DPAs we sign

Your DPA, countersigned in three to ten business days.

We sign the SDPC Universal DPA, the nine major state DPAs, and district-drafted templates — with published turnarounds so your procurement timeline is never the thing waiting on us.

Agreements we already support

Four paths in. Each one has a published SLA.

Pick whichever your district already uses. The SDPC Universal DPA is the fastest and the one most districts prefer; state and district templates just take a little longer because counsel actually reads them.

SDPC Universal DPA

3 days

Student Data Privacy Consortium's standard national DPA. Fastest path — usually signed within 3 business days.

State DPAs

5 days

CA, NY, CO, IL, TX, MA, NJ, WA, CT state-specific DPAs. Based on SDPC or state-issued templates.

District DPAs

10 days

District-drafted DPAs. We redline, counter-propose, and work with your counsel. Expect 1–2 rounds.

Clever Universal DSA

In progress

Clever's Data Sharing Agreement governs roster import from Clever districts. Signed upon Clever Library certification.

The terms you can expect

What a standard Growing Standard DPA actually says.

No surprises at the table. These are the eleven terms counsel usually looks for first — purpose, data elements, subprocessors, retention, breach notification, insurance, and the rest — written out the way we'd want to read them.

Purpose

K-12 math + reading instruction, assessment, and teacher reporting

Data elements

First name (or display name), grade, school/class, roster ID, learning progress, assessment results

Not collected

Home address, phone, DOB, SSN, biometric data, health data

Subprocessors

Google Cloud (Firebase Auth + Firestore), Cloudflare (Workers — SSO token exchange only), Vercel (static hosting), Clever (optional SSO)

Data retention

Learning data active through contract term + 90 days, then exported and deleted on district request.

Data export

CSV/JSON export within 14 days of written request

Data deletion

Complete PII deletion from production within 30 days of written request. Backups taken before the deletion request age out within an additional 30 days (PITR 7d + Firebase snapshots 14d + project-isolated locked GCS export 30d). All backup copies are gone within 30 days of the deletion request — see DPA §5.3.1.

Breach notification

Written notice within 72 hours of discovery

Audit rights

SOC 2 Type II not pursued today; auditor engagement triggered by customer contract requiring it. In the interim, DPA + HECVAT-Lite + quarterly admin-access review + IR runbook + multi-state privacy addendum on request. On-site audit on reasonable notice.

Insurance

General Liability $2M, Cyber $1M, Errors & Omissions $1M, Media Liability $1M. Certificate of insurance on request.

No secondary use

No advertising, no selling, no model training on student data

How to start a review

Email us. We reply within one business day.

Send your school or district name, state, and preferred template to privacy@potatoclass.com. Attach the template you want us to review, or ask us to send our standard SDPC-based DPA. We return a signed copy or a redlined counter-proposal within the SLA above, then exchange the final document with your procurement team and move to contract.

What we typically redline

We sign most school and district DPAs as-written. These are the exceptions.

On liability caps, we accept 2× annual contract value — the industry standard. On audit scope, Growing Standard LLC has not pursued SOC 2 Type II certification of its own application layer. We will engage an auditor when a customer contract requires it or when revenue justifies the engagement. In the interim, we offer the DPA, HECVAT-Lite self-assessment, quarterly admin-access reviews, a documented incident-response runbook, and a multi-state privacy addendum (CA, NY, IL, TX, CO, CT, NJ, MD, WA) in lieu of an on-site audit wherever possible. On indemnification, we ask for mutual indemnity rather than one-way. And on data export format, we provide CSV/JSON — if your school or district requires a proprietary format, we'll need to scope it.

Send us your template.

Email privacy@potatoclass.com with your DPA (or request ours). We reply within one business day with next steps, and the full context lives in our plain-language privacy summary and the full privacy policy.

Request a quote Email privacy team