School Legal Documents

Complete legal compliance package for schools using Chabad Chinuch

Master Service Agreement (MSA)

Between: School / District ("School")
And: Chinuch App LLC, DBA Chabad Chinuch ("Company")
Website: https://chabadchinuch.com
Last Updated: November 30, 2025

MASTER SERVICE AGREEMENT

This Master Service Agreement ("Agreement") is entered into between the educational institution ("School") and Chinuch App LLC, DBA Chabad Chinuch ("Company"). This Agreement governs the School's access to and use of the Chabad Chinuch educational software platform ("Platform").

Both parties agree to the following:

1. Services Provided

The Company will provide the School access to the Chabad Chinuch platform and its educational tools, including:

  • Attendance tracking
  • Behavior incident logs
  • Bus and transportation check-in/check-out
  • Assessments, standards, and skills tracking
  • Gradebook and report cards
  • Parent and teacher communication
  • Student profiles
  • Staff and user management
  • Multi-school administration (if applicable)

The Company may update or improve features periodically.

2. Term of Agreement

The Agreement begins on the Effective Date (when signed or when the School first uses the Platform) and continues for one year, renewing automatically unless either party gives written notice.

Either party may terminate with 30 days' written notice.

3. Fees & Payment Terms

Fees are determined by:

  • School enrollment
  • Feature tier
  • Annual or multi-year pricing
  • Custom development (if applicable)

Payment terms:

  • Invoices are due within 30 days
  • Late payments may result in suspended access
  • Fees are non-refundable unless otherwise stated

4. School Responsibilities

The School agrees to:

  • Provide accurate data
  • Manage user permissions and accounts
  • Obtain all required parental or guardian consents
  • Ensure students and staff follow acceptable use standards
  • Notify the Company of unauthorized access or issues
  • Comply with all applicable laws (e.g., FERPA, COPPA, PPRA)

The School is solely responsible for the accuracy of all student records uploaded.

5. Company Responsibilities

The Company agrees to:

  • Provide ongoing access to the Platform
  • Maintain secure infrastructure
  • Comply with FERPA, COPPA, and state privacy laws
  • Provide support for School staff
  • Maintain backups and system availability
  • Notify the School of any data breach
  • Only process Student Data as instructed by the School

6. Data Privacy & Compliance

6.1 FERPA Compliance
The Company is designated as a School Official with a legitimate educational interest under FERPA. Student Data remains solely owned and controlled by the School.

6.2 COPPA Compliance
For users under 13, the School provides consent to use the Platform on behalf of parents, exclusively for educational purposes.

6.3 State Student Privacy Laws
The Company complies with all relevant state laws including CA SOPIPA, NY Ed Law 2-d, CO SB 16-173, Texas Student Privacy Laws, and others.

6.4 Data Processing Agreement Incorporated
The Data Processing Agreement (DPA) is fully incorporated into this Agreement.

7. Security

The Company will maintain industry-standard safeguards, including encryption in transit and at rest, secure authentication, password hashing, role-based access, audit logs, network security filters, regular backups, and system monitoring. A full Security Policy is attached or available upon request.

8. Support & Maintenance

The Company will provide email support, reasonable response times, bug fixes and patching, feature updates, and performance monitoring. Support is available to School administrators and authorized staff.

9. Data Access, Export, and Deletion

9.1 School Access: The School may access, edit, export, or delete Student Data at any time.

9.2 Export Upon Request: The Company will provide an export of all School data upon written request.

9.3 Deletion Upon Termination: Upon termination, all School data will be deleted within 60 days. The School may request an export before deletion.

9.4 Backup Data: Encrypted backups rotate automatically and are deleted on schedule.

10. Subprocessors

The Company may use subprocessors (such as Supabase, email systems, hosting providers) solely to support the Platform. Subprocessors must sign data protection agreements, meet equal or higher security standards, and cannot use Student Data for any purpose outside the Services. A current list is available upon request.

11. Intellectual Property

The Company owns and retains the Platform, codebase, UI/UX, documentation, designs and architecture. The School owns data it uploads, Student Data, and any School-provided assets.

12. Limitations of Liability

To the maximum extent permitted by law, neither party is liable for indirect or consequential damages. The Company's total liability is limited to fees paid in the previous 12 months.

13. Indemnification

School Indemnifies Company: For claims arising from misuse of the Platform, violation of laws by School personnel, improper sharing of data, or inaccurate data entered into the system.

Company Indemnifies School: For claims arising from negligent handling of Student Data or breaches caused by Company systems.

14. Breach Notification

In the event of unauthorized access or disclosure of Student Data, the Company will notify the School within 72 hours, provide details and mitigation steps, and cooperate with investigations.

15. Termination

Either party may terminate for breach of Agreement, failure to pay fees, security concerns, or School request. All rights to data export remain intact.

16. Governing Law

This Agreement is governed by the laws of the state in which Chinuch App LLC is registered.

17. Notices

Notices may be delivered via email, certified mail, or electronic system notifications.

18. Entire Agreement

This Agreement, combined with the Privacy Policy, Terms of Service, Data Processing Agreement, and Security Policy, constitutes the entire understanding between the parties.

19. Signatures

SCHOOL / DISTRICT

Name: ___________________________

Title: ____________________________

Signature: ________________________

Date: _____________________________

CHINUCH APP LLC (DBA CHABAD CHINUCH)

Name: ____________________________

Title: _____________________________

Signature: ________________________

Date: _____________________________

Data Processing Agreement (DPA)

Between: School ("School" or "District")
And: Chinuch App LLC, DBA Chabad Chinuch ("Company")
Website: https://chabadchinuch.com
Last Updated: November 30, 2025

DATA PROCESSING AGREEMENT (FERPA, COPPA, & State Student Privacy Compliance)

This Data Processing Agreement ("Agreement") is entered into between Chinuch App LLC, DBA Chabad Chinuch ("Company") and the educational institution ("School" or "District"). This Agreement governs the Company's processing of Student Data on behalf of the School in compliance with FERPA, COPPA, PPRA, IDEA, and state student privacy laws.

Both parties agree to the following:

1. Definitions

1.1 "Student Data": Any information provided by the School or collected on behalf of the School relating to an identifiable student, including attendance, behavior logs, assessments, grades, student profiles, bus and transportation data, parent information, emergency contacts, standards/skills data, communications, and metadata.

1.2 "School Official": The Company acts as a School Official with a legitimate educational interest under FERPA.

1.3 "Users": Teachers, staff, administrators, parents, and students authorized by the School.

1.4 "Services": The educational software platform known as Chabad Chinuch.

2. Purpose of Data Processing

The Company processes Student Data solely to provide educational services, including attendance, behavior tracking, assessments and skills, grades and report cards, transportation & bus check-in/check-out, role-based access, parent-teacher communication, administration dashboards, and student records management.

The Company will not use Student Data for profiling, advertising, or any non-educational purpose.

3. Ownership of Student Data

3.1 Student Data is owned exclusively by the School. The Company claims no rights to Student Data.

3.2 The Company may not sell Student Data, share Student Data with third parties except as permitted, or use Student Data for commercial or marketing purposes.

4. Security & Safeguards

The Company will maintain industry-standard administrative, technical, and physical safeguards, including encryption in transit (HTTPS/TLS) and at rest, secure Supabase/Postgres infrastructure, role-based access, audit logs, multi-school data separation, password hashing and secure authentication, regular backups, and an incident response plan. A full Security Policy is provided separately.

5. Data Access & Authorization

5.1 Access by School: The School controls which Users can access Student Data, what permissions they receive, and when accounts are created or removed.

5.2 Access by Company: The Company may only access Student Data as necessary to provide support or maintenance, upon School request, or for security and troubleshooting. Access is logged.

6. Data Sharing

The Company may share Student Data only with: (A) The School (teachers, staff, administrators, or parents authorized by the School), and (B) Subprocessors (vendors who support the platform). All subprocessors must sign a binding Data Protection Agreement, are prohibited from using Student Data for any other purpose, and must meet equal or stronger security standards. A current list is available upon request.

7. Compliance with Laws

The Company will comply with FERPA, COPPA, PPRA, IDEA, and all state student data privacy laws. If any legal changes arise, the Company will update practices and notify the School.

8. Data Retention & Deletion

8.1 Duration of Processing: Student Data is retained only while the School uses the Service.

8.2 Upon Termination: Within 60 days of contract termination, Student Data will be deleted or returned to the School upon request.

8.3 Partial Deletions: The School may request deletion of individual student records at any time.

8.4 Backups: Residual data in encrypted backups will be removed on the normal backup rotation.

9. Breach Notification

9.1 Definition: A breach includes unauthorized access, acquisition, or disclosure of Student Data.

9.2 Notification: The Company will notify the School within 72 hours of confirming a breach. Notifications will include what happened, what data was affected, steps taken to protect students, and guidance for the School. The Company will cooperate fully in any investigation.

10. Data Export

The School may export all Student Data at any time in machine-readable format (CSV/JSON/SQL or equivalent). The Company will provide reasonable assistance.

11. Subprocessors

The Company may use subprocessors but must maintain an updated list, conduct due diligence, require binding data protection agreements, and ensure equal-level security controls. The School may request the current list at any time.

12. Training & Confidentiality

Company personnel with access to Student Data must sign confidentiality agreements, complete privacy/security training, and access data only when necessary.

13. Modification of Data

Students or parents requesting corrections must do so through the School. The Company will make corrections only upon School instruction.

14. Term & Termination

This Agreement becomes effective when the School first uses the Platform. Either party may terminate with written notice. Upon termination, access will be disabled, a data export will be provided upon request, and permanent deletion will occur within 60 days.

15. Limitation of Liability

Liability is limited to fees paid by the School in the previous 12 months. No party is liable for indirect, punitive, or consequential damages.

16. Governing Law

This Agreement is governed by the laws of the state where Chinuch App LLC is registered.

17. Entire Agreement

This Agreement, together with the Terms of Service and Privacy Policy, constitutes the complete contract between both parties regarding Student Data.

18. Signatures

SCHOOL / DISTRICT

Name: ________________________

Title: ________________________

Signature: ____________________

Date: _________________________

CHINUCH APP LLC (DBA CHABAD CHINUCH)

By: __________________________

Title: ________________________

Signature: ____________________

Date: _________________________

Security Policy

Chinuch App LLC (DBA Chabad Chinuch)
Website: https://chabadchinuch.com
Last Updated: November 30, 2025

Overview

Chabad Chinuch maintains industry-standard security measures to protect Student Data and school information. This Security Policy outlines our technical, administrative, and physical safeguards.

1. Encryption

  • Data in Transit: All data transmitted between users and our platform is encrypted using HTTPS/TLS 1.2 or higher
  • Data at Rest: All stored data is encrypted using industry-standard encryption algorithms
  • Database Encryption: Student Data stored in our database is encrypted at rest
  • Backup Encryption: All backups are encrypted before storage

2. Authentication & Access Control

  • Password Security: Passwords are hashed using secure algorithms (bcrypt/argon2)
  • Multi-Factor Authentication: Available for school administrators (optional)
  • Role-Based Access: Users can only access data appropriate to their role (teacher, parent, student, admin)
  • Session Management: Secure session tokens with automatic expiration
  • Account Lockout: Protection against brute force attacks

3. Infrastructure Security

  • Hosting: Secure cloud infrastructure (Supabase/PostgreSQL)
  • Network Security: Firewalls and network segmentation
  • DDoS Protection: Protection against distributed denial-of-service attacks
  • Regular Updates: Security patches applied promptly
  • Monitoring: 24/7 system monitoring and alerting

4. Data Separation

  • Multi-School Isolation: Data from different schools is logically separated
  • School-Level Access: Users can only access data from their own school
  • Database Isolation: Row-level security policies enforce data separation

5. Audit Logging

  • All data access is logged with user ID, timestamp, and action
  • All data modifications are tracked
  • Login attempts and authentication events are logged
  • Audit logs are retained for 1 year (or longer if required by contract)

6. Backup & Disaster Recovery

  • Regular automated backups
  • Backups are encrypted and stored securely
  • Backup retention follows our Data Retention Policy
  • Disaster recovery procedures are tested regularly

7. Personnel Security

  • Background checks for personnel with data access
  • Confidentiality agreements required
  • Privacy and security training for all staff
  • Principle of least privilege access

8. Incident Response

We maintain an Incident Response Plan to quickly identify, contain, and remediate security incidents. See our Incident Response Plan for details.

9. Third-Party Security

  • All subprocessors must meet equal or higher security standards
  • Data protection agreements required for all vendors
  • Regular security assessments of subprocessors

10. Compliance

Our security practices comply with FERPA, COPPA, and applicable state student privacy laws. We regularly review and update our security measures to maintain compliance.

11. Contact

For security questions or to report a security concern:

Email: security@chabadchinuch.com
Support Email: support@chabadchinuch.com

Data Retention & Deletion Policy

Chinuch App LLC (DBA Chabad Chinuch)
Website: https://chabadchinuch.com
Last Updated: November 30, 2025

Overview

Chabad Chinuch stores student and school data only for as long as needed to provide services to the School. This policy outlines how we retain, remove, and permanently delete data in compliance with FERPA, state student privacy laws, and best practices.

1. Data Retention Timeline

1.1 Active Schools (Normal Use): For schools actively using the Platform, Student Data is retained indefinitely while the school's account is active. Schools may request deletion of specific student records at any time.

1.2 When a School Ends Service: When a School terminates its contract or stops using the platform, the School's data is archived for 60 days. The School may request a full export during this period. After 60 days, all School data is permanently deleted.

1.3 Expired or Inactive Accounts: If a school account becomes inactive, we will notify the school. After 12 months without activity, the account may be closed. Data will follow the same 60-day deletion window.

2. Types of Data and Retention Rules

2.1 Student Data (FERPA-protected): Includes attendance, grades & assessments, behavior logs, skills & standards progress, bus check-in/check-out, emergency contacts, and parent info. Retained until the School requests deletion or ends service.

2.2 Teacher & Staff Accounts: Deleted when the School removes access or terminates service.

2.3 Parent & Student Accounts: Deleted automatically when linked student data is removed.

2.4 Audit Logs: Audit logs (logins, data access, edits) are retained 1 year for compliance and security, unless longer retention is required by a School contract.

3. Deletion Upon School Request

A School may request deletion of a specific student, deletion of a class or grade, deletion of user accounts, or full data purge. We will process deletion requests within 10 business days, in compliance with FERPA and state law, after confirming authorization.

4. Backup & Disaster Recovery Copies

Encrypted backups are stored securely. Backup data cannot be accessed for normal operations, is automatically deleted based on our backup rotation schedule, and may persist for up to 90 additional days due to system redundancy.

5. No Indefinite Retention

We do not retain Student Data indefinitely without School permission.

6. Data Deletion Method

Data is deleted using secure, industry-accepted methods including cryptographic erasure, file-level deletion, database-level deletion, and overwrite processes following standard protocols. Deleted data is not recoverable.

7. Contact

For deletions or retention questions:

Email: privacy@chabadchinuch.com
Support Email: support@chabadchinuch.com

Incident Response Plan (IRP)

Chinuch App LLC (DBA Chabad Chinuch)
Website: https://chabadchinuch.com
Last Updated: November 30, 2025

Overview

This Incident Response Plan outlines how Chinuch App LLC manages, mitigates, and communicates any suspected or confirmed data breach involving Student Data or School information.

1. Purpose

To ensure rapid identification of security incidents, protection of Student Data, timely notification to Schools, clear remediation procedures, and compliance with FERPA and state privacy laws.

2. What is a Security Incident?

Security incidents include unauthorized access to data; loss, theft, or exposure of student information; compromised user accounts; malware, ransomware, or intrusion attempts; internal misuse of access; and system vulnerabilities affecting data confidentiality or integrity.

3. Incident Response Team (IRT)

The Company assigns key roles: Incident Lead (oversees investigation), Security Engineer (analyzes logs and systems), Support Lead (coordinates communication with Schools), and Executive Lead (makes final decisions and reports).

4. Incident Response Stages

Stage 1 — Identification: We detect incidents via monitoring alerts, anomaly detection, audit logs, vendor notifications, and user reports. If suspicious activity is detected, the IRT is activated.

Stage 2 — Containment: Immediate steps include disabling affected accounts, isolating compromised systems, blocking malicious IPs or networks, revoking access tokens, and stopping unauthorized data flows.

Stage 3 — Investigation: We quickly determine what happened, which data was accessed, which users were affected, when the incident began, and whether data was copied, modified, or deleted.

Stage 4 — Notification (within 72 hours): The Company notifies affected Schools within 72 hours of confirming a breach with detailed, accurate information. Notifications include a description of the incident, the data affected, the individuals impacted, the steps taken to contain the issue, recommendations for Schools, and a contact for follow-up questions.

Stage 5 — Remediation: Actions may include resetting passwords, strengthening access controls, removing vulnerabilities, enhancing monitoring, restoring from backups if needed, and updating processes and training.

Stage 6 — Documentation & Review: We maintain internal records and conduct a post-incident review to improve security controls, prevent recurrence, and update School-facing documentation if needed.

5. School Responsibilities

Schools agree to report suspicious activity immediately, protect login credentials, train staff on safe usage, cooperate with investigations, and reset compromised user accounts.

6. Contact for Security Incidents

Email: security@chabadchinuch.com
Support Email: support@chabadchinuch.com

Data Ownership & Export Statement

Chinuch App LLC (DBA Chabad Chinuch)
Website: https://chabadchinuch.com
Last Updated: November 30, 2025

Overview

This document clarifies that all Student Data and school information processed by the Chabad Chinuch Platform is fully owned and controlled by the School.

1. Ownership of Student Data

Schools own 100% of all Student Data. This includes:

  • Attendance
  • Behavior logs
  • Bus logs
  • Assessments and standards
  • Grades & report cards
  • Parent/guardian information
  • Student profiles
  • User accounts linked to the School
  • Communications

The Company has no ownership rights to Student Data.

2. Use of Student Data

Student Data may only be used for providing the educational services, supporting School staff, troubleshooting technical issues, and complying with legal obligations.

We do not sell data, share data for advertising, or use data for commercial profiling.

3. Export Rights

Schools may request an export of all Student Data, class rosters, attendance data, behavior logs, assessment/standards data, or full relational database exports if needed.

Exports are provided in CSV, JSON, SQL dump, or another mutually agreed format. Exports will be provided within 10 business days of request.

4. Data Access

Only authorized school staff, authorized parents (for their own child), and authorized Company personnel (support only) can access Student Data.

5. Data Deletion

A School may request individual student deletion, class or grade deletion, or full database deletion upon contract termination. We delete data within 10 business days of request, consistent with our retention policy.

6. FERPA & Legal Compliance

Under FERPA, schools control all disclosure, schools may request corrections or deletions, and schools may export or transfer records at any time. This Statement is incorporated into the MSA & DPA.

7. Contact

For data export or ownership questions:

Email: privacy@chabadchinuch.com
Support Email: support@chabadchinuch.com