Data Processing Agreement
Last updated: March 21, 2026
1. Definitions
For the purposes of this Data Processing Agreement (“DPA”), the following terms shall have the meanings set forth below:
- “Controller” – The educational institution or organization that determines the purposes and means of processing Personal Data (the “Customer”).
- “Processor” – Ludwitt, Inc., which processes Personal Data on behalf of the Controller pursuant to this DPA and the Master Service Agreement.
- “Personal Data” – Any information relating to an identified or identifiable natural person (“Data Subject”), including but not limited to student records, educator records, and account information.
- “Processing” – Any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- “Sub-Processor” – Any third party engaged by Ludwitt to process Personal Data on behalf of the Controller.
- “Data Subject” – An identified or identifiable natural person whose Personal Data is processed, including students, educators, and administrators.
2. Scope & Purpose
This DPA governs the processing of Personal Data by Ludwitt on behalf of the Controller in connection with the provision of adaptive learning services. The purpose of processing includes:
- Providing adaptive K–12 learning experiences across Math, Reading, Logic, Latin, Greek, and Writing
- AI-powered difficulty adjustment and personalized content generation
- Progress tracking, analytics, and reporting for educators and administrators
- Authentication and account management for authorized users
- Billing and license management for institutional accounts
Ludwitt shall process Personal Data only to the extent necessary to fulfill the purposes described in this DPA and the Master Service Agreement.
3. Processor Obligations
Ludwitt, as the Processor, shall:
- Process only on documented instructions – Process Personal Data solely in accordance with the Controller’s documented instructions, unless required by applicable law to do otherwise. Ludwitt shall promptly inform the Controller if, in its opinion, an instruction infringes applicable data protection legislation.
- Confidentiality – Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Data Subject Access Requests (DSARs) – Assist the Controller in responding to requests from Data Subjects exercising their rights (access, rectification, erasure, portability, restriction, and objection) by providing appropriate technical and organizational measures, insofar as this is possible.
- Data Protection Impact Assessments (DPIAs) – Provide reasonable assistance to the Controller in conducting DPIAs and prior consultations with supervisory authorities, where required.
- Deletion and return – Upon termination of the Agreement or upon the Controller’s request, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires continued storage.
- Documentation and audit – Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
4. Sub-Processors
Ludwitt engages the following Sub-Processors to deliver the Services. The Controller grants general authorization for the use of these Sub-Processors, subject to Ludwitt’s obligation to notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object.
Important: AI Data Isolation
Student identity (name, email, userId) is NEVER sent to Anthropic. Only educational content (questions, answers) is transmitted for AI grading.
| Sub-Processor | Purpose | Data Shared | Data NOT Shared | Retention |
|---|---|---|---|---|
| Anthropic | AI grading & content generation | Educational content only (questions, answers) | Student names, emails, userIds | Not retained after processing |
| Stripe | Billing & payment processing | Billing contact information | Learning data, academic records | Per Stripe data retention policies |
| Google / Firebase | Database, authentication, storage | All platform data | N/A (primary infrastructure) | Controlled by Ludwitt |
| Daily.co | Video study rooms | Video and audio streams | Academic data, learning records | Not recorded by default |
| Vercel | Application hosting | Request metadata | Database contents | 30 days (logs) |
| Sentry | Error tracking & monitoring | Error context | PII (scrubbed before transmission) | 90 days |
5. Data Security Measures
Ludwitt implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption at rest – All Personal Data stored in Firestore and Firebase Storage is encrypted using AES-256 encryption.
- Encryption in transit – All data transmitted between clients and servers is protected using TLS 1.3 or higher.
- Role-Based Access Control (RBAC) – Access to Personal Data is restricted based on user roles (student, educator, administrator, institution admin) with least-privilege principles.
- Multi-Factor Authentication (MFA) – MFA is available for all user accounts and required for administrative access.
- Regular security assessments – Ludwitt conducts periodic vulnerability assessments and penetration testing of its infrastructure.
- Access logging – All access to Personal Data is logged and monitored for unauthorized activity.
6. Breach Notification
In the event of a Personal Data breach, Ludwitt shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the breach.
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
- Document the breach, including the facts relating to the breach, its effects, and the remedial action taken.
7. Data Return & Deletion
Upon termination or expiration of the Agreement, or upon the Controller’s written request:
- Data export – Ludwitt shall provide a complete export of all Personal Data in a structured, commonly used, machine-readable format (JSON) within 30 days of the request.
- Data deletion – Ludwitt shall securely delete all Personal Data, including all copies and backups, within 90 days of the export or upon written confirmation from the Controller, unless applicable law requires continued storage.
- Certification – Upon request, Ludwitt shall provide written certification that all Personal Data has been securely deleted.
8. FERPA Compliance
For institutions subject to the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g:
- Ludwitt operates as a “school official” with a legitimate educational interest in the education records it accesses, as defined under 34 CFR § 99.31(a)(1)(i)(B).
- Ludwitt shall use education records solely for the purpose of providing the contracted adaptive learning services.
- Ludwitt shall not disclose education records to any third party except as permitted under FERPA or as directed by the Controller.
- Ludwitt shall not use education records for any purpose other than the purpose for which the disclosure was made.
- The Controller retains full control over and ownership of all education records.
9. COPPA Compliance
For users under the age of 13, in compliance with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506:
- Parental consent workflow – Ludwitt provides mechanisms for institutions to obtain and manage verifiable parental consent for the collection and use of personal information from children under 13.
- Data minimization – Ludwitt collects only the minimum personal information necessary to provide the adaptive learning services for users under 13. No behavioral advertising data is collected.
- Parental access – Parents may review, request deletion of, and refuse further collection of their child’s personal information through the institution or by contacting Ludwitt directly.
- Reasonable security – Ludwitt maintains reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
10. International Data Transfer
Ludwitt’s primary infrastructure is located in the United States. Where Personal Data is transferred from a jurisdiction outside the United States (including transfers from the European Economic Area, United Kingdom, or Switzerland):
- Ludwitt shall ensure that appropriate safeguards are in place, including the execution of Standard Contractual Clauses (SCCs) as approved by the European Commission, where applicable.
- Ludwitt shall implement supplementary measures as necessary to ensure that the level of protection of Personal Data is not undermined by the transfer.
- The Controller may request information about the specific safeguards applied to any international data transfer.
11. Audit Rights
The Controller has the right to audit Ludwitt’s compliance with this DPA, subject to the following conditions:
- Frequency – The Controller may conduct up to one audit per year (annual audit), unless a data breach or material concern necessitates an additional audit.
- Notice – The Controller shall provide at least 30 days’ written notice prior to conducting an audit.
- Scope – Audits shall be limited to Ludwitt’s processing of Personal Data on behalf of the Controller and shall not unreasonably interfere with Ludwitt’s business operations.
- Costs – The Controller shall bear the costs of any audit, except where the audit reveals a material breach of this DPA by Ludwitt.
- Third-party reports – Ludwitt may satisfy audit requests by providing relevant third-party audit reports (e.g., SOC 2 Type II) where available.
12. Contact
For questions, requests, or concerns regarding this Data Processing Agreement or Ludwitt’s data processing practices:
- Data Protection Officer: dpo@ludwitt.com
- General inquiries: support@ludwitt.com
- Enterprise support: enterprise@ludwitt.com
This Data Processing Agreement is incorporated into and forms part of the Ludwitt Master Service Agreement. It applies to all institutional license holders processing Personal Data through the Ludwitt platform.