Scope
This Data Processing Agreement ("DPA") applies to educational institutions ("Institution") that deploy RemMe for their students via Canvas LMS integration. It supplements the Terms of Service and Privacy Policy and governs the processing of student educational records.
This DPA applies when an Institution authorises students to connect RemMe to their institution's Canvas instance, or when the Institution itself deploys RemMe as part of a managed rollout.
Roles
- Institution is the data controller for student educational records under FERPA.
- Panderose is the data processor, acting as a "school official" under the Institution's direction for the legitimate educational interest of providing RemMe to students.
- Students are the data subjects whose educational records are processed.
Processing details
| Element | Detail |
|---|---|
| Subject matter | Student educational records from Canvas LMS |
| Duration | For the term of the institutional deployment |
| Nature | Collection, storage, semantic indexing, retrieval |
| Purpose | Building and querying the student's personal knowledge graph |
| Data types | Course names, assignment titles and descriptions, due dates, announcements |
| Data subjects | Enrolled students who connect Canvas to RemMe |
Panderose obligations
- Process student data only as directed by the Institution and as necessary to provide RemMe.
- Not sell student data to any third party.
- Not use student data to build advertising profiles or for any commercial purpose beyond providing RemMe.
- Not train AI models on student educational records.
- Implement and maintain reasonable security measures (see Section 07).
- Notify the Institution of a confirmed data breach within 72 hours of discovery.
- Delete or return student data within 30 days of termination of the deployment.
- Provide the Institution with information necessary to demonstrate compliance with this DPA.
Institution rights
- Request deletion of any student's data at any time by emailing [email protected].
- Request a list of all data held for a specific student.
- Terminate the deployment at any time; data will be deleted within 30 days.
- Receive notice of material changes to this DPA at least 30 days in advance.
Sub-processors
Panderose uses the following sub-processors that may process student data:
| Name | Purpose | Location |
|---|---|---|
| Groq | LLM inference for chat (receives query context only, not full graph) | United States |
| Qdrant (self-hosted) | Vector search index | Prescott, AZ |
| Neo4j (self-hosted) | Knowledge graph storage | Prescott, AZ |
| Ollama (self-hosted) | Embedding generation | Prescott, AZ |
Panderose will provide 30 days' notice of any new sub-processor that processes student educational records. Institutions may object to new sub-processors within 14 days.
Security measures
- TLS 1.3 encryption in transit for all data
- AES-256 encryption at rest for all data stores
- Per-user data isolation enforced at the API, graph, and vector search layers
- MFA required for administrative access to production systems
- Access logging and audit trail for all admin actions
Full details at the Security page.
Breach notification
In the event of a confirmed security incident affecting student data, Panderose will notify the Institution by email within 72 hours of discovery, describing the nature of the incident, data affected, and steps taken to contain and remediate it.
Data deletion
Upon termination of an institutional deployment, Panderose will delete all student educational records within 30 days. Panderose will provide written confirmation of deletion upon request.
Execute this DPA
To execute a signed DPA for your institution, email [email protected] with subject "DPA Request" and include your institution name and primary contact. We will send a countersigned copy within 5 business days.