Data Processing Addendum

Last updated April 2026

This Data Processing Addendum (“DPA”) supplements the Lessaro Terms of Service and Privacy Policy and governs the processing of personal data, including student educational records, by Brinl LLC (“Brinl,” “Processor”) on behalf of a school, district, or other educational institution (“Controller” or “Institution”) using the Lessaro service (“Service”).

This DPA is automatically incorporated into the Terms of Service for any Institution or authorized educator using the Service to process student records. A countersigned PDF copy is available on request at legal@brinl.com.

1. Definitions

  • Controller / Institution — the school, district, or other educational entity that determines the purposes and means of processing student data.
  • Processor / Brinl — Brinl LLC, processing personal data on the Controller's behalf under this DPA.
  • Personal Data — any information relating to an identified or identifiable natural person entered into or generated by the Service, including Student Data.
  • Student Data — information about a student that would be considered an “education record” under FERPA, or equivalent information regulated under other applicable laws (including Dominican Republic Ley No. 172-13).
  • Sub-processor — a third party engaged by Brinl to process Personal Data on its behalf.
  • Data Subject Request — a request by an individual to exercise rights under applicable law (access, rectification, deletion, portability, objection).

2. Roles and scope of processing

The Institution is the Controller of Student Data, and Brinl is the Processor. Brinl processes Personal Data only on documented instructions from the Institution, which are embodied in (a) this DPA, (b) the Terms of Service, and (c) the Institution's configured use of the Service.

Subject-matter and nature

Operating a teacher-facing gradebook, lesson planning, and attendance platform on behalf of the Institution.

Duration

For as long as the Institution maintains an account, plus a deletion window as described in Section 10.

Categories of data subjects

  • Educators and administrators of the Institution.
  • Students enrolled at the Institution.
  • Limited contact information for parents or guardians, if entered by the educator.

Categories of Personal Data

  • Educator account data: name, email, authentication metadata, role.
  • Student roster: name, optional email, optional external student ID, optional accommodation flags (IEP, 504, ELL), educator notes, optional parent WhatsApp number with a paired teacher attestation of parental consent (timestamp recorded; the two fields are stored together or not at all, enforced by a database CHECK constraint).
  • Educational records: assignments, scores, grading categories, attendance, Smart-assisted comments authored and approved by the educator.
  • Lesson content: objectives, activities, homework, worksheets and files uploaded by the educator.

3. Brinl's obligations

  • Process Personal Data only to provide the Service and only on the Institution's documented instructions, except where required otherwise by applicable law.
  • Ensure personnel authorized to process Personal Data are under a duty of confidentiality.
  • Implement and maintain the technical and organizational security measures described in Annex II.
  • Not sell Personal Data. Not use Personal Data to train machine-learning models. Not use Personal Data for advertising.
  • Promptly assist the Institution in responding to Data Subject Requests and in meeting the Institution's own regulatory obligations (impact assessments, audits, breach response).
  • Notify the Institution without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data breach affecting the Institution's data, per Section 6.

4. Institution's obligations

  • Ensure a lawful basis for entering Personal Data into the Service (including any parental or guardian consent required by FERPA, COPPA, Ley 172-13, or other applicable law).
  • Minimize the Personal Data entered — the Service operates fully with student first name, last name, and an optional external ID.
  • Maintain the security of its educator accounts (no credential sharing, prompt reporting of suspected compromise).
  • Promptly communicate Data Subject Requests received directly by the Institution to Brinl where Brinl's assistance is needed.

5. Sub-processors

The Institution authorizes Brinl to engage the Sub-processors listed in Annex I. Brinl will:

  • Impose data-protection obligations on each Sub-processor no less protective than those in this DPA.
  • Remain liable for the acts and omissions of its Sub-processors.
  • Give the Institution reasonable notice (via the Privacy Policy change log or email for Institution accounts) before engaging a new Sub-processor, and provide the Institution a reasonable opportunity to object on legitimate data-protection grounds.

6. Personal Data breach notification

Brinl will notify the Institution without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Institution's data. The notice will include, to the extent known at the time:

  • The nature of the breach, categories and approximate number of records and data subjects affected.
  • The likely consequences and the measures taken or proposed to address the breach and mitigate its effects.
  • A point of contact for further information.

Brinl will update the Institution as the investigation proceeds and cooperate in the Institution's own notification obligations under applicable law.

7. Data subject rights

Educators can access, export (CSV), and delete their own data from within the Service. For requests Brinl cannot satisfy through standard product features, the Institution may email legal@brinl.com. Brinl will respond within 30 days, extended only as permitted by applicable law.

8. International transfers

Personal Data may be processed in the United States, European Union, or other jurisdictions where Brinl's Sub-processors operate (see Annex I). Where cross-border transfers require a specific legal mechanism (e.g., EU Standard Contractual Clauses, UK IDTA), Brinl and the Institution agree to rely on the applicable mechanism incorporated by reference into this DPA.

9. Audits

Brinl will make available to the Institution the information reasonably necessary to demonstrate compliance with this DPA, including its security measures, sub-processor list, and breach history. The Institution may conduct or commission an audit (via a mutually agreed independent auditor, at the Institution's cost, with reasonable notice and during business hours) no more than once per 12-month period, or more frequently where required by a regulatory authority or following a material breach.

10. Data return and deletion

On termination of the Institution's account, or at the Institution's earlier written request:

  • Brinl will make the Institution's data available for export in a standard format (CSV or equivalent) for at least 30 days.
  • Thereafter, Brinl will delete the Institution's Personal Data from its production systems within 30 days, and from routine backups on their next overwrite cycle (not exceeding 90 days).
  • Deletion is subject to narrow retention obligations imposed by applicable law (e.g., financial records for tax purposes), which Brinl will document on request.

11. FERPA school-official designation

To the extent the Institution is subject to the U.S. Family Educational Rights and Privacy Act (FERPA), the Institution designates Brinl as a “school official” with a “legitimate educational interest” in the Student Data processed under this DPA, under the conditions set out in 34 C.F.R. § 99.31(a)(1). Brinl will use Student Data only for the authorized educational purposes described in Section 2, will be under the direct control of the Institution with respect to those records, and will not redisclose Student Data except as authorized by FERPA or by this DPA.

12. Dominican Republic, Ley 172-13

For Institutions in the Dominican Republic, Brinl's processing of personal data complies with the principles of Ley No. 172-13 sobre Protección de Datos Personales: lawful basis, purpose limitation, data minimization, accuracy, limited retention, confidentiality, and the rights of access, rectification, cancellation, and opposition (derechos ARCO). Educators are encouraged to enter only the minimum Student Data necessary for instructional purposes.

13. Liability

Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability in the Terms of Service, and this DPA does not expand those limits except where applicable law requires otherwise.

14. Order of precedence

If there is a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. If there is a conflict between this DPA and any separately executed agreement signed by both parties, the separately executed agreement prevails.

15. Changes

Brinl may update this DPA from time to time. Material changes will be communicated via email or in-app notice at least 30 days before taking effect. Changes required by law may take effect immediately on notice.

Annex I. Sub-processors

The following Sub-processors support the delivery of the Service. Each is bound by contractual data-protection obligations no less protective than this DPA.

  • Vercel, Inc. (United States) — application hosting, delivery, and serverless compute.
  • Neon, Inc. (United States) — managed PostgreSQL database for all Institution data.
  • Upstash, Inc. (United States). Rate limiting and short-lived Smart-output cache (no Student Data persisted).
  • Stripe, Inc. (United States). Subscription billing and payment processing (no Student Data).
  • Moonshot (Kimi). Smart generation of lesson scaffolds and worksheets. Inputs sent to Moonshot are not used to train its models under our commercial agreement.
  • OpenAI, LLC (United States). Text embeddings used to match teacher inputs against our research corpus. Inputs are not used to train OpenAI's models (zero data retention setting applied on the API account).
  • Resend, Inc. (United States) — transactional email delivery for magic-link sign-in and receipts. No Student Data sent.

Brinl maintains an up-to-date list and will post changes here and in the Privacy Policy before new Sub-processors begin processing Institution data.

Annex II. Security measures

Brinl implements the following technical and organizational security measures. These are reviewed periodically and may be updated to maintain or improve the level of protection.

Access control

  • Educators authenticate via magic-link email or SSO. No long-lived passwords stored.
  • Session tokens are signed, HTTP-only, and scoped to the application domain.
  • Administrative access to production systems is limited to named personnel with least-privilege permissions and multi-factor authentication.

Encryption

  • TLS 1.2+ for all traffic between client and Service.
  • Encryption at rest for the primary database and object storage.
  • Secrets and API keys stored in an encrypted secret-management system, not in source code.

Tenant isolation

  • Every database query is scoped server-side by authenticated user ID; no teacher can access another teacher's data even within the same Institution.
  • Institution administrators see aggregate usage statistics only, not individual educational records.

Logging and monitoring

  • Structured request logs with personally identifying fields redacted where feasible.
  • Error monitoring alerts on anomalies and failed access attempts.
  • Logs are retained for operational and security purposes and deleted on a rolling basis.

Vulnerability management

  • Dependencies are kept current. Critical security advisories are patched on a priority basis.
  • Code changes are peer-reviewed, with automated linting, type-checking, and test coverage on the main branch.

Backups and recovery

  • Managed database backups with point-in-time recovery.
  • Recovery procedures documented and exercised.

Personnel

  • All personnel with access to Personal Data are bound by written confidentiality obligations.
  • Security awareness guidance is provided. Access is revoked promptly on role change or departure.

Contact

Brinl LLC
260 Shirley Ln, Pennsburg, PA 18071, United States
Building real impact in next-gen learning.

DPA, subprocessor, and data-security matters: legal@brinl.com
General inquiries: info@brinl.com

Questions about these terms? Email legal@brinl.com.