# Data Processing Addendum (Template)

**Between:** MJE Part Shop ("Processor")
**And:** _____________________________________ ("School", a Local Educational Agency)
**Effective date:** _______________

This Data Processing Addendum supplements MJE Part Shop's [Terms of Service](/terms.html) and [Privacy Policy](/privacy.html). It governs the Processor's handling of student personal information on behalf of the School under the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the Student Online Personal Information Protection Act (SOPIPA, Cal. Bus. & Prof. Code § 22584), New York Education Law § 2-d, Illinois SOPPA, Colorado HB21-1273, and any other applicable state student data-protection laws.

## 1. Definitions

- **Student Data** means any personal information provided by the School, a student, or a parent to the Processor, or created by the Processor in the course of operating the Service for the School. This includes student IDs, student names, screenshots, designs, print requests, and teacher feedback.
- **Service** means the MJE Part Shop 3D design application and related APIs.
- **School Official** means a teacher or administrator authorized by the School to use the Service.

## 2. Role of the parties

The School is the data controller / educational agency responsible for student records. The Processor acts solely as a "school official" under FERPA § 99.31(a)(1)(i)(B) and an authorized agent of the School under COPPA's school-authorization exception (FTC guidance, 2013; updated 2023).

## 3. Scope and purpose

The Processor may use Student Data only to:
- Provide the Service to the School and its students
- Maintain security and prevent abuse
- Comply with legal obligations

The Processor shall not:
- Sell or rent Student Data
- Use Student Data for targeted advertising
- Build profiles of students for commercial purposes
- Disclose Student Data except as required to operate the Service or as required by law

## 4. Data elements

Processor collects the data elements described in Section 2 of the [Privacy Policy](/privacy.html), which is incorporated here by reference.

## 5. Subprocessors

Processor uses the following subprocessors:

- **Cloudflare, Inc.** — hosting, edge compute, and persistent key-value storage. Cloudflare is certified under the EU-US Data Privacy Framework and offers student-data terms on request.

Processor will notify the School at least 30 days before adding or changing subprocessors.

## 6. Security

Processor implements reasonable administrative, technical, and physical safeguards, including:

- TLS 1.3 for all in-transit data
- HMAC-SHA256-signed authentication tokens with server-side verification on every data endpoint
- Per-school tenant isolation in storage
- Input sanitization and allowlisted-character filters on student-supplied fields
- Role-based access control (teacher vs student)
- 30-day token expiration
- No student screenshots, design content, or free-text notes in server logs

## 7. Incident response

Processor will notify the School within 72 hours of confirming a security incident that may have exposed Student Data. Notification will include the scope, likely affected students, containment measures, and remediation plan.

## 8. Parent rights

Parents may, through the School, request to:
- Review Student Data about their child
- Delete their child's Student Data
- Halt further collection of their child's Student Data

Processor will fulfill verified School-forwarded requests within 10 business days.

## 9. Retention and deletion

- Student work (projects, screenshots, print requests): retained no longer than 400 days after last modification, or as directed by the School
- Roster entries: retained until the School requests deletion or the School's access code expires
- Authentication tokens: expire 30 days after issuance

Upon termination of this DPA, Processor will delete or return all Student Data within 30 days, except as required by law.

## 10. No commercial use

Processor represents that it does not and will not:
- Sell Student Data
- Use Student Data for advertising, marketing, or building non-educational profiles
- Allow third-party trackers, analytics, or advertising pixels to operate in the Service in contexts that transmit Student Data

## 11. Audit and compliance

Upon reasonable notice (not more than once per 12 months), the School may request a summary of Processor's security controls, subprocessor list, and incident history.

## 12. Governing law

This DPA is governed by the laws of the State in which the School is located.

## 13. Signatures

**School (LEA) Representative**
Name: _______________________________________
Title: _______________________________________
Signature: ___________________________________
Date: _______________________________________

**MJE Part Shop**
Name: Michael Ehlers
Title: Owner
Signature: ___________________________________
Date: _______________________________________

---

*Contact for questions about this DPA: privacy@part-shop.pages.dev*
