Data Processing Agreement
School Data Processing Agreement
This agreement formally designates DetermiNext (Serbesa Software LLC) as a school official under FERPA (34 CFR § 99.31(a)(1)). It defines what student data is processed, how it is protected, and the rights of the school.
Required for all campus and district accounts. Individual teacher trial accounts are governed by the Privacy Policy and Terms of Service.
Executed agreements are countersigned by Serbesa Software LLC and returned within 5 business days.
This Data Processing Agreement ("Agreement") is entered into between Serbesa Software LLC, a Nevada limited liability company operating as DetermiNext ("Processor"), and the school, district, or educational institution identified in the signature block below ("Controller"). This Agreement is effective as of the date both parties have signed below ("Effective Date").
1. Definitions
1.1 "FERPA" means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations at 34 CFR Part 99.
1.2 "Education Records" means records, files, documents, and other materials that contain information directly related to a student and are maintained by the Controller, as defined under FERPA.
1.3 "Student PII" means personally identifiable information from education records as defined under 34 CFR § 99.3, including but not limited to student names, usernames, and assessment data.
1.4 "Service" means the DetermiNext transition planning assessment platform provided by Serbesa Software LLC.
1.5 "Legitimate Educational Interest" means the interest the Processor has in processing Student PII for the sole purpose of providing the Service under the direction of the Controller.
2. Designation as School Official
2.1 The Controller hereby designates Serbesa Software LLC as a "school official with a legitimate educational interest" as that term is used in FERPA (34 CFR § 99.31(a)(1)) for the purpose of providing the Service.
2.2 In accordance with this designation, Serbesa Software LLC agrees to:
- (a) Use Education Records and Student PII only to provide the Service and for no other purpose;
- (b) Not re-disclose Education Records or Student PII to any party other than the designated subprocessors listed in Section 6, without prior written authorisation from the Controller;
- (c) Remain under the direct control of the Controller with respect to the use and maintenance of Education Records;
- (d) Comply with FERPA requirements applicable to school officials with respect to the Student PII it processes.
2.3 The Controller retains ownership of all Education Records and Student PII at all times. This Agreement does not transfer ownership of any student data to Serbesa Software LLC.
3. Categories of Student Data Processed
Serbesa Software LLC processes the following categories of Student PII under this Agreement:
- Student first and last name
- Student username and assessment code
- Assessment responses (career interest and transition planning answers)
- AI-generated transition planning reports
- Assessment attempt history and completion status
- Launch access records and timestamps
- School and teacher associations (school_id, teacher_id)
4. Permitted Uses
Serbesa Software LLC may process Student PII solely to:
- (a) Provide the transition planning assessment Service to the Controller;
- (b) Generate AI-assisted transition planning reports for teacher review using the Google Gemini API (see Section 6);
- (c) Maintain classroom records accessible to the Controller's authorised staff;
- (d) Provide technical support to the Controller's account.
5. Prohibited Uses
Serbesa Software LLC shall not:
- (a) Sell, rent, or otherwise transfer Student PII to any third party;
- (b) Use Student PII for advertising, marketing, or targeted content directed at students;
- (c) Build student profiles beyond what is necessary to provide the Service;
- (d) Use Student PII to train, fine-tune, test, or otherwise improve any AI or machine learning model;
- (e) Disclose Student PII to any party not listed as a subprocessor in Section 6, except as required by law or with prior written authorisation from the Controller.
6. Subprocessors
The Controller consents to Serbesa Software LLC engaging the following subprocessors to process Student PII:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google LLC (Gemini API) | AI-assisted transition planning report generation | United States |
| Railway Inc. | Database hosting and infrastructure | United States |
Serbesa Software LLC will provide 30 days' written notice to the Controller before adding any new subprocessor that will process Student PII. The Controller may object within that period; if the parties cannot resolve the objection, the Controller may terminate this Agreement without penalty.
All subprocessors are contractually bound to data protection obligations no less protective than those in this Agreement.
7. Security Measures
Serbesa Software LLC implements and maintains the following security measures:
- (a) Encryption of all Student PII in transit via HTTPS/TLS;
- (b) Encryption of all Student PII at rest in Railway PostgreSQL;
- (c) Tenant-scoped access controls ensuring one school's data is not accessible to another;
- (d) Role-based internal access controls with audit logging of all administrative actions;
- (e) Default exclusion of raw assessment answers and report content from support exports;
- (f) Periodic internal security reviews.
8. Breach Notification
In the event of a confirmed security breach affecting Student PII, Serbesa Software LLC will:
- (a) Notify the Controller within 72 hours of discovering the breach;
- (b) Include: the nature of the breach, categories of Student PII affected, estimated number of students affected, steps taken or planned to remediate the breach, and a point of contact;
- (c) Cooperate with the Controller's reasonable requests in investigating and remediating the breach.
9. Controller Rights and Requests
The Controller may at any time request Serbesa Software LLC to:
- (a) Provide a list or export of Student PII held for the Controller's account;
- (b) Correct inaccurate Student PII;
- (c) Delete individual student records;
- (d) Delete all Student PII associated with the Controller's account.
All requests must be submitted to teng.bernabe@determinext.com and will be honoured within 30 days.
10. Data Retention and Deletion
10.1 Student PII is retained while the Controller's account is active.
10.2 Within 90 days of account closure or termination of this Agreement, Serbesa Software LLC will permanently delete all Student PII from production systems and backups.
10.3 Upon request, Serbesa Software LLC will provide written confirmation of deletion to the Controller.
10.4 Student PII may be deleted earlier if the Controller submits a deletion request under Section 9 prior to the 90-day window.
11. Controller Obligations
The Controller represents and warrants that it:
- (a) Has the legal authority under FERPA to share the Student PII described in Section 3 with Serbesa Software LLC for the purposes described in Section 4;
- (b) Has provided appropriate notice to students, parents, and guardians as required by FERPA regarding the use of education records;
- (c) Will use the Service only for lawful educational purposes consistent with FERPA and applicable state law;
- (d) Will promptly notify Serbesa Software LLC if it becomes aware of any unauthorised access to or disclosure of Student PII.
12. Term and Termination
12.1 This Agreement is effective from the Effective Date and remains in force for the duration of the Controller's use of the Service.
12.2 Either party may terminate this Agreement with 30 days' written notice.
12.3 Termination does not affect obligations of confidentiality, data deletion, or breach notification, which survive termination.
13. Governing Law
This Agreement is governed by the laws of the State of Nevada. Any disputes arising under this Agreement shall be resolved in Clark County, Nevada.
14. Entire Agreement
This Agreement, together with DetermiNext's Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the processing of Student PII and supersedes all prior agreements or understandings on this subject.
Signatures
Download the PDF to obtain a signable copy. Email the signed copy to teng.bernabe@determinext.com.
Serbesa Software LLC
Signature
Name
Title
Date
School / District
Signature
Name
Title
Institution
Date
Ready to sign?
Download the PDF above and email the signed copy to teng.bernabe@determinext.com. We countersign and return within 5 business days.