For schools & districts

Data Processing Agreement

Last updated: May 26, 2026

Need a signed DPA right now?

Our public DPA template is being finalized. While we wrap it up, our team will send you the current draft, redline against your district’s template, and return a signed copy.

Request a signed DPA

A Data Processing Agreement (DPA) sets out how Brevlex, acting as a processor, handles personal data on behalf of a school, district, or organization that uses Brevlex for Educators. It covers the categories of data we process, the purposes of processing, security measures, subprocessors, breach notification, and data subject rights.

We are currently finalizing a public, downloadable DPA template that incorporates FERPA, COPPA, and applicable state student privacy law requirements (including the Student Data Privacy Consortium’s National DPA framework where relevant).

What you can do today

Request the current draft — email sales@brevlex.com and we will send our latest DPA draft, typically within one business day.
Send us your district’s template — most districts have a preferred DPA form. We will review, redline, and return a signed copy.
Sign before your first PO — we sign a DPA before any paid pilot or purchase order. No district data should land in Brevlex without one in place.

What the DPA will cover

Roles — district as controller, Brevlex as processor.
Categories of data — educator and student account data, class roster information, learning progress, and synthetic student emails of the form student_{id}@classroom.local.
Purposes of processing — providing the learning platform, generating AI-personalized sentences, supporting educators, and producing aggregated, de-identified product analytics.
Security measures — TLS 1.2+ in transit; passwords bcrypt-hashed and TOTP secrets AES-256-GCM-encrypted at the application layer; the Postgres data volume runs on droplet local disk and is not encrypted at rest by default (see /legal/subprocessors for our full encryption attestation); hashed tokens (SHA-256); two-factor authentication for staff; access controls; audit logging; and routine vulnerability review.
Subprocessors — current list maintained at /legal/subprocessors. Districts receive notice before a new subprocessor is added.
Data location — primary processing in the United States.
Retention and deletion — data deleted at the end of the subscription term or on written request, with confirmation of deletion provided to the district.
Breach notification — without undue delay, and in any event within the timelines required by applicable state student privacy law.
Data subject rights — support for parental review, correction, and deletion requests routed through the district.
Audit and assistance — Brevlex assists the district with security questionnaires, parent inquiries, and regulator requests.

Contact

To request a signed DPA, send your district’s template, or ask a question about this agreement, contact:

sales@brevlex.com

Ready to move forward?

We typically return a signed DPA within one to three business days.

Request a signed DPA

What you can do today

Request the current draft — email sales@brevlex.com and we will send our latest DPA draft, typically within one business day.

Send us your district’s template — most districts have a preferred DPA form. We will review, redline, and return a signed copy.

Sign before your first PO — we sign a DPA before any paid pilot or purchase order. No district data should land in Brevlex without one in place.

What the DPA will cover

Roles — district as controller, Brevlex as processor.

Categories of data — educator and student account data, class roster information, learning progress, and synthetic student emails of the form student_{id}@classroom.local.

Purposes of processing — providing the learning platform, generating AI-personalized sentences, supporting educators, and producing aggregated, de-identified product analytics.

Security measures — TLS 1.2+ in transit; passwords bcrypt-hashed and TOTP secrets AES-256-GCM-encrypted at the application layer; the Postgres data volume runs on droplet local disk and is not encrypted at rest by default (see /legal/subprocessors for our full encryption attestation); hashed tokens (SHA-256); two-factor authentication for staff; access controls; audit logging; and routine vulnerability review.

Subprocessors — current list maintained at /legal/subprocessors. Districts receive notice before a new subprocessor is added.

Data location — primary processing in the United States.

Retention and deletion — data deleted at the end of the subscription term or on written request, with confirmation of deletion provided to the district.

Breach notification — without undue delay, and in any event within the timelines required by applicable state student privacy law.

Data subject rights — support for parental review, correction, and deletion requests routed through the district.

Audit and assistance — Brevlex assists the district with security questionnaires, parent inquiries, and regulator requests.

Data Processing Agreement

What you can do today

What the DPA will cover

Related documents

Contact

Data Processing Agreement

What you can do today

What the DPA will cover

Related documents

Contact