Data Processing Agreement
Level Up Classroom Inc. — Last updated April 2026
1. Parties & Scope
This Data Processing Agreement ("DPA") is entered into between the educational institution or school board ("Data Controller") and Level Up Classroom Inc. ("Data Processor"), an Ontario corporation operating the platforms LevelUpClassroom.com and OSSLTPrep.com.
This agreement governs the processing of student personal information by the Data Processor on behalf of the Data Controller in connection with the educational services provided by both platforms.
2. Definitions
- "Student Data" means any personal information relating to an identified or identifiable student, including names, student numbers, grades, attendance records, assessment responses, and written work.
- "Processing" means any operation performed on Student Data, including collection, storage, retrieval, use, disclosure, or deletion.
- "Services" means the Level Up Classroom platform (classroom management, gradebook, attendance, timetabling, gamification, AI-assisted report generation) and OSSLTPrep platform (OSSLT practice tests, Literacy Dojo, AI essay grading).
3. Data Collected
Level Up Classroom collects:
- Student names (or anonymous nicknames in Privacy Mode), student numbers, email addresses (optional)
- Ontario Education Numbers (OENs) — optional, at school board/administrator discretion for SIS integration
- Parent/guardian contact information (optional — name, email, phone)
- Grades, assessment scores, learning skills evaluations, attendance records
- Assignment submissions (Google Drive links), class stream activity
- OSSLT practice test responses, scores, and AI-generated feedback
Level Up Classroom does NOT collect:
- Student home addresses or phone numbers
- Location data, browser history, or device identifiers
- Camera, microphone, biometric, or audio data
- Contact lists, personal files, or social media profiles
- Payment information from students (billing is teacher/board only via Stripe)
4. Purpose of Processing
Student Data is processed solely for providing the educational services described in Section 2, including:
- Delivering classroom management tools (gradebook, attendance, timetable)
- Enabling student access to grades, assignments, and class activities
- Generating AI-powered report card comments (student first names and aggregate grade data only)
- Delivering OSSLT practice tests with automated scoring and AI essay feedback
- Providing Literacy Dojo practice exercises with AI-generated feedback
- Generating progress reports and data exports for teachers and administrators
Student Data is never sold, used for advertising, used for profiling, shared with third parties for marketing purposes, or used to train AI models.
5. Sub-Processors
The Data Processor uses the following sub-processors:
| Provider | Purpose | Data Location | Student PII Processed |
|---|---|---|---|
| Google Firebase / Google Cloud | Database storage, authentication, file hosting | Toronto, Canada (northamerica-northeast1) | Yes — all stored student data |
| Anthropic (Claude AI) | AI report comments, essay grading, educational content generation (Level Up Classroom) | United States | First names only (report comments); no PII for other features. Anthropic does not retain API data or use it for training. |
| OpenAI | AI essay grading, writing feedback (OSSLTPrep) | United States | Student written responses only — no names or identifying information. OpenAI API data is not used for model training (API terms). |
| Stripe | Subscription billing for teachers/boards | United States | None — teacher/board billing only, no student data |
| Netlify | Web hosting, serverless functions | United States | Transient only — data passes through serverless functions but is not stored by Netlify |
The Data Processor will notify the Data Controller before adding any new sub-processor that handles Student Data.
6. Security Measures
- Encryption at rest: AES-256 via Google Cloud KMS (always on, cannot be disabled)
- Encryption in transit: TLS 1.2+ enforced on all connections
- Access control: Firestore Security Rules enforce role-based access — teachers see only their classes, students see only their enrolled classes, administrators see only their school's data
- Authentication: Firebase Authentication with OAuth 2.0, short-lived tokens (1 hour) with automatic refresh
- API security: AI API keys stored server-side only, rate-limited (20 requests/hour/IP), restricted to authorized origins
- Audit logging: Administrative actions (staff changes, timetable operations, configuration) are logged with actor identity and timestamp
- Automated cleanup: Nightly scheduled process deletes expired archived data and stale invitations
7. Data Retention & Deletion
- Student Data is retained for the duration of the Data Controller's active account
- Archived classes are automatically deleted after the plan-based retention period by a nightly scheduled process
- Upon termination of the agreement, all Student Data associated with the Data Controller will be permanently deleted within 90 days, or returned in a standard format (CSV) upon written request
- The Data Controller or individual students/parents may request deletion of specific student records at any time by contacting reece@levelupclassroom.com
- Backup data is stored within the same Google Cloud Toronto region and follows the same deletion timeline
8. Data Subject Rights
The Data Processor will assist the Data Controller in fulfilling data subject requests including:
- Access: Provide copies of all personal data held for a specific student
- Correction: Correct inaccurate personal information
- Deletion: Permanently delete a student's data upon request
- Export: Provide student data in standard formats (CSV)
- AI Opt-out: Disable AI features for specific students upon request. Teachers can toggle AI opt-out per student in the platform, which blocks AI-generated report comments and feedback for that student.
Requests will be fulfilled within 30 days of receipt.
9. Breach Notification
In the event of a confirmed data breach affecting Student Data, the Data Processor will:
- Notify the Data Controller within 72 hours of confirming the breach
- Provide details of the scope, affected data, and remediation steps taken
- Notify the Office of the Privacy Commissioner of Canada if required under PIPEDA
- Cooperate fully with the Data Controller's incident response procedures
- Maintain breach records for a minimum of 24 months
See our full Breach Response Protocol for detailed procedures.
10. Data Ownership
The Data Controller retains full ownership of all Student Data at all times. The Data Processor does not claim any ownership rights over student records, grades, attendance data, or any other educational information. Students retain ownership of all content they create (assignments, essays, written responses).
11. Compliance
This DPA is designed to comply with:
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
- Applicable Ontario education privacy standards
12. Term & Termination
This DPA is effective for the duration of the Data Controller's use of the Services. Either party may terminate this agreement with 30 days written notice. Upon termination, the Data Processor will delete or return all Student Data as described in Section 7.
13. Contact
Privacy Officer: Reece Cantelon
Email: reece@levelupclassroom.com
Entity: Level Up Classroom Inc., Ontario, Canada
Signatures
Data Controller (School Board / Institution)
Name & Title
Organization
Signature & Date
Data Processor (Level Up Classroom Inc.)
Reece Cantelon, Privacy Officer
Level Up Classroom Inc.
Signature & Date
Level Up Classroom Inc. — levelupclassroom.com — reece@levelupclassroom.com
This document applies to all products operated by Level Up Classroom Inc.