Table of Contents
- Definitions
- Scope and Purpose of Processing
- Legal and Regulatory Compliance
- Sub-Processors
- Security Measures
- Data Breach Notification
- Data Subject Rights Assistance
- Data Retention and Deletion
- Audit Rights
- Subscriber Obligations
- Instructional Media and Content Restrictions
- Term and Termination
- Miscellaneous
- Contact
This Data Processing Agreement (“DPA”) forms a legally binding agreement between abcAssess (“Provider” or “Processor”) and the educational institution, licensed childcare program, or individual educator (“Subscriber” or “Controller”) using the abcAssess platform. This DPA governs the processing of personal data by abcAssess on behalf of the Subscriber and supplements the abcAssess Terms of Service.
abcAssess is available to educators in the United States, Canada (English-speaking provinces), Australia, New Zealand, the United Kingdom, and Ireland.
Governing Law: State of North Dakota, USA | GDPR Article 28 Compliant
1. Definitions
For purposes of this DPA, the following terms have the meanings set forth below:
- “Controller” - The Subscriber — the school, institution, or educator who determines the purposes and means of processing student data. Under FERPA, this is the school or district.
- “Processor” - abcAssess — the entity that processes personal data on behalf of and under the instructions of the Controller.
- “Personal Data” - Any information relating to an identified or identifiable individual, including student first names, last initials, birth month and year, student identifiers, and assessment results.
- “Processing” - Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
- “Student Data” - Personal Data relating to students that is submitted to or generated within the Service by the Subscriber.
- “Sub-Processor” - Any third-party entity engaged by abcAssess to process Personal Data in connection with providing the Service.
- “GDPR” - The EU General Data Protection Regulation (2016/679).
- “UK GDPR” - The UK General Data Protection Regulation as retained in UK law following the UK’s departure from the European Union.
- “FERPA” - The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (United States).
- “COPPA” - The Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (United States).
- “PIPEDA” - The Personal Information Protection and Electronic Documents Act (Canada).
- “Australian Privacy Act” - The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) (Australia).
- “NZ Privacy Act” - The Privacy Act 2020 (New Zealand).
- “CCPA/CPRA” - The California Consumer Privacy Act and California Privacy Rights Act (United States — California).
2. Scope and Purpose of Processing
abcAssess processes Personal Data solely for the purpose of providing the educational assessment services described in the Terms of Service. The nature, purpose, and categories of data processed are as follows:
| Data Category | Purpose | Legal Basis (GDPR) | Retention |
|---|---|---|---|
| Teacher account data (name, email) | Authentication and account management | Contract performance (Art. 6(1)(b)) | Duration of account |
| Student first name / last initial | Identifying students within assessments | Legitimate interests (Art. 6(1)(f)) | Duration of account |
| Student birth month and year | Calculating age for assessment accuracy | Legitimate interests (Art. 6(1)(f)) | Duration of account |
| Student identifiers (ID numbers) | Alternative to name-based identification | Legitimate interests (Art. 6(1)(f)) | Duration of account |
| Assessment results and scores | Delivering core assessment functionality | Legitimate interests (Art. 6(1)(f)) | Duration of account |
| Instructional media (images, audio) | Supporting custom multimodal assessments | Contract performance (Art. 6(1)(b)) | Duration of account |
| Technical / diagnostic logs | Application stability and security monitoring | Legitimate interests (Art. 6(1)(f)) | 90 days rolling |
abcAssess does not process Personal Data for any purpose other than those listed above without the prior written consent of the Subscriber.
3. Legal and Regulatory Compliance
3.1 FERPA — School Official Status (United States)
abcAssess acknowledges that it operates as a “School Official” with a legitimate educational interest under FERPA, performing services that the Subscriber would otherwise perform using its own staff. abcAssess processes student education records solely under the direction and control of the Subscriber, and only for purposes consistent with the Subscriber’s legitimate educational interests. abcAssess does not disclose student education records to third parties except as permitted by this DPA or required by law.
3.2 COPPA — Prohibition on Commercial Use (United States)
In full compliance with COPPA, abcAssess guarantees that Student Data will never be sold, leased, rented, or otherwise disclosed for commercial purposes. abcAssess explicitly prohibits the use of Student Data for:
- Behavioral advertising or interest-based profiling of any kind.
- Training, fine-tuning, or improving any machine learning or artificial intelligence model.
- Building marketing profiles or user tracking databases.
- Any purpose unrelated to providing the educational assessment Service to the Subscriber.
3.3 GDPR — Article 28 Compliance (EU Users)
For Subscribers located in the European Union, or whose students’ data may be subject to GDPR, abcAssess acts as a Data Processor under GDPR Article 28. abcAssess commits to the following obligations required under Article 28:
- Process Personal Data only on documented instructions from the Controller (the Subscriber), unless required to do so by applicable law.
- Ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in Section 5 of this DPA.
- Assist the Controller in fulfilling its obligations to respond to data subject rights requests, as described in Section 7 of this DPA.
- Delete or return all Personal Data to the Controller upon termination of the service relationship, as described in Section 8 of this DPA.
- Make available to the Controller all information reasonably necessary to demonstrate compliance with GDPR Article 28 obligations, and allow for and contribute to audits and inspections as described in Section 9 of this DPA.
- Not engage Sub-Processors without prior notice to the Controller, as described in Section 4 of this DPA.
abcAssess intends to appoint an EU Representative as required by GDPR Article 27 for non-EU establishments processing EU personal data. This DPA will be updated when that appointment is made. Until that time, EU Subscribers may direct inquiries to legal@abcassess.app.
3.4 UK GDPR Compliance (United Kingdom)
For Subscribers located in the United Kingdom, abcAssess acts as a Data Processor under UK GDPR and commits to the same obligations described in Section 3.3 as applied under UK GDPR. abcAssess intends to appoint a UK Representative as required by UK GDPR Article 27. This DPA will be updated when that appointment is made. Until that time, UK Subscribers may direct inquiries to legal@abcassess.app.
3.5 PIPEDA Compliance (Canada)
For Subscribers located in Canada, abcAssess complies with PIPEDA with respect to the collection, use, and disclosure of personal information. abcAssess collects only the information necessary to provide the Service, uses it only for the purposes described in this DPA, and retains it only for as long as necessary. Canadian Subscribers may direct privacy inquiries to legal@abcassess.app with “Canadian Privacy Request” in the subject line.
3.6 Australian Privacy Principles Compliance (Australia)
For Subscribers located in Australia, abcAssess complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). abcAssess handles personal information in accordance with APP obligations including collection, use, disclosure, data quality, security, and access requirements. Australian Subscribers may direct privacy inquiries to legal@abcassess.app with “Australian Privacy Request” in the subject line.
3.7 New Zealand Privacy Act Compliance (New Zealand)
For Subscribers located in New Zealand, abcAssess complies with the Privacy Act 2020. abcAssess collects personal information only for lawful purposes connected with the Service, uses it only for those purposes, and protects it with reasonable security safeguards. New Zealand Subscribers may direct privacy inquiries to legal@abcassess.app with “NZ Privacy Request” in the subject line.
3.8 Prohibition on AI Training
Regardless of jurisdiction, abcAssess explicitly commits that Student Data will never be used to train, fine-tune, or improve any artificial intelligence or machine learning model, whether operated by abcAssess or any third party. This prohibition applies permanently and survives termination of this DPA.
4. Sub-Processors
4.1 Authorized Sub-Processors
The Subscriber provides general authorization for abcAssess to engage the following sub-processors in connection with providing the Service. Each sub-processor is bound by contractual data processing obligations no less protective than those set forth in this DPA:
| Sub-Processor | Role | Data Location | Certification |
|---|---|---|---|
| MongoDB Atlas | Encrypted database storage | Configurable (US default; EU region planned for UK/EU users) | SOC 2 Type II, ISO 27001 |
| Railway | Backend processing and encryption key management | United States | SOC 2 Type II |
| Vercel | Application UI hosting and edge delivery | Global CDN / US primary | SOC 2 Type II |
| Google / Apple | Federated authentication (Sign-In) | Per provider policy | ISO 27001, SOC 2 |
| Resend | Transactional email delivery | United States | SOC 2 Type II |
| Stripe | Payment processing and subscription management | United States / Global | SOC 2 Type II, PCI DSS Level 1 |
| PostHog | Anonymized product analytics and feature usage tracking — no student PII collected | US / EU | SOC 2 Type II |
| Sentry | Anonymized error monitoring and application stability — no student PII collected | United States | SOC 2 Type II |
4.2 Sub-Processor Change Notification
abcAssess will notify Subscribers of any intended addition or replacement of sub-processors at least fourteen (14) days before the change takes effect, by posting an update to this DPA and notifying active account holders by email. The Subscriber may object to a new sub-processor within fourteen (14) days of receiving notice by contacting legal@abcassess.app. If the parties cannot resolve a legitimate objection, the Subscriber may terminate the service relationship without penalty by providing written notice within thirty (30) days of the original sub-processor notification.
4.3 International Data Transfers
Some sub-processors may process Personal Data outside the Subscriber’s home jurisdiction. Where this occurs, abcAssess relies on the following transfer mechanisms as applicable:
- EU/EEA to non-EEA transfers: Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Chapter V.
- UK to non-UK transfers: UK International Data Transfer Agreement (IDTA) or UK addendum to EU SCCs.
- Canadian transfers: Contractual protections consistent with PIPEDA Schedule 1 principles.
- Australian transfers: Contractual arrangements consistent with Australian Privacy Principle 8 cross-border disclosure requirements.
- New Zealand transfers: Contractual arrangements consistent with Privacy Act 2020 information privacy principle 12.
Documentation of applicable transfer safeguards is available upon written request to legal@abcassess.app.
5. Security Measures
5.1 Encryption
abcAssess implements the following encryption measures to protect Personal Data:
- Client-Side Field-Level Encryption (CSFLE): Sensitive student identifiers and assessment results are encrypted at the application layer using AES-256 encryption before being transmitted to or stored in the database. Encryption keys are managed separately from the database, meaning database administrators cannot read student data in plain text.
- Data in Transit: All data transmitted between the application and our servers is encrypted using TLS 1.3.
- Data at Rest: All data stored in our database infrastructure is encrypted at rest using AES-256.
5.2 Access Controls
Access to production systems and Personal Data is restricted to authorized personnel only, protected by multi-factor authentication, and governed by the principle of least privilege. Access permissions are reviewed periodically and revoked promptly upon personnel changes.
5.3 Security Assessments
abcAssess conducts periodic internal security reviews of its platform and infrastructure. We will notify Subscribers of any material changes to our security architecture that could affect the protection of Personal Data.
5.4 Prohibited Data
The Subscriber agrees not to upload, store, or transmit the following categories of data through the Service, as these categories exceed the scope of what the platform is designed to handle securely:
- Social Security Numbers, Tax File Numbers, National Insurance Numbers, or other government-issued identification numbers.
- Full legal home addresses or precise geolocation data.
- Financial records or payment information.
- Comprehensive medical records or detailed health histories.
- Student biometric data, including photographs, facial recognition data, video recordings, or voice recordings generated by students.
- Immigration status or citizenship information.
6. Data Breach Notification
In the event that abcAssess becomes aware of a confirmed security breach affecting Personal Data, abcAssess will:
- Notify the Subscriber without undue delay and, where feasible, within 72 hours of becoming aware of the breach, consistent with GDPR Article 33, UK GDPR, and other applicable breach notification requirements.
- Provide, to the extent known at the time of notification: a description of the nature of the breach; the categories and approximate number of individuals and records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach.
- Cooperate fully with the Subscriber to enable the Subscriber to meet its own breach notification obligations to supervisory authorities and affected individuals in their jurisdiction.
- Take prompt steps to contain, investigate, and remediate the breach.
- Notify relevant supervisory authorities directly where required by applicable law.
The Subscriber is responsible for notifying abcAssess promptly if the Subscriber becomes aware of any unauthorized access to or misuse of the Service originating from the Subscriber’s account or personnel.
7. Data Subject Rights Assistance
abcAssess will assist the Subscriber in responding to requests from data subjects (such as students, parents, or guardians) exercising their rights under GDPR, UK GDPR, FERPA, COPPA, PIPEDA, the Australian Privacy Act, the NZ Privacy Act, CCPA/CPRA, or other applicable privacy laws. Such rights may include the right to access, correct, delete, or port Personal Data.
abcAssess provides the following tools to facilitate data subject rights:
- In-app data export: Subscribers may download a complete export of all account and student data at any time through the Reports section of the app.
- In-app deletion: Subscribers may delete individual student records, entire class rosters, or their full account at any time through App Settings.
- Manual assistance: For requests that cannot be fulfilled through the in-app tools, the Subscriber may contact legal@abcassess.app with “Data Request” in the subject line. abcAssess will respond within 30 days.
abcAssess will not respond directly to data subject requests without the Subscriber’s prior authorization, unless required to do so by applicable law.
8. Data Retention and Deletion
8.1 Retention During Service
abcAssess retains Personal Data for as long as the Subscriber’s account remains active and in use, or as necessary to provide the Service. The Subscriber may delete specific records or the entire account at any time through App Settings.
8.2 Deletion Upon Account Termination
Upon account deletion by the Subscriber, abcAssess immediately initiates an irreversible cascade deletion process that permanently removes the Subscriber’s profile and all associated student records, assessment histories, and uploaded media from active production systems. This process is initiated immediately upon the Subscriber’s confirmation and cannot be undone.
Following account deletion, Personal Data may persist in encrypted system backups for up to 30 days before being permanently overwritten in the ordinary course of our backup rotation cycle. Data in backups is not accessible or restorable during this period except in the event of a system-wide catastrophic failure.
8.3 Return or Deletion Upon DPA Termination
Upon termination of this DPA or the underlying service relationship for any reason, abcAssess will, at the Subscriber’s election, either return all Personal Data to the Subscriber in a portable format or permanently delete all Personal Data from its systems, subject to the backup retention window described above. The Subscriber must make this election within 30 days of termination. If no election is made, abcAssess will default to permanent deletion.
8.4 Record Transfers
Where the Subscriber initiates a transfer of student records to another verified educator’s account within the Service, data custody transfers to the receiving educator upon confirmation. The original Subscriber’s deletion obligations cease with respect to transferred records, and the receiving educator assumes responsibility as the new Controller for those records. All transfers require acceptance by the receiving educator and expire automatically after 30 days if not accepted.
9. Audit Rights
abcAssess will make available to the Subscriber all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and in applicable privacy law. The Subscriber may exercise audit rights as follows:
- Documentation requests: The Subscriber may request copies of relevant security policies, sub-processor agreements (in redacted form to protect confidential information), and compliance certifications at any time by contacting legal@abcassess.app. abcAssess will respond within 30 days.
- Third-party audits:
abcAssess will cooperate with reasonable third-party security assessments or audits commissioned by the Subscriber, provided that:
- (a) the Subscriber gives at least 30 days written notice;
- (b) the audit is conducted during normal business hours and does not unreasonably disrupt abcAssess operations;
- (c) the Subscriber bears the cost of such audit unless the audit reveals a material breach of this DPA by abcAssess; and
- (d) the auditor signs a confidentiality agreement acceptable to abcAssess.
- Certification review: Where abcAssess maintains third-party security certifications (such as SOC 2 reports from its sub-processors), copies will be shared with the Subscriber upon request and subject to confidentiality obligations.
10. Subscriber Obligations
The Subscriber, as the Controller, is responsible for the following:
- Ensuring that the collection and transfer of Personal Data to abcAssess is lawful and that all required consents, notices, or authorizations under applicable privacy law in the Subscriber’s jurisdiction have been obtained prior to entering data into the Service.
- Ensuring that only authorized personnel access the Service, and that access credentials are kept secure and not shared with unauthorized individuals.
- Ensuring that any assistant teachers, co-teachers, or other users granted access to the Subscriber’s account understand and comply with their obligations under this DPA and applicable law.
- Notifying abcAssess promptly if the Subscriber becomes aware of any unauthorized access to the Service, any breach of data security involving Student Data, or any complaint or inquiry from a data subject, parent, guardian, or regulatory authority relating to Student Data processed through the Service.
- Ensuring that data entered into the Service does not exceed the categories described in Section 2 of this DPA and does not include the prohibited data categories listed in Section 5.4.
- Maintaining and implementing appropriate data governance policies within the Subscriber’s organization governing the use of third-party educational technology tools.
11. Instructional Media and Content Restrictions
The Service permits Subscribers to upload instructional images and audio prompts to support custom and multimodal assessment activities, such as language assessments or visual identification exercises. All uploaded media must be strictly instructional in nature and must not contain:
- Photographs, videos, or other images depicting students or minors.
- Audio recordings generated by or featuring students or minors.
- Any biometric data, including facial images or voice prints, of any individual.
- Any content that violates applicable law or the rights of third parties.
abcAssess reserves the right to remove uploaded content that appears to violate these restrictions. The Subscriber is solely responsible for ensuring that all uploaded content complies with these restrictions and with any applicable copyright or licensing requirements.
12. Term and Termination
This DPA takes effect on the date the Subscriber creates an account with abcAssess and remains in effect for the duration of the service relationship between the Subscriber and abcAssess. This DPA automatically terminates upon the termination or expiration of the Subscriber’s account. Sections 3 (Legal Compliance), 6 (Breach Notification), 8 (Data Retention and Deletion), and 10 (Subscriber Obligations) survive termination of this DPA.
13. Miscellaneous
13.1 Order of Precedence
In the event of a conflict between this DPA and the abcAssess Terms of Service with respect to the processing of Personal Data, this DPA shall control.
13.2 Governing Law
This DPA shall be governed by the laws of the State of North Dakota, USA, without regard to conflict of law principles. For Subscribers subject to GDPR or UK GDPR, this DPA shall also be interpreted in accordance with applicable EU or UK data protection law to the extent required. For Subscribers subject to PIPEDA, the Australian Privacy Act, or the NZ Privacy Act, this DPA shall be interpreted in a manner consistent with those applicable laws.
13.3 Amendments
abcAssess may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or our data processing practices. Material changes will be communicated to active Subscribers by email at least 14 days before taking effect. The Subscriber’s continued use of the Service after the effective date of any update constitutes acceptance of the revised DPA.
13.4 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
13.5 Entire Agreement
This DPA, together with the abcAssess Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements and understandings relating to that subject matter.
14. Contact
For questions about this DPA, data subject rights requests, security documentation, or audit inquiries, please contact:
| General Support | support@abcassess.app |
| Legal & Data Requests | legal@abcassess.app |
| Response Time | We aim to respond within 2 business days |
| Substantive Response | Within 30 days |