Legal

Data Processing Agreement

Version 1.0 · Effective April 11, 2026

What this document is: This Data Processing Agreement ("DPA") is a contract between your school or district and RewardVault. It defines how RewardVault handles student and staff data on your behalf, in compliance with FERPA, COPPA, and applicable state student privacy laws.

Who signs it: An authorized school or district administrator signs on behalf of the school. RewardVault signs on behalf of the platform. Both parties keep a copy.

When it takes effect: This DPA becomes effective when both parties have signed and is incorporated into the RewardVault Terms of Service.

1. Definitions

For the purposes of this Agreement:

"School" means the educational institution, school district, or authorized representative entering into this Agreement.
"RewardVault" means the platform operated by RewardVault, headquartered in Illinois, United States.
"Student Data" means any personally identifiable information related to students that is provided to RewardVault by the School, including but not limited to names, grade levels, classroom assignments, student ID numbers, email addresses, award records, and wallet balances.
"Staff Data" means personally identifiable information about school staff provided to RewardVault, including names, professional email addresses, and role assignments.
"Covered Data" means Student Data and Staff Data collectively.
"FERPA" means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations at 34 CFR Part 99.
"Authorized Purpose" means the operation of the RewardVault platform to provide digital recognition, reward management, and store fulfillment services to the School.

2. Roles and Responsibilities

2.1 School as Data Controller

The School is the data controller for all Covered Data. The School determines what data is provided to RewardVault, authorizes its use for the Authorized Purpose, and retains ownership of all Covered Data at all times.

2.2 RewardVault as Data Processor

RewardVault acts as a data processor and, where applicable under FERPA, as a "school official" with a "legitimate educational interest" as defined under 34 CFR § 99.31(a)(1). RewardVault will:

Process Covered Data only as directed by the School and only for the Authorized Purpose
Not sell, rent, lease, or otherwise disclose Covered Data to any third party for commercial purposes
Not use Covered Data to advertise to students or to build profiles of students for non-educational purposes
Not use Student Data to market products or services to students
Process data only in accordance with this Agreement and applicable law

3. Authorized Data Processing Activities

RewardVault is authorized to process Covered Data solely for the following purposes:

Authenticating users and maintaining secure sessions
Displaying student rosters to authorized school staff for the purpose of sending recognition awards
Maintaining student currency balances and transaction history
Processing and fulfilling student store requests
Generating activity and usage reports accessible to school administrators
Sending transactional communications (password setup, system notifications) to authorized staff
Diagnosing technical issues and maintaining platform reliability
Complying with legal obligations

RewardVault will not process Covered Data for any purpose not listed above without prior written consent from the School.

4. Data Security

4.1 Security Measures

RewardVault implements and maintains the following technical and organizational security measures:

All passwords are hashed using industry-standard cryptographic algorithms. Passwords are never stored in recoverable plain text.
All data in transit between users and RewardVault servers is encrypted using TLS 1.2 or higher.
Student temporary passwords are displayed only at the moment of creation and are not stored in recoverable form thereafter.
Staff account setup links are single-use and expire after activation.
Access to Covered Data within the platform is role-restricted. Staff members can access only data within their school. Students can access only their own data.
Server infrastructure is provided by Namecheap.com with all data stored in the United States.
Access and authentication logs are maintained for security monitoring.

4.2 Breach Notification

In the event of a confirmed data breach affecting Covered Data, RewardVault will:

Notify the School's registered administrator by email within 72 hours of discovery
Provide a description of the nature of the breach, the categories and approximate number of records affected, and the likely consequences
Describe the measures taken or proposed to address the breach and mitigate its effects
Cooperate fully with the School in any required notification to affected individuals or regulatory authorities

5. Subprocessors

RewardVault uses the following third-party subprocessors in the delivery of its services. Each subprocessor is bound by data processing obligations no less protective than those in this Agreement:

Subprocessor	Purpose	Data Location
Stripe, Inc.	Payment processing for school subscription billing only. No student data is shared with Stripe.	United States
Namecheap, Inc.	Server hosting and infrastructure	United States
Postmark (Wildbit LLC)	Delivery of staff password setup links and system notifications. Staff email addresses only; no student data.	United States

RewardVault will notify the School at least 14 days before adding or replacing any subprocessor that will process Student Data. The School may object to a new subprocessor within that period by contacting info@getrewardvault.com.

6. School Rights and Obligations

6.1 School Obligations

The School agrees to:

Provide only the data necessary for the Authorized Purpose
Ensure appropriate parental notification and consent has been obtained where required by applicable law prior to providing Student Data to RewardVault
Maintain accurate and up-to-date roster data and notify RewardVault of required corrections
Designate an authorized administrator contact for privacy and data matters
Use RewardVault only in compliance with applicable laws including FERPA and COPPA

6.2 Data Access and Correction

The School may at any time:

Request a complete export of all Covered Data associated with the School's account
Request correction of inaccurate data records
Request deletion of specific student or staff records
Direct RewardVault to restrict processing of specific data

RewardVault will fulfill data access, correction, and deletion requests within 10 business days of receipt.

7. Data Retention and Deletion

7.1 During Active Subscription

RewardVault retains Covered Data for the duration of the School's active subscription to enable continuity of service.

7.2 Upon Subscription Termination

Upon termination or non-renewal of the School's subscription:

The School may request a full data export at no charge within 30 days of termination
All Covered Data will be permanently and irreversibly deleted from RewardVault's systems within 30 days of subscription end
RewardVault will provide written confirmation of deletion to the School's registered administrator email
Anonymized aggregate statistical data that cannot be linked to any individual may be retained for platform improvement purposes

7.3 Early Deletion Requests

The School may request early deletion of all or part of its Covered Data at any time. RewardVault will complete deletion within 10 business days and provide written confirmation.

8. FERPA Compliance

RewardVault acknowledges that Student Data constitutes "education records" under FERPA. RewardVault agrees to:

Comply with FERPA in its capacity as a school official with legitimate educational interest
Not disclose Student Data to any party other than the School without written authorization from the School, except as required by law
Support the School in responding to FERPA-related requests from parents and eligible students
Allow the School to audit RewardVault's data handling practices on reasonable notice

9. COPPA Compliance

RewardVault operates as a school-directed service and does not collect personal information from students under 13 for its own commercial purposes. The School, by entering into this Agreement, represents that it has authority under COPPA's school consent exception to authorize RewardVault's collection of Student Data for the Authorized Purpose, and that such use is consistent with the school's authorization.

10. State Privacy Law Compliance

RewardVault is committed to compliance with applicable state student data privacy laws, including but not limited to Illinois's Student Online Personal Protection Act (SOPPA), 105 ILCS 85. RewardVault will:

Not use Student Data for any purpose prohibited by applicable state law
Implement and maintain reasonable security procedures appropriate to the nature of the data
Delete Student Data as required upon termination of the agreement
Cooperate with the School in complying with applicable state requirements

11. Term and Termination

This Agreement is effective upon execution by both parties and remains in effect for the duration of the School's active RewardVault subscription. This Agreement automatically renews with each subscription renewal.

Either party may terminate this Agreement with 30 days written notice. Termination of this Agreement constitutes termination of the School's RewardVault subscription. Data deletion obligations in Section 7 survive termination.

12. Limitation of Liability

RewardVault's liability under this Agreement is limited to direct damages and shall not exceed the total subscription fees paid by the School in the 12 months preceding the event giving rise to the claim. RewardVault is not liable for indirect, incidental, consequential, or punitive damages.

Nothing in this section limits RewardVault's obligations in the event of a data breach caused by RewardVault's negligence or willful misconduct.

13. Governing Law and Dispute Resolution

This Agreement is governed by the laws of the State of Illinois, United States. Any disputes arising under this Agreement will first be addressed through good-faith negotiation. If negotiation does not resolve the dispute within 30 days, disputes will be resolved through binding arbitration in Illinois in accordance with the American Arbitration Association's rules.

14. Entire Agreement

This Agreement, together with the RewardVault Terms of Service and Privacy Policy (available at getrewardvault.com/privacy-policy.html), constitutes the entire agreement between the parties with respect to the processing of Covered Data and supersedes all prior agreements on this subject. In the event of a conflict between this Agreement and the Terms of Service, this Agreement controls with respect to data processing matters.

Schedule A — Data Processing Details

Category	Details
Subject matter	Digital recognition and reward management for K–12 schools
Duration	Duration of active subscription
Nature of processing	Collection, storage, display, and deletion of student and staff records for school-directed recognition and store operations
Purpose	Authorized Purpose as defined in Section 3
Categories of data subjects	K–12 students; school staff including teachers, administrators, store managers, and approvers
Categories of personal data	Student: first name, last name, grade, classroom, SIS ID, email (optional), award history, wallet balance. Staff: name, salutation, professional email, role.
Special categories	None. RewardVault does not process sensitive categories of data (health, biometric, disciplinary records).
Data location	United States

Signatures

By signing below, both parties agree to the terms of this Data Processing Agreement.

School / District

Institution Name

Authorized Signatory Name

Title

Email Address

Signature

Date

RewardVault

Company

RewardVault

Authorized Signatory Name

Joseph Ancona

Title

Founder

Email Address

info@getrewardvault.com

Signature

Date

Questions About This Agreement

Contact RewardVault for DPA questions, execution copies, or data requests:

Email: info@getrewardvault.com

Website: getrewardvault.com

We aim to respond to all DPA inquiries within 3 business days.