assignment submissions, grades
- AI Interaction Data: Conversations with the AI tutor (Meri), including prompts and responses within lesson contexts
- Student-Created Content: Journal entries, portfolio submissions, project work, reflections
- Usage Data: Login timestamps, session duration, pages visited, features used
5. FERPA Compliance
We acknowledge that Student Data may include "education records" as defined by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. As a "school official" under FERPA, we agree to:
- Use Student Data only for the educational purposes for which it was disclosed
- Not re-disclose Student Data to third parties except as permitted by FERPA or authorized by the Controller
- Maintain reasonable security measures to protect Student Data
- Return or destroy Student Data upon termination of the agreement, at the Controller's direction
6. COPPA Compliance
For students under 13, the Children's Online Privacy Protection Act (COPPA) requires verifiable parental consent before collecting personal information. When the Controller is a school:
- The school may consent to data collection on behalf of parents for educational purposes, consistent with COPPA's school consent exception
- The school is responsible for providing appropriate notice to parents about data collection
- Parents retain the right to review their child's data and request deletion by contacting the school or us directly
7. Security Measures
We implement and maintain appropriate technical and organizational security measures, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest
- Access Control: Role-based access ensuring students, parents, and supervisors only see data appropriate to their role
- Authentication: Secure authentication via Clerk with support for multi-factor authentication
- Infrastructure: Hosted on Vercel (SOC 2 Type II certified) with database on Turso (encrypted, edge-distributed)
- AI Processing: AI tutor interactions processed via Anthropic's Claude API, which does not retain or train on user data
- Monitoring: Automated monitoring for unauthorized access attempts
8. Sub-processors
We use the following sub-processors to provide the Service:
| Sub-processor | Purpose | Data Processed |
|---|
| Anthropic (Claude API) | AI tutor functionality | Lesson interactions, student responses |
| Clerk | Authentication | Email, name, login credentials |
| Turso (LibSQL) | Database hosting | All platform data |
| Vercel | Application hosting | Application logs, request metadata |
| Stripe | Payment processing | Billing contact info (school admin only) |
| Google Analytics | Usage analytics | Anonymized usage patterns |
We will notify the Controller at least 30 days before adding or replacing a sub-processor that handles Student Data. The Controller may object to a new sub-processor by notifying us in writing within 15 days.
9. Data Retention and Deletion
- During the agreement: Student Data is retained for the duration of the School License
- Upon termination: Within 60 days of agreement termination, we will export all Student Data to the Controller (upon request) and delete all copies from our systems
- Individual deletion: Schools may request deletion of individual student records at any time by contacting support@electivegenius.com
- Backup retention: Backup copies may persist for up to 90 days after deletion, after which they are permanently purged
10. Data Breach Notification
In the event of a data breach affecting Student Data, we will:
- Notify the Controller within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories of data affected, and approximate number of records
- Describe the measures taken or proposed to address the breach
- Cooperate with the Controller in notifying affected individuals and regulatory authorities as required by law
11. Data Subject Rights
We will assist the Controller in responding to requests from parents or eligible students to:
- Access their Student Data
- Correct inaccurate Student Data
- Delete Student Data
- Export Student Data in a portable format
Requests may be submitted to support@electivegenius.com or through the platform's Account Settings.
12. AI-Specific Provisions
Regarding the AI tutor (Meri) and AI-generated content:
- Student interactions with the AI tutor are processed in real-time and are not used to train AI models
- Our AI provider (Anthropic) does not retain conversation data after processing
- AI-generated course content is reviewed for accuracy and appropriateness before publication
- The AI tutor is configured to avoid generating inappropriate content and will not request sensitive personal information
13. Audit Rights
The Controller may, upon reasonable notice (30 days), request documentation of our data protection practices. We will provide:
- Current security certifications of our sub-processors
- Documentation of our data handling procedures
- Evidence of compliance with this DPA
On-site audits may be arranged by mutual agreement at the Controller's expense.
14. Contact
For questions about this DPA or to exercise data rights:
- Email: support@electivegenius.com
- Website: electivegenius.com/legal/dpa