This Data Processing Agreement ("Agreement") is entered into between the above-named District (the "LEA" or "District") and EnhanceED LLC ("Operator"), collectively the "Parties," effective as of _____________, 2026 ("Effective Date").

This Agreement governs the collection, processing, storage, and protection of student and educator data in connection with the Operator's AI Literacy Platform (the "Platform"), accessible at mt-innovations-ai-literacy.netlify.app and any associated custom domain. This Agreement is incorporated into and supplements the Parties' service agreement or license arrangement.

1. Definitions

For purposes of this Agreement:

• "Student Data" means personally identifiable information directly related to a student that is maintained by the District, including information collected by the Platform on the District's behalf.
• "Covered Information" means the personal data described in Section 3 of this Agreement.
• "FERPA" means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations at 34 C.F.R. Part 99.
• "SOPPA" means the Illinois Student Online Personal Protection Act, 105 ILCS 85.
• "COPPA" means the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.
• "Subprocessor" means any third-party service provider engaged by the Operator to process Covered Information on its behalf.

2. Scope and Purpose

The Operator will process Covered Information solely for the purpose of providing the Platform's educational services to the District, including:

• Authenticating and managing user accounts for educators, students, and district administrators
• Tracking learning progress and module completion for reporting and certificate generation
• Administering placement assessments and storing scores
• Generating district-level completion reports accessible to district administrators
• Operating the AI practice sandbox for educational skill-building

The Operator shall not process Covered Information for any purpose beyond what is necessary to provide the Platform's educational services as described in this Agreement.

3. Categories of Covered Information

The following categories of information may be collected and processed under this Agreement:

AI sandbox prompts are transmitted to Google Gemini for response generation and are not retained by the Operator after the session response is returned. No student personally identifiable information is transmitted to Google in connection with sandbox prompts. See Section 7 for Subprocessor details.

4. Operator Obligations

The Operator agrees to the following obligations with respect to Covered Information:

1. Confidentiality. The Operator shall maintain the confidentiality of all Covered Information and shall not disclose it to any third party except as expressly permitted by this Agreement or required by law.
2. No Sale of Student Data. The Operator shall not sell, rent, or trade Student Data or use it for any commercial purpose unrelated to the educational services provided under this Agreement.
3. No Targeted Advertising. The Operator shall not use Student Data to target advertising to students or to build advertising profiles about students or their households.
4. No Unauthorized Disclosure. The Operator shall not disclose Student Data to any other school, district, or third party without the express written consent of the District, except as required by applicable law or court order.
5. Access Controls. The Operator shall implement role-based access controls ensuring that District administrators can access only the data of users within their own district, enforced at the database level through Row Level Security policies.
6. Security Measures. The Operator shall implement and maintain reasonable technical and organizational security measures as described in Section 6.
7. Subprocessor Management. The Operator shall ensure that all Subprocessors are bound by data protection obligations no less protective than those in this Agreement.
8. Breach Notification. The Operator shall notify the District without unreasonable delay — and in no event later than 72 hours after discovery — of any confirmed or reasonably suspected unauthorized access to, disclosure of, or loss of Covered Information.
9. Legal Compliance. The Operator shall comply with FERPA, SOPPA, and other applicable federal and Illinois state privacy laws in its processing of Covered Information.

5. District Obligations

The District agrees to the following:

1. Authority. The District represents that it has the legal authority to enter into this Agreement and to share Covered Information with the Operator for the purposes described herein.
2. FERPA Designation. The District designates the Operator as a "school official" with a legitimate educational interest for purposes of FERPA, limited to the services described in this Agreement.
3. Appropriate Use. The District shall ensure that users access the Platform only for lawful educational purposes consistent with this Agreement.
4. Age Requirements. The District acknowledges that the Platform is recommended for students age 13 and older. Districts deploying the Platform to students under 13 are responsible for obtaining any required parental consents under COPPA prior to access.
5. Accuracy. The District is responsible for the accuracy of information provided to the Operator for account creation and administration.

6. Security Measures

The Operator shall maintain the following security measures to protect Covered Information:

• All data transmitted between users and the Platform is encrypted in transit using HTTPS/TLS
• Data is stored on Supabase infrastructure (SOC 2 Type II certified) in the United States
• Database access is governed by Row Level Security (RLS) policies enforced at the database engine level, not solely at the application layer
• Passwords are hashed using industry-standard algorithms and are never stored in plaintext
• API keys and credentials are stored server-side and are not exposed to client browsers
• Access to production data by Operator staff requires super_admin role authentication and is logged
• The Operator performs periodic reviews of access controls and security configurations

7. Subprocessors

The Operator uses the following Subprocessors in connection with the Platform. By signing this Agreement, the District provides general authorization for the use of these Subprocessors. The Operator will notify the District of any material changes to this list.

8. Data Retention and Deletion

1. Retention Period. The Operator shall retain Covered Information for the duration of the District's active license and for a period of up to 90 days following expiration or termination to facilitate data export.
2. Export. District administrators may export their district's user and progress data in CSV format at any time using the Admin Dashboard. The Operator will assist with data export requests upon written request.
3. Deletion. Upon written request from the District, or upon expiration of the 90-day post-termination period, the Operator shall delete or destroy all Covered Information in its possession, except as required to be retained by applicable law. Deletion will be completed within 30 days of the request.
4. Individual Deletion. The District may request deletion of individual student or educator records at any time by contacting contact@mtinnovations.ai. Such requests will be honored within 30 days.
5. Sandbox Data. AI sandbox prompts and responses are not retained by the Operator following the completion of the API transaction and are therefore not subject to export or deletion requests.

9. FERPA and SOPPA Compliance

FERPA: The Operator acknowledges that Student Data constitutes education records under FERPA. The Operator agrees to: (a) use Student Data only for the purposes set forth in this Agreement; (b) not re-disclose Student Data without the written consent of the District or applicable parent/student; and (c) comply with the District's reasonable requests to access, correct, or delete Student Data consistent with FERPA requirements.

Illinois SOPPA (105 ILCS 85): The Operator agrees to comply with all applicable requirements of the Illinois Student Online Personal Protection Act, including the prohibition on selling Student Data, the prohibition on using Student Data for targeted advertising, the requirement to implement reasonable security practices, and the requirement to notify the District of unauthorized disclosures. The Operator further agrees to delete Student Data as provided in Section 8 upon request or upon termination of this Agreement.

10. Term and Termination

This Agreement is effective as of the Effective Date and remains in effect for the duration of the District's license or service agreement with the Operator, unless terminated earlier by mutual written consent or as provided herein.

Either Party may terminate this Agreement upon 30 days' written notice. Upon termination, the Operator's obligations regarding data retention and deletion as set forth in Section 8 shall survive.

The following sections shall survive termination of this Agreement: Sections 1, 4 (with respect to data already collected), 8, 9, and 11.

11. General Provisions

Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Illinois, without regard to conflict of law principles.

Entire Agreement. This Agreement, together with any applicable service or license agreement between the Parties, constitutes the entire agreement between the Parties with respect to data processing and supersedes all prior discussions and agreements on this subject.

Amendment. This Agreement may be amended only by a written instrument signed by authorized representatives of both Parties. The Operator will provide at least 30 days' advance written notice of any material changes to this Agreement.

Severability. If any provision of this Agreement is found to be unenforceable, the remaining provisions shall continue in full force and effect.

No Waiver. Failure by either Party to enforce any provision of this Agreement shall not constitute a waiver of that Party's right to enforce such provision in the future.

Notices. All notices under this Agreement shall be in writing and delivered by email to the addresses provided by each Party, with confirmation of receipt.

12. Signatures

By signing below, the authorized representatives of each Party agree to the terms of this Data Processing Agreement.