Data Processing Agreement

Last updated: 05/08/2025

Title

Last updated: 05/08/2025

Overview

This Data Processing Agreement (this "DPA" or "Addendum") supplements the Terms and Conditions (the "Agreement") between Teaching Lab Ventures, Inc. (“EnlightenAI," "us," "we") and the entity that is a party to the Agreement ("Organization" or "you"). We may update this Addendum from time to time, and we will provide reasonable notice of any such updates. Any terms not defined in this Addendum shall have the meaning set forth in the Agreement.

1. Definitions

"Affiliate"

1. means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.

"Authorized Sub-Processor"

2. means a third-party who has a need to know or otherwise access Organization's Personal Data to enable EnlightenAI to perform its obligations under this DPA or the Agreement, and who is either (1) listed in Exhibit B or (2) subsequently authorized under Section 4.2 of this DPA.

"EnlightenAI Account Data"

3. means personal data that relates to EnlightenAI's relationship with Organization, including the names or contact information of individuals authorized by Organization to access Organization's account, including all Business Contact Data. EnlightenAI Account Data also includes any data EnlightenAI may need to collect for the purpose of managing its relationship with Organization, identity verification, or as otherwise required by applicable laws and regulations.

"EnlightenAI Usage Data"

4. means Service usage data collected and processed by EnlightenAI in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

"Data Exporter"

5. means Organization.

"Data Importer"

6. means EnlightenAI.

"Data Privacy Laws"

7. means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA"), the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g ("FERPA"), the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), the United Kingdom Data Protection Act (2018) ("UK Data Protection Act"), the Virginia Consumer Data Protection Act ("VCDPA"), and the Swiss Federal Act on Data Protection ("Swiss FADP"). For the avoidance of doubt, if EnlightenAI's Processing activities involving Personal Information are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Agreement.

"Consumer"

8. means an identified or identifiable natural person about whom Personal Information relates.

"Personal Information"

9. includes "personal data," "personal information," "personally identifiable information," and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.

"Process" and "Processing"

10. mean any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Sub-Processor"

11. means an entity appointed by EnlightenAI to Process data on its behalf.

"Security Breach"

12. means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.

"Services"

13. shall have the meaning of providing the EnlightenAI Platform as set forth in the Agreement.

2. Relationship of the parties; Processing of data

1. The parties acknowledge and agree that with regard to the processing of Personal Data, Organization may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, EnlightenAI is a processor. Organization shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Privacy Laws. The Organization shall ensure that the processing of Personal Data in accordance with Organization's instructions will not cause EnlightenAI to be in breach of the Data Privacy Laws. Organization is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to EnlightenAI by or on behalf of Organization, (ii) the means by which Organization acquired any such Personal Data, and (iii) the instructions it provides to EnlightenAI regarding the processing of such Personal Data. Organization shall not provide or make available to EnlightenAI any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify EnlightenAI from all claims and losses in connection therewith.

2. EnlightenAI shall not process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Organization, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Supervisory Authority to which EnlightenAI is subject; in such a case, EnlightenAI shall inform the Organization of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or (iii) in violation of Data Privacy Laws. Organization hereby instructs EnlightenAI to process Personal Data in accordance with the foregoing and as part of any processing initiated by Organization in its use of the Services.

The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.

Following completion of the Services, at Organization's choice, EnlightenAI shall return or delete Organization's Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, EnlightenAI shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.

CCPA, VCDPA, and FERPA Language. The Parties acknowledge and agree that the processing of personal information or personal data that is subject to the CCPA, VCDPA, or FERPA shall be carried out in accordance with the terms set forth in Exhibit C.

3. Confidentiality

This Data Processing Agreement (this "DPA" or "Agreement") supplements the Terms and Conditions (the "Agreement") between EnlightenAI, Inc. ("EnlightenAI," "us," "we") and the entity that is a party to the Agreement ("Organization" or "you"). We may update this Agreement from time to time, and we will provide reasonable notice of any such updates. Any terms not defined in this Agreement shall have the meaning set forth in the Agreement.

4. Authorized sub-processors

1. Organization acknowledges and agrees that EnlightenAI may (1) engage its Affiliates and the Authorized Sub-Processors to this DPA to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this DPA, Organization provides general written authorization to EnlightenAI to engage sub-processors as necessary to perform the Services.

2. A list of EnlightenAI's current Authorized Sub-Processors (the "List") is available on EnlightenAI’s website. Such List may be updated by EnlightenAI from time to time. At least thirty (30) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, EnlightenAI will add such third party to the List and notify Organization. Organization may object to such an engagement by informing EnlightenAI within ten (10) days of receipt of the aforementioned notice by Organization, provided such objection is in writing and based on reasonable grounds relating to data protection. Organization acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent EnlightenAI from offering the Services to Organization.

3. If Organization reasonably objects to an engagement in accordance with Section 4.2, and EnlightenAI cannot provide a commercially reasonable alternative within a reasonable period of time, Organization may discontinue the use of the affected Service by providing written notice to EnlightenAI. Discontinuation shall not relieve Organization of any fees owed to EnlightenAI under the Agreement.

4. If Organization does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by EnlightenAI, that third party will be deemed an Authorized Sub-Processor for the purposes of this DPA.

5. EnlightenAI will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on EnlightenAI under this DPA with respect to the protection of Personal Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with EnlightenAI, EnlightenAI will remain liable to Organization for the performance of the Authorized Sub-Processor's obligations under such agreement.

5. Security of personal data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EnlightenAI shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit B sets forth additional information about EnlightenAI's technical and organizational security measures.

6. Rights of data subjects

1. EnlightenAI shall, to the extent permitted by law, notify Organization upon receipt of a request by a Data Subject to exercise the Data Subject's right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively "Data Subject Request(s)"). If EnlightenAI receives a Data Subject Request in relation to Organization's data, EnlightenAI will advise the Data Subject to submit their request to Organization and Organization will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Organization is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to EnlightenAI, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.

2. EnlightenAI shall, at the request of the Organization, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Organization in complying with Organization's obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Organization is itself unable to respond without EnlightenAI's assistance and (ii) EnlightenAI is able to do so in accordance with all applicable laws, rules, and regulations. Organization shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by EnlightenAI.

7. EnlightenAI's role as a controller

The parties acknowledge and agree that with respect to EnlightenAI Account Data and EnlightenAI Usage Data, EnlightenAI is an independent controller, not a joint controller with Organization. EnlightenAI will process EnlightenAI Account Data and Usage Data as a controller (i) to manage the relationship with Organization; (ii) to carry out EnlightenAI's core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Organization; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which EnlightenAI is subject; and (vi) as otherwise permitted under Data Privacy Laws and in accordance with this DPA and the Agreement. EnlightenAI may also process EnlightenAI Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Data Privacy Laws. Any processing by EnlightenAI as a controller shall be in accordance with EnlightenAI's privacy policy.

8. EnlightenAI's role as a controller

EnlightenAI will notify Organization without undue delay of any Security Breach and will assist Organization in Organization's compliance with its Security Breach-related obligations, including without limitation, by:

Taking steps to mitigate the effects of the Security Breach and reduce the risk to Consumers whose Personal Information was involved; and

Providing Organization with the following information, to the extent known: i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Consumers concerned, and the categories and approximate number of Personal Information records concerned; ii. The likely consequences of the Security Breach; and iii. Measures taken or proposed to be taken by EnlightenAI to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9. Audits

EnlightenAI will make available to Organization all records necessary to demonstrate compliance with this Agreement and will allow for and contribute to audits conducted by Organization or another auditor mandated by Organization, provided that, such audit shall occur no more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent EnlightenAI's personnel are required to cooperate thereupon, during EnlightenAI's normal business hours.

10. Return or destruction of personal information

Except to the extent required otherwise by Data Privacy Laws, EnlightenAI will, at the choice of Organization, return to Organization and/or securely destroy all Personal Information upon (a) written request of Organization or (b) termination of the Agreement. Except to the extent prohibited by Data Privacy Laws, EnlightenAI will inform Organization if it is not able to return or delete the Personal Information.

11. Term; Survival

The term of this Agreement shall commence as of the Effective Date and will continue until terminated by the parties upon a 30-day prior written notice or until the underlying Agreement between the parties has been terminated. The provisions of this Agreement shall survive the termination or expiration of this Agreement for so long as EnlightenAI or its subcontractors Process the Personal Information.

12. Conflict

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the terms of this DPA; (2) the Agreement; and (3) EnlightenAI's privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

Exhibit A: Details of data processing

Nature and purpose of processing

EnlightenAI will process Organization's Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Organization's instructions as set forth in this DPA. The nature of processing includes, without limitation:

Receiving data, including collection, accessing, retrieval, recording, and data entry to confirm Services are being provided to the correct individuals.

Holding data, including storage, organization and structuring.

Using data, including analysis, consultation, and testing.

Updating data, including correcting, adaptation, alteration, alignment and combination.

Protecting data, including restricting, encrypting, and security testing.

Sharing data, including disclosure, dissemination, allowing access or otherwise making available.

Returning data to the data exporter or data subject.

Erasing data, including destruction and deletion.

Duration of processing

EnlightenAI will process Organization's Personal Data as long as required (i) to provide the Platform to Organization under the Agreement; (ii) for EnlightenAI's legitimate business needs; or (iii) by applicable law or regulation. EnlightenAI Account Data and EnlightenAI Usage Data will be processed and stored as set forth in EnlightenAI's privacy policy.

Categories of data subjects

Organization business contacts, Organization's end users, including students and teachers.

Categories of personal data

EnlightenAI processes Personal Data contained in EnlightenAI Account Data, EnlightenAI Usage Data, and any Personal Data provided by Organization (including any Personal Data Organization collects from its end users and processes through its use of the Services). Categories of Personal Data include:

Account information (such as name, email address, and credentials).

Academic information (such as grades, feedback, and learning data).

Log data, images, audio, text and other data that is provided by Organization.

Sensitive data or special categories of data

None anticipated. EnlightenAI is not responsible for processing any sensitive data unless and until mutually agreed by the parties.

Exhibit B: Technical and organizational security measures

EnlightenAI will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Information:

Information security policies and standards

1. EnlightenAI will maintain written information security policies, standards, and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Information.

Physical security

2. EnlightenAI will maintain commercially reasonable security systems at all EnlightenAI sites at which an information system that uses or stores Personal Information is located that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.

Organizational security

3. EnlightenAI will maintain information security policies and procedures addressing data disposal, data minimization, data classification, and incident response protocols.

Network security

4. EnlightenAI maintains commercially reasonable information security policies and procedures addressing network security, including:

All data is encrypted at rest and in transit.

Protection against malicious code.

Vulnerability management.

Access control

5. EnlightenAI agrees that: (1) only authorized EnlightenAI staff can grant, modify or revoke access to an information system that Processes Personal Information; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.

Virus and malware controls

6. EnlightenAI protects Personal Information from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Information.

Personnel

7. EnlightenAI has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.

Subcontractor security

8. EnlightenAI shall only select and contract with subcontractors that are capable of maintaining appropriate security safeguards that are no less onerous than those contained in this Agreement.

Business continuity

9. EnlightenAI implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. EnlightenAI also adjusts its Information Security Program in light of new laws and circumstances, including as EnlightenAI's business and Processing change.

System resilience

10. EnlightenAI's systems are designed with different components which are independently scalable and redundant. For web servers, additional servers can be started elastically. For the database, hot standby (replicas) exist in different active zones in the primary region and secondary region, which can be promoted to masters.

Data backup and restoration

11. EnlightenAI backs up data daily for the last 7 days. Time to recovery once issues are detected is approximately 5 minutes for same-region database master restart/failover.

Security testing

12. EnlightenAI undergoes regular security assessments and testing, including a combination of manual and technical assessments to determine fitness of security systems.

Exhibit C: U.S. Privacy laws exhibit

This U.S. Privacy Laws Exhibit supplements the DPA and includes additional information required by the CCPA, VCDPA, and FERPA. Any terms not defined in this Exhibit shall have the meanings set forth in the DPA and/or the Agreement.

A. CALIFORNIA

1. Definitions

1. For purposes of this Section A, the terms "Business," "Business Purpose," "Commercial Purpose," "Consumer," "Personal Information," "Processing," "Sell," "Service Provider," "Share," and "Verifiable Consumer Request" shall have the meanings set forth in the CCPA.

2. All references to "Personal Data," "Controller," "Processor," and "Data Subject" in the DPA shall be deemed to be references to "Personal Information," "Business," "Service Provider," and "Consumer," respectively, as defined in the CCPA.

2. Obligations

1. Except with respect to EnlightenAI Account Data and EnlightenAI Usage Data (as defined in the DPA), the parties acknowledge and agree that EnlightenAI is a Service Provider for the purposes of the CCPA (to the extent it applies) and EnlightenAI is receiving Personal Information from Organization in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.

2. Organization shall disclose Personal Information to EnlightenAI only for the limited and specified purposes described in Exhibit A to this DPA.

3. EnlightenAI shall not Sell or Share Personal Information provided by Organization under the Agreement.

4. EnlightenAI shall not retain, use, or disclose Personal Information provided by Organization pursuant to the Agreement for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Organization pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.

5. EnlightenAI shall not retain, use, or disclose Personal Information provided by Organization pursuant to the Agreement outside of the direct business relationship between EnlightenAI and Organization, except where and to the extent permitted by the CCPA.

6. EnlightenAI shall notify Organization if it makes a determination that it can no longer meet its obligations under the CCPA.

7. EnlightenAI will not combine Personal Information received from, or on behalf of, Organization with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.

3. Consumer rights

EnlightenAI shall assist Organization in responding to Verifiable Consumer Requests to exercise the Consumer's rights under the CCPA as set forth in Section 6 of the DPA.

B. VIRGINIA

1. Definitions

1. For purposes of this Section B, the terms "Consumer," "Controller," "Personal data," "Processing," and "Processor" shall have the meanings set forth in the VCDPA.

2. All references to "Data Subject" in this DPA shall be deemed to be references to "Consumer" as defined in the VCDPA.

2. Obligations

1. Except with respect to EnlightenAI Account Data and EnlightenAI Usage Data (as defined in the DPA), the parties acknowledge and agree that Organization is a Controller and EnlightenAI is a Processor for the purposes of the VCDPA (to the extent it applies).

2. The nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Consumers are described in Exhibit A to this DPA.

3. EnlightenAI shall adhere to Organization's instructions with respect to the Processing of Organization Personal Data and shall assist Organization in meeting its obligations under the VCDPA.

C. FERPA

1. Definitions

For purposes of this Section C, "Education Records" shall have the meaning set forth in FERPA and its implementing regulations at 34 CFR § 99.

2. Obligations

In the event EnlightenAI has access to Education Records, EnlightenAI agrees to:

Not use or disclose the Education Records other than for the purpose specified in this DPA and the Agreement.

Use reasonable methods to ensure the security and confidentiality of Education Records.

Not re-disclose Education Records to any other party without the prior consent of the Organization, except as permitted by FERPA.

Upon termination, cancellation, expiration, or other conclusion of the Agreement, return or destroy all Education Records collected pursuant to the Agreement.

Exhibit D: Schedule of student data collection

Category of data

Elements

Used by system

Application technology meta data

IP Addresses of users, Use of cookies, etc.

Application use statistics

Meta data on user interaction with application

Assessment

Standardized test scores

Observation data

Other assessment data

Attendance

Student school (daily) attendance data

Student class attendance data

Communications

Online communications captured (emails, blog entries)

Conduct

Conduct or behavioral data

Demographics

Date of Birth

Place of Birth

Gender

Ethnicity or race

Language information (native or primary language spoken by student)

Other demographic information

Enrollment

Student school enrollment

Student grade level

Homeroom

Guidance counselor

Specific curriculum programs

Year of graduation

Other enrollment information

Parent/Guardian contact information

Address

Email

Phone

Parent/Guardian ID

Parent ID number (created to link parents to students)

Parent/Guardian name

First and/or Last

Special indicator

English language learner information

Low income status

Medical alerts/health data

Student disability information

Specialized education services (IEP or 504)

Living situations (homeless/foster care)

Other enrollment information

Student contact information

Address

Email

Phone

Student identifiers

Local (School district) ID number

State ID number

Provider/App assigned student ID number

Student app username

Student app passwords

Student name

First and/or Last

Student in app performance

Program/application performance (typing program-student types 60 wpm, reading program-student reads below grade level)

Student program membership

Academic or extra-curricular activities a student may belong to or participate in

Student survey responses

Student responses to surveys or questionnaires

Student work

Student generated content; writing, pictures, etc.

Other student work data

Transcript

Student course grades

Student course data

Student course grades/performance scores

Other transcript data

Transportation

Student bus assignment

Student pick up and/or drop off location

Student bus card ID number

Other transportation data

Other

Please list each additional data element used, stored, or collected by your application

None

No Student Data collected at this time. Provider will immediately notify LEA if this designation is no longer applicable.

It’s free to try – click below to get started!

We offer a generous free plan for teachers, and are accepting district partners for the 25-26 school year.

Get started for free

Get in touch

Interface displaying a list with checkboxes, buttons, and organized information for user interaction.

It’s free to try – click below to get started!

We offer a generous free plan for teachers, and are accepting district partners for the 25-26 school year.

Get started for free

Get in touch

It’s free to try – click below to get started!

We offer a generous free plan for teachers, and are accepting district partners for the 25-26 school year.

Get started for free

Get in touch