# FERPA Data Processing Agreement

**Spire Ledgers, Inc. — Reference DPA for K-12 School Districts**

*Version 1.0 — Effective 2026-05-04*

> This document is a plain-language reference based on the Consortium for
> School Networking (CoSN) DPA template. It is not the signed contract.
> Districts requiring an executed DPA on the district's own paper or on
> the SDPC NDPA template should email **districts@spireledgers.com** —
> we sign both. This reference is provided so a district's legal,
> technology, and business offices can review our practices before
> negotiation.

---

## 1. Purpose

Spire Ledgers, Inc. ("Provider," "Spire") provides cloud-based fund
accounting and financial management software ("the Service") to K-12 local
education agencies ("LEAs," "Districts"). When a District uses the Service,
Spire processes Education Records and other student-related data on the
District's behalf and only on the District's documented instructions.

The District remains the sole "educational agency or institution" under the
Family Educational Rights and Privacy Act ("FERPA," 20 U.S.C. §1232g; 34
CFR Part 99). Spire acts as a "school official" with a legitimate
educational interest under 34 CFR §99.31(a)(1)(i)(B), performing services
for which the District would otherwise use its own employees, under the
direct control of the District with respect to the use and maintenance of
Education Records, and bound by the use and re-disclosure limits of 34 CFR
§99.33(a).

Spire's processing of Education Records is also subject to the Children's
Online Privacy Protection Act ("COPPA," 15 U.S.C. §6501 et seq.) where
applicable, and to any state student-data-privacy law that applies to the
District (including but not limited to: California SOPIPA, New York Ed Law
§2-d, Connecticut Public Act 16-189, Illinois SOPPA, Texas Ed Code §32.151
et seq., Colorado SB 18-187, and similar enactments).

## 2. Data Flow

### 2.1 Categories of data Spire processes

Spire's accounting role means Education Records flow through the Service
incidentally, attached to financial transactions. The categories of
student-related data the Service may process are:

- **Student-activity-fund identifiers**: a student's name and
  grade/homeroom when associated with a club, athletic team, or fund
  receipt or disbursement.
- **Receipt and disbursement metadata**: the financial transaction itself
  (date, amount, fund, account code, payment method) including any
  free-text memo a District employee enters.
- **Parent / guardian payment information**: the contact name, email, and
  the Stripe-tokenized payment instrument used to pay a student fee. Full
  card numbers are never transmitted to or stored by Spire.
- **Free / reduced-price meal indicators**: only if the District chooses
  to flag a student-activity-fund record. Spire does not process
  free/reduced-price meal eligibility data for the District's NSLP/SBP
  programs.
- **District employee records**: the District business-office staff who
  have Spire login accounts. This is staff PII, not student PII.

The Service does **not** collect or process: student grades, attendance
records, special-education records, IEP/504 plan content, disciplinary
records, health records, or directly-collected biometric data. Those data
classes are out of scope.

### 2.2 Where data is stored

Production data is stored in commercial cloud-infrastructure data centers
located in the continental United States. No District data is intentionally
stored or processed outside the United States. Backups are encrypted and
retained in the same jurisdiction.

### 2.3 Subprocessors

Spire engages the following named subprocessors. Each is bound by a
written agreement that limits use of District data to providing services
to Spire and prohibits onward sale or marketing use:

| Subprocessor      | Purpose                                              | Scope of data            | FERPA notes                                                |
|-------------------|------------------------------------------------------|--------------------------|------------------------------------------------------------|
| **Stripe, Inc.**  | Payment processing and subscription billing          | Tokenized payment data, billing contact | PCI DSS Level 1; bound by Stripe DPA. No Education Record content. |
| **Plaid Inc.** *(optional)* | Bank-feed aggregation for District operating accounts | Bank account number, routing number, transaction descriptions | Used only when District opts in. Plaid does not see student data. |
| **Anthropic, PBC** *(flag)* | AI assistant ("Gwen") in-product help and report-summarization | Free-text prompts the user types; the report or screen the user is currently viewing | **Flagged for District review.** District-side AI features are off by default for K-12 customers and must be enabled by an authorized District administrator. Anthropic is contractually prohibited from training on District prompts. PII is redacted client-side before transmission. |
| Cloud-infrastructure provider | Compute, storage, and network for the Service        | All District data        | Bound by standard cloud DPA; SOC 2 Type II audited.        |
| Transactional email vendor    | Receipts, password resets, notifications             | Recipient email + message body | Email body never contains student-record content beyond the receipt detail the District would print and hand to a parent. |

Spire will give the District at least **thirty (30) days' written notice**
before adding or replacing any subprocessor that processes Education
Records. The District may object in writing during the notice period; if
the District objects and the parties cannot reach agreement, the District
may terminate the affected portion of the Service for cause and receive a
prorated refund.

## 3. Retention

- **During the term**: Spire retains District data for as long as the
  District's account is active, plus the in-product retention windows the
  District configures (e.g., 7 years for journal entries by default).
- **After termination**: Spire retains the District's data for a minimum
  of three (3) years following termination, consistent with the federal
  records-retention floor at 2 CFR §200.334. If the District is subject
  to an active audit, litigation hold, or open records request at the
  end of that window, Spire will continue to retain the affected records
  until the District releases the hold in writing.
- **Backups**: Encrypted backups are retained on a rolling 35-day cycle
  during the term and through the post-termination retention window;
  individual deletions take effect in the production database
  immediately and propagate out of backups as old backup generations
  age out.

## 4. Breach Notification

In the event Spire confirms a security incident that affects the
confidentiality, integrity, or availability of District data, Spire will
notify the District within **forty-eight (48) hours** of confirmation.
This is consistent with FERPA best practice (34 CFR §99.32(a)(5)
recordkeeping for unauthorized disclosure) and meets or exceeds the
shortest state-law notification window currently applicable to Spire's
customer base (Texas: "as quickly as possible," Tex. Bus. & Com. Code
§521.053; Connecticut: 60 days, Conn. Gen. Stat. §10-234dd; Illinois
SOPPA: 30 days, 105 ILCS 85/30).

Spire's breach notification will include, to the extent known at the time
of notice and updated as the investigation progresses: the date and
nature of the incident, the categories of data affected, the
District-specific records implicated (where determinable), the remediation steps
taken, and the recommended steps the District should consider.

Spire will not notify affected parents, students, or the public on the
District's behalf — that decision and the timing of any external
notification rest with the District as the data controller.

## 5. Parent and Eligible-Student Access Rights

Parents and eligible students have the right under FERPA to inspect and
review the student's Education Records (34 CFR §99.10), to seek
amendment of records they believe are inaccurate (34 CFR §99.20), and to
consent to disclosures (34 CFR §99.30). The District is responsible for
facilitating these rights with the parent or eligible student.

To support the District:

- Spire provides **export tools** in the District's dashboard that let
  authorized District staff produce a per-student transaction history in
  PDF and CSV form within five (5) business days of a parent request.
- Spire provides **amendment tooling** that creates a clearly-labeled
  correcting entry rather than overwriting the original record, so the
  audit trail is preserved as required by GAGAS Yellow Book auditing
  standards.
- Spire will **not respond directly** to a parent or student who contacts
  Spire requesting access to records. Spire will redirect the request to
  the District's designated FERPA contact within two (2) business days.

## 6. Deletion on Termination

- For sixty (60) days following the effective date of termination (the
  "Grace Period"), the District retains read-only and export access so the
  business office can produce final reports, archive copies, and any
  records needed for the District's records-retention schedule.
- At the end of the Grace Period, Spire will permanently purge the
  District's data from production systems on the District's written
  instruction, except for the residual records required to demonstrate
  compliance with the post-termination retention window described in
  Section 3 (audit, legal hold, federal records-retention floor).
- On request, Spire will provide a written **Certificate of Destruction**
  signed by Spire's Chief Technology Officer once the purge completes.
- District data in encrypted backups will age out of the backup
  generations on the schedule described in Section 3 and is not
  recoverable to a restored production environment after that window.

## 7. Audit Rights

- The District may request Spire's most recent **SOC 2 Type II report**
  once issued. Spire is targeting initial SOC 2 Type II certification in
  fiscal year 2027; until that report is available Spire will furnish an
  **annual self-attestation** (the "Spire Security Practices Statement")
  signed by Spire's Chief Technology Officer covering: encryption
  practices, access controls, personnel screening, vulnerability
  management, incident response, business continuity, and subprocessor
  oversight.
- The District may, no more than once per twelve (12) months and on
  thirty (30) days' written notice, conduct or commission a written
  security questionnaire (e.g., HECVAT Lite, SIG-Lite) that Spire will
  complete within thirty (30) days of receipt at no additional cost.
- Penetration tests of the production environment may be conducted by
  the District's qualified third party with prior written authorization
  and a mutually-agreed scope and rules of engagement document.

## 8. Use Limitations

Spire shall not, and shall ensure its subprocessors do not:

- Use District data for advertising, marketing, or behavioral profiling.
- Sell, rent, lease, or trade District data to any third party for any
  purpose.
- Use District data to train any general-purpose machine-learning
  model. (As stated in Section 2.3, the AI assistant subprocessor is
  contractually prohibited from training on District prompts.)
- Combine District data with data from any other source for any purpose
  other than providing the Service to the District.

Spire may use de-identified, aggregated metrics derived from Service
usage (e.g., "average response time of the GL posting endpoint") for
operational analytics and capacity planning. De-identified data must
satisfy the FERPA de-identification standard at 34 CFR §99.31(b) — that
is, all direct and indirect identifiers must be removed and the
remaining data must not be reasonably re-identifiable.

## 9. Survival

Sections 3 (Retention), 4 (Breach Notification), 6 (Deletion on
Termination), 7 (Audit Rights, only to the extent of records retained
under Section 3), and 8 (Use Limitations) survive termination of the
underlying Service agreement.

## 10. Conflict

In the event of any conflict between this DPA and the Spire Ledgers
Terms of Service or any other Spire-paper agreement, this DPA controls
with respect to the District's Education Records.

---

*Spire Ledgers, Inc. — districts@spireledgers.com — security@spireledgers.com*
