Data Processing Agreement (DPA)

Effective Date: January 1, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Kids on the Yard (operated by Limitless Virtue LLC) ("Processor" or "Kids on the Yard") and the contracting school district, educational institution, or organization ("Controller" or "Client") for the provision of educational services.

1. Definitions

2. Scope and Purpose

2.1 Services Covered

This DPA applies to all Kids on the Yard services provided to Controller, including:

• Tutoring and educational support services
• Paraprofessional and staff placement
• Special education (SPED) services
• ABA therapy services
• Online and in-person educational programs

2.2 Purpose of Processing

Kids on the Yard processes Personal Data solely for:

• Providing contracted educational services
• Managing student accounts and records
• Communicating with students, parents, and school staff
• Scheduling and attendance tracking
• Progress monitoring and reporting
• Billing and administrative functions

3. Controller Obligations

3.1 Lawful Basis

Controller warrants that:

• Collection of Personal Data has a lawful basis
• Required consents have been obtained
• Data Subjects have been informed of processing activities
• Data shared with Processor is accurate and up-to-date

3.2 Instructions

Controller shall provide clear, lawful instructions for data processing. Processor will process Personal Data only according to Controller's documented instructions unless required by law.

3.3 FERPA Compliance

For U.S. educational institutions, Controller confirms:

• Processor is designated as a "school official" under FERPA
• Disclosure to Processor meets FERPA exceptions
• Controller maintains required FERPA notices

4. Processor Obligations

4.1 Processing Limitations

Kids on the Yard shall:

• Process Personal Data only as instructed by Controller
• Not sell, rent, or commercially exploit Personal Data
• Not use Personal Data for advertising or marketing without consent
• Not disclose Personal Data except as required to provide services or by law

4.2 Confidentiality

All personnel processing Personal Data:

• Are bound by confidentiality obligations
• Have received appropriate training on data protection
• Process data only on a need-to-know basis

4.3 Security Measures

Kids on the Yard implements appropriate technical and organizational measures:

Technical Measures:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Multi-factor authentication for system access
• Regular security assessments and penetration testing
• Automated threat detection and monitoring
• Secure backup and disaster recovery

Organizational Measures:

• Role-based access controls
• Background checks for personnel
• Security awareness training
• Incident response procedures
• Regular policy reviews

4.4 Sub-processors

Kids on the Yard may engage Sub-processors subject to:

• Written contract with equivalent data protection obligations
• Controller notification before engaging new Sub-processors
• Controller right to object to new Sub-processors within 30 days
• Processor liability for Sub-processor compliance

Current Sub-processors: Available upon request at [email protected]

5. Data Subject Rights

5.1 Assistance with Requests

Kids on the Yard shall assist Controller in responding to Data Subject requests to:

• Access their Personal Data
• Correct inaccurate data
• Delete their data (where applicable)
• Restrict or object to processing
• Receive data in portable format

5.2 Response Timeline

• Requests forwarded to Controller within 5 business days
• Assistance provided within 10 business days
• Controller responsible for final response to Data Subject

6. Data Breach Notification

6.1 Notification Obligations

Upon becoming aware of a Data Breach, Kids on the Yard shall:

• Notify Controller within 24 hours of discovery
• Provide details of the breach (nature, scope, affected data)
• Describe likely consequences
• Outline remedial measures taken or proposed

6.2 Cooperation

Kids on the Yard shall:

• Cooperate with Controller's investigation
• Preserve evidence for forensic analysis
• Assist with regulatory notifications
• Support remediation efforts

7. Data Retention and Deletion

7.1 Retention Period

Personal Data retained for:

• Duration of the service agreement
• Plus period required by applicable law
• Plus period specified in Data Retention Policy

7.2 Return or Deletion

Upon contract termination or Controller request:

• Return Personal Data in common format (within 30 days)
• Securely delete all copies (within 60 days)
• Provide written certification of deletion
• Exception: Data required by law may be retained with notice

8. Audits and Compliance

8.1 Audit Rights

Controller may:

• Request compliance documentation
• Conduct audits with reasonable notice (30 days)
• Engage third-party auditors (subject to confidentiality)
• Review Sub-processor compliance

8.2 Audit Costs

• Standard documentation provided at no cost
• On-site audits: Controller bears reasonable costs
• Regulatory audits: Cooperation provided at no cost

8.3 Certifications

Kids on the Yard maintains or pursues:

• SOC 2 Type II certification
• Privacy compliance assessments
• Regular security audits

9. International Transfers

9.1 Transfer Restrictions

Personal Data processed primarily in the United States. For international transfers:

• Appropriate safeguards implemented
• Standard Contractual Clauses available upon request
• Controller notified of transfer mechanisms

9.2 Government Access

If legally required to disclose Personal Data to government:

• Notify Controller unless legally prohibited
• Challenge overbroad or unlawful requests
• Minimize data disclosed

10. Special Categories

10.1 Student Data

Enhanced protections for student education records:

• FERPA compliance maintained
• Access limited to educational necessity
• No secondary commercial use
• Parental rights honored

10.2 Children's Data

For children under 13 (COPPA):

• Verifiable parental consent obtained
• Minimal data collection
• Enhanced security measures
• Prompt deletion upon request

10.3 Special Education Data

For SPED-related data:

• IDEA compliance maintained
• IEP/504 confidentiality protected
• Additional state law compliance
• Heightened access restrictions

11. Liability and Indemnification

11.1 Processor Liability

Kids on the Yard is liable for:

• Processing not in accordance with Controller instructions
• Breach of this DPA
• Sub-processor failures to the extent of Processor's obligations

11.2 Limitation

Liability is subject to limitations in the main service agreement, except that neither party limits liability for:

• Willful misconduct or gross negligence
• Breach of confidentiality obligations
• Indemnification for third-party claims arising from breach

12. Term and Termination

12.1 Term

This DPA:

• Effective upon execution of service agreement
• Continues for duration of service agreement
• Survives termination for data deletion obligations

12.2 Termination Effects

Upon termination:

• Cease processing Personal Data
• Complete data return/deletion procedures
• Provide termination certification

13. Amendments

This DPA may be amended:

• By mutual written agreement
• To comply with legal requirements (with notice)
• Updates posted to legalhub with notification

14. Contact Information

Data Protection Contact Kids on the Yard Limitless Virtue LLC 9701 NE 2nd Ave, Suite #1069 Miami Shores, Florida 33138 U.S.A

15. Governing Law

This DPA is governed by the laws of the State of Florida, United States, without regard to conflicts of law principles. Disputes shall be resolved in accordance with the dispute resolution provisions of the main service agreement.

Related Documents

• Privacy Policy
• Data Retention Policy
• Incident Response Plan
• FERPA Notice
• COPPA Procedures

To execute this DPA, please contact [email protected]