Data Privacy Agreement (DPA)
DPA stands for Data Privacy Agreement, a contract between a school district and vendor governing student data collection, use, storage, and protection.
What Does DPA Stand For?
DPA stands for Data Privacy Agreement. In K-12 education procurement, a DPA is a legally binding contract between a school district (or other education agency) and a technology vendor that governs how student data will be collected, used, stored, shared, and ultimately deleted.
DPAs have become a critical part of EdTech sales. As student data privacy regulations have expanded at both federal and state levels, districts increasingly require a signed DPA before approving any technology product that touches student information.
What a DPA Covers
A typical DPA includes the following sections:
- Data collection scope. What student data the vendor will access and why. This includes personally identifiable information (PII) like names, student IDs, grades, and behavioral records.
- Purpose limitation. Data can only be used for the purposes defined in the agreement. Vendors cannot use student data for advertising, profiling, or any purpose beyond delivering the contracted service.
- Data security requirements. Technical and organizational measures the vendor must implement: encryption, access controls, employee training, and incident response procedures.
- Subprocessor disclosure. If the vendor shares data with third parties (cloud hosting, analytics providers), the DPA must identify those subprocessors and ensure they meet the same security standards.
- Data retention and deletion. How long the vendor retains student data and the process for deleting it when the contract ends or the district requests it.
- Breach notification. The timeline and process for notifying the district if a data breach occurs. Most DPAs require notification within 24 to 72 hours.
- Parental rights. How the vendor supports parental access requests and opt-out requirements under FERPA and state law.
The SDPC National DPA
The Student Data Privacy Consortium (SDPC) developed a standardized National DPA template that has been adopted by many states. The SDPC template includes:
- A standard agreement form with consistent legal language
- Exhibit A: a checklist of data elements the vendor will access
- Exhibit B: security assessment questionnaire
- Exhibit C: general terms including breach notification and data deletion
- State-specific addenda that layer additional requirements on top of the national template
Pre-signing the SDPC National DPA is one of the most effective things an EdTech vendor can do to accelerate sales. Districts in participating states can adopt a vendor's pre-signed DPA without negotiating from scratch.
State-by-State DPA Requirements
DPA requirements vary significantly by state. Some key examples:
| State | Requirement | Key Law |
| --- | --- | --- |
| California | Strict data minimization, parental consent for certain data | SOPIPA, CalOPPA |
| New York | Parents' Bill of Rights, mandatory DPA for all ed tech | Education Law 2-d |
| Colorado | DPA required, annual transparency reports | Student Data Transparency and Security Act |
| Connecticut | Written agreement required for all student data access | PA 16-189 |
| Illinois | Parental consent for certain data collection | SOPPA |
Many other states have adopted the SDPC framework or enacted their own student data privacy laws. The trend is clearly toward more regulation, not less.
DPA vs. BAA (Business Associate Agreement)
| Factor | DPA | BAA |
| --- | --- | --- |
| Governs | Student education records | Protected health information (PHI) |
| Required by | FERPA, state privacy laws | HIPAA |
| Applies to | EdTech vendors, school districts | Healthcare vendors, covered entities |
| Key obligation | Protect student PII, limit data use | Protect PHI, breach notification |
Some products that serve both education and healthcare (e.g., school-based mental health platforms) may need both a DPA and a BAA.
How Vendors Should Prepare
- Pre-sign the SDPC National DPA. This is the single most impactful step. It signals readiness and eliminates weeks of negotiation with districts in participating states.
- Build a privacy page on your website. List your DPA status, link to your signed agreements, and publish your security certifications.
- Complete Exhibit B proactively. The SDPC security questionnaire is detailed. Having it completed before a district asks saves time during procurement.
- Know your state requirements. If you sell in California, New York, or Colorado, understand the specific state addenda and requirements that go beyond the national template.
- Train your sales team. Reps should understand what a DPA is, why districts require it, and how to navigate the signing process without creating legal bottlenecks.
The DPA Signing Process
- District identifies a new technology product for classroom or administrative use
- District's data privacy officer requests the vendor's DPA status
- Vendor provides pre-signed SDPC DPA or enters negotiation on a custom DPA
- District reviews the agreement, data elements checklist, and security assessment
- Both parties sign. With a pre-signed SDPC template, this can happen in days. Custom negotiations can take weeks to months.
- Product is approved for use in the district
Having pre-signed DPA templates ready is a competitive advantage. Vendors who can say "we're already signed" move faster than vendors who need to start the process from scratch.
NationGraph tracks compliance requirements across SLED agencies, helping vendors identify which districts require signed DPAs and what state-specific data privacy rules apply before engaging.
Frequently Asked Questions
What does DPA stand for?
DPA stands for Data Privacy Agreement. It is a contract between a school district and a vendor that governs how student data will be collected, used, stored, and protected.
Do all EdTech vendors need a DPA?
If your product accesses student data, most states require a signed DPA. Even in states without a mandate, districts increasingly require them.
What is the SDPC National DPA?
A standardized DPA template from the Student Data Privacy Consortium, adopted by many states. Pre-signing it speeds up the process with districts in participating states.
How does a DPA relate to FERPA?
The DPA is the legal mechanism that implements FERPA's school official exception. It documents how the vendor will handle student records in compliance with federal privacy law.
How long does it take to sign a DPA?
With a pre-signed SDPC template, days. Custom DPA negotiations can take weeks to months. Having templates ready is a competitive advantage.