For institutions: This Data Processing Agreement is designed for educational institutions seeking to deploy VetFeedback.ai for their faculty. To execute a signed copy of this DPA, please contact ariana.boltax@tufts.edu.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: The educational institution or individual instructor ("Institution") using VetFeedback.ai
- Data Processor: VetFeedback.ai ("Processor")
This DPA supplements the Terms of Service and Privacy Policy and governs the processing of personal data and education records.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, including education records as defined under FERPA
- Education Records: Records directly related to a student and maintained by an educational institution, as defined under 20 U.S.C. 1232g (FERPA)
- Processing: Any operation performed on Personal Data, including collection, storage, analysis, transmission, and deletion
- Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller
3. Scope and Purpose of Processing
3.1 Categories of Data Processed
| Category | Data Elements | FERPA Relevance |
|---|
| Instructor Account Data | Name, email, institution | Not education records |
| Audio Recordings | Teaching session recordings containing instructor and student voices | May contain education records if student-identifiable |
| Transcripts | Text transcriptions of teaching sessions | May contain education records if student-identifiable |
| AI Analysis Output | Feedback quality analysis, learning outcomes, coaching recommendations | May be derived from education records |
| Source Materials | Rubrics, syllabi, course documents | Generally not education records |
3.2 Purpose
The Processor processes data solely for the purpose of:
- Transcribing audio recordings of teaching sessions
- Analyzing feedback quality using AI models
- Generating coaching recommendations for instructors
- Producing assessment templates and reports
- Delivering email reports when requested by the instructor
4. FERPA Compliance
4.1 School Official Designation
The Processor operates as a "school official" under FERPA (34 CFR 99.31(a)(1)), performing an institutional service for which the Institution would otherwise use its own employees. The Processor:
- Performs a function for which the Institution would otherwise use employees
- Is under the direct control of the Institution with respect to the use and maintenance of education records
- Uses education records only for the purposes for which disclosure was made
- Meets the criteria set forth in the Institution's annual FERPA notification for "school official"
4.2 Data Use Restrictions
The Processor shall:
- Not use education records for any purpose other than providing the Service
- Not disclose education records to any third party except as required to provide the Service (see Sub-processors below) or as required by law
- Not use education records to develop, improve, or train AI models
- Not create profiles of students based on education records
- Not sell or commercially exploit education records
5. Sub-processors
The following sub-processors are used to provide the Service. Each processes data only as needed to perform its specific function:
| Sub-processor | Function | Data Processed | Retention |
|---|
| Vercel | Hosting, AI Gateway, Blob Storage | All data in transit and at rest | As long as account is active |
| Anthropic | AI inference (Claude) | Transcript text sent for analysis | 30 days (safety), not used for training |
| Groq | Audio transcription, AI inference | Audio files, transcript text | Not retained after processing |
| Auth0 | Authentication | Email, name, login events | Per Auth0 data retention policy |
| Resend | Email delivery | Recipient email, report content | Per Resend data retention policy |
The Processor will notify the Institution before adding or replacing sub-processors. The Institution may object to a new sub-processor by contacting us within 30 days of notification.
6. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption in transit: All data transmitted via HTTPS/TLS
- Encryption at rest: File storage encrypted via Vercel Blob
- Access control: User data isolated per account; admin access restricted
- Authentication: Industry-standard authentication via Auth0
- Data isolation: Each instructor can only access their own session data
- Minimal data transfer: Only the data necessary for each processing step is sent to sub-processors
- No model training: No sub-processor uses data to train or improve AI models
7. Data Retention and Deletion
- Session data is retained for the duration of the instructor's account
- Instructors may delete individual sessions at any time
- Upon account termination or institutional request, all data is permanently deleted within 30 days
- The Institution may request a complete data export before deletion
- Sub-processor safety logs (Anthropic) expire automatically within 30 days
8. Data Breach Notification
In the event of a data breach involving education records or personal data, the Processor will:
- Notify the Institution within 72 hours of becoming aware of the breach
- Provide details of the nature and scope of the breach
- Describe the measures taken to mitigate the breach
- Cooperate with the Institution's incident response procedures
- Assist in meeting any legal notification requirements
9. Audit Rights
The Institution may request information regarding the Processor's data handling practices and security measures. The Processor will make available all information necessary to demonstrate compliance with this DPA and allow for reasonable audits upon written request with 30 days' notice.
10. Institution Obligations
The Institution agrees to:
- Include VetFeedback.ai as a "school official" in its annual FERPA notification, if required
- Ensure that instructors using the Service obtain necessary consents for recordings
- Inform the Processor of any specific data handling requirements
- Notify the Processor of any changes in applicable data protection regulations
11. Term and Termination
This DPA remains in effect for the duration of the Service agreement. Either party may terminate this DPA with 30 days' written notice. Upon termination, the Processor will delete all Institution data in accordance with Section 7 and provide written confirmation of deletion.
12. Governing Law
This DPA is governed by the laws of the Commonwealth of Massachusetts and applicable federal law, including FERPA (20 U.S.C. 1232g; 34 CFR Part 99).
13. Contact
To execute a signed copy of this DPA or discuss institutional requirements:
VetFeedback.ai
Email: ariana.boltax@tufts.edu