The contractual terms a school can adopt to formalize CohortLedger's role as a service provider, especially in states with stricter student data privacy laws.
Effective January 22, 2026
This Data Processing Addendum (the “DPA”) is entered into between the school operator (the “Controller” or “Educational Agency”) and Ravencord Inc., a Delaware C-corporation operating CohortLedger (the “Processor” or “Service Provider”). It supplements the Terms of Service and the Privacy Policy. If there is a conflict, the DPA governs for matters of personal information and student data handling.
The school is the controller of personal information about its families and students. Ravencord is the processor and acts only on documented instructions from the school. Where state law uses the terms “school official” or “service provider,” Ravencord serves in that capacity.
Ravencord will process personal information only to provide the CohortLedger service to the school, including enrollment records, quarterly invoicing, attendance tracking, compliance reporting, and related support. Ravencord will not use personal information for any other purpose; in particular, it will not use personal information for advertising, resell it, or use it for AI model training.
Personal information processed under this DPA includes the categories described in the Privacy Policy: operator account information, family contact information, and limited student records (name, grade, attendance, funding status). Sensitive categories such as health records, biometric data, and child photos are not processed.
Ravencord uses the following sub-processors:
We will notify the school in advance of adding a new sub-processor. The school may object on reasonable grounds, and if we cannot resolve the objection, the school may terminate the affected portion of the service.
Ravencord will maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, and destruction, including:
The school is responsible for verifying the identity of a data subject (typically a parent acting on behalf of a child) and handling the underlying access, correction, or deletion request. Ravencord will provide the tools and support needed to fulfill verified requests, including export and deletion functionality in the dashboard.
Ravencord will notify the school of any confirmed security incident affecting personal information without undue delay and within any timeline required by applicable US state law. Notification will include the facts the school needs to satisfy its own notification obligations to affected families.
On reasonable written notice and no more than once per calendar year except in case of a confirmed incident, the school may request documentation of Ravencord’s security and privacy controls. Ravencord will provide a summary of controls and any relevant independent assessments. Audit requests will be coordinated to minimize disruption to either party.
Ravencord will retain personal information for the duration of the school’s subscription and for a defined post-termination window during which the school may export records. After that window, Ravencord will delete or anonymize personal information, except where state record-retention rules require longer retention.
Personal information processed under this DPA is hosted in the United States. Ravencord does not transfer personal information outside the United States as part of normal service operations.
For schools operating in states with stricter student data privacy laws (including California, Colorado, Connecticut, Utah, Texas, Virginia, and other states with applicable student data privacy statutes), Ravencord is willing to negotiate state-specific terms consistent with the principles above. Contact privacy@cohortledger.com to request a state-specific addendum.
This DPA is effective when both parties have signed (or when the school has signified acceptance through the dashboard) and remains in force for the duration of the underlying subscription. On termination, the obligations on confidentiality, return and deletion of data, breach notification, and audit cooperation survive.
Schools that need a signed DPA, including state-specific addenda, should email privacy@cohortledger.com with the school name, state, and a contact. We will return a draft for review within two business days.