Data Processing Agreement Glossary
A Data Processing Agreement is a contract that defines how a vendor may handle data provided by a customer or institution. In education, the term matters because AI tools often process student data, assessment material, communications, or institutional records. The question is not merely whether a tool is useful; it is whether the vendor relationship is legally and operationally fit for that data.
A good DPA addresses permitted use, retention, deletion, subcontractors, security controls, breach notification, audit rights, and whether data may be used for model training. Without such an agreement, sending protected student information to a third-party AI system may create compliance risk even if the pedagogical use is sensible.
This is one reason local-first architectures are attractive. If protected data never leaves controlled infrastructure, the DPA problem may shrink substantially, though it does not disappear entirely.