Data Processing Agreement

Effective June 1, 2026 · Last updated June 1, 2026

To execute a signed DPA with FormVault, contact legal@formvault.net.

1. Purpose

This Data Processing Agreement (“DPA”) governs the processing of student education records by FormVault on behalf of schools and districts (“Customer”) using the FormVault platform. It is intended to satisfy the requirements of the Family Educational Rights and Privacy Act (FERPA) and applicable state student data privacy laws.

2. Scope

This DPA applies to all schools and districts that have entered into a subscription agreement or free trial with FormVault and that upload, store, or process student education records through the Service. This DPA is incorporated by reference into FormVault’s Terms of Service.

3. Roles

Under this DPA, the Customer (school or district) is the data controller responsible for determining the purposes and means of processing student education records. FormVault is the data processor acting as a “school official” under FERPA with a legitimate educational interest. FormVault will process student data only as directed by the Customer and as necessary to provide the Service.

4. Data Processing Details

FormVault processes the following categories of student data on behalf of Customer:

  • Student names and grade levels
  • Sport participation and athletic clearance status
  • Physical examination records and physician certifications
  • Digital signatures from students, parents, and authorized signers
  • Uploaded documents (physicals, waivers, permission slips)
  • Emergency contact information as provided by parents or guardians

Data is processed solely for the purpose of athletic clearance management, FERPA compliance documentation, and the delivery of FormVault features as described in the Terms of Service.

5. Security Measures

FormVault implements the following technical and organizational security measures to protect student data:

  • Encryption at rest: AES-256-GCM for all stored documents and student records.
  • Encryption in transit: TLS 1.2 or higher for all data transmission.
  • Infrastructure: Hosted on SOC 2 compliant cloud infrastructure with continuous security monitoring.
  • Access logging: All access to student records is logged with user ID, timestamp, and IP address.
  • Role-based access controls: Data access is scoped to each user’s assigned role (administrator, coach, read-only).

6. Sub-processors

FormVault engages the following sub-processors in the delivery of the Service. Each sub-processor is bound by data protection obligations equivalent to those in this DPA:

  • Amazon Web Services (AWS) — Cloud hosting and infrastructure. Data stored in US-East regions.
  • Resend — Transactional email delivery for signature requests, reminders, and account notifications.
  • Stripe — Payment processing for subscription billing. Stripe does not receive or process student education records.

FormVault will notify Customer of any material changes to its sub-processor list with at least 30 days’ advance notice.

7. Breach Notification

In the event FormVault discovers a confirmed security breach involving Customer’s student data, FormVault will notify Customer within 72 hours of discovery. Notification will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.

8. Data Deletion

Upon written request or account termination, FormVault will delete all of Customer’s student data from its systems and backups within 30 days. Prior to deletion, Customer may request a full data export in a standard format (CSV or PDF). FormVault will confirm in writing when deletion is complete.

9. Contact

For questions about this DPA or to request a signed copy, contact privacy@formvault.net. To execute a signed DPA with FormVault, contact legal@formvault.net.