DrawSplatTM Open Whiteboard

For District Reviewers

DrawSplatTM NDPA / DPA Review Packet

Everything a K–12 district reviewer typically asks for in one place. The Student Data Privacy Consortium’s National Data Privacy Agreement (NDPA) is a standardized contracting framework whose standard clauses are not meant to be redlined — changes belong in exhibits. This page is the exhibit packet: product description, data elements by deployment mode, data flow, subprocessor list, security controls, breach SOP, retention, parent workflow, accessibility, and the FERPA / COPPA / SCOPE / CIPA crosswalks.

1. Product description & approved educational purpose

DrawSplatTM is a self-contained interactive whiteboard for K–16 classrooms. It runs as a static web app and can optionally save boards, templates, collaboration rooms, and student turn-ins to a Google Apps Script + Sheets backend the district controls, or to a self-hosted Node + MySQL backend the district runs on its own infrastructure.

Approved educational purpose: classroom drawing, notes, diagrams, charts, sticky notes, audio notes, collaboration, turn-in workflows, and supporting classroom activities. DrawSplatTM is not used for advertising, behavioural profiling, or AI training. Full feature list.

2. Three deployment modes and what each collects

ModeWhere data livesStudent identifiers collected
Browser-only The visitor’s browser. Optional local .drawsplat.json file the user explicitly saves. None. No account, no upload, no server-side storage.
Google Apps Script (supported production) The teacher or district’s own Google Workspace tenant — Drive folders and a Sheet that the script creates inside the operator’s account. What a teacher chooses to enter: student name on a turn-in, class section name, age band the admin assigns. No password storage, no biometric data, no precise location, no advertising identifiers.
Self-hosted MySQL (district pilot) A MySQL database running on the district’s own infrastructure, fronted by a Node + Express API the district hosts. Same as the Apps Script row. Email + scrypt+pepper hashed password if the district opts into local email/password accounts. OAuth subjects if Google or Microsoft SSO is enabled. Optional Clever roster sync if the district connects it.

3. Data flow diagram

Browser-only mode:
  [Student browser] <-- everything stays here. No external requests by default.

Google Apps Script mode:
  [Student / teacher browser]
      |
      |  HTTPS POST/GET, only when the teacher has configured a script URL
      v
  [script.google.com /macros/s/.../exec]  (the district's own Apps Script project)
      |
      v
  [Google Sheet]  (Boards / Rooms / TurnIns / Audit / ParentRequests / Users etc.)
      and
  [Google Drive]  (per-board JSON + PNG files in the district's Drive)

Self-hosted MySQL mode:
  [Student / teacher browser]
      |
      |  HTTPS to the district's own domain
      v
  [district.example.org/api/drawsplat/mysql]  (Node + Express in the district's infra)
      |
      v
  [MySQL]  (users, sessions, boards, audit_events, parent_requests, time_usage, ...)

4. Subprocessors

DrawSplatTM as a product has no required subprocessors. Subprocessors only enter the picture when a district opts into a feature that needs them, and the relationship is between the district and that subprocessor — not between the vendor and that subprocessor:

SubprocessorUsed whenData exposedWhose contract
Google Workspace (Drive, Sheets, Apps Script)District chooses the Google Apps Script storage modeBoard JSON, sheet rows, audit log — lives in the district’s own Workspace tenantDistrict’s existing Google Workspace agreement
Google Identity ServicesDistrict enables Google sign-in on the Community Board or self-hosted backendGoogle ID token verification (email, sub, display name)District’s existing Google identity agreement
Microsoft Identity (MSAL)District enables Microsoft sign-inMicrosoft Graph /me token verification (email, oid, display name)District’s existing Microsoft tenant agreement
Clever / ClassLinkDistrict wires the self-hosted backend’s Clever connectorRoster pull (teacher / student / section) under the district’s own SIS agreementDistrict’s existing Clever / ClassLink contract
Static-host CDN (Cloudflare Pages by default; can be any static host)Always — the static site has to live somewhereStandard HTTP request metadata (IP, UA, URL) at the edgeWhoever the district / operator picks

5. Security controls matrix

ControlImplementationWhere to verify
Transport encryptionHTTPS required for all production deployments. referrer meta set to no-referrer.Inline <meta> tags on every public page
Content Security Policydefault-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' [+ optional backend host]; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'Inline CSP meta on every page
AuthenticationEmail + scrypt-with-pepper passwords (self-hosted backend), or Google / Microsoft OAuth with HMAC-bearer sessions. Apps Script Web App uses Google’s own auth.server/mysql-backend/oauth-routes.js and compliance-routes.js
Authorization (RBAC)Five-role tree: district admin, campus admin, teacher, student, parent. Enforced via requireRoles / requirePermission middleware on every protected endpoint (self-hosted backend); admin-passcode gate on the Apps Script endpoints.server/mysql-backend/rbac.js and apps-script/Code.gs requireAdmin_
Server-side safety scanText keyword filter + link allowlist run on every board save and turn-in. Hits write a TEXT_FILTER_HIT audit row and (by default) reject the save.safety.js / scanBoardForSafety_
Board / room freezeFrozen flag on rooms / boards blocks all writes (HTTP 423 on the self-hosted backend; rejected save in Apps Script).freezeBoard_ / compliance-routes.js
Audit logAppend-only sheet tab (Apps Script) or audit_events table (MySQL). Includes actor, role, action, entity, before/after, timestamp.Activity Records in Teacher Admin
RetentionConfigurable archive / delete / audit-keep windows. Scheduled trigger (Apps Script) or in-process cron (Node) prunes data and writes a RETENTION_ACTION audit row.runRetentionCleanup_ / cron-jobs.js
Data exportPer-student ZIP of every board + turn-in + the user row (no hashed credentials). Logs DATA_EXPORT.exportStudentData_
Data deletionAdmin button trashes Drive files and removes rows. Logs DATA_DELETED.deleteStudentData_
Image upload approval queueShipped. Student image uploads land in ImageQueue with status pending and stay hidden on the student board until a teacher approves them in the Compliance Console. Reject trashes the Drive file and replaces the student board image with a rejection placeholder. Both decisions log IMAGE_APPROVED / IMAGE_REJECTED events.apps-script/Code.gs uploadImage_ / setImageStatus_; admin/admin.html Image Approval Queue section

6. Breach notification SOP

  1. Discovery. A teacher, admin, parent, or external researcher reports a suspected breach via Contact / Information Request or the audit log surfaces an anomaly.
  2. Triage within 24 hours. Operator confirms scope: which deployment mode, which records, which audit trail rows are affected.
  3. Contain. Freeze affected boards / rooms (server-enforced write block). Revoke active sessions on the self-hosted backend. Disable affected Apps Script deployment if necessary.
  4. Notify within 72 hours. Operator notifies the named district Privacy / Security Contact from the District Data Privacy Addendum using the breach notice contact method declared there. Notice includes: what happened, what data was involved, what containment was done, what the district should do next.
  5. Investigate & remediate. Operator investigates root cause, patches, re-tests. The Activity Records audit log is preserved for the investigation.
  6. Post-incident report. Written summary delivered within 30 days, including timeline, scope, remediation, and any changes to security controls.

7. Retention schedule

ModeBoards archiveBoards deleteAudit logParent requests
Browser-onlyn/a — user-managed filesn/an/an/a
Apps ScriptDefault 90 days — configurable in Compliance ConsoleDefault 365 days — configurableDefault 365 days — configurableDefault 3 years — configurable
Self-hosted MySQLSame defaults; cron in server/mysql-backend/cron-jobs.jsSameSameSame

All retention windows are district-configurable from Teacher Admin → Compliance Console → Retention. Every cleanup writes a RETENTION_ACTION audit row with counts.

8. Parent / student request workflow

  1. Parent visits Family Access Tools and submits a request (view, export, correct, delete, pause, safety report, privacy question).
  2. Request lands in the ParentRequests sheet tab / DB table as pending_verification.
  3. Compliance admin gets an email notification (Apps Script MailApp.sendEmail) and reviews the request in Teacher Admin.
  4. Identity verified via teacher-issued one-time 8-character code (SHA-256 hashed, 14-day expiry, single-use).
  5. Verified request transitions to verified, then approved / denied / completed by an admin click.
  6. Export: one-click ZIP of the student’s boards + turn-ins + user row (no hashed credentials), emailed as a 15-minute download link.
  7. Delete: admin button trashes Drive files, removes rows, logs DATA_DELETED.
  8. Acknowledged within 10 school days; completed within 30 calendar days when feasible.

9. FERPA / COPPA / SCOPE / CIPA crosswalks

FERPA school-official crosswalk

When DrawSplatTM is engaged as a service provider, the district designates the vendor as a school official under FERPA’s school-official exception. Conditions:

COPPA school-consent notice (for under-13 users)

Under COPPA the district may provide consent on behalf of parents when the service is for an educational purpose and the district retains direct control. The district’s notice to parents typically says, in plain language:

Our school uses DrawSplatTM, a free interactive whiteboard for classroom drawing, notes, and collaboration. The school controls all storage and access. DrawSplatTM does not show ads, does not sell student data, does not use student work to train AI, and does not require student accounts in browser-only use. If you would like to view, correct, export, or delete your child’s data, use Family Access Tools at /parents/ on the school’s DrawSplatTM site.

Texas SCOPE / TEC 32.151+

See legal/texas-compliance.html for the plain-language explainer.

CIPA

CIPA is a school / library E-rate internet-safety and filtering obligation, not a vendor privacy law. DrawSplatTM supports CIPA via link allowlists, board freeze, text filtering, the moderation + image-approval queues, and the audit log, but does not replace the district’s network-level filter or its internet safety policy. Full statement: CIPA support statement.

10. District contracting documents

11. Recommended production posture

For classroom production use today, the supported path is Google Apps Script + Sheets + Drive in the district’s own Google Workspace tenant. The MySQL self-hosted path is feature-complete in code but has not yet been exercised against a live database in production. Districts that want to pilot the MySQL path should run a technical review (integration test against a non-production database, single-instance only, manual cron monitoring) before student production use. See server/mysql-backend/README.md for the production checklist.

12. Evidence gallery (district reviewer)

These are the screens a district reviewer typically needs to see — the live Compliance Console, the Family Access Tools queue, the District Privacy Packet download, and the audit log. The CAPTURE.md checklist in the repo describes exactly where to find each one and what state to put the app in before capturing. Operators are expected to drop in their own deployment’s screenshots before sharing this page with a district reviewer, since each capture should reflect the district’s own configuration.

Compliance Console overview — capture from Teacher Admin → Compliance Console with every <details> closed except the header.
1. Compliance Console — overview. Demonstrates that every safeguard is one page, expandable per district reviewer interest.
Image Approval Queue — capture the queue with two pending images, the thumbnail visible, the Approve / Reject buttons visible.
2. Image Approval Queue (Days 1.3 / 1.4). Demonstrates the moderation step between student upload and student-visible image.
Family Access Tools request queue — capture one verified request with the Approve / Decline / Note controls visible.
3. Family Access Tools queue. Demonstrates the parent-request workflow end-to-end.
Activity Records (audit log) — capture filtered to the last seven days, showing at least one row each of BOARD_FREEZE, TEXT_FILTER_HIT, IMAGE_APPROVED, PARENT_REQUEST_CREATED, DATA_EXPORT.
4. Activity Records / audit log. Demonstrates that every compliance-relevant action leaves an immutable trail.
District Privacy Packet download — capture the “Download District Privacy Packet” button with the resulting toast showing the zip size and audit-row count.
5. District Privacy Packet. Demonstrates the one-click ZIP that bundles the compliance config + last 90 days of audit + parent-request log.
Per-student Export / Delete — capture the user row in Student Age Band Lock with the Export Data and Delete Data buttons visible.
6. Data export and deletion. Demonstrates FERPA-style inspect / correct / delete rights.

Operator note: replace each .evidence-placeholder div with an <img src="evidence/capture-key.png"> once you’ve captured the screen. The data-capture attribute matches the filename in docs/CAPTURE.md.

Working with us

This packet plus the District Data Privacy Addendum is the contracting surface. If your district’s review process needs a specific format, screenshot evidence, or a custom exhibit, send the request through the Contact / Information Request form and we’ll respond within five business days.