1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Kyber Systems LLC ("Processor" or "Company"), a New York limited liability company operating the KyberGate platform; and
- The subscribing School District ("Controller" or "Customer"), the educational institution or local education agency that has entered into a subscription agreement for the KyberGate Service.
This DPA supplements and is incorporated into the Terms of Service between the parties.
2. Definitions
- "Student Data" means any data, whether personally identifiable or otherwise, that is collected, generated, or maintained in connection with the use of the Service by students or on behalf of students.
- "Education Records" means those records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution, as defined under FERPA (20 U.S.C. § 1232g).
- "Personal Information" or "Personally Identifiable Information (PII)" means information that can be used to distinguish or trace an individual student's identity, either directly or indirectly.
- "Processing" means any operation or set of operations performed on Student Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Sub-Processor" means any third party engaged by Processor to process Student Data on behalf of Controller.
- "Service" means the KyberGate platform, including KyberFilter and KyberPulse, and all associated products, features, and support.
3. Purpose of Processing
Processor shall process Student Data solely for the purpose of providing web filtering, student safety monitoring, classroom management, and related educational technology services as described in the Terms of Service. Processor shall not process Student Data for any purpose other than as instructed by Controller or as required by applicable law.
Processor shall not use Student Data for advertising, marketing, or building commercial profiles of students. Processor shall not sell Student Data to any third party.
4. Categories of Data Processed
The following categories of Student Data may be processed in connection with the Service:
| Category | Description |
|---|---|
| Browsing Activity | URLs, domain names, timestamps, content categories, filtering actions (allowed/blocked) |
| Device Identifiers | Device type, operating system, UDID, IP address, network information |
| User Identifiers | Student name, email, grade, school assignment (as provided by Controller via SIS integration or manual entry) |
| Safety Alerts | Flagged search queries and browsing patterns matching safety keywords (self-harm, cyberbullying, violence, substance abuse) |
| Screenshots | Temporary screen captures for classroom management (auto-deleted after 24 hours) |
5. Processor Obligations
Processor agrees to the following obligations:
- Documented Instructions: Processor shall process Student Data only on documented instructions from Controller, unless required by applicable law. If Processor is required by law to process data beyond Controller's instructions, Processor shall notify Controller before doing so (unless prohibited by law).
- Confidentiality: Processor shall ensure that all persons authorized to process Student Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Security Measures: Processor shall implement appropriate technical and organizational security measures to protect Student Data, as described in Section 6 of this DPA.
- Sub-Processors: Processor shall not engage any sub-processor to process Student Data without prior written authorization from Controller. A list of currently authorized sub-processors is provided in Section 9. Processor shall notify Controller of any intended changes to the list of sub-processors, giving Controller the opportunity to object.
- Data Subject Rights: Processor shall assist Controller in responding to requests from parents, students, or regulatory authorities to exercise their rights with respect to Student Data (including access, correction, and deletion requests).
- Deletion or Return: Upon termination of the Service agreement, Processor shall, at Controller's election, return all Student Data to Controller in a standard, machine-readable format or securely delete all Student Data within 30 days. Processor shall certify deletion in writing upon request.
- Compliance Demonstration: Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections as described in Section 11.
6. Security Measures
Processor implements the following technical and organizational measures to protect Student Data:
- Encryption in Transit: TLS 1.3 for all data transmitted between devices, clients, and servers.
- Encryption at Rest: AES-256 encryption for all stored data (Google Cloud default).
- Access Controls: Firebase IAM with principle of least privilege. Role-based access control for all administrative functions.
- Authentication: All API endpoints require authentication. Multi-factor authentication available for administrator accounts.
- Audit Logging: Comprehensive logging of all data access events, including user identity, timestamp, and action performed.
- Infrastructure Security: Hosted on Google Cloud Platform with SOC 2 Type II certified data centers. Regular vulnerability scanning and security reviews.
- Personnel Security: Background checks and confidentiality agreements for all personnel with access to Student Data.
7. Data Breach Notification
In the event of a confirmed data breach affecting Student Data, Processor shall:
- Notify Controller within 72 hours of becoming aware of the breach.
- Provide a description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- Describe the likely consequences of the breach.
- Describe the measures taken or proposed to address the breach, including mitigation of potential adverse effects.
- Designate a contact point for ongoing communication regarding the breach.
- Cooperate with Controller's incident response procedures and support any required notifications to affected individuals, parents, or regulatory authorities.
8. Data Retention
Processor shall retain Student Data in accordance with Controller's configured retention policy. Default retention periods are:
- Browsing Logs: 90 days (configurable by Controller from 30 to 365 days).
- Safety Alerts: School year plus 60 days.
- Screenshots: 24 hours (auto-deleted).
- Account Data: Duration of the subscription.
Upon termination of the Service agreement, all Student Data shall be deleted within 30 days unless Controller requests a data export (see Section 5). Controller may request immediate deletion at any time during the term.
9. Authorized Sub-Processors
Controller authorizes Processor to engage the following sub-processors. Each sub-processor is bound by data processing obligations no less protective than those in this DPA:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Google Cloud Platform (Firebase) | Hosting, database, authentication, cloud functions | US data centers |
| Stripe | Payment processing | US |
| Resend | Transactional email delivery | US |
| DigitalOcean | Proxy server infrastructure | US regions |
| Vultr | Proxy server infrastructure | US, EU, Middle East regions |
No sub-processor has access to student browsing data content except as strictly necessary for infrastructure operations (e.g., network routing). Student data is encrypted in transit and at rest.
10. Data Location
All Student Data is stored and processed in the United States. Core infrastructure (database, authentication, cloud functions, dashboard) is hosted on Google Cloud Platform in US data centers.
Proxy servers for web filtering operate in US regions: New York City, Atlanta, Chicago, Dallas, San Francisco, and Los Angeles. For international schools, optional proxy regions are available in London and Tel Aviv. International proxy servers process traffic in transit only; all persistent Student Data remains stored in the United States.
11. Audit Rights
Controller may audit Processor's compliance with this DPA upon 30 days' prior written notice. Audits shall be conducted during normal business hours and no more than once per calendar year, unless a data breach or regulatory investigation necessitates an additional audit. Processor shall cooperate fully with any audit and provide access to relevant records, systems, and personnel. Controller shall bear its own costs of the audit.
12. FERPA Addendum
The parties agree to the following with respect to the Family Educational Rights and Privacy Act (FERPA):
- School Official Designation: Processor is designated as a "school official" with a "legitimate educational interest" under FERPA 34 CFR § 99.31(a)(1)(i)(B).
- Direct Control: Processor is under the direct control of Controller with respect to the use and maintenance of education records.
- Purpose Limitation: Processor uses personally identifiable information from education records only for the purpose for which the disclosure was made — specifically, to provide the web filtering, safety monitoring, and classroom management services described in the Terms of Service.
- Re-Disclosure: Processor shall not re-disclose education records or personally identifiable information to any third party except as authorized by Controller, required by this DPA, or compelled by law.
- COPPA Compliance: Processor does not collect personal information directly from students under 13. All student data is collected through the school's use of the Service, with the school acting as the agent of parental consent under COPPA.
13. Term and Termination
This DPA is coterminous with the Service subscription agreement between the parties. It shall remain in effect for as long as Processor processes Student Data on behalf of Controller. Obligations regarding data deletion, confidentiality, and breach notification shall survive termination.
14. Governing Law
This DPA shall be governed by the laws of the State of New York, consistent with the Terms of Service. Where state-specific student privacy laws impose additional requirements (e.g., Colorado HB 16-1423, New York Education Law §2-d), those requirements are incorporated by reference and shall be complied with.
15. Contact
For questions about this DPA, to request execution, or to report a data concern: