Version v1.0.0 โ Last updated: 2026-05-29
1. Parties
This Data Processing Addendum ("DPA") forms part of the agreement between Inspiration Dance LLC ("Operator") and the educational agency or district that countersigns this document ("Customer"). Together the parties agree to the terms set forth herein.
The Operator processes Customer Data solely as a Service Provider on behalf of the Customer, in support of the educational service the Operator delivers at https://codecandance.com.
2. Definitions
"Customer Data" means data and information provided to or collected by the Operator under the Customer's account, including student educational records, account identifiers, and project content.
"FERPA" means the Family Educational Rights and Privacy Act (20 U.S.C. ยง 1232g; 34 CFR Part 99).
"COPPA" means the Children's Online Privacy Protection Rule (16 CFR Part 312).
"Sub-Processor" means any third-party service the Operator engages to process Customer Data on its behalf.
3. Scope of Processing
The Operator shall process Customer Data only as necessary to perform the contracted service, and only on the documented instructions of the Customer. Customer Data shall not be used for advertising, sold, or used to train AI models without explicit Customer consent.
The Operator collects only the minimum data necessary: account email, display name, project work, and usage analytics. The Operator does not collect biometric data, government identifiers, photographs, or audio/video recordings.
4. Sub-Processors
The Operator engages Sub-Processors to deliver the service (e.g., cloud hosting, transactional email, AI model providers). A current list of Sub-Processors is maintained at https://codecandance.com/sub-processors.
The Operator will provide the Customer with at least thirty (30) days notice of any new Sub-Processor whose processing involves Customer Data, by updating the public list and, where the Customer has subscribed to notifications, via email.
5. Security
The Operator implements technical and organizational measures appropriate to the risk, including encryption of Customer Data at rest (AES-256) and in transit (TLS 1.2 or higher), role-based access control, audit logging, and regular security review of Sub-Processors.
The Operator maintains an information security program aligned with industry-standard frameworks. Specific certifications (e.g., SOC 2 Type II) are available on request to darryl@inspirationdancecompany.ai.
6. Data Subject Rights
The Operator shall assist the Customer in responding to requests from parents, eligible students, and other data subjects to access, correct, delete, or port Customer Data, in accordance with FERPA and applicable state student privacy laws.
Requests should be directed to darryl@inspirationdancecompany.ai.
7. Data Deletion and Retention
Upon termination of the underlying service agreement, the Operator shall delete or return all Customer Data within forty-five (45) days, unless retention is required by law.
The Customer may request deletion of individual student data at any time via in-app controls or by emailing darryl@inspirationdancecompany.ai.
8. Security Incidents
In the event the Operator becomes aware of a Security Incident involving Customer Data, the Operator shall notify the Customer without undue delay and in any event within seventy-two (72) hours of confirmation.
The notice shall include the nature of the incident, the categories of data affected (to the extent known), the steps taken to mitigate, and a point of contact for follow-up.
9. Audit Rights
On reasonable notice (not less than thirty days) and during regular business hours, the Operator shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including the results of independent third-party audits where available.
Direct audits of Operator infrastructure may be permitted under a mutually agreed scope and confidentiality agreement.
10. FERPA and COPPA Acknowledgment
For purposes of FERPA, the Operator acknowledges and is hereby designated as a "school official" with a legitimate educational interest in Customer Data, under the direct control of the Customer with respect to use and maintenance of education records.
For purposes of COPPA, where the Operator processes data from children under thirteen, it does so in reliance on the Customer's school consent in accordance with the COPPA school authorization exception.
11. Governing Law and Jurisdiction
This DPA shall be governed by the laws of the jurisdiction in which the Operator is established. Disputes shall be subject to the exclusive jurisdiction of the courts in that location, unless applicable mandatory student-privacy law requires otherwise.
12. Term and Execution
This DPA enters into force on the date the Customer signs below and remains in effect for the duration of the underlying service agreement.
By signing below, the Customer represents that the signer is authorized to bind the Customer to this DPA. The Operator countersigns electronically; the countersigned PDF is provided to the Customer at the email address of record.