Data Processing Addendum
Last updated: November 4, 2024
ClassTrack — Data Processing Addendum (DPA)
ClassTrack is a service of Teaching Tomorrow, a division of ZeroPoint Holdings LLC.
NOTICE: This DPA is issued by ZeroPoint Holdings LLC dba Teaching Tomorrow, operating ClassTrack. It supplements and forms part of the Terms of Service between the School (Controller) and ClassTrack (Processor). By accepting the TOS, the School is deemed to have executed this DPA.
For Institutional Records: If your school requires a countersigned copy of this DPA for procurement or compliance purposes, please contact legal@teaching-tomorrow.com and we'll provide an executed version within 2 business days.
Revised November 4, 2024 to reflect corporate restructuring under ZeroPoint Holdings LLC dba Teaching Tomorrow.
Effective Date: November 4, 2024 Controller (School): The educational institution identified in the ClassTrack account or Order Form Processor: ZeroPoint Holdings LLC dba Teaching Tomorrow Principal Address: 2135 E. Independence St. #1160, Springfield, MO 65804, USA Registered Agent: 117 S Lexington St., Ste 100, Harrisonville, MO 64701-2444, USA Contact: dpo@teaching-tomorrow.com | security@teaching-tomorrow.com
A. Subject Matter & Duration
ClassTrack processes Student Data to provide the Service for the Subscription Term plus any post-termination export period (60 days). After that, Student Data will be deleted or de-identified except where retention is required by law or for legal defense. Backups automatically purge within 90 days.
B. Nature and Purpose of Processing
Hosting, storage, synchronization, display, secure transmission, technical support, analytics on De-Identified Data, and related operations necessary to deliver and improve the Service.
No Student Data is used for marketing, profiling, or cross-context behavioral advertising.
C. Categories of Data and Data Subjects
Data Subjects: students, parents/guardians (contact info), teachers and staff (account info). Data Categories:
- Identifiers (name, preferred name)
- Class/grade/year/level and program or track
- Guardian or parent contact information (name, email, phone)
- Attendance records (present/absent/tardy/excused timestamps)
- Class rosters and notes
- Optional interests or hobbies
- Authentication and usage logs
Privacy Enhancement: Date of birth is not collected by default; sensitive fields (allergies/accommodations) are disabled unless enabled by the School.
D. Roles and Documented Instructions
The School acts as Controller; ClassTrack acts as Processor/Service Provider. Processing occurs solely per the School's documented instructions contained in the Agreement, TOS, and in-app configurations. If an instruction appears unlawful, ClassTrack will promptly notify the School. ClassTrack has no duty to verify that the School's instructions, notices, or consents are legally sufficient.
E. Confidentiality and Personnel
All persons authorized to process Student Data are bound by confidentiality obligations and receive privacy + security training. Access to production data is limited by role and least-privilege principles.
F. Security Measures
ClassTrack maintains the technical and organizational measures described in Annex A, including encryption in transit (TLS 1.2+) and at rest (AES-256), MFA, role-based access, logging, vulnerability management, and incident response. Security controls are reviewed annually and after significant changes.
G. Subprocessors
The School grants general authorization for ClassTrack to use approved Subprocessors. Current list (subject to update notice):
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting & authentication | United States |
| Microsoft Outlook / Microsoft 365 | Transactional email delivery | United States |
ClassTrack will: (i) impose equivalent data-protection obligations; (ii) remain liable for Subprocessors; (iii) provide 30-day notice of changes; and (iv) allow reasonable objections. If unresolved, the School may terminate the affected Service and receive a pro-rated refund of prepaid fees.
H. Assistance to Controller
ClassTrack will assist the School with:
- Responding to data-subject requests (as directed by the School);
- Maintaining security of processing;
- Notifying and mitigating breaches; and
- Conducting DPIAs or supervisory consultations as required.
I. Personal Data Breach
ClassTrack will notify the School without undue delay and no later than 48 hours after becoming aware of a Personal Data Breach, providing details on scope, likely impact, and mitigation steps. Follow-up reports will be issued as information emerges.
J. Return and Deletion
Upon termination or request, ClassTrack will return Student Data in CSV/JSON format and/or delete it within 60 days, unless retention is legally required. Backups are purged within 90 days on their normal cycle.
K. Audit and Compliance
At the School's reasonable request (no more than once per 12 months unless legally required or post-incident), ClassTrack will make available independent audit reports (e.g., SOC 2 Type II or ISO 27001). If further audit is requested, it must be limited to security and data-protection controls and conducted under reasonable confidentiality terms. Costs for onsite audits beyond standard reports may be charged at reasonable rates.
L. International Transfers
For data transfers from the EEA or Switzerland to non-adequate countries, the parties incorporate the EU SCCs (2021/914) — Module 2 (C→P) and Module 3 (P→P) — with the selections in Annex B. For UK transfers, the UK ICO Addendum applies. In case of conflict, SCCs/UK Addendum prevail.
M. CPRA (Service Provider Terms)
ClassTrack will not sell, share, or combine Student Data except as permitted for security or Service improvement. It will use Student Data only for defined business purposes and certifies its understanding of CPRA obligations.
N. Liability and Indemnity
Each party's liability under this DPA is subject to the limitation of liability in the Agreement, except that willful misconduct or gross negligence causing unauthorized disclosure is not limited. The School will indemnify ClassTrack for any claim, fine, or investigation arising from the School's failure to provide lawful instructions or consents.
O. Governing Law and Venue
This DPA is governed by the laws of the State of Missouri, USA, and subject to the arbitration clause in the TOS. Venue for any court proceedings shall be in the courts located in Greene County, Missouri.
Annex A — Security Measures (Summary)
- Governance: Security program owned by senior leadership; annual policy review and risk assessment.
- Access Control: SSO/MFA, least-privilege RBAC, quarterly access reviews, session timeouts.
- Encryption: TLS 1.2+ in transit, AES-256 at rest; key management with restricted access.
- Application Security: Secure SDLC, peer review, dependency scanning, SBOM; Critical fix ≤ 7 days, High ≤ 14 days.
- Logging & Monitoring: Centralized logs (12-month retention), tamper resistant, alerting on anomalies.
- BC/DR: Daily backups; tested restoration; RPO ≤ 24 h, RTO ≤ 12 h.
- Vendor Management: Security reviews and DPAs for third parties; SCCs/UK Addendum for cross-border transfers.
- Personnel: Background checks (where lawful), annual training, NDAs.
- Incident Response: Documented plan, roles & responsibilities, tabletop exercises, post-incident reviews.
- Physical: Hosted in secure cloud facilities with industry certifications; access restricted and logged.
Annex B — SCC Selections (Quick Reference)
- Modules: 2 (Controller→Processor), 3 (Processor→Processor).
- Clause 9 (Subprocessors): General authorization, 30-day notice.
- Clause 11: Optional redress not selected.
- Clause 17: Governing law — Ireland (or another EU Member State).
- Clause 18: Forum — Courts of Ireland.
- Annex I.A (Both Parties): School and ClassTrack details.
- Annex I.B (Transfers): As per Sections A–C.
- Annex I.C (Authority): Supervisory authority where data exporter established.
- Annex II: Security measures = Annex A above.
Execution (Optional)
If the School requires a signed copy, complete below or sign digitally.
Controller (School) Name: __________________________ Title: __________________________ Organization: __________________ Signature: _____________________ Date: _________
Processor — ZeroPoint Holdings LLC dba Teaching Tomorrow (ClassTrack) Name: __________________________ Title: __________________________ Signature: _____________________ Date: _________
© 2024-2025 ZeroPoint Holdings LLC dba Teaching Tomorrow. All rights reserved.