Back to legal

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") is entered into between the charter school ("School" or "Data Controller") and Charter Vision Inc. ("Processor") and supplements the Charter Vision Terms of Service.

1. Definitions

  • "School Data" means any data uploaded, imported, or generated within the Platform by or on behalf of the School, including financial records, governance documents, board meeting materials, and aggregate academic performance data.
  • "Education Records" has the meaning given by FERPA (20 U.S.C. § 1232g).
  • "Platform" means the Charter Vision web application and associated services.
  • "Sub-processor" means a third-party service engaged by the Processor to assist in providing the Platform.

2. Scope of Processing

The Processor will process School Data solely for the purpose of:

  • Providing the Platform features described in the Terms of Service
  • Generating AI-powered governance analysis, training content, and compliance assessments
  • Producing financial dashboards, reports, and trend analysis
  • Storing and retrieving documents for the School's RAG-powered AI assistant
  • Monitoring regulatory changes relevant to the School's jurisdiction

3. Processor Obligations

The Processor agrees to:

  • Process School Data only on documented instructions from the School (as embodied in the Platform's features and the School's configuration).
  • Implement appropriate technical and organizational security measures, including encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Ensure that personnel authorized to process School Data are bound by confidentiality obligations.
  • Not use School Data for model training, advertising, or any purpose other than providing the Platform.
  • Assist the School in responding to data subject access requests and data breach notifications.
  • Delete or return all School Data upon termination of the agreement, at the School's election.

4. Sub-processors

The Processor engages third-party sub-processors to assist in providing the Platform. A current list of sub-processors, including their purposes and data processing locations, is available upon request to the Processor at legal@chartervision.app.

The Processor will notify the School before adding new sub-processors and will ensure each sub-processor is bound by data protection obligations no less protective than those in this DPA. The School may object to a new sub-processor within 30 days of notification.

5. Data Breach Notification

In the event of a data breach affecting School Data, the Processor will:

  • Notify the School without undue delay, and no later than 72 hours after becoming aware of the breach.
  • Provide details of the nature of the breach, categories and approximate number of records affected, and measures taken to mitigate the breach.
  • Cooperate with the School in notifying affected individuals and regulatory authorities as required by applicable law.

6. Data Retention

School Data is retained for the duration of the subscription. Upon termination or expiration:

  • The School may export its data for 30 days following termination.
  • After the 30-day export window, all School Data is permanently deleted.
  • Backups containing School Data are purged within 90 days of deletion.

7. Audit Rights

The School may request, no more than once per year, a summary of the Processor's security practices and compliance measures. The Processor will provide reasonable documentation of its security controls upon request.

Contact

To request a signed copy of this DPA or discuss data processing terms:

Charter Vision Legal
Email: legal@chartervision.app