Data Privacy Agreement (DPA): Contracts That Govern Student Data Handling

What Is a Data Privacy Agreement?

A Data Privacy Agreement (DPA) is a legal contract between a school district (or other LEA) and a vendor that defines how student data will be collected, used, stored, shared, and protected. DPAs are increasingly required before any EdTech vendor can access student information.

Many states have enacted laws requiring DPAs for technology vendors serving K-12 schools. Some states have standardized DPA templates through organizations like the Student Data Privacy Consortium (SDPC), which provides a nationally recognized framework.

What a DPA Covers

Data collected. What student data the vendor will access and collect.
Purpose limitations. How the data can be used (educational purposes only, no marketing, no sale).
Security requirements. Encryption, access controls, audit logging, and incident response.
Data retention and deletion. How long data is kept and how it is deleted when the contract ends.
Breach notification. How quickly and through what channels the vendor must notify the district of a data breach.
Subprocessor controls. Whether the vendor can share data with third parties and under what conditions.
FERPA and COPPA compliance. Vendor attestations to federal privacy law compliance.

Why DPAs Matter for Vendors

Required for sales. Many districts will not evaluate your product until a DPA is signed. Having DPA templates ready accelerates the sales process.
State mandates. States including California, New York, Illinois, Colorado, and Connecticut require signed DPAs for EdTech vendors. The list is growing.
Competitive advantage. Vendors with clean, ready-to-sign DPAs close faster than those who negotiate from scratch.

SDPC National DPA

The Student Data Privacy Consortium has developed a standardized DPA that has been adopted by many states. Signing the SDPC National DPA streamlines the process because districts in participating states accept the standard form rather than requiring custom negotiations.

Preparing for DPA Requirements

Adopt the SDPC National DPA template. Pre-sign it so districts can execute quickly.
Complete a security assessment. Districts will ask about encryption, access controls, SOC 2 compliance, and data handling procedures.
Document your data practices. Map what student data you collect, how it flows through your systems, who has access, and how it is deleted.
Designate a privacy contact. Districts need a named individual they can reach for data privacy questions and breach notifications.
Review state-specific requirements. Each state may add requirements on top of the national template. Know the rules in your target states.

Frequently Asked Questions

What is a Data Privacy Agreement?

A DPA is a contract between a school district and a vendor governing how student data will be collected, used, stored, and protected. Many states require signed DPAs before EdTech vendors can access student information.

Do all EdTech vendors need a DPA?

If your product accesses, stores, or processes student data, most states now require a signed DPA. Even in states without a mandate, districts increasingly require them as part of their procurement process.

What is the SDPC National DPA?

The Student Data Privacy Consortium developed a standardized DPA template adopted by many states. Pre-signing it streamlines the process because districts in participating states accept the standard form.

How long does it take to execute a DPA?

With a pre-signed SDPC template, execution can happen in days. Custom DPA negotiations can take weeks to months. Having templates ready is a competitive advantage in EdTech sales.

What happens if a vendor violates a DPA?

Violations can result in contract termination, required data deletion, notification to affected families, and potential legal liability. Repeated violations may lead to the district barring the vendor and reporting to state authorities.

Data Privacy Agreement