top of page

Data Processing Addendum (DPA)

(Student Data Privacy Framework)

Last Updated: June 9, 2026
 

This Data Processing Addendum ("DPA") supplements and is formally incorporated into the Master SaaS Agreement (the "Agreement") entered into by and between Better Speech, LLC. ("Streamline") and the school district, charter school, local educational agency, or public educational entity executing an Order Form referencing this DPA ("District" or "Customer").

This DPA governs the privacy, security, and processing of Student Data uploaded by the District and its Authorized Users into the Streamline platform. In the event of any operational conflict between the terms of this DPA and the commercial terms of the Agreement, the terms of this DPA shall govern solely with respect to the privacy and security of Student Data.
 

1. Definitions

  • "Student Data" means any personally identifiable information (PII), student records, institutional data, or student-generated content protected under the Family Educational Rights and Privacy Act (FERPA) or applicable state student data privacy laws, that is submitted, uploaded, or stored within the Services by the District or its Authorized Users.

  • "Applicable Privacy Laws" means all United States federal and state laws, rules, and regulations governing student data privacy, protection, and security applicable to the Services, including, without limitation, the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) ("FERPA"), the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) ("COPPA"), the Individuals with Disabilities Education Act (20 U.S.C. §§ 1400 et seq.) ("IDEA"), and state-specific student privacy statutes including Ohio Revised Code ("ORC") Section 3319.321.

  • "Security Incident" means any confirmed unauthorized access, acquisition, alteration, disclosure, or destruction of active Student Data maintained within Streamline’s production cloud environments.

  • "Subprocessor" means any third party engaged by Streamline to process, host, store, transmit, or otherwise access Student Data in connection with providing the Services.
     

2. Regulatory Status and Scope of Processing

  • 2.1 School Official Status under FERPA. The parties acknowledge and agree that, for the purposes of this DPA and federal compliance, Streamline operates as a "School Official" with a "legitimate educational interest" in the institutional data it processes under 34 CFR § 99.31(a)(1)(i)(B). Streamline performs an institutional service or function for which the District would otherwise deploy its own internal employees. Streamline explicitly acknowledges that it remains under the "direct control" of the District with respect to the use, maintenance, and protection of Student Data.

  • 2.2 Purpose Specification. Streamline shall collect, process, host, and transmit Student Data solely to provide, maintain, support, and execute the operational functions of the software Services as authorized under the Agreement and specified in an active Order Form. Streamline is strictly prohibited from using Student Data for any commercial purpose, targeted advertising, behavioral profiling, or marketing secondary products to students, parents, or guardians. Streamline shall process Student Data solely on behalf of and under the instructions of the District, except as otherwise required by applicable law.

  • 2.3 Ohio Statutory Compliance Addendum. To the extent the District is an Ohio public school district, community school, or educational service center, Streamline explicitly covenants to handle all student records in strict compliance with the mandate of Ohio Revised Code Section 3319.321. All Student Data remains the administrative property of, and under the ultimate direction of, the District.
     

3. Data Ownership and Operational Use Restrictions

  • 3.1 Retention of Proprietary Rights. All right, title, and interest in and to Student Data remains the sole and exclusive property of the District. Streamline acquires no intellectual property ownership, express or implied, in the Student Data or records provided by the District.

  • 3.2 De-Identified Data Optimization. Subject to Applicable Privacy Laws, Streamline may aggregate, anonymize, and de-identify Student Data so that the information can no longer reasonably be linked to an identifiable individual student, teacher, or educational campus. Streamline may utilize such completely de-identified operational metadata for lawful data analysis, service performance measurement, platform benchmarking, security monitoring, and internal operational diagnostics. Streamline shall not attempt to re-identify de-identified data and shall not disclose de-identified data in a manner that would reasonably permit re-identification of an individual student.

  • 3.3 Artificial Intelligence and Machine Learning Restrictions. For the avoidance of doubt, Streamline shall not use Customer Data, Student Data, Protected Health Information (PHI), Personally Identifiable Information (PII), education records, therapy records, prompts, inputs, outputs, or other Customer content to train, develop, fine-tune, improve, validate, benchmark, or otherwise enhance any artificial intelligence, machine learning, large language model (LLM), or algorithmic product or service.

  • Streamline shall not sell, license, disclose, or otherwise make available Customer Data, Student Data, PHI, PII, prompts, inputs, outputs, or other Customer content to any third party for purposes of artificial intelligence model training.

4. Data Security and Information Integrity

  • 4.1 Administrative, Physical, and Technical Safeguards. Streamline shall implement, execute, and maintain an information security program featuring administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, or misuse. As detailed in Section 6.1 of the Agreement, these mandatory measures include data encryption in transit and at rest, role-based access controls (RBAC) restricted to authorized engineering personnel, multi-factor authentication, and routine vulnerability patch management. Streamline shall maintain written incident response, disaster recovery, and business continuity procedures appropriate to the nature of the Services.

  • 4.2 Subprocessor Controls. Streamline may engage third-party infrastructure sub-service providers (such as secure cloud hosting facilities or compliant enterprise APIs) to support platform delivery. Streamline ensures that all such subprocessors are bound by written data protection agreements containing privacy, security, and confidentiality obligations substantially identical to those set forth in this DPA. Streamline remains responsible for the acts and omissions of its subprocessors to the extent such acts or omissions would constitute a breach of this DPA if committed directly by Streamline. Upon reasonable written request, Streamline shall make available a current list of subprocessors that materially process Student Data in connection with the Services.

  • 4.3 Security Incident Response. In the event that Streamline confirms a Security Incident has occurred impacting the District's Student Data, Streamline shall notify the District in writing via electronic mail without unreasonable delay, and in no event later than seventy-two (72) hours following Streamline's discovery of or reasonable belief that a Security Incident has occurred, regardless of whether the full scope has been determined. If complete information is not yet available at the time of initial notification, Streamline shall provide a preliminary notice and shall supplement it with additional information as it becomes available, including the categories of Student Data affected, the estimated number of affected records, and the remediation measures implemented or planned. Streamline will provide reasonable cooperation to help the District investigate the event and mitigate risks, provided that the District shall retain sole statutory responsibility for executing any state-mandated parent, user, or regulatory notifications. Upon reasonable request, Streamline shall provide information reasonably available to it regarding the nature of the Security Incident, the categories of affected Student Data, and the remediation measures implemented, provided that Streamline shall not be required to disclose confidential security architecture, proprietary information, or information relating to other customers.

5. Data Access, Correction, and Retention

  • 5.1 Parent and Student Access Interface. Streamline does not directly manage, audit, or respond to access, correction, or deletion requests received directly from parents, legal guardians, or eligible students. In the event a parent or student contacts Streamline directly to access or correct an education record, Streamline will forward such request to the District within ten (10) business days. Streamline will cooperate with the District to facilitate necessary technical modifications or data extractions within the platform dashboard as required by FERPA.

  • 5.2 Data Retention and Certified Destruction. Streamline will maintain Student Data only for the duration of an active Agreement subscription or as legally required. Upon written request by the District within ninety (90) days following termination of the Agreement, Streamline will make Student Data available for secure export. Following the expiration of this 90-day window, Streamline will securely delete, overwrite, or purge all Student Data from its active production environments in accordance with industry-standard data destruction methodologies (NIST SP 800-88 or equivalent) and provide a formal certification of destruction upon written request. This obligation shall not apply to residual data maintained within encrypted backup systems, disaster recovery environments, or archival storage retained in the ordinary course of business, provided such residual data remains protected from further processing and is overwritten or deleted pursuant to Streamline's standard retention schedules. 

  • 5.3 Student and Parent Requests. Except as required by applicable law, Streamline shall not independently respond to requests from students, parents, guardians, or other third parties seeking access to, correction of, deletion of, or information regarding Student Data. Streamline shall promptly forward such requests to the District and shall reasonably cooperate with the District in responding to such requests.

6. Appendix A: National and State-Specific Harmonization

To ensure a scalable procurement process across diverse statutory jurisdictions, Streamline maps its operational workflows to the following localized state rules, which are executed automatically based on the District’s operating address:

  • 6.1 California (SOPIPA): Streamline complies with the Student Online Personal Information Protection Act (California Business and Professions Code § 22584), ensuring zero commercial monetization of student profiles.

  • 6.2 New York (Education Law 2-d): Streamline implements data security controls aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ensuring protection of student, teacher, and principal data.

  • 6.3 Texas (Texas Education Code § 32.151): Streamline ensures that all data privacy controls meet standard data security criteria established for vendor cloud computing platforms interacting with public school networks.

  • 6.4 Ohio (ORC 3319.321 Addendum): Streamline explicitly agrees that all records received from an Ohio public or community school remain under the direct control of the school board. Streamline shall assist the District in ensuring parents can review and correct errors in their child's records by providing administrative dashboard tools to edit, adjust, or delete erroneous records within the platform.

  • 6.5 Illinois (SOPPA — Student Online Personal Information Protection Act, 105 ILCS 85): Streamline shall not use Student Data for any purpose other than providing the Services, shall not sell Student Data, shall not engage in targeted advertising using Student Data, and shall maintain a written information security program consistent with industry standards.

  • 6.6 Virginia (Virginia Consumer Data Protection Act and VDOE Student Data Requirements): Streamline shall process Student Data solely as a data processor acting on behalf of and under the instructions of the District, and shall comply with applicable data subject rights obligations as directed by the District.

  • 6.7 Florida (Florida Student Data Privacy Act, § 1002.222, F.S.): Streamline shall not use Student Data for any purposes beyond those authorized in this DPA, shall not build a profile of a student for non-educational purposes, and shall implement and maintain a data security plan consistent with state requirements.

  • 6.8 Student Data Sale and Advertising Restrictions. Streamline shall not sell Student Data, rent Student Data, engage in targeted advertising using Student Data, create advertising profiles based upon Student Data, or disclose Student Data except as necessary to provide the Services or as required by applicable law.

7. Limitation of Liability and Miscellaneous

  • 7.1 Integration of Caps. NOTWITHSTANDING ANY PROVISION TO THE CONTRARY CONTAINED IN THIS DPA, ANY MANDATED STATE ADDENDUM, OR ANY APPLICABLE PROCUREMENT DOCUMENT, STREAMLINE’S TOTAL AGGREGATE FINANCIAL LIABILITY FOR ALL CLAIMS, LOSSES, SECURITY INCIDENTS, STATUTORY VIOLATIONS, DATA BREACHES, OR INDEMNIFICATION OBLIGATIONS ARISING OUT OF OR RELATED TO THIS DPA SHALL BE STRICTLY GOVERNED BY AND LIMITED TO THE LIABILITY CAPS ESTABLISHED IN SECTION 14 OF THE MASTER SAAS AGREEMENT.

  • 7.2 Third-Party Beneficiaries. This DPA is entered into strictly for the benefit of the contracting parties. Nothing expressed or implied herein shall be construed to establish or grant any private right of action, legal remedy, or cause of action to any third party, including individual students, parents, guardians, teachers, or union administrators.

  • 7.3 Severability. If any provision of this DPA is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to achieve compliance with Applicable Privacy Laws.

  • 7.4 Survival. The obligations relating to Student Data, confidentiality, information security, Security Incident notification, data retention, data destruction, and artificial intelligence restrictions shall survive termination or expiration of this DPA for so long as Streamline retains Student Data.

  • 7.5 Cybersecurity Super-Cap. Notwithstanding Section 7.1 of this DPA and Section 14.2 of the Master SaaS Agreement, Better Speech LLC's aggregate liability for direct, documented out-of-pocket costs resulting from a verified Security Incident caused by Better Speech LLC's ordinary negligence in failing to meet its obligations under Sections 4 and 5 of this DPA shall be subject to a separate, dedicated "Cybersecurity Super-Cap." This Super-Cap shall be limited to an amount equal to two times (2x) the total annual fees paid or payable by the District to Better Speech LLC under the applicable Order Form in the twelve (12) months preceding the Security Incident. In no event shall this Super-Cap expand Better Speech LLC's liability to include indirect, incidental, special, or consequential damages, including but not limited to loss of administrative productivity, district reputational harm, or regulatory penalties imposed on the District by third-party authorities. This Super-Cap constitutes the District's sole and exclusive financial remedy for data-security or privacy-related claims arising from ordinary negligence. This Super-Cap replaces and supersedes the liability cap in Section 14.2 of the Master SaaS Agreement solely for claims falling within its scope; Section 14.2 continues to govern all other claims

Streamline logo-png_edited.png
  • Linkedin
  • YouTube

Copyright © 2025 Streamline | All Rights Reserved | Legal 

bottom of page
Retell Chat Widget