Signature-Ready Template
DrawSplat District Data Privacy Addendum
Use this template when a school or district wants written deployment documentation for browser-only, Google Apps Script, MySQL, standalone, SSO-enabled, hosted, or managed DrawSplat use. Legal teams may adapt it to local requirements.
1. Parties
| School/District/Organization | ____________________________________________ |
|---|---|
| DrawSplat Deployment Owner | ____________________________________________ |
| Effective Date | ____________________________________________ |
| Privacy/Security Contact | ____________________________________________ |
| Privacy/Security Email | privacy@example.org |
| Breach Notice Contact Method | ____________________________________________ |
2. Approved Educational Purpose
DrawSplat will be used only for the following school-authorized educational purpose:
______________________________________________________________________________
______________________________________________________________________________
3. Approved Deployment Configuration
| Storage Mode | Browser-only / Google Apps Script / MySQL / Standalone backend / Hosted or managed service |
|---|---|
| Hosting/Data Location | Country, region, cloud provider, district server, data center, and backup location when known: ____________________________________________ |
| SSO Enabled? | Yes / No. Provider: ____________________________________________ |
| Student Uploads Enabled? | Yes / No |
| Audio Recording Enabled? | Yes / No |
| Turn-ins Enabled? | Yes / No |
| Approved Age/Grade Bands | ____________________________________________ |
4. Data Use Commitments
- Student data will be used only for the school-authorized educational purpose.
- Student data will not be sold, leased, rented, or shared as defined by applicable state student privacy laws.
- Student data will not be used for targeted advertising, behavioral profiling, cross-context advertising, data mining except for authorized educational purposes, or AI model training.
- De-identified or aggregate data will not be re-identified or used to identify students.
5. Retention, Return, and Destruction
| Retention Schedule | ____________________________________________ |
|---|---|
| Temporary Session TTL | 24 hours / Other: _____________________________ |
| Deletion Process | ____________________________________________ |
| Return/Export Process | ____________________________________________ |
| Termination Destruction Timeline | Active systems within 30 calendar days unless otherwise required; backups no later than 90 calendar days when technically feasible. |
6. Security and Breach Notification
- Production deployments must use HTTPS and encrypted transport.
- Hosted, MySQL, and standalone deployments must use encryption at rest for databases, disks, object storage, and backups.
- Least-privilege access, MFA where available, secure backups, patching, and audit logging are required for backend/admin systems.
- Security review is required before student use and at least annually for hosted, MySQL, SSO-enabled, or managed deployments.
- Confirmed breaches involving student personal information must be reported through the breach notice contact method without unreasonable delay and no later than 72 hours after confirmation.
7. FERPA/COPPA and Student Personal Information
For this addendum, student personal information includes information that identifies, relates to, describes, or can reasonably be linked to a student or student household, including student names, account identifiers, student-created board content, uploaded media, audio recordings, submissions, comments, room participation data, and logs tied to a student.
When DrawSplat is used for the approved educational purpose, the deployment owner or service operator may be treated as a school official or authorized service provider under FERPA and similar student privacy laws, acting under the direct control of the school. For COPPA-covered students, the school or district may provide consent on behalf of parents when permitted by law and when DrawSplat is used solely for the approved educational purpose.
8. Subprocessors
Approved subprocessors and service providers:
| Provider | Purpose | Data Processed | Privacy/Security Documentation |
|---|---|---|---|
| Google Apps Script/Drive/Sheets | Optional storage | Board data, templates, turn-ins | ________________________________ |
| PayPal | Optional payments | Payment metadata outside DrawSplat student workspace | ________________________________ |
| Hosting Provider | Optional hosting | Deployment files, logs, backend data where enabled | ________________________________ |
| SSO Provider | Optional authentication | Login identifiers and roles | ________________________________ |
Material new subprocessors for student-data processing require at least 30 calendar days’ notice when feasible and a reasonable opportunity to object, disable the affected integration, or terminate the affected hosted service.
9. Signatures
| School/District Authorized Signature | ____________________________________________ |
|---|---|
| Name and Title | ____________________________________________ |
| Date | ____________________________________________ |
| Deployment Owner / DrawSplat Representative | ____________________________________________ |
| Name and Title | ____________________________________________ |
| Date | ____________________________________________ |