Data Processing Addendum

Last Updated: July 14, 2026

This Data Processing Addendum (“DPA”) is entered into by and between LearningClues, Inc. (“LearningClues”) and the institution or organization identified as “Customer” in the applicable Order Form or Agreement (“Customer”), and is incorporated into and forms part of the Terms of Service or other written agreement between LearningClues and Customer governing Customer’s use of the Services (the “Agreement”). Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. If Customer and LearningClues have separately executed a signed copy of this DPA, that signed copy governs the parties’ relationship in place of the version then posted at learningclues.com/dpa.

LearningClues is committed to protecting the confidentiality, integrity, and availability of the data it processes on behalf of Customer, including personally identifiable information from education records protected by the Family Educational Rights and Privacy Act. This DPA sets out the terms on which LearningClues will process Customer Data in connection with the Services.

This Agreement is divided into the following sections:

  1. Definitions

  2. Roles of the Parties; FERPA School Official Designation

  3. Scope and Purpose of Processing

  4. Confidentiality and Data Security

  5. Security Incident Notification and Response

  6. Artificial Intelligence, Machine Learning, and De-Identified Data

  7. Subprocessors and Offshoring

  8. Assistance with Data Subject and FERPA Rights Requests

  9. Return or Destruction of Customer Data

  10. Audits and Security Documentation

  11. Insurance

  12. Liability

  13. Term and Termination

  14. General

  1. Definitions

Applicable Law” has the meaning given in the Agreement, and includes the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99) (“FERPA”) and other applicable data protection, privacy, and education-records laws.

Customer Data” has the meaning given in the Agreement, and includes any Education Records within its scope.

“Education Records” means personally identifiable information from education records, as that term is defined under FERPA, that LearningClues receives, accesses, or processes in connection with the Services.

“Security Incident” means the unauthorized acquisition, access, use, or disclosure of Customer Data that compromises the security, confidentiality, or integrity of Customer Data.

“Subprocessor” means any third party engaged by LearningClues to process Customer Data in connection with providing the Services, including any Offshore Provider.

“Offshore Provider” means a Subprocessor that is located, or whose personnel are located, outside the United States, or that will process Customer Data from a location outside the United States.

“Sensitive Data” means any Customer Data that Customer has classified as confidential, restricted, or similarly sensitive, or that would reasonably be understood under the circumstances to be confidential or sensitive, including Education Records.

  1. Roles of the Parties; FERPA School Official Designation

2.1 Relationship of the Parties. As between LearningClues and Customer, Customer Data remains the property of Customer. LearningClues processes Customer Data solely as a service provider and processor acting on Customer’s behalf and under Customer’s direction, and not as an independent controller or owner of Customer Data, except as otherwise required by Applicable Law.

2.2 FERPA School Official Designation. To the extent LearningClues receives, accesses, or processes Education Records in connection with the Services, Customer designates LearningClues as a “school official” with a “legitimate educational interest” in such Education Records, within the meaning of FERPA and 34 C.F.R. § 99.31(a)(1)(i)(B), and this DPA constitutes the written agreement required by that regulation. With respect to Education Records, LearningClues agrees that it will:

  • use Education Records solely to provide, maintain, and improve the Services on behalf of Customer, and for no other purpose, except as expressly permitted under Section 6 (Artificial Intelligence, Machine Learning, and De-Identified Data);

  • not disclose, sell, rent, or share Education Records with any third party except as directed or authorized by Customer, as necessary to provide the Services (including to Subprocessors under Section 7), or as required by Applicable Law;

  • maintain Education Records under the direct control of Customer with respect to their use, retention, and destruction, consistent with this DPA and the Agreement; and

  • comply with the other requirements of this DPA, including Section 4 (Confidentiality and Data Security) and Section 5 (Security Incident Notification).

Because LearningClues acts as a service provider to Customer with respect to Education Records, students, parents, and eligible individuals seeking to exercise rights under FERPA should direct those requests to Customer, which remains the record custodian; LearningClues will cooperate with Customer as described in Section 8.

  1. Scope and Purpose of Processing

LearningClues processes Customer Data solely to provide, support, and improve the Services described in the Agreement — namely, indexing course materials and recordings, generating adaptive learning activities and instructional feedback, and providing related analytics and dashboards to students, instructors, and administrators — for the duration of the Agreement. The categories of data subjects whose Customer Data LearningClues may process include Customer’s students, instructors, and administrative staff, and the categories of Customer Data may include enrollment and role information, course materials and recordings, coursework and assessment data, and related usage and performance data, as further described in the Privacy Policy.

  1. Confidentiality and Data Security

4.1 Duty to Protect Customer Data. LearningClues shall not, directly or indirectly, access, use, disclose, copy, distribute, store, republish, or allow any third party to have access to Customer Data, except as permitted by the Agreement or this DPA or as pre-approved by Customer in writing. LearningClues represents, warrants, and covenants that it complies with Applicable Law relating to the use, disclosure, storage, handling, and transmission of Customer Data.

4.2 Security Program. LearningClues maintains a documented information security program designed to protect and safeguard Customer Data (the “Security Program”), including administrative, technical, and physical safeguards that reflect commercially reasonable industry practices. Upon Customer’s reasonable written request, no more than once annually (or following a Security Incident), LearningClues will make available documentation regarding its Security Program consistent with Section 10 (Audits and Security Documentation).

4.3 Compliance with Data Protection Laws. LearningClues acknowledges that Customer Data may include personal information covered by FERPA and other federal, state, local, and international data protection laws, and shall ensure that its storage, handling, and transmission of Customer Data complies with such laws.

  1. Security Incident Notification and Response

5.1 Notification. If LearningClues believes or has knowledge that a Security Incident has occurred, LearningClues shall notify Customer in writing without undue delay and in any event within twenty-four (24) hours of discovery, using the security contact designated in the applicable Order Form (or, if none is designated, Customer’s primary institutional contact on file with LearningClues).

5.2 Cooperation. In the event of a Security Incident, LearningClues will fully comply with Applicable Law and will fully cooperate with Customer in fulfilling both parties’ legal obligations, including by providing Customer with information reasonably requested with respect to the Security Incident.

5.3 Cost Reimbursement. Subject to, and without expanding, the limitation of liability set forth in the Agreement, if a Security Incident results from LearningClues’ breach of this DPA, LearningClues will reimburse Customer for reasonable, documented costs directly arising from such Security Incident, including reasonable costs of notifications required by Applicable Law.

  1. Artificial Intelligence, Machine Learning, and De-Identified Data

6.1 No Training on Customer Data. LearningClues does not use Customer Data, including Education Records, to train, fine-tune, or otherwise improve any underlying artificial intelligence or machine learning model — whether LearningClues’ own model or those of its Subprocessors — and does not permit its Subprocessors to do so, except with Customer’s separate, express prior written consent. This commitment is consistent with, and does not limit, the AI-related provisions of the Agreement and the Privacy Policy.

6.2 Aggregated and De-Identified Data. Unless Customer separately agrees otherwise in writing, LearningClues may create and use aggregated or de-identified data derived from Customer Data solely for LearningClues’ internal purposes of operating, supporting, monitoring, and improving the Services, provided such data cannot reasonably be used to identify any individual or Customer. LearningClues will not sell, license, market, or otherwise make available such aggregated or de-identified data to any third party for monetary or other valuable consideration.

6.3 Third-Party AI Subprocessors. Where the Services rely on a Subprocessor’s AI or machine learning infrastructure, LearningClues requires that Subprocessor, by contract, not to use Customer Data to train its own models and to maintain confidentiality and security protections consistent with LearningClues’ obligations under this DPA.

  1. Subprocessors and Offshoring

7.1 Authorized Subprocessors. Customer consents to LearningClues’ engagement of the Subprocessors listed in Exhibit A to process Customer Data in connection with the Services. LearningClues remains responsible for its Subprocessors’ compliance with confidentiality and security obligations materially consistent with this DPA.

7.2 New Subprocessors. LearningClues will provide Customer with written notice (which may be by updating Exhibit A or a corresponding subprocessor list and notifying Customer) of any new Subprocessor within ten (10) business days after engaging that Subprocessor. If Customer has a reasonable data-protection objection to a new Subprocessor, the parties will work in good faith to address it.

7.3 Offshoring. Current Subprocessors and their locations, including any Offshore Providers, are listed in Exhibit A. LearningClues will update Exhibit A, or otherwise provide the Offshoring notice described in Section 7.2, upon engaging any new Offshore Provider.

  1. Assistance with Data Subject and FERPA Rights Requests

Individuals seeking to exercise rights with respect to their Education Records or other Customer Data (including FERPA rights to inspect, review, or request correction of Education Records) should direct those requests to Customer. If LearningClues directly receives such a request, LearningClues will promptly notify Customer and, at Customer’s direction, provide reasonable assistance to help Customer respond, consistent with Applicable Law.

  1. Return or Destruction of Customer Data

At any time during the Term and upon Customer’s written request, or upon termination or expiration of the Agreement, LearningClues shall, within ten (10) business days, return all originals and copies of Customer Data, whether in printed or electronic form, including backups and archived data. In lieu of return, and only with Customer’s written consent, LearningClues will instead promptly destroy all originals and copies of Customer Data, including backups and archived data, consistent with industry standards. This Section 9 does not require LearningClues to alter its standard backup-rotation schedule, provided that any retained backup copies remain subject to this DPA until deleted in the ordinary course.

  1. Audits and Security Documentation

No more than once annually, or following a Security Incident, upon Customer’s reasonable written request, LearningClues will provide Customer with LearningClues’ then-current SOC 2 report (or successor or equivalent third-party audit report) and/or complete a reasonable written security questionnaire. Where that documentation does not reasonably address Customer’s request, the parties will discuss in good faith whether a further review — such as a mutually scheduled remote or on-site security assessment, at Customer’s expense and subject to reasonable confidentiality protections — is appropriate; any such assessment will not include access to other customers’ data or Customer Data belonging to individuals outside the scope of the request. LearningClues will make reasonable, diligent efforts to remediate security deficiencies identified through any such review.

  1. Insurance

LearningClues will obtain and maintain, at its own expense, cyber liability insurance providing coverage for first- and third-party losses arising from media content, security and privacy liability, cyber extortion, and event management, with minimum limits of $1,000,000 per event and $2,000,000 in the aggregate, issued by an insurer rated A- or better by A.M. Best (or an equivalent rating agency). LearningClues will provide Customer with a certificate of insurance evidencing this coverage upon request.

  1. Liability

This DPA does not expand, and remains subject to, the limitation of liability and disclaimers set forth in the Agreement, except to the extent the parties expressly agree otherwise in an applicable Order Form. Nothing in this Section 12 limits either party’s liability for its own willful misconduct.

  1. Term and Termination

This DPA takes effect as of the Effective Date of the Agreement and remains in effect for as long as LearningClues processes Customer Data on Customer’s behalf. This DPA terminates automatically upon expiration or termination of the Agreement, subject to Section 9 (Return or Destruction of Customer Data) and any other provisions that by their nature should survive termination.

This DPA takes effect as of the Effective Date of the Agreement and remains in effect for as long as LearningClues processes Customer Data on Customer’s behalf. This DPA terminates automatically upon expiration or termination of the Agreement, subject to Section 9 (Return or Destruction of Customer Data) and any other provisions that by their nature should survive termination.

  1. General

14.1 Relationship to the Agreement. This DPA supplements, and is incorporated into, the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Customer Data, this DPA controls, except that nothing in this DPA is intended to be less protective of Customer Data than the Agreement.

14.2 Governing Law. This DPA is governed by the same governing law, venue, and dispute-resolution provisions as the Agreement.

14.3 Amendment. LearningClues may update the standard, incorporated-by-reference version of this DPA from time to time to reflect changes in Applicable Law or LearningClues’ practices, provided no such update will materially diminish the protections provided to Customer Data without Customer’s consent to the extent required by Applicable Law. A separately executed DPA may be amended only in writing signed by both parties.

14.4 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding the processing of Customer Data and supersedes any prior or contemporaneous agreements on that subject.

Exhibit A

As of the date of this DPA, LearningClues engages the following Subprocessors to provide the Services. LearningClues does not currently engage any Offshore Provider (i.e., all Subprocessors listed below process Customer Data from within the United States).

Subprocessor

Purpose

Location

United States

Amazon Web Services (AWS)

Cloud hosting infrastructure — compute, storage, and networking for the production environment

Generative AI models powering adaptive learning recommendations and instructional feedback features

Infrastructure supporting content integrations

Microsoft Azure OpenAI Service

Google Cloud Platform (GCP)

United States

United States

This Exhibit A will be updated consistent with Section 7.2 if LearningClues engages a new Subprocessor or Offshore Provider.

LearningClues Logo

Secure, AI-Powered Support for Students & Faculty

ideas@learningclues.com

© 2026 • LearningClues, Inc.

All rights reserved.

LearningClues Logo

Secure, AI-Powered Support for Students & Faculty

ideas@learningclues.com

© 2026 • LearningClues, Inc.

All rights reserved.

LearningClues Logo

Secure, AI-Powered Support for Students & Faculty

ideas@learningclues.com

© 2026 • LearningClues, Inc.

All rights reserved.