TeaganAI
TeaganAI

Data Processing Agreement (DPA)

This Data Processing Agreement governs how TeaganAI processes data on behalf of school customers (“School”) who use our platform. It is incorporated into our Terms of Service for all paid school subscribers.

1. Roles

  • School is the Data Controller — you decide what information to enter about your programs, staff, and the family inquiries you receive.
  • TeaganAI is the Data Processor — we host, store, and process that data on your instructions.

2. FERPA (educational records)

TeaganAI does notretrieve, store, or transmit official FERPA-protected educational records (IEPs, 504 plans, transcripts, behavior records) on your behalf. The lead information families share through TeaganAI is volunteered by the family and is governed by their own consent, not by FERPA's school-controlled record provisions.

If a family chooses to upload official educational documents to your school through any feature we may add (e.g., document upload), we will treat those documents as “school records” under FERPA and apply the same access controls you specify in writing.

3. Sub-processors

We use the following sub-processors:

  • Supabase (PostgreSQL hosting + auth) — US-East
  • Vercel (application hosting) — US-East
  • Anthropic (Claude AI) — US
  • Stripe (payments) — US
  • Tavily (web search grounding) — US
  • [Your SMTP provider] (transactional email)

We notify schools by email at least 30 days before adding any new sub-processor.

4. Data location & transfers

All data is stored in US-East regions of our sub-processors. We do not transfer data outside the United States.

5. Security

TLS 1.2+ in transit, AES-256 at rest, role-based access controls, MFA required for engineering access, annual third-party security review. Full details available on request: security@teaganai.tech.

6. Incident response

We notify affected schools within 72 hours of a confirmed data breach involving their data. The notice will include scope, root cause, remediation steps, and any required action on your part.

7. Data retention & return

  • Your account data is retained for the duration of your subscription.
  • On termination you may request a full data export within 30 days of cancellation. After 30 days, we permanently delete all personal data unless retention is required by law.
  • Aggregated, de-identified analytics may be retained indefinitely for product improvement.

8. Audit rights

Schools subscribed to the Enterprise tier may request an annual security audit via written notice. We will provide our most recent third-party assessment report under NDA within 30 days.

9. Contact

Email dpa@teaganai.tech or contact your TeaganAI account manager to execute a signed copy of this DPA for your records.