ChapterOps

Data Processing Agreement

Many school districts require a signed Data Processing Agreement (DPA) before advisors can use a third-party tool that handles student data. We have one ready.

Draft template — confirm with your district and legal counsel before signing. This template is based on the SDPC (Student Data Privacy Consortium) standard DPA framework and is offered as a starting point. It has not yet been reviewed by an attorney. Ben will refine this with counsel before ChapterOps scales beyond the pilot.

What is a DPA?

A Data Processing Agreement is a contract between your school or district (the data “controller”) and ChapterOps (the data “processor”). It documents:

  • What student data ChapterOps can access
  • How we protect it
  • Who we share it with (sub-processors)
  • What happens to the data when the agreement ends
  • How to report and respond to a data breach

FERPA permits schools to use a third-party tool without individual parental consent when the provider is operating as a “school official” under a legitimate educational interest — but that designation is only solid when backed by a DPA.

What our DPA covers

1

Parties and purpose

Identifies the district, the school, and ChapterOps. Describes the purpose: operating a CTSO chapter management and competition trip logistics platform.

2

Data classification

Lists the categories of student data covered: directory information, education records, health and safety information (allergies, medical notes), and parent contact information.

3

Permitted uses

ChapterOps may use student data only to provide the contracted service. We may not use it for advertising, sale to third parties, or AI model training.

4

Sub-processors

Incorporates our sub-processor list by reference (Vercel, Supabase, Stripe, Twilio, Resend, Sentry, Anthropic). Districts are notified of changes.

5

Security measures

Documents encryption at rest, encryption in transit, 2FA, per-chapter RLS, audit logging, and app-layer encryption for sensitive fields.

6

Breach notification

ChapterOps will notify the district within 72 hours of discovering a breach involving student data.

7

Data return and deletion

On termination, ChapterOps will provide a full data export and delete all district student data within 30 days.

8

Signatures

Signature blocks for an authorized district representative and a ChapterOps representative. Placeholder fields for legal entity name and date.

Download the DPA

The PDF is generated on demand with placeholder fields that ChapterOps fills in per district before execution.

Download ChapterOps DPA (PDF)

Need a countersigned copy for your district? Email ben@chapterops.com with subject “DPA — [District Name].”

Placeholder fields in the template

The PDF uses bracketed placeholders that ChapterOps fills in for each district before signing:

  • {DISTRICT_NAME} — full legal name of the school district
  • {SCHOOL_NAME} — specific school, if applicable
  • {DISTRICT_CONTACT_NAME} — authorized district signatory
  • {DISTRICT_CONTACT_TITLE}
  • {VENDOR_LEGAL_ENTITY} — ChapterOps legal entity (pending LLC formation)
  • {SIGNATURE_DATE} — execution date
  • {EFFECTIVE_DATE} — agreement start date
  • {TERM_END_DATE} — typically end of the academic year