Data Processing Agreement
Effective date: April 24, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service (the "Agreement") between you ("Customer") and Olsen Bennett and Wright LLC, a Florida limited liability company ("Company"). By accepting the Agreement, Customer enters into this DPA. Terms not defined here have the meanings given in the Agreement.
This DPA is primarily relevant to institutional customers (schools, co-ops, and similar organizations) with obligations under GDPR, CCPA, or similar data protection laws. Individual family accounts are also covered by the data handling commitments described here.
1. Definitions
- "Data Protection Laws"
- All applicable laws and regulations relating to the processing of Personal Data, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the Florida Digital Bill of Rights, each as amended from time to time.
- "Personal Data"
- Any information relating to an identified or identifiable natural person that is processed by the Company on behalf of Customer in connection with the Services.
- "Processing"
- Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor"
- A third party engaged by the Company to process Personal Data in connection with the Services.
- "Customer Data"
- All Personal Data submitted by or on behalf of Customer through the Services, including account data and student/educational data.
- "Student Data"
- Personal Data relating to students, including names and educational records, entered by the account holder on behalf of students in their care.
2. Relationship of the Parties
With regard to the processing of Personal Data, Customer acts as the data controller and the Company acts as a data processor. Customer determines the purposes and means of processing Customer Data; the Company processes Customer Data only as instructed by Customer and as necessary to provide the Services.
Customer is solely responsible for the accuracy, quality, and legality of Customer Data and for obtaining any consents required for the Company to process it. Customer shall not submit Personal Data to the Service in violation of applicable Data Protection Laws.
The Company shall process Personal Data only: (a) to provide the Services as described in the Agreement; (b) to comply with legal obligations; and (c) as otherwise expressly permitted in writing by Customer.
3. Authorized Sub-processors
Customer authorizes the Company to engage the sub-processors listed in Exhibit B. The Company will: (a) enter into written agreements with sub-processors imposing data protection obligations no less protective than those in this DPA; and (b) remain liable for sub-processor acts and omissions to the same extent as if performed by the Company directly.
The Company will provide at least 15 days' prior notice before adding a new sub-processor that will process Personal Data. If Customer reasonably objects to the addition within 10 days of notice and the Company cannot provide a commercially reasonable alternative, Customer may terminate the applicable Services with written notice.
4. Security of Personal Data
The Company implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Encryption of data in transit using HTTPS/TLS
- Encryption of sensitive credentials (passwords and authentication tokens) at rest
- Access controls limiting data access to authorized personnel with a business need
- Multi-factor authentication for internal system access
- Regular monitoring and security testing
- Employee security training and confidentiality obligations
- Daily database backups with tested restore procedures
Customer is responsible for maintaining appropriate security for its own systems, credentials, and access to the Service.
5. Transfers of Personal Data
The Services are hosted and operated in the United States. By using the Services, Customer acknowledges and agrees that Customer Data may be transferred to, stored, and processed in the United States. Customer consents to such transfers as necessary to provide the Services.
For transfers from the European Economic Area (EEA) or United Kingdom to the United States, the parties agree that such transfers are made pursuant to Standard Contractual Clauses (EU SCCs, Module Two: Controller to Processor) as promulgated by the European Commission, which are incorporated into this DPA by reference. To the extent required, the Company will enter into applicable Standard Contractual Clauses with EEA or UK Customers upon written request.
The Company will not transfer Personal Data to any country or organization unless appropriate safeguards are in place in accordance with applicable Data Protection Laws.
6. Rights of Data Subjects
To the extent the Company receives a request from a data subject exercising rights under applicable Data Protection Laws (such as access, rectification, erasure, portability, or objection to processing), the Company will promptly notify Customer and provide reasonable assistance in responding to such requests.
The Company will not respond to data subject requests directly on Customer's behalf without Customer's written authorization, except where required by law. Customer is responsible for ensuring that data subject requests are honored within the timeframes required by applicable law.
7. Data Breach Notification
In the event of a confirmed Personal Data breach affecting Customer Data, the Company will notify Customer without undue delay (and in any event within 72 hours of becoming aware of the breach, to the extent feasible) and will provide: (a) a description of the nature of the breach; (b) the categories and approximate number of individuals and records affected; (c) the likely consequences; and (d) measures taken or proposed to address the breach.
This notification obligation does not apply if the breach results from Customer's own acts or omissions. Notification does not constitute an admission of fault or liability.
8. Data Deletion and Return
Upon termination of the Agreement, the Company will handle Customer Data as described in the Privacy Policy: access ends immediately with no recovery window. By default (AI feature improvement enabled and permanent-deletion preference off), de-identified educational content may be retained to improve AI features. Customers who have enabled the "Permanently delete all data on cancellation" preference, or who have opted out of AI feature improvement, will have their data immediately and permanently deleted upon termination.
Upon written request, the Company will provide Customer with an export of Customer Data in a standard format prior to deletion.
9. CCPA Compliance
For purposes of the California Consumer Privacy Act (CCPA), the Company is a "service provider" and receives Personal Data from Customer solely to provide the Services. The Company shall not:
- Sell or share Personal Data (as those terms are defined in the CCPA)
- Retain, use, or disclose Personal Data for any purpose other than providing the Services
- Retain, use, or disclose Personal Data outside the direct business relationship with Customer
- Combine Personal Data received from Customer with Personal Data received from or collected from other sources, except as permitted under the CCPA
The Company certifies that it understands and will comply with the foregoing restrictions.
10. Conflict
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to data protection matters. In the event of a conflict between this DPA and applicable Standard Contractual Clauses, the Standard Contractual Clauses control. All other rights and obligations of the parties are governed by the Agreement.
Exhibit A – Details of Processing
| Nature and Purpose of Processing | The Company processes Customer Data as necessary to provide the homeschool management Service, including storing and displaying account information, student records, and educational data to authorized users. |
| Duration of Processing | For as long as Customer has an active account. After termination: immediate permanent deletion if the hard-delete preference is enabled or AI feature improvement is opted out; otherwise de-identified educational content may be retained for AI improvement as described in the Privacy Policy (not user-recoverable). |
| Categories of Data Subjects | Account holders (parents and guardians); students managed by account holders. |
| Categories of Personal Data — Account Data | Username, email address, physical address (city, state, zip, country), IP address, device/browser information, payment card type and last 4 digits, subscription history. |
| Categories of Personal Data — Student/Educational Data | Student names; academic records including curriculum, courses, assignments, grades, progress, and schedules. Student names and direct identifiers are excluded from AI model training. De-identified educational content may be used to improve AI features. |
| Special Categories of Data | Not applicable. Customers should not submit special category data (health, biometric, etc.) to the Service. |
| Frequency of Transfer | Continuous, as initiated by Customer during use of the Services. |
Exhibit B – Authorized Sub-processors
The following sub-processors are authorized as of the effective date of this DPA:
| Company | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Database hosting — primary storage for all account and application data | United States |
| Stripe, Inc. | Payment processing and subscription management | United States |
| Resend | Transactional email delivery (password reset, email verification, account notices) | United States |
| Plausible Analytics | Cookieless website analytics — does not process Personal Data | European Union |
AI model training uses de-identified data and is performed using internal tooling only. No Personal Data is sent to any third-party AI provider for training purposes.
Contact
Questions about this DPA should be directed to:
Olsen Bennett and Wright LLC
Email: howdy@homeschoolmanager.com
135 Jenkins St, Ste 105B #185
Saint Augustine, FL 32086