Data Processing Addendum (template)
Effective June 22, 2026
This DPA template is for enterprise and institutional customers (including schools) who need a data-protection agreement before deploying Feynman. It is a starting point to be completed and executed with counsel; it is not a signed agreement until both parties sign.
1. Roles
The Customer is the controller (or, for student data, the school acting on parents' behalf); the operator of this deployment is the processor acting only on the Customer's documented instructions. Feynman processes personal data solely to provide the Service and does not sell it or use it for advertising or model training.
2. Scope of processing
- Subject matter: provision of the Feynman educational tutor.
- Data subjects: the Customer's end users (which may include students, some under 13).
- Data categories: tutor messages submitted by users; limited technical data (IP, request logs); optional safety-event metadata. No special categories are requested by design.
3. Subprocessors
Current subprocessors are listed on the Data & subprocessors page. the operator of this deployment will give notice of new subprocessors and allow the Customer to object on reasonable data-protection grounds.
4. Security
the operator of this deployment maintains technical and organizational measures appropriate to the risk, including transport encryption, strict security headers, rate limiting, input validation, and content moderation. [Operator to attach the full security-measures schedule.]
5. Student-data commitments
- Process student data only to provide the Service to the Customer.
- No advertising to students and no profiling for non-educational purposes.
- No sale of student data; no use of student data to train models.
- Assist the Customer with access, correction, and deletion requests, and delete or return student data on termination.
- Support the Customer's obligations under FERPA, COPPA, and applicable state student-privacy laws (e.g., SOPIPA / SOPPA / NY Education Law § 2-d).
6. International transfers
Where personal data is transferred across borders, the parties will rely on an appropriate transfer mechanism (e.g., Standard Contractual Clauses). [Complete with counsel.]
7. Breach notification
the operator of this deployment will notify the Customer without undue delay after becoming aware of a personal-data breach and provide information reasonably necessary for the Customer to meet its own notification obligations.
8. Audits, deletion, and term
the operator of this deployment will make available information reasonably necessary to demonstrate compliance and will delete or return personal data at the end of the engagement, subject to legal retention requirements.
Requesting an executed DPA
To request a signed DPA for your organization, contact [set FEYNMAN_OPERATOR_CONTACT].
