Chalk

Data Processing Addendum

Last updated 2026-05-14

This Data Processing Addendum ("DPA") forms part of the agreement between the school district ("District" or "Controller") and Chalk ("Processor") for use of the hosted Chalk service ("Service"). It governs processing of personal data carried out by the Processor on behalf of the Controller.

1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person processed under this DPA.
  • Controller — the District that determines the purposes and means of processing.
  • Processor — Chalk, processing Personal Data on the Controller's behalf.
  • Sub-processor — any third party engaged by the Processor to process Personal Data.
  • Data Subject — the individual to whom Personal Data relates.

2. Scope and roles

The District is the Controller of all Personal Data it submits to or syncs through the Service. Chalk acts as Processor and processes Personal Data only on documented instructions from the Controller, as set out in this DPA and the Service configuration.

3. Categories of data

  • Student roster: names, school-issued email, grade level, enrollments, class assignments.
  • Student demographics (race, gender, IEP/504, ELL status) — only if the District opts in.
  • Staff roster: names, work email, role/title, school assignments.
  • Class and section data: course codes, terms, periods, locations.
  • Identifier data: SIS source IDs, OneRoster sourcedIds, SAML NameIDs.

4. Categories of data subjects

  • Students enrolled at the District.
  • Teachers and other District staff.
  • Parents or guardians, where the District elects to sync guardian relationships.

5. Purpose of processing

Personal Data is processed solely to deliver the Service: sync rosters between systems, provision identity, generate badges and credentials, write audit logs, and maintain operational telemetry. The Processor does not use Personal Data for advertising, profiling, resale, or model training.

6. Confidentiality

The Processor ensures that personnel authorized to process Personal Data are bound by confidentiality obligations and have received appropriate training on data-protection responsibilities.

7. Sub-processors

The Processor uses the following Sub-processors. The Controller consents to their engagement and will be notified at least 30 days before any new Sub-processor begins processing Personal Data. The Controller may object during the notice period on reasonable data-protection grounds; if the parties cannot agree on a resolution, the Controller may terminate the Service without penalty.

  • Cloudflare — CDN, DDoS protection, Turnstile bot challenge.
  • Postmark — transactional email delivery.
  • Hosting provider [placeholder — confirm with counsel] — compute, managed database, and object storage.

The Processor remains liable for the acts and omissions of its Sub-processors to the same extent as for its own acts.

8. Security measures

The Processor implements appropriate technical and organizational measures, including:

  • AES-256-GCM encryption at rest for credentials, tokens, SAML keypairs, and OIDC JWKs.
  • TLS 1.2+ for data in transit.
  • Per-tenant database schema isolation in Postgres.
  • Master-key rotation supported without service downtime.
  • Audit logging of logins, password changes, badge events, admin actions, and tenant provisioning.
  • Argon2 password hashing and CSRF tokens on state-changing requests.
  • Least-privilege access controls for Processor personnel.

9. Assistance with data-subject rights

The Processor will provide reasonable assistance to the Controller in responding to data-subject requests for access, correction, deletion, restriction, portability, and objection within the timeframes required by applicable law. Requests directed to the Processor will be forwarded to the Controller without undue delay.

10. Incident notification

The Processor will notify the Controller without undue delay, and in any case within 72 hours of confirmation, of any personal-data breach affecting the Controller's data. Notification will describe the nature and scope of the breach, the categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.

11. International data transfers

The hosted Service operates from data centers in the United States. Where Personal Data is transferred from a jurisdiction that requires a transfer mechanism, the parties agree to incorporate the applicable Standard Contractual Clauses or equivalent safeguards by reference.

12. Audit rights

On reasonable written request, the Processor will provide information necessary to demonstrate compliance with this DPA, including third-party audit reports where available (e.g., SOC 2 once obtained). On-site audits may be conducted no more than once per year, with at least 30 days notice, during business hours, and subject to confidentiality.

13. Return and deletion

On termination of the Service the Controller may export all Personal Data via the Service's standard export tools. The Processor will delete Personal Data and all copies within 30 days of termination, except where retention is required by law. Encrypted backups age out on a 30-day rolling window.

14. Term and survival

This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. Provisions intended to survive termination (security, deletion, confidentiality) survive accordingly.

15. Order of precedence

If this DPA conflicts with the Terms of Service, this DPA controls with respect to the processing of Personal Data.

16. Signed DPA on request

Districts may request a counter-signed PDF version of this DPA from sales@usechalk.xyz.