This document is a plain-language reference based on the Consortium for School Networking (CoSN) DPA template. It is not the signed contract. Districts requiring an executed DPA on the district’s own paper or on the SDPC NDPA template should email districts@spireledgers.com — we sign both. This reference is provided so a district’s legal, technology, and business offices can review our practices before negotiation.
Version 1.0 — Effective 2026-05-04
1. Purpose
Spire Ledgers, Inc. (“Provider,” “Spire”) provides cloud-based fund accounting and financial management software (“the Service”) to K-12 local education agencies (“LEAs,” “Districts”). When a District uses the Service, Spire processes Education Records and other student-related data on the District’s behalf and only on the District’s documented instructions.
The District remains the sole “educational agency or institution” under the Family Educational Rights and Privacy Act (“FERPA,” 20 U.S.C. §1232g; 34 CFR Part 99). Spire acts as a “school official” with a legitimate educational interest under 34 CFR §99.31(a)(1)(i)(B), performing services for which the District would otherwise use its own employees, under the direct control of the District with respect to the use and maintenance of Education Records, and bound by the use and re-disclosure limits of 34 CFR §99.33(a).
Spire’s processing is also subject to COPPA (15 U.S.C. §6501 et seq.) where applicable, and to any state student-data-privacy law that applies to the District (California SOPIPA, New York Ed Law §2-d, Connecticut Public Act 16-189, Illinois SOPPA, Texas Ed Code §32.151 et seq., Colorado SB 18-187, and similar enactments).
2. Data Flow
2.1 Categories of data Spire processes
- Student-activity-fund identifiers — name and grade/homeroom when associated with a club, athletic team, or fund receipt or disbursement.
- Receipt and disbursement metadata — date, amount, fund, account code, payment method, and any free-text memo a District employee enters.
- Parent / guardian payment information — contact name, email, and Stripe-tokenized payment instrument used to pay a student fee. Full card numbers are never transmitted to or stored by Spire.
- Free / reduced-price meal indicators — only if the District chooses to flag a student-activity-fund record. Not used for the District’s NSLP/SBP eligibility programs.
- District employee records — staff who have Spire login accounts. Staff PII, not student PII.
The Service does not collect or process: student grades, attendance records, special-education records, IEP/504 plan content, disciplinary records, health records, or directly-collected biometric data. Those data classes are out of scope.
2.2 Where data is stored
Production data is stored in commercial cloud-infrastructure data centers located in the continental United States. No District data is intentionally stored or processed outside the United States. Backups are encrypted and retained in the same jurisdiction.
2.3 Subprocessors
| Subprocessor | Purpose | Scope of data | FERPA notes |
|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | Tokenized payment data, billing contact | PCI DSS Level 1; bound by Stripe DPA. No Education Record content. |
| Plaid Inc. (optional) | Bank-feed aggregation for District operating accounts | Bank account number, routing number, transaction descriptions | Used only when District opts in. Plaid does not see student data. |
| Anthropic, PBC (flag) | AI assistant (“Gwen”) in-product help and report-summarization | Free-text prompts the user types; the report or screen the user is currently viewing | Flagged for District review. District-side AI features are off by default for K-12 customers and must be enabled by an authorized District administrator. Anthropic is contractually prohibited from training on District prompts. PII is redacted client-side before transmission. |
| Cloud-infrastructure provider | Compute, storage, network | All District data | Bound by standard cloud DPA; SOC 2 Type II audited. |
| Transactional email vendor | Receipts, password resets, notifications | Recipient email + message body | No student-record content beyond the receipt detail the District would print and hand to a parent. |
Spire will give the District at least thirty (30) days’ written notice before adding or replacing any subprocessor that processes Education Records. The District may object in writing during the notice period; if the District objects and the parties cannot reach agreement, the District may terminate the affected portion of the Service for cause and receive a prorated refund.
3. Retention
- During the term: Spire retains District data for as long as the District’s account is active, plus the in-product retention windows the District configures (default 7 years for journal entries).
- After termination: Spire retains District data for a minimum of three (3) years following termination, consistent with the federal records-retention floor at 2 CFR §200.334. If the District is subject to an active audit, litigation hold, or open records request at the end of that window, Spire will continue to retain the affected records until the District releases the hold in writing.
- Backups: Encrypted backups are retained on a rolling 35-day cycle during the term and through the post-termination retention window; individual deletions take effect in the production database immediately and propagate out of backups as old generations age out.
4. Breach Notification
Spire will notify the District of a confirmed security incident affecting District data within forty-eight (48) hours of confirmation. This is consistent with FERPA recordkeeping at 34 CFR §99.32(a)(5) and meets or exceeds the shortest state-law notification window currently applicable to Spire’s K-12 customer base (Texas: “as quickly as possible” per Tex. Bus. & Com. Code §521.053; Connecticut: 60 days per Conn. Gen. Stat. §10-234dd; Illinois SOPPA: 30 days per 105 ILCS 85/30).
Notice will include — to the extent known and updated as the investigation progresses — date and nature of the incident, categories of data affected, District-specific records implicated where determinable, remediation taken, and recommended District next steps. Spire will not notify affected parents, students, or the public on the District’s behalf.
5. Parent and Eligible-Student Access
Parents and eligible students retain their FERPA rights to inspect (34 CFR §99.10), seek amendment (§99.20), and consent to disclosure (§99.30). The District facilitates these rights. Spire supports the District by providing:
- Per-student transaction history export tools (PDF and CSV) that authorized District staff can run within five (5) business days of a parent request.
- Amendment tooling that creates clearly-labeled correcting entries rather than overwriting the original record (preserves the audit trail required by GAGAS Yellow Book).
- A directed-redirect protocol: if a parent or student contacts Spire directly, Spire forwards the request to the District’s designated FERPA contact within two (2) business days and does not respond to the requestor on its own.
6. Deletion on Termination
- Sixty-day Grace Period: District retains read-only and export access so the business office can produce final reports and archive copies.
- Permanent purge: At the end of the Grace Period, Spire purges District data from production on the District’s written instruction, except residual records required by Section 3.
- Certificate of Destruction: Provided on request, signed by Spire’s CTO once the purge completes.
- Backups: Age out on the schedule described in Section 3 and are not recoverable to a restored production environment after that window.
7. Audit Rights
- SOC 2 Type II: Targeting initial certification in fiscal year 2027. Until then, Spire furnishes an annual self-attestation (the “Spire Security Practices Statement”) signed by Spire’s CTO covering encryption, access controls, personnel screening, vulnerability management, incident response, business continuity, and subprocessor oversight.
- Security questionnaires: Once per twelve months on thirty (30) days’ notice, Spire will complete a HECVAT Lite, SIG-Lite, or equivalent within thirty (30) days of receipt at no cost.
- Pen testing: Permitted by the District’s qualified third party with prior written authorization and a mutually-agreed scope and rules-of-engagement document.
8. Use Limitations
Spire and its subprocessors shall not:
- Use District data for advertising, marketing, or behavioral profiling.
- Sell, rent, lease, or trade District data to any third party.
- Use District data to train any general-purpose machine-learning model. (Anthropic is contractually prohibited from training on District prompts; see §2.3.)
- Combine District data with data from any other source for any purpose other than providing the Service.
De-identified, aggregated metrics derived from Service usage may be used for operational analytics, provided the data satisfies the FERPA de-identification standard at 34 CFR §99.31(b).
9. Survival
Sections 3 (Retention), 4 (Breach Notification), 6 (Deletion on Termination), 7 (Audit Rights, only as to records retained under Section 3), and 8 (Use Limitations) survive termination of the underlying Service agreement.
10. Conflict
In any conflict between this DPA and the Spire Ledgers Terms of Service or other Spire-paper agreement, this DPA controls with respect to Education Records.
Spire Ledgers, Inc. — districts@spireledgers.com — security@spireledgers.com
