Our DPA, in plain English.

What you get when we sign

A signed OneTeam DPA includes:

• The standard SDPC NDPA Version 1.0 (or the version most recently adopted by your state alliance)
• The OneTeam Exhibit summarized below — sub-processors, security measures, deletion procedures, and incident-response commitments
• State-specific exhibits where applicable (NY Ed Law § 2-d, CA SOPIPA, IL SOPPA, CO HB 16-1423)
• The Parents’ Bill of Rights (incorporated by reference)

1. Permitted uses of student data

Each school designates OneTeam as a “school official” with a legitimate educational interest under 34 C.F.R. § 99.31(a)(1)(i)(B). The school retains direct control over the use and maintenance of education records. OneTeam will use student data only to provide the OneTeam service to the school. Specifically:

• Display each student’s record to authorized users (their teachers, the school’s admin, and consenting parents)
• Compute MTSS tier suggestions, progress trends, and 6-week cycle evaluations
• Send notifications via Microsoft Teams when a teacher has opted in
• Maintain an audit log of access and changes
• Maintain encrypted database backups for disaster recovery (see Section 5 for backup-retention behavior)

OneTeam will not use student data for: advertising, behavioral targeting, AI model training, market research, product analytics that identify individual students, or any commercial purpose unrelated to providing the service.

2. Sub-processors and storage location

Each sub-processor is contractually prohibited from using student data for any purpose other than providing the contracted service to OneTeam. 30 days’ written notice required before adding or changing sub-processors; schools may terminate before the change takes effect if they object.

Sub-processor agreement form

• Supabase — countersigned Data Processing Addendum dated 2026-04-29, Document Ref 6RUPA-RZ2BS-PWYF8-KGS72. Standard DPA available at supabase.com/legal/dpa; published sub-processor list at supabase.com/legal/subprocessors. A copy of the executed DPA is available on request to privacy@oneteam.school.
• Vercel — Data Processing Addendum incorporated by reference into Vercel’s Pro plan Terms of Service, accepted by OneTeam at signup. Vercel does not offer countersignature on Pro plans (reserved for Enterprise customers). DPA published at vercel.com/legal/dpa; sub-processor list at vercel.com/legal/sub-processors; Terms of Service at vercel.com/legal/terms.
• Microsoft Teams — opt-in outbound webhook only, terminating in the school’s own Microsoft 365 tenant. Data handling on the receiving side is governed by the school’s existing Microsoft agreement; OneTeam transmits the notification payload only when a teacher has explicitly configured a webhook URL.

3. Security measures

OneTeam implements the following controls in production:

• Access control: Postgres Row-Level Security on every table holding student data. Role-based scoping (teacher / specialist / admin / parent) enforced at the database, not the application.
• Authentication: Email + password via Supabase Auth (HaveIBeenPwned integration). TOTP two-factor authentication is required for administrator accounts and gated in the OneTeam app for destructive admin actions (account deletion, retention purge, staff approval).
• Encryption: TLS 1.2+ in transit. AES-256 at rest (managed by Supabase).
• Audit log: Immutable, append-only log of every roster change, access-control change, data export, and deletion. Server-captured user identity (cannot be spoofed by client).
• Rate limiting: 10 data exports per minute per user maximum (configurable down) to cap blast radius of credential theft.
• Segregation: Microsoft Teams webhook URLs stored in a separate own-only RLS table.
• Region pinning: All compute and primary storage in United States data centers; cannot drift.
• Tier-visibility limits: MTSS tier assignments are visible only to authorized administrators and the student’s authorized parent or guardian. Tier is never displayed on classroom-teacher dashboards or any surface other students or families can see.

4. Data subject rights

Right to inspect (built into the product)

Parents and schools may download a complete copy of any student’s record as a multi-section CSV file at any time, directly from the app. The CSV opens in Excel, Numbers, or Google Sheets and is rendered live from the database. Each export writes one row to the audit log.

Right to delete (built into the product)

OneTeam will permanently delete a student’s record within 7 days of a written deletion request from the school or from a parent with consent. This 7-day window applies to single-student deletion requests. Deletion cascades through every table holding data tied to the student. Paired audit-log entries (preview + completed) document what was deleted. Written confirmation including row counts is provided.

Right to correct

OneTeam corrects records on the school’s written confirmation within 7 days. The school controls the source of truth.

Right to know

On request, OneTeam will provide an audit trail showing every read of a student’s exported record and every roster, access-control, or deletion event affecting that student.

5. Retention and destruction

• Behavioral records (check-ins, tier history, cycle evaluations, reward log): automatically purged after 2 academic years by daily retention job. Districts may configure shorter retention.
• At agreement termination: 30-day grace period for school to export data in a structured, machine-readable format (CSV by default; JSON on request), then permanent deletion. Written confirmation provided.
• Audit log: minimum 7-year retention to support OneTeam’s incident response and the school’s FERPA disclosure-tracking obligations under 34 C.F.R. § 99.32. The audit log is append-only; the 7-year minimum is a contractual obligation managed by OneTeam operations, not an automated purge. Audit entries referencing a deleted student retain only the student’s internal record ID, not name or other identifying information.
• Encrypted backups are retained as the three most recent daily snapshots in Supabase’s standard backup rotation, so deleted data may persist in an encrypted backup for up to 3 days before being overwritten. Backups are not accessed for any purpose other than disaster recovery.
• No retention beyond agreement except as required by law.

6. Security incident notification

OneTeam will notify the affected school’s designated contact within 72 hours of having a reasonable basis to believe a security incident affecting student data has occurred, even if confirmation is pending. Subsequent updates will follow as the investigation progresses. Notification will include:

• A description of what happened and what we know about how it occurred
• The categories of information affected and approximate number of records involved
• The students affected (if identifiable)
• Mitigation steps already taken and planned
• The OneTeam contact responsible for the incident

State-specific notification windows take precedence where stricter than 72 hours.

7. Audit and inspection rights

School districts may request, no more than once annually except in response to a security incident: a copy of OneTeam’s most recent third-party security assessment (if available; OneTeam’s initial third-party penetration test is targeted for the 2026–27 school year, and until completion OneTeam will provide its internal security review documentation in lieu), an updated sub-processor list with regions, the current list of OneTeam personnel with access to district data, and confirmation of compliance with this DPA. In addition, the school may request, at any time and without limit, an audit-log export for any specific student or for any access-control event in the school’s instance. Requests should go to privacy@oneteam.school and will be answered within 14 days.

8. Change of control

If OneTeam is acquired, sold, or transferred, the new owner must obtain affirmative re-consent from each parent within 60 days. Within 30 days of the transfer each parent will receive a re-consent prompt with at least 30 days to respond. Parents who have not responded by the end of the 60-day window will receive a final 14-day notice to a verified contact method before deletion. Records belonging to parents who do not re-consent will be permanently deleted, not migrated. Schools will be notified at least 30 days in advance of any change of control where feasible.

9. Term and termination

This DPA remains in effect for the duration of the school’s service agreement with OneTeam plus the 30-day data return / destruction period. Either party may terminate for material breach with 30 days’ written notice and opportunity to cure. During any cure period, OneTeam will continue to maintain all security and data-handling commitments under this DPA, and the school may suspend its own users’ access without terminating the agreement.

10. State-specific exhibits

Washington State (RCW 28A.604 — SUPER Act)

For Washington school districts, OneTeam signs the SDPC National Data Privacy Agreement (NDPA) Washington Alliance version, with the following SUPER Act commitments incorporated:

• Collection, use, and sharing limited to school-authorized purposes (RCW 28A.604.030)
• Prohibition on sale of student personal information (RCW 28A.604.030(2))
• Comprehensive information security program (RCW 28A.604.040), described in Section 3 above
• 30 days’ prior written notice for material policy changes (RCW 28A.604.020)
• Direct in-app access and correction support (RCW 28A.604.020)
• 30-day deletion on agreement termination (RCW 28A.604.040)
• Sub-processor flow-down per RCW 28A.604.030(3) — see Section 2 sub-processor table

State exhibits for California (SOPIPA), Illinois (SOPPA), Colorado (HB 16-1423), and New York (Ed Law § 2-d) are added to the signed DPA where applicable. The Washington exhibit above is in production today; the others are drafted on a per-district basis at signing time and reflect the same underlying commitments described in Sections 1–9.