GraduateSmart

Data Processing Agreement

Version 1.0 · Last updated: April 2, 2026

For School Districts & Educational Institutions

This Data Processing Agreement governs how GraduateSmart processes student data shared by your institution. To execute this agreement, email partnerships@graduatesmart.org with your institution name and contact information.

PARTIES

This Data Processing Agreement ("DPA") is entered into between:

Data Controller ("Institution")

[School / School District Name], a public educational institution operating under the laws of [State]. Contact: [Superintendent / Principal Name], [email], [address].

Data Processor ("GraduateSmart")

GraduateSmart Inc., a 501(c)(3) nonprofit corporation organized under the laws of New York. Contact: partnerships@graduatesmart.org

1. PURPOSE AND SCOPE

This DPA governs the processing of student personal data shared by the Institution with GraduateSmart for the purpose of providing college and career planning services to enrolled students through the GraduateSmart platform at graduatesmart.org.

GraduateSmart processes student data solely on behalf of the Institution and in accordance with the Institution's documented instructions as set forth in this DPA.

2. CATEGORIES OF DATA PROCESSED

GraduateSmart may process the following categories of student data under this DPA:

Category	Examples	Purpose
Identifiers	Name, email address	Account creation and communication
Academic data	Grade level, GPA, test scores	College matching and Roadmap Plan generation
Location data	State, city, ZIP code	In-state tuition matching, school proximity
Career interests	Selected career fields and interests	Career and scholarship matching
CLEP/AP progress	Exam status, scores, planned exams	Tuition savings calculation
Roadmap data	Milestones, schools saved, applications	Academic planning and counselor monitoring

Sensitive Data — Excluded from Institutional Data Sharing

Race, ethnicity, gender identity, disability status, household income, citizenship status, and military/veteran family status are collected directly from students on a voluntary basis and are notshared by institutions under this DPA. These fields are used only within the platform's scholarship matching algorithm and are never visible to counselors, parents, or any third party.

3. FERPA COMPLIANCE

The Institution represents and warrants that it has the legal authority under FERPA to disclose student education records to GraduateSmart as a "school official" with a "legitimate educational interest," as those terms are defined under 20 U.S.C. § 1232g and 34 C.F.R. Part 99.

GraduateSmart agrees to:

Use student data only for the purposes described in this DPA
Not re-disclose student data to third parties without prior written consent from the Institution
Maintain the confidentiality of student education records
Allow the Institution to review the data GraduateSmart maintains about its students upon request
Return or destroy student data upon termination of this DPA

4. DATA SECURITY

GraduateSmart implements the following technical and organizational security measures:

All data encrypted in transit via HTTPS/TLS 1.2+
Data at rest encrypted in Supabase (PostgreSQL) with AES-256
Row Level Security (RLS) enforced on all database tables
Authentication via Supabase Auth with JWT session management
Passwords stored with bcrypt hashing — never in plain text
Access to production database limited to authorized GraduateSmart personnel only
Regular security audits of codebase and database permissions

5. SUBPROCESSORS

GraduateSmart uses the following subprocessors to deliver the service. All subprocessors are bound by data processing agreements consistent with this DPA:

Subprocessor	Purpose	Location
Supabase Inc.	Database, authentication, file storage	USA (AWS us-east-1)
Vercel Inc.	Web hosting and content delivery	USA / Global CDN
Anthropic PBC	AI Roadmap Plan generation (Claude API)	USA
Resend Inc.	Transactional email delivery	USA

GraduateSmart will notify the Institution at least 30 days in advance before adding any new subprocessors that will process student data covered by this DPA.

6. DATA BREACH NOTIFICATION

In the event of a confirmed data breach affecting student data covered by this DPA, GraduateSmart will notify the Institution within 72 hours of becoming aware of the breach. Notification will include:

Description of the nature of the breach
Categories and approximate number of students affected
Categories and approximate number of records affected
Likely consequences of the breach
Measures taken or proposed to address the breach

7. DATA RETENTION AND DELETION

Student data is retained for the duration of the student's active account
Upon termination of this DPA, GraduateSmart will delete all Institution student data within 30 days
The Institution may request deletion of specific student records at any time by emailing privacy@graduatesmart.org
Backup copies are purged within 90 days per GraduateSmart's backup rotation schedule
GraduateSmart will provide written confirmation of deletion upon request

8. STUDENT AND PARENT RIGHTS

Under FERPA, students (or parents of students under 18) have the right to:

Inspect and review their education records held by GraduateSmart
Request correction of inaccurate or misleading information
Request deletion of their account and all associated data

Requests should be directed to the Institution's records office, which will coordinate with GraduateSmart as needed. Students may also submit requests directly to privacy@graduatesmart.org.

9. TERM AND TERMINATION

This DPA is effective upon the date both parties execute it and remains in effect until terminated. Either party may terminate this DPA with 30 days written notice. Upon termination, GraduateSmart will cease processing Institution student data and delete all covered data within 30 days as described in Section 7.

10. GOVERNING LAW

This DPA is governed by the laws of the State of New York, without regard to its conflict of law principles, and in compliance with applicable federal law including FERPA (20 U.S.C. § 1232g), COPPA (15 U.S.C. § 6501), CCPA (Cal. Civ. Code § 1798.100), and the NY Education Law § 2-d.

SIGNATURES

Institution

Authorized Signature

Printed Name

Title

Date

GraduateSmart Inc.

Authorized Signature

Printed Name

Title

Date

Ready to execute this agreement?

Email us to begin the DPA process for your school or district. We typically complete agreements within 5–7 business days.

Request DPA — partnerships@graduatesmart.org

FERPA Compliance Privacy Policy Terms of Service

GraduateSmart