Data Processing Agreement
TL;DR: A DPA is a contract governing how we process your organization’s data. Educational institutions (FERPA), GDPR-covered organizations, and enterprise customers typically need one. Request at legal@scrubcampus.com - no extra cost.
Overview
A Data Processing Agreement (DPA) is a legally binding contract between ScrubCampus (as the data processor) and your organization (as the data controller) that governs how we process personal data on your behalf.
Who Needs a DPA
Quick Reference
| Organization Type | Need DPA? | Reason |
|---|---|---|
| U.S. Educational Institution | Yes | FERPA compliance |
| EU/UK Organization | Yes | GDPR requirement |
| Healthcare Organization (PHI) | Yes | HIPAA/BAA required |
| Enterprise with compliance policies | Likely | Internal requirements |
| Individual user | No | Personal use |
| Small organization (no personal data) | No | No data processing |
Educational Institutions
- FERPA Compliance: U.S. educational institutions that share student education records with ScrubCampus typically need a written agreement ensuring we act as a “school official” under FERPA
- State Laws: Many states have additional student privacy laws requiring data agreements with education technology vendors
Organizations Processing EU/UK Personal Data
- GDPR Requirement: If your organization is subject to the General Data Protection Regulation (GDPR) and shares personal data with us, you are legally required to have a DPA in place
- UK GDPR: Similar requirements apply under the UK’s data protection framework
Healthcare Organizations
- HIPAA: Healthcare organizations that may share Protected Health Information (PHI) need a Business Associate Agreement (BAA)
Enterprise Customers
- Corporate Policies: Many organizations have internal policies requiring DPAs with all vendors that process employee or customer data
- Compliance Requirements: Industry-specific regulations may require formal data processing agreements
If you’re unsure whether you need a DPA, please contact us at legal@scrubcampus.com and we’ll help you determine the appropriate arrangement.
What Our DPA Covers
| Area | Coverage |
|---|---|
| Scope | Clear definitions, data categories, processing purposes |
| Instructions | Processing only per your documented instructions |
| Security | Technical & organizational measures (see Security) |
| Subprocessors | List, notification of changes, objection rights |
| Data Subject Rights | Assistance with access, rectification, deletion requests |
| Breach Notification | Within 72 hours with full details |
| Audit Rights | Your right to audit, acceptance of SOC 2/ISO 27001 |
| Data Return/Deletion | Return or certify deletion upon termination |
| International Transfers | Standard Contractual Clauses (SCCs) included |
Requesting a DPA
Contact
- Email: legal@scrubcampus.com
- Subject Line: DPA Request - [Your Organization Name]
Information to Include
| Category | Details Needed |
|---|---|
| Organization | Full legal name, address, primary contact |
| Agreement Type | Standard DPA, DPA+FERPA, BAA (HIPAA), or custom |
| Regulations | GDPR, FERPA, state laws, etc. |
| Timeline | When you need the agreement in place |
Response Time
| Request Type | Timeline |
|---|---|
| Standard DPA | 5 business days |
| Custom requests | 2-4 weeks |
Standard Terms
Regulatory Compliance
| Regulation | How Our DPA Addresses It |
|---|---|
| GDPR | Article 28 compliant, SCCs (Commission Decision 2021/914), supplementary measures |
| FERPA | School official status, no re-disclosure, security safeguards |
| California (SOPIPA, AB 1584) | Student privacy protections included |
| New York (Education Law 2-d) | Data security and privacy requirements |
| Colorado (Student Data Transparency) | Transparency and security requirements |
Enterprise Customers
When Custom Terms May Be Needed
| Situation | Custom DPA? |
|---|---|
| Non-standard compliance requirements | Yes |
| Specific audit rights needed | Yes |
| Particular indemnification terms | Yes |
| Industry-specific regulations | Yes |
| Specific data residency requirements | Yes |
Enterprise Process
- Initial Consultation - Contact us to discuss your requirements
- Requirements Review - Our legal team reviews your specific needs
- Negotiation - Work with your legal team to address requirements
- Execution - Final agreement signing by authorized representatives
Contact: enterprise@scrubcampus.com
Frequently Asked Questions
Can I use my organization's DPA template?
We prefer to use our standard DPA as it has been designed for our specific services and reviewed for compliance. However, for enterprise customers, we can review your template and discuss incorporating key provisions.
Is there a cost for a DPA?
No, we provide DPAs at no additional cost as part of our commitment to data protection compliance.
Do I need a separate DPA for each campus or department?
Typically, one DPA covers your entire organization. If different entities within your organization have separate legal identities, each may need its own agreement.
How often is the DPA updated?
We review our standard DPA annually and update it when regulations change or our services evolve significantly. We notify existing customers of material changes.
Can the DPA be signed electronically?
Yes, we accept electronic signatures for DPA execution.
What happens to our DPA if we cancel our subscription?
The DPA remains in effect for any personal data we continue to process (e.g., during wind-down or retention periods) and terminates when all personal data has been deleted or returned.
Contact Us
| Team | Email | For |
|---|---|---|
| Legal | legal@scrubcampus.com | DPA requests, legal inquiries |
| Privacy | privacy@scrubcampus.com | Privacy questions |
| Enterprise | enterprise@scrubcampus.com | Enterprise sales |
| DPO | dpo@scrubcampus.com | Data protection officer |