Last updated: June 2026
[DRAFT — Not yet legally reviewed.] This disclosure was reconciled against the codebase by the AA-291 External Services + DPA Collection Audit. It lists every external service currently called by the platform, grouped by category, with each vendor's legal entity, DPA URL, DPA status, PII classification, certifications, and any deal-breaker flag raised during research. Five vendors are flagged as `deal-breaker-for-districts` and appear in their own section near the end. The `draft: true` flag will be removed only after operator + legal review.
The following third-party services process data on behalf of Avatar Animator. This page is maintained as part of our commitment to transparency under FERPA, COPPA, CCPA/CPRA, GDPR, and US state student-privacy laws.
For questions or to request a Data Processing Agreement, contact darryl@inspirationdancecompany.ai.
1. Cloud Infrastructure
Amazon Web Services (AWS)
- Legal entity: Amazon Web Services, Inc. (Delaware, USA); EEA contracting via Amazon Web Services EMEA SARL (Luxembourg)
- Purpose: Primary cloud infrastructure — Lightsail compute, Lightsail RDS Postgres, S3 storage, Cognito user pool, SES transactional email (failover), Secrets Manager, Lambda
- Data processed: All platform data — student PII, content, sessions, audit logs (encrypted at rest and in transit)
- PII classification: `student-data`
- Location: US East (N. Virginia); 30+ regions available; European Sovereign Cloud forthcoming
- DPA: AWS Data Processing Addendum — auto-incorporated by reference; signed copies via AWS Artifact
- DPA status: available-public
- Sub-processor list: https://aws.amazon.com/compliance/sub-processors/ (30-day advance notice for new sub-processors)
- Certifications: SOC 2 Type II, ISO 27001 (+ 27017, 27018, 27701), FedRAMP Moderate + High, HIPAA BAA, PCI DSS Level 1, StateRAMP, CSA STAR, CCPA service-provider
- Notes: SES is the failover transactional email path (Resend is primary); both run on the same AWS DPA. CCPA service-provider terms included.
- Deal-breaker flag: none
- Last verified: 2026-05-30
Vercel
- Legal entity: Vercel Inc. (Delaware, USA)
- Purpose: Frontend hosting + serverless function execution for codecandance.com; Vercel Blob for user-uploaded assets
- Data processed: All HTTP requests reaching codecandance.com (server-rendered pages, session cookies, request bodies including student-authored content, auth tokens, Blob objects)
- PII classification: `student-data`
- Location: US (AWS-backed); Edge Functions run globally; EU residency available on Enterprise plans
- DPA: Vercel Data Processing Addendum — auto-incorporated; signed copies via dashboard or privacy@vercel.com
- DPA status: available-public
- Sub-processor list: https://security.vercel.com (Trust Center)
- Certifications: SOC 2 Type II, ISO 27001 (+ 27017, 27018, 27701, 9001), HIPAA BAA, EU-US Data Privacy Framework, Swiss-US DPF, UK Extension, PIPEDA, DSA, NIS 2, DORA, nFADP, TISAX (Level 2), PCI DSS
- Notes: Vercel Blob (`*.public.blob.vercel-storage.com`) is covered under the same DPA / Trust Center scope. No FERPA-specific addendum (FERPA does not require one).
- Deal-breaker flag: none
- Last verified: 2026-05-30
Neon (Serverless Postgres) — conditional, pending AA-308
- Legal entity: Neon, LLC (Delaware, USA), an affiliate of Databricks, Inc. since May 2025
- Purpose: Serverless Postgres database (auto-detected by `server/db.ts` when the `DATABASE_URL` host contains `neon.tech`)
- Data processed: Full platform database (students, users, projects, sessions, audit logs) — only if Neon is in the live production data path
- PII classification: `student-data` (conditional)
- Location: Configurable — US-East default; EU (Frankfurt), Singapore, Sydney available
- DPA: Databricks Master DPA + Neon Product-Specific Schedule
- DPA status: available-public
- Sub-processor list: https://neon.com/subprocessors (AWS, Microsoft Azure, Salesforce, Grafana)
- Certifications: SOC 2 Type II, GDPR DPA + SCCs, HIPAA BAA (via Databricks tier), DPF participation; ISO 27001 inherited from AWS
- Notes: CONDITIONAL — see AA-308 backlog item. Whether Neon is in the production data path depends on the live `DATABASE_URL` value (primary DB is AWS Lightsail Postgres post-migration). Listed here for over-disclosure; this entry will be removed if AA-308 confirms the Neon code branch is dead.
- Deal-breaker flag: concern-needs-review (CLOUD Act exposure identical to AWS; codebase-state uncertainty)
- Last verified: 2026-05-30
2. Auth / Identity (SSO + Rostering)
Google (OAuth + Classroom + Cloud Storage)
- Legal entity: Google LLC (Delaware, USA); EEA contracting via Google Ireland Limited (Dublin, Ireland)
- Purpose: "Sign in with Google" OAuth, Google Classroom API (course + roster sync), Google Cloud Storage (legacy Replit sidecar — pending AA-309)
- Data processed: OAuth subject (email, name, sub) inbound from Google; Classroom roster (course IDs, student IDs, names — read-only scopes); GCS objects (if live)
- PII classification: `student-data` (Classroom roster), `identified-PII` (OAuth)
- Location: Configurable (Workspace for Education K-12 defaults to US; EU regions available)
- DPA: Google Cloud DPA (auto-effective); Workspace for Education DPA at https://workspace.google.com/terms/education_terms/
- DPA status: available-public
- Sub-processor list: https://cloud.google.com/terms/subprocessors ; https://workspace.google.com/terms/subprocessors/ (30-day advance notice)
- Certifications: SOC 2 Type II, ISO 27001 (+ 27017, 27018, 27701), GDPR, HIPAA BAA, FedRAMP High + Moderate, iKeepSafe FERPA + COPPA Safe Harbor (Workspace for Education), Student Privacy Pledge signatory
- Notes: Google's Workspace-for-Education FERPA designation does not automatically extend to third-party apps using the Classroom API — the platform (us) becomes the responsible FERPA controller for roster data we ingest. Our own DPA with the district (AA-280) is the substantive contract for that data.
- Deal-breaker flag: concern-needs-review (third-party Classroom-API consumer FERPA framing — see notes)
- Last verified: 2026-05-30
Clever
- Legal entity: Clever, Inc. (Delaware, USA); acquired by Kahoot! ASA (Norway) in 2021 — US contracting entity unchanged
- Purpose: Student SSO IdP + district roster (OneRoster-style)
- Data processed: Student rosters (name, school, grade, sometimes email); OAuth identity for student logins
- PII classification: `student-data`
- Location: US only (US districts); EU via separate Clever European DPA
- DPA: Clever Additional Terms of Use for Developers (Nov 21, 2025) at https://www.clever.com/trust/terms/developers — auto-accepted on developer registration; Universal DSA (district-side); European DPA
- DPA status: available-public
- Sub-processor list: https://clever.com/trust/subprocessors (15 sub-processors, all US — AWS, Apple, Clickhouse, DataDog, Edlink API, Google, MaestroQA, MongoDB, Salesforce, Slack, Snowflake, Stitch, TalkDesk, Twilio, Zoom)
- Certifications: iKeepSafe FERPA-certified, iKeepSafe COPPA Safe Harbor, iKeepSafe California Student Privacy, 1EdTech TrustEd Apps, Student Privacy Pledge signatory, SOPIPA / CT GS § 10-234aa-dd / IL SOPPA / NY Education Law § 2-d. SOC 2 Type II available on request from security@clever.com (not prominently public).
- Notes: Data flow direction is Clever → us (Clever is the source-of-truth for roster). Developers must delete student data within 30 days of agreement termination. Clever's Section 3.7 requires us to disclose our own sub-processors back to Clever during certification.
- Deal-breaker flag: none
- Last verified: 2026-05-30
ClassLink
- Legal entity: ClassLink, Inc. (Delaware, USA; operating HQ in Clifton, NJ)
- Purpose: Student SSO IdP + OneRoster v1.1 roster sync
- Data processed: Student OAuth identity + roster pulls (name, school, grade, district, sometimes email)
- PII classification: `student-data`
- Location: US (AWS-backed) for US districts; EU residency available (Frankfurt, Germany)
- DPA: Partner DPA via partners@classlink.com (portal-signup-required); SDPC-style district-side DPA template
- DPA status: portal-signup-required
- Sub-processor list: Not publicly published — operator-requested as part of partner DPA execution (transparency gap relative to Clever).
- Certifications: SOC 2 Type II (KirkpatrickPrice), ISO/IEC 27001 + 20000, iKeepSafe (FERPA, COPPA, California Student Privacy), 1EdTech TrustEd Apps, OneRoster certified, StateRAMP member, TX-RAMP, Cloud Security Alliance STAR, Secure by Design pledge signatory. Privacy Shield listed publicly — DPF migration status to confirm.
- Notes: Data flow direction is ClassLink → us. Partner DPA is operator-action gated (see outreach drafts).
- Deal-breaker flag: concern-needs-review (sub-processor list opacity; Privacy Shield → DPF migration to verify)
- Last verified: 2026-05-30
3. Email
Resend
- Legal entity: Plus Five Five, Inc. d/b/a Resend (Delaware, USA; San Francisco)
- Purpose: Transactional email delivery (account verification, password reset, DPA notifications, COPPA consent emails, audit-trail notifications)
- Data processed: Recipient email addresses, name, transactional message bodies (templated platform messages; no free-form student content)
- PII classification: `identified-PII`
- Location: US only — no EU-region alternative
- DPA: Resend DPA — publicly viewable; click-through self-execute via dashboard
- DPA status: available-public
- Sub-processor list: https://resend.com/legal/subprocessors (21 sub-processors, all US — AWS, Anthropic PBC, Attio, Cloudflare, Datadog, Elastic, Estuary, Google, Inngest, Liveblocks, Metabase, Plain (Not Just Tickets), Retool, RunPod, Salesforce (Slack), Snowflake, Stripe, Supabase, Svix, Tinybird, Vercel)
- Certifications: GDPR DPA + EU SCCs + UK SCCs; SOC 2 Type II / ISO 27001 inherited from infrastructure providers — Resend's own direct certifications not advertised (operator clarification pending)
- Notes: Anthropic, PBC is listed as a sub-processor for "Artificial Intelligence" — scope clarification pending (does AI tooling see customer email content?). Customer data deleted within 90 days of account termination; compliance records retained 3 years post-termination. Governing law: Ireland.
- Deal-breaker flag: concern-needs-review (Anthropic AI scope; own-certification opacity; no EU residency)
- Last verified: 2026-05-30
AWS SES (failover; see AWS entry in §1)
AWS SES is the failover transactional email path, wired in server/lib/ses.ts. Covered by the same AWS DPA, same certifications, same legal entity as the rest of the AWS footprint.
4. AI — Text / NLP
OpenAI
- Legal entity: OpenAI OpCo, LLC (effective 2026-01-01; supersedes OpenAI, L.L.C.) — Delaware, USA; principal place of business San Francisco
- Purpose: AI-powered features — background/image generation, music lyric prompts, face-filter prompts, Sam tutor chatbot, content moderation
- Data processed: Text prompts only. Per platform policy, student names/IDs/emails are NOT sent. Moderation API receives raw user-authored text for safety scoring.
- PII classification: `pseudonymous`
- Location: US default; EU residency available for ChatGPT Enterprise (not API); region routing configurable on Enterprise
- DPA: OpenAI Data Processing Addendum — self-execute via web form
- DPA status: available-public
- Sub-processor list: https://openai.com/policies/sub-processor-list/ (email-subscription notification mechanism)
- Certifications: SOC 2 Type II (Business + API), ISO/IEC 27001:2022 (+ 27017:2015, 27018:2019, 27701:2019), GDPR DPA + SCCs + UK IDTA, FedRAMP 20x
- Notes: API default retention is 30-day abuse-monitoring window; Zero Data Retention (ZDR) is available for eligible Enterprise endpoints on request (not self-serve). API / Team / Enterprise data is not used to train models by default.
- Deal-breaker flag: concern-needs-review (ZDR not default; FERPA-specific addendum not published — ChatGPT Edu exists as separate product)
- Last verified: 2026-05-30
Perplexity
- Legal entity: Perplexity AI, Inc. (Delaware / California Stock Corp doc # 5186927)
- Purpose: Search-augmented chat completions via `api.perplexity.ai/chat/completions`
- Data processed: Text search queries (no identified PII; no student account metadata in current integration)
- PII classification: `metadata`
- Location: US primary; SCC-governed transfers for EU customers
- DPA: Perplexity DPA — part of Enterprise/API ToS
- DPA status: available-public
- Sub-processor list: https://trust.perplexity.ai/subprocessors (JS-rendered; retrieve via browser for verbatim listing)
- Certifications: GDPR DPA + EU SCCs (Module 2 + 3) + UK IDTA Version B.0; SOC 2 Type II claimed (verify via Trust Center)
- Notes: Enterprise/API customers: data is not used for model training. Consumer/free tier may train. Phase-1 inventory flagged the integration as possibly dormant — operator should confirm endpoint is live before DPA execution.
- Deal-breaker flag: concern-needs-review (Trust-Center verification + runtime-usage confirmation)
- Last verified: 2026-05-30
5. AI — Image / Video Generation
RunwayML
- Legal entity: Runway AI, Inc. (Delaware, USA; NYC principal place of business)
- Purpose: Gen-3 text-to-video generation via `api.dev.runwayml.com` (canonical production endpoint, despite the `dev.` prefix — required header `X-Runway-Version: 2024-11-06`)
- Data processed: Text prompts → generated video; polling task status. No video uploads; no user-id metadata.
- PII classification: `metadata` to `pseudonymous`
- Location: US primary (AWS + Google Cloud); sub-processors in US, UK, Spain, Singapore
- DPA: `available-on-request` (Enterprise-only; not self-serve) — request via privacy@runwayml.com
- DPA status: available-on-request
- Sub-processor list: https://runwayml.com/customer-subprocessors — 20 named entities including AWS, Google LLC, Anthropic PBC, AssemblyAI, Dolby, Eleven Labs, Cartesia AI, Modal Labs, LiveKit, OpenAI OpCo LLC, Black Forest Labs, Runware (UK), Freepik (Spain), Byteplus Pte Ltd (Singapore — ByteDance-affiliated), Kling AI Pte Ltd (Singapore — ByteDance-affiliated), fal Features & Labels, Oracle America, CoreWeave, X.AI LLC
- Certifications: SOC 2 Type II; GDPR readiness + DPA + SCCs available; ISO 27001 framework-aligned but not formally certified
- Notes: Training-on-Customer-Data not affirmatively prohibited in public docs — explicit no-training language is a pending operator ask. Byteplus / Kling AI Singapore sub-processors are ByteDance-affiliated — districts with policy positions on ByteDance should be notified.
- Deal-breaker flag: concern-needs-review (DPA not self-serve; training-on-prompt not affirmatively prohibited)
- Last verified: 2026-05-30
6. AI — Music
MusicGPT (Mureka) — deal-breaker; replacement recommended
- Legal entity: Two related but distinct trails — MusicGPT (musicgpt.com, Singapore claimed; specific entity unconfirmed) and Mureka, developed by Skywork AI Pte. Ltd. (Singapore), parent Kunlun Tech Co., Ltd. (PRC; HKEX / Shenzhen listed)
- Purpose: AI music generation via `api.musicgpt.com/api/public/v1/MusicAI`
- Data processed: Music style + lyric text prompts. No student PII.
- PII classification: `metadata`
- Location: Singapore / PRC presumed (Skywork AI / Kunlun parent); residency not explicitly disclosed
- DPA: None publicly discoverable
- DPA status: unknown
- Sub-processor list: None disclosed
- Certifications: None publicly advertised
- Notes: Active class action Attack the Sound LLC v. Kunlun Tech Co., Ltd. (December 2024, IL Northern District) names Skywork AI as defendant for the Mureka product. PRC-linked parentage + no contractual framework is a recurring district veto pattern.
- Deal-breaker flag: deal-breaker-for-districts — replace if no DPA + SCC pathway emerges
- Last verified: 2026-05-30
7. AI — Motion Capture / Video Understanding
DeepMotion — deal-breaker (conditional on payload reality)
- Legal entity: DeepMotion, Inc. (Delaware, USA; 400 Concar Drive, San Mateo, CA)
- Purpose: Video-to-animation (Animate 3D) via `server/deepmotion-client.ts`
- Data processed: Video uploads (animation source material)
- PII classification: `identified-PII` to `student-data` (if student-recorded video is sent)
- Location: US primary (Google Cloud US hosting); vague international-transfer disclosure
- DPA: Not published — `available-on-request` for enterprise
- DPA status: not-offered (presumed; operator outreach to confirm)
- Sub-processor list: Embedded in privacy policy — Google Inc. (US, primary hosting), SendGrid (US, email), OKTA (US, auth), Citrix Podio (US + Denmark, CRM)
- Certifications: None publicly advertised. No SOC 2, no ISO 27001, no FERPA addendum.
- Notes: ToS license-grant clause is broad ("non-exclusive, fully-paid, royalty-free, worldwide license to access, review, use, copy, modify, create derivative works of, reproduce and analyze your uploaded Content"). Without an amendment, even with a DPA, this is a non-starter for most district legal teams. Severity drops to `concern-needs-review` if Avatar Animator only sends non-student video — requires payload-reality cross-read of `server/deepmotion-client.ts` call sites.
- Deal-breaker flag: deal-breaker-for-districts (conditional on payload reality)
- Last verified: 2026-05-30
QuickMagic — deal-breaker; replacement recommended
- Legal entity: Hangzhou Lemanduo Technology Co., Ltd. (杭州乐曼多科技有限公司) — Hangzhou, Zhejiang Province, PRC
- Purpose: Motion-capture / animation transformation via `quickmagic.ai/business` endpoints
- Data processed: Uploaded video (animation source material; may contain identifiable persons)
- PII classification: `identified-PII` to `student-data`
- Location: PRC presumed (Hangzhou-based operator; likely Alibaba Cloud / Tencent Cloud / Huawei Cloud hosting)
- DPA: None discoverable
- DPA status: not-offered
- Sub-processor list: None disclosed
- Certifications: None publicly advertised (SOC 2 not in scope for PRC consumer-AI vendors)
- Notes: PRC-based operator + student-data-eligible payload type + zero-contractual-framework = hard procurement veto for US K-12 districts under state student-data laws (esp. TX / FL / MT post-2024). Incidental hygiene flag: `docs.qmai.vip` TLS certificate is expired as of 2026-05-30.
- Deal-breaker flag: deal-breaker-for-districts — replace primary recommendation
- Last verified: 2026-05-30
TwelveLabs
- Legal entity: Twelve Labs, Inc. (Delaware, USA; 55 Green St, San Francisco)
- Purpose: Video understanding / segmentation (TikTok dance ingestion pipeline)
- Data processed: Video clips for segmentation / understanding (currently TikTok-ingest, not student-uploaded)
- PII classification: `pseudonymous` to `identified-PII` (depending on video content)
- Location: US + Republic of Korea (significant Korean operations)
- DPA: TwelveLabs DPA — published as attachment to Enterprise Terms of Service; Enterprise Order signature required
- DPA status: available-public (Enterprise tier)
- Sub-processor list: Not publicly listed; gated to in-portal notification + Documentation. Categorically: GCP, AWS, Google Analytics, LinkedIn Analytics, Mixpanel, payment processors.
- Certifications: GDPR DPA + EU SCCs (Module 2) + UK + Swiss appendices; SOC 2 Type II / ISO 27001 status not surfaced publicly
- Notes: Training-on-Customer-Data not affirmatively prohibited in public ToS — explicit no-training language is a pending operator ask.
- Deal-breaker flag: concern-needs-review
- Last verified: 2026-05-30
8. Media (Stock Assets)
Pexels
- Legal entity: Canva Germany GmbH (Berlin, Germany) — Pexels is a brand operated by Canva since the 2018 acquisition; ultimate parent Canva Pty Ltd (Australia)
- Purpose: Stock image and video search for backgrounds
- Data processed: Text search queries (no embedded user PII; Pexels logs IP / UA per privacy policy)
- PII classification: `metadata`
- Location: Germany (Pexels operations); Canva infrastructure may transfer to US under SCCs
- DPA: Canva Data Processing Addendum — applicability to Pexels-API consumers requires written confirmation (operator action pending)
- DPA status: available-on-request
- Sub-processor list: Canva Trust Center (https://www.canva.com/trust/) — Pexels-API-tier applicability not explicit
- Certifications: Pexels itself does not advertise direct certifications; Canva holds SOC 2 Type II, ISO 27001, GDPR DPA + EU SCCs (Module 2, Irish law), Canva National Data Privacy Agreement + US state-level addenda for K-12
- Notes: Districts that have an existing Canva NDPA may already be covered for Pexels-API usage downstream of Avatar Animator.
- Deal-breaker flag: concern-needs-review (Pexels-API DPA coverage not explicitly documented)
- Last verified: 2026-05-30
Unsplash
- Legal entity: Unsplash Inc. (Ontario, Canada); subsidiary of Getty Images Holdings, Inc. (since 2021)
- Purpose: Stock image search for backgrounds
- Data processed: Text search queries + originating server IP (no embedded user PII)
- PII classification: `metadata`
- Location: US (historically AWS-hosted); residency not formally stated
- DPA: `available-on-request` via privacy@unsplash.com — Unsplash API Terms explicitly shift contractual responsibility to the API consumer
- DPA status: available-on-request
- Sub-processor list: Not published
- Certifications: GDPR statement only; no SOC 2 / ISO 27001 advertised
- Notes: Single-vendor reduction (consolidate to Pexels) is a possible simplification — same data flow, Canva-DPA umbrella.
- Deal-breaker flag: concern-needs-review
- Last verified: 2026-05-30
9. Billing
Stripe
- Legal entity: Stripe, Inc. / Stripe, LLC (Delaware, USA — North & South America); Stripe Payments Europe, Limited (Ireland — EEA / UK / Switzerland)
- Purpose: Subscription billing for teachers, school admins, district admins
- Data processed: Billing PII — cardholder name, email, address. Students do NOT touch Stripe.
- PII classification: `billing-PII` (adult subscribers only)
- Location: Cross-border (US-resident processing by default; Stripe Payments Europe for EEA customers)
- DPA: Stripe DPA (HTML) — incorporated by reference into the Services Agreement (auto-applies)
- DPA status: available-public
- Sub-processor list: https://stripe.com/service-providers/legal (30-day notice + objection rights; AWS US+India, customer-support outsourcers, identity-verification vendors, payment partners)
- Certifications: SOC 2 Type II (+ public SOC 3), ISO 27001, GDPR DPA + EU SCCs, PCI DSS Level 1
- Notes: Students never transact on Stripe — FERPA scope not triggered. Stripe Radar uses aggregated transactional data for fraud-detection ML; no opt-in to foundational model training.
- Deal-breaker flag: none
- Last verified: 2026-05-30
10. CRM / Sales
HubSpot
- Legal entity: HubSpot, Inc. (Delaware, USA; Two Canal Park, Cambridge, MA)
- Purpose: Lead capture (quote-request flow), CRM contact/deal records, sales-funnel automation. No student data sent.
- Data processed: Lead PII — name, email, company, free-text message; deal / contact records for adult prospects
- PII classification: `lead-PII` (adult prospects; explicitly NOT student data)
- Location: US primary; EEA residency available (not currently used)
- DPA: HubSpot DPA — auto-incorporated into Customer Terms of Service
- DPA status: available-public
- Sub-processor list: https://legal.hubspot.com/sub-processors-page (30-day notice via subscriber list)
- Certifications: SOC 2 Type II, ISO 27001, GDPR DPA + EU SCCs, HIPAA BAA available on Enterprise tier (not used)
- Notes: Operator should verify HubSpot AI opt-out is configured (Breeze / ChatSpot). DPO: Nicholas Knoop.
- Deal-breaker flag: none
- Last verified: 2026-05-30
11. Error Tracking / Telemetry
Sentry
- Legal entity: Functional Software, Inc. d/b/a Sentry (Delaware, USA; 45 Fremont Street, San Francisco)
- Purpose: Error tracking, performance monitoring (server + client)
- Data processed: Error stack traces, breadcrumbs, browser/device metadata, pseudonymous user ID. PII is scrubbed via the `beforeSend` hook in `server/lib/sentry.ts` and `client/src/lib/sentry.ts`.
- PII classification: `pseudonymous` (after scrubber); see incidental AA-312 for scrubber coverage audit
- Location: US (default) or EU (Frankfurt — GA since May 2026; cannot be changed for existing orgs)
- DPA: Sentry DPA — self-service execution via Sentry Help Center
- DPA status: available-public
- Sub-processor list: https://sentry.io/legal/subprocessors/ (Google Cloud Platform primary host; 30-day advance notice)
- Certifications: SOC 2 Type I + II, ISO 27001, GDPR DPA + EU SCCs (Schedule 3), HIPAA BAA available, automatic PII-scrubbing filter
- Notes: Sentry AI features (Seer, Autofix) are opt-in only — verify opt-in state. Region selection is irreversible per org; if EEA students are onboarded, this may require a new EU-region org and migration. Codebase-audit task AA-312 covers `beforeSend` scrubber field coverage.
- Deal-breaker flag: concern-needs-review (scrubber coverage is the gating concern, not vendor posture)
- Last verified: 2026-05-30
12. Aggregator (API Marketplace Routing)
RapidAPI (now Rapid, a Nokia Corporation subsidiary since Nov 2024)
- Legal entity: Rapid (formerly RapidAPI) — Nokia subsidiary post-Nov 2024 acquisition; pre-acquisition Rapid LLC / RapidAPI Enterprise Inc. (San Francisco, USA)
- Purpose: API marketplace routing — sole downstream is `tiktok-api23.p.rapidapi.com` (see §13)
- Data processed: TikTok video URLs / IDs only — RapidAPI as routing tier sees the request payload that transits to the downstream
- PII classification: `metadata`
- Location: US (SF HQ; Nokia is Finnish but US operations retained)
- DPA: Request via gdpr@rapidapi.com (no public URL)
- DPA status: available-on-request
- Sub-processor list: Not publicly disclosed
- Certifications: GDPR self-identifies as data processor; SOC 2 / ISO 27001 not advertised
- Notes: Operationally tied to §13 — if the `tiktok-api23` downstream is eliminated (recommended), RapidAPI itself drops from the registry entirely. Sole-downstream relationship documented in `server/tiktok-service.ts`.
- Deal-breaker flag: concern-needs-review (compliance posture minimal; eliminate-if-downstream-eliminated)
- Last verified: 2026-05-30
13. External Content Source (deal-breakers — replacement recommended)
tiktok-api23 (RapidAPI marketplace listing) — deal-breaker
- Legal entity: UNKNOWN. Marketplace publisher handle: Lundehund (an anonymous individual developer; no company name, no incorporation jurisdiction, no registered address, no contact email)
- Purpose: Unofficial scraper of TikTok content metadata via `tiktok-api23.p.rapidapi.com`
- Data processed: TikTok video URLs / IDs (metadata-tier requests)
- PII classification: `metadata`
- Location: UNKNOWN
- DPA: None — no entity to contract with
- DPA status: not-offered
- Sub-processor list: None
- Certifications: None
- Notes: No identifiable legal counterparty + no DPA capability + no service warranty + inherent TikTok-ToS violation + reputational / disclosure risk = unambiguous deal-breaker. The recommended remediation is replacement, which also collapses RapidAPI to zero downstreams (§12 drops out as well).
- Deal-breaker flag: deal-breaker-for-districts — replace
- Last verified: 2026-05-30
TikTok-direct (oembed + embed.js + player iframe) — deal-breaker
- Legal entity: Complex chain — TikTok Inc. (California / Los Angeles), TikTok Pte. Ltd. (Singapore), TikTok U.S. Data Security Inc. (Delaware — Project Texas remediation), TikTok Ltd. (Cayman Islands), ByteDance Ltd. (Cayman Islands / Beijing) — ultimate parent ByteDance
- Purpose: Direct client-side TikTok content embed via `tiktok.com/oembed`, `tiktok.com/embed.js`, `tiktok.com/player/v1/{id}`
- Data processed: Browser-side data flows to TikTok when a student loads the embed: IP address, User-Agent, Referer header (which codecandance.com page), TikTok cookies (if student has TikTok account), embed / player tracking pixels
- PII classification: `identified-PII` (privacy-purist; IP + cross-site behavioral signal from minors)
- Location: US-user data nominally in US per "Project Texas" / TTUSDS; Singapore backups; historical ByteDance-China access documented in 2024
- DPA: No DPA for embedders. TikTok does not contractually treat embedders as data processors. "TikTok for Business" DPA exists for advertisers ONLY.
- DPA status: not-applicable (no DPA framework for embedders)
- Sub-processor list: Not applicable (TikTok is controller of its own data flows, not our processor)
- Certifications: None applicable; under active US DOJ litigation for alleged COPPA violations involving under-13s
- Notes: COPPA enforcement risk by association + no school-official contractual framework + ByteDance ownership chain (state student-data laws in TX / FL / MT post-2024) + behavioral profiling of minors via embeds = unambiguous deal-breaker. Independent code path from
tiktok-api23— both must be eliminated for district-facing deployment. - Deal-breaker flag: deal-breaker-for-districts — replace
- Last verified: 2026-05-30
Appendix A — Frontend Asset Loaders (pii_sent: none)
Per AA-291 orchestrator decision 2026-05-30 §4: listed for transparency; the platform never sends student data to these — they serve static assets to the user's browser. The browser's IP / UA reaches these origins when the asset is fetched.
cdn.jsdelivr.net (jsDelivr)
- Asset type: JS bundles + WASM (MediaPipe tasks-vision), Pyodide runtime (https://cdn.jsdelivr.net/pyodide/v0.29.0/full/)
- Vendor URL: https://www.jsdelivr.com
- PII classification: none — asset-CDN, no platform-side data transmission
storage.googleapis.com (Google Cloud Storage — MediaPipe model hosting)
- Asset type: MediaPipe model binaries (tasks-vision)
- Vendor: Google LLC — covered under Google entry in §2 above
- PII classification: none — asset-CDN, no platform-side data transmission
fonts.googleapis.com + fonts.gstatic.com (Google Fonts)
- Asset type: Webfont CSS + WOFF2 binaries (Inter, JetBrains Mono)
- Vendor: Google LLC — covered under Google entry in §2 above
- PII classification: none — asset-CDN, no platform-side data transmission
cdnjs.cloudflare.com (Cloudflare CDN — Font Awesome) and cdn.tailwindcss.com (Tailwind Play CDN)
- Asset type: Font Awesome icon CSS (cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css); Tailwind Play CDN
- Vendor URLs: https://www.cloudflare.com/cdn ; https://tailwindcss.com
- PII classification: none — asset-CDN, no platform-side data transmission
- Note: Referenced from root `index.html`. Production Tailwind is bundled via PostCSS — verify whether the root `index.html` script tag is live on either deployment, or only `client/index.html` (which has neither). May be a residual dev tag.
Appendix B — Build / CI Infrastructure (not for district-facing disclosure)
Per AA-291 orchestrator decision 2026-05-30 §5: these vendors process our source code and deployment artifacts, not student data. Listed for full auditability; segregated from the main disclosure block because they are materially different from runtime sub-processors.
npm Registry (npmjs.com / GitHub-owned)
- Purpose: JavaScript package registry; resolves runtime dependencies during `npm install`
- Operator: npm, Inc. (GitHub, Inc. subsidiary; ultimate parent Microsoft Corporation)
- Data processed: Our `package.json` dependency manifest at install time; no student data
- PII classification: none — build-time only
GitHub / GitHub Actions
- Purpose: Source code hosting + CI / CD runners (`deploy-on-tag.yml`, `verify-deployed.yml`)
- Operator: GitHub, Inc. (Microsoft Corporation subsidiary)
- Data processed: Source code, build artifacts, deployment secrets injected at CI time
- PII classification: none — build-time only
Appendix C — Internal Infrastructure (not a third-party sub-processor)
Per AA-291 orchestrator decision 2026-05-30 §1: listed in our security model / threat surface, but not a contractually-relevant sub-processor for district DPA purposes.
iLumaCap
- Purpose: Inspiration Dance LLC's own backend service for the LED Cap / Vest hardware
- Operator: Inspiration Dance LLC (us — this is internal infrastructure, not a third party)
- Data processed: LED Cap / Vest device-pairing telemetry (may have student-data touchpoints under the operator's existing security model)
- PII classification: N/A (not a sub-processor — internal data flow)
Questions
For questions about our data processing practices or to request a Data Privacy Agreement, contact us at darryl@inspirationdancecompany.ai.