Data Processing Agreement
Version 1.0 — Effective April 15, 2026 | KIRUNIVERSE LLC, Brooklyn, New York
This Data Processing Agreement (“DPA”) is entered into between KIRUNIVERSE LLC, a limited liability company organized under the laws of the State of New York, headquartered in Brooklyn, New York (“Provider”), and the school, school district, or educational institution identified in the applicable Order Form or subscription agreement (“School”). This DPA governs the processing of Student Data by KIRUNIVERSE LLC on behalf of the School in connection with the kidHQ platform. It supplements the Terms of Service. In the event of a conflict, this DPA controls with respect to data protection matters.
The parties agree that KIRUNIVERSE LLC acts as a service provider and, for purposes of FERPA, as a “school official” with a “legitimate educational interest” in Student Data, as those terms are defined under FERPA and its implementing regulations at 34 C.F.R. Part 99.
1. Definitions
“COPPA” means the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, and its implementing regulations at 16 C.F.R. Part 312.
“FERPA” means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations at 34 C.F.R. Part 99.
“NY Education Law 2-d” means New York Education Law Section 2-d and its implementing regulations at 8 N.Y.C.R.R. Part 121.
“Personal Data” means any information that identifies or could reasonably be used to identify an individual, including Student Data.
“Student Data” means any personally identifiable information contained in a student’s education record, as defined by FERPA, that is provided to or generated through the kidHQ platform by or on behalf of the School.
“Subprocessor” means any third-party service provider engaged by KIRUNIVERSE LLC that processes Student Data in connection with providing the kidHQ platform.
“Services” means the kidHQ school communication and administration platform and all related services provided by KIRUNIVERSE LLC to the School under the Terms of Service.
2. Roles and responsibilities
The School is the data controller for Student Data. The School determines the purposes and means by which Student Data is collected and used in connection with the School’s educational mission.
KIRUNIVERSE LLC is a data processor and service provider acting on behalf of and under the instruction of the School. KIRUNIVERSE LLC processes Student Data only as directed by the School and as necessary to provide the Services.
For purposes of FERPA, the School designates KIRUNIVERSE LLC as a school official with a legitimate educational interest in Student Data to the extent necessary to provide the Services. KIRUNIVERSE LLC agrees to be subject to the requirements of FERPA in the same manner as a school official under 34 C.F.R. § 99.33(a)(2).
The School represents and warrants that it has the legal authority to provide Student Data to KIRUNIVERSE LLC, that it has complied with all applicable notice and consent requirements under FERPA and COPPA prior to providing Student Data, and that its use of the Services complies with all applicable law.
3. Permitted purposes
KIRUNIVERSE LLC may process Student Data solely for the following purposes: providing, maintaining, and improving the Services as described in the Terms of Service; communicating with the School and its authorized users about the Services; complying with applicable law; and as otherwise expressly directed in writing by the School.
KIRUNIVERSE LLC will not process Student Data for any of the following purposes: advertising or marketing to students, parents, or guardians; developing commercial products or services unrelated to the Services; selling, renting, leasing, or otherwise disclosing Student Data to any third party for commercial purposes; building profiles about students for purposes unrelated to the School’s educational mission; training generative artificial intelligence models; or any purpose not expressly permitted by this DPA.
4. Confidentiality
KIRUNIVERSE LLC will maintain the confidentiality of all Student Data and will not disclose Student Data to any person or entity except as permitted by this DPA, required by applicable law, or expressly directed in writing by the School.
KIRUNIVERSE LLC will ensure that all personnel who have access to Student Data are subject to written confidentiality obligations and have received appropriate training on data privacy and security requirements.
5. Security
KIRUNIVERSE LLC will implement and maintain technical and organizational security measures appropriate to the nature and sensitivity of the Student Data processed, including at minimum: encrypted data transmission using TLS 1.2 or higher; encrypted data storage using AES-256 at the database layer; role-based access controls limiting access to Student Data to authorized personnel only; row-level database security preventing cross-school data access; comprehensive audit logging of all administrative actions; regular security reviews and vulnerability assessments; and incident response procedures.
KIRUNIVERSE LLC’s infrastructure is hosted on Supabase (database and authentication) and Vercel (application hosting), both of which maintain SOC 2 Type 2 certification. Payment processing is handled by Stripe, Inc., which is PCI DSS Level 1 certified.
6. Subprocessors
KIRUNIVERSE LLC engages the following Subprocessors in connection with the Services. Each Subprocessor is bound by written agreements requiring data protection standards at least as protective as those in this DPA:
Supabase, Inc. — database infrastructure, authentication, and storage — United States
Vercel, Inc. — application hosting and deployment — United States
Stripe, Inc. — payment processing — United States
Google LLC — calendar integration and transactional email delivery — United States
KIRUNIVERSE LLC will notify the School at least 30 days in advance of adding or replacing any Subprocessor that will have access to Student Data. The School may object to any new Subprocessor by providing written notice within 14 days of receiving notification. If the School objects and the parties cannot reach a resolution, the School may terminate the agreement for cause with a prorated refund of prepaid fees for the unused term.
7. Data subject rights
The School is responsible for responding to requests from parents, guardians, and eligible students to inspect, amend, or delete Student Data under FERPA, COPPA, and applicable state law. KIRUNIVERSE LLC will provide reasonable assistance to the School in responding to such requests within a timeframe that enables the School to meet its legal obligations. KIRUNIVERSE LLC will not respond directly to data subject requests regarding Student Data without prior authorization from the School except as required by applicable law.
8. Breach notification
In the event of a confirmed or reasonably suspected breach of security affecting Student Data, KIRUNIVERSE LLC will notify the School without undue delay and in no event later than 72 hours after becoming aware of the breach. Notification will include: a description of the nature of the breach; the categories and approximate number of individuals affected; the categories and approximate volume of Student Data affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.
KIRUNIVERSE LLC will cooperate with the School in meeting the School’s breach notification obligations under NY Education Law 2-d, FERPA, and applicable state breach notification statutes.
9. New York Education Law 2-d
This DPA constitutes a written agreement for purposes of NY Education Law Section 2-d. KIRUNIVERSE LLC agrees to comply with all requirements of NY Education Law 2-d and its implementing regulations at 8 N.Y.C.R.R. Part 121, including the obligation to limit access to Student Data to those with a legitimate educational interest, the prohibition on selling or disclosing Student Data, and the requirement to maintain a data security program consistent with industry standards.
KIRUNIVERSE LLC’s Parents’ Bill of Rights for Data Privacy and Security, available at kidhq.app/legal/parents-bill-of-rights, is incorporated by reference into this DPA and must be made available to parents and guardians of students enrolled at the School.
The School must include a link to KIRUNIVERSE LLC’s Parents’ Bill of Rights in its own annual notification to parents, or otherwise ensure that parents receive the required notice under NY Education Law 2-d.
10. COPPA
Where the School uses the Services with students under the age of 13, the School represents and warrants that it has provided all required notices to parents and obtained all required consents under COPPA, or that it is acting as the agent of parents for purposes of providing consent under the school consent mechanism described in the FTC’s COPPA Rule at 16 C.F.R. § 312.5(b)(1). KIRUNIVERSE LLC relies on the School’s representation and authorization to provide access to the Services to students under 13.
11. Retention and deletion
KIRUNIVERSE LLC will retain Student Data only for as long as necessary to provide the Services or as required by applicable law. Upon termination or expiration of the agreement between the parties, KIRUNIVERSE LLC will, at the School’s election, return all Student Data to the School in a portable format or securely delete all Student Data within 60 days of the termination date, and will provide the School with written confirmation of deletion upon request.
KIRUNIVERSE LLC may retain anonymized, aggregated data that cannot reasonably be used to identify individual students indefinitely for product improvement purposes, provided that such data does not constitute Student Data.
12. Audit rights
The School may, upon reasonable prior written notice of at least 14 days and no more than once per calendar year, request that KIRUNIVERSE LLC provide documentation demonstrating compliance with this DPA, including security certifications, subprocessor agreements (subject to confidentiality redactions), and relevant audit logs. KIRUNIVERSE LLC will respond to such requests within 30 days.
13. Term and termination
This DPA remains in effect for the duration of the agreement between the parties and terminates automatically upon termination or expiration of the Terms of Service, subject to Section 11 (Retention and deletion). Sections 4 (Confidentiality), 5 (Security), 8 (Breach notification), and 11 (Retention and deletion) survive termination.
14. Governing law
This DPA is governed by the laws of the State of New York, without regard to conflict of laws principles. Disputes arising under this DPA are subject to the dispute resolution provisions of the Terms of Service.
15. Execution
This DPA is effective upon the School’s execution of the Order Form or completion of the signup process on kidhq.app. Electronic acceptance constitutes a valid and binding signature for purposes of this DPA. A countersigned copy of this DPA is available upon request by contacting privacy@kiruniverse.com.
KIRUNIVERSE LLC | Brooklyn, New York, United States | privacy@kiruniverse.com | kidhq.app