AuthGuard AuthGuard

UserAuthGuard Data Processing Agreement

FERPA, COPPA, and state-law-aligned. Modeled on the SDPC National Data Privacy Agreement (NDPA) framework. The full, current text is below — same document we sign with every district.

Download signable PDF Email Privacy Officer
Permanent URL: userauthguard.com/data-processing-agreement/  ·  Source of truth — auto-rendered from the contracting document

DATA PROCESSING AGREEMENT

Between: ______________________________ ("LEA" or "School District")

And: Asan Digital LLC, dba UserAuthGuard ("Provider")

Product: UserAuthGuard — K-12 Chromebook Management Platform

Effective Date: ________________

ARTICLE I — PURPOSE AND SCOPE

1.1 Purpose. This Data Processing Agreement ("DPA") establishes the terms under which Provider collects, uses, maintains, and protects Student Data received from or on behalf of LEA through the UserAuthGuard platform. This DPA ensures compliance with the Family Educational Rights and Privacy Act ("FERPA"), the Children's Online Privacy Protection Act ("COPPA"), applicable state student data privacy laws, and industry best practices.

1.2 Scope of Services. Provider operates UserAuthGuard, a cloud-based K-12 technology management platform that enables schools to manage device inventory, assign devices to students, filter web content, monitor classroom activity, track IT support and repair workflows, and recover lost or stolen devices. The complete description of services is set forth in Exhibit A.

1.3 Applicability. This DPA applies to all Student Data received by Provider from or on behalf of LEA, regardless of format. This DPA supplements the underlying service agreement between the parties. In the event of conflict, the terms of this DPA shall prevail over the service agreement with respect to Student Data.

ARTICLE II — DEFINITIONS

"Breach" means the unauthorized acquisition, access, use, or disclosure of Student Data that compromises the security, confidentiality, or integrity of the data.

"Commercial Purpose" means to sell, use, or disclose data for advertising, marketing, building user profiles for non-educational purposes, or any purpose other than providing the contracted services to LEA.

"COPPA" means the Children's Online Privacy Protection Act, 15 U.S.C. 6501-6506, and its implementing regulations at 16 CFR Part 312.

"De-Identified Data" means data from which all personally identifiable information has been removed or obscured such that the remaining information does not reasonably identify an individual and re-identification is not possible.

"Education Records" has the meaning set forth in FERPA, 34 CFR 99.3.

"FERPA" means the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g, and its implementing regulations at 34 CFR Part 99.

"LEA" means the Local Education Agency (school district or educational institution) entering this agreement.

"Parent" means a parent or legal guardian of a Student.

"Personally Identifiable Information" or "PII" has the meaning set forth in 34 CFR 99.3.

"Provider" means Asan Digital LLC, doing business as UserAuthGuard.

"Student" means any individual enrolled in or receiving services from LEA.

"Student Data" means PII from Education Records and any other information collected or maintained by Provider on behalf of LEA that directly relates to an identifiable current or former Student.

"Sub-Processor" means a third party engaged by Provider to process Student Data on behalf of Provider in connection with the services.

ARTICLE III — STUDENT DATA OWNERSHIP AND CONTROL

3.1 Ownership. All Student Data remains the sole property of LEA. Provider acquires no ownership rights in Student Data.

3.2 LEA Control. LEA retains full decision-making authority over Student Data. Provider processes Student Data only in accordance with LEA's documented instructions and the terms of this DPA.

3.3 Parental Access. Provider shall respond to any LEA request for access to Student Data within 10 business days. Provider supports LEA's obligations under FERPA to provide parents with the right to inspect and review their children's education records. All parent requests are routed through LEA; Provider does not provide data directly to parents.

3.4 Correction and Deletion. Provider shall process LEA-directed corrections to Student Data within 30 business days. LEA may delete individual student records at any time through the UserAuthGuard admin dashboard or by written request to Provider.

ARTICLE IV — AUTHORIZED ACCESS AND USE

4.1 FERPA School Official Designation. Provider is designated as a "school official" with a "legitimate educational interest" under FERPA (34 CFR 99.31(a)(1)). Provider:

  • (a) Performs an institutional service or function for which LEA would otherwise use its own employees — specifically, managing and securing school-owned Chromebook devices;
  • (b) Is under the direct control of LEA with respect to the use and maintenance of Education Records;
  • (c) Uses Education Records only for the purposes for which disclosure was made; and
  • (d) Complies with FERPA's re-disclosure requirements.

4.2 Permitted Uses. Provider may use Student Data solely to:

  • (a) Provide the device management services described in Exhibit A;
  • (b) Maintain and improve the security and functionality of the platform; and
  • (c) Generate De-Identified or aggregated data for product improvement, provided re-identification is prohibited.

4.3 Prohibited Uses. Provider shall NOT:

  • (a) Use Student Data for any Commercial Purpose;
  • (b) Sell, rent, lease, or trade Student Data to any third party;
  • (c) Use Student Data for targeted advertising or to build advertising profiles;
  • (d) Use Student Data to create behavioral profiles of students unrelated to the contracted services;
  • (e) Share Student Data with any third party except as authorized in this DPA;
  • (f) Use Student Data in any manner inconsistent with this DPA or applicable law; or
  • (g) Mine Student Data for any purpose not explicitly authorized by LEA.

4.4 COPPA Compliance. LEA provides consent on behalf of parents for Provider's collection of Student Data under COPPA's school consent provision (16 CFR 312.5(c)(3)). Provider relies on LEA to provide appropriate notices to parents regarding data collection. Provider collects only the minimum data necessary to perform the contracted services. Provider does not require students to disclose more information than is reasonably necessary to use the platform.

4.5 Employee Access. Access to Student Data is limited to Provider employees and contractors who have a legitimate need to know. All such individuals are bound by confidentiality obligations at least as protective as this DPA and have completed data privacy training.

ARTICLE V — DATA COLLECTION LIMITATIONS

5.1 Categories of Data. The categories of Student Data collected by Provider are set forth in Exhibit B. Provider collects only the minimum data necessary to perform the services.

5.2 No Excess Collection. If Provider discovers it has collected data beyond what is specified in Exhibit B, Provider shall promptly notify LEA and delete the excess data.

5.3 Purpose Limitation. Student Data is collected exclusively for the purposes specified in this DPA and Exhibit A. Any new use of Student Data requires prior written consent from LEA.

ARTICLE VI — DATA SECURITY

6.1 Security Program. Provider maintains a comprehensive information security program designed to protect the security, privacy, confidentiality, and integrity of Student Data. This program includes administrative, technical, and physical safeguards appropriate to the nature and scope of the data processed.

6.2 Technical Safeguards.

  • (a) Encryption in transit: TLS 1.2 or higher for all data transmitted between users, the platform, and third-party services.
  • (b) Encryption at rest: AES-256 encryption for all Student Data stored on Provider's systems and infrastructure.
  • (c) Access controls: Role-based access control with unique user credentials. Multi-factor authentication required for all administrative access.
  • (d) Audit logging: All access to Student Data is logged. Logs are retained for a minimum of one year.
  • (e) Vulnerability management: Regular vulnerability scanning, timely patching (critical patches within 48 hours), and secure development practices.
  • (f) Network security: Firewalls, intrusion detection, and DDoS protection measures.

6.3 Administrative Safeguards.

  • (a) Designated Privacy Officer responsible for data protection compliance.
  • (b) Background checks conducted on employees with access to Student Data.
  • (c) Annual data privacy and security training for all employees.
  • (d) Written data handling policies and procedures.
  • (e) Annual risk assessments.
  • (f) Documented incident response plan, tested at least annually.

6.4 Physical Safeguards. Student Data is hosted on cloud infrastructure providers that maintain SOC 2 Type II certification, physical access controls, environmental controls, and redundant systems. All data is stored and processed within the United States.

6.5 UserAuthGuard-Specific Security Practices.

  • (a) Device location data (Lost Mode). When an authorized LEA administrator activates Lost Mode for a device, location is fetched at the moment of the administrator's request — not continuously. Each "locate now" action by the administrator triggers a single point-in-time location lookup. Location data is retained only as needed to support the active Lost Mode session and is deleted when Lost Mode is deactivated or the device is recovered. Provider does not maintain location history, perform geofencing, or run background location tracking outside of administrator-initiated lookups.
  • (b) Device recovery captures. When an authorized LEA administrator marks a Chromebook for theft recovery via the UserAuthGuard dashboard, the device is moved into the LEA's dedicated /StolenDevices Organizational Unit. While the device is in that OU, the UserAuthGuard Theft Recovery Kiosk App captures geolocation and visible-screen screenshots continuously at backend-configured intervals (typically 30-second screenshots, 60-second location pings) for the duration of the active recovery session. Capture stops automatically when the LEA marks the device recovered, when the device leaves the /StolenDevices OU, or after 30 days from the start of the session — whichever occurs first. Captures are stored encrypted (AES-256 at rest, TLS 1.2+ in transit), access is restricted to the initiating LEA administrator and authorized district personnel via UserAuthGuard's role-based access control, and are automatically deleted upon recovery (with optional immediate purge for false-positive recoveries) or at the 30-day cap, whichever first.
  • (c) No webcam capture. UserAuthGuard does not capture from the device's camera or microphone under any circumstances, including during active theft-recovery sessions. The Theft Recovery Kiosk App's manifest does not request the videoCapture, audioCapture, or mediaDevices permissions and the application code does not call any media-capture APIs.
  • (d) Incidental capture of non-thieves. A stolen Chromebook may pass through the hands of someone who is not the thief — a returning student, sibling, parent, or finder. Where captures incidentally include such persons: (i) faces are auto-blurred where technically feasible; (ii) captures are deleted immediately upon LEA confirmation that the recovery was a false positive; (iii) captures are never used for student discipline or shared outside the LEA's UserAuthGuard tenant; (iv) the LEA may at any time direct UserAuthGuard to purge a specific session's captures.
  • (e) Provider does not engage in continuous screen monitoring, keystroke logging, browsing history collection, or application usage tracking on devices in normal use. The continuous capture described in (b) above applies solely to devices that have been explicitly marked for theft recovery by an LEA administrator and moved into the dedicated /StolenDevices OU.

ARTICLE VII — DATA BREACH NOTIFICATION

7.1 Notification Timeline. Provider shall notify LEA within 72 hours of confirming a Breach involving Student Data. Notification shall be made by phone to LEA's designated contact, followed by written confirmation via email.

7.2 Notification Contents. Breach notification shall include:

  • (a) Nature and circumstances of the Breach;
  • (b) Categories and approximate number of students affected;
  • (c) Description of the data elements compromised;
  • (d) Likely consequences of the Breach;
  • (e) Measures taken or proposed to contain and remediate the Breach; and
  • (f) Contact information for Provider's designated point of contact.

7.3 Provider Obligations. Following a Breach, Provider shall:

  • (a) Take immediate steps to contain and remediate the Breach;
  • (b) Cooperate fully with LEA's investigation;
  • (c) Provide ongoing updates at reasonable intervals until resolution;
  • (d) Maintain documentation of the Breach for a minimum of five years; and
  • (e) If the Breach is attributable to Provider's negligence, bear the reasonable costs of notification and remediation, including credit monitoring services if applicable.

7.4 LEA Responsibilities. LEA is responsible for notifying parents, students, and regulatory authorities as required by applicable law. Provider shall support LEA's notification efforts.

7.5 State Law Compliance. Provider shall comply with the Pennsylvania Breach of Personal Information Notification Act (73 P.S. 2301-2329) and any other applicable state breach notification laws. If more than 500 Pennsylvania residents are affected, Provider shall assist LEA with notification to the Pennsylvania Attorney General.

ARTICLE VIII — DATA RETENTION AND DELETION

8.1 Retention During Agreement. Provider retains Student Data only for the duration of the service agreement and as necessary to provide the contracted services.

8.2 Deletion Upon Termination. Within 30 calendar days of expiration or termination of the service agreement, Provider shall delete or destroy all Student Data in its possession, including all copies, backups, and archived data. Provider shall provide written certification of deletion to LEA upon request.

8.3 Data Export. Prior to deletion, LEA may request an export of all Student Data in a standard, machine-readable format (CSV or JSON). Provider shall provide such export within 15 business days of the request.

8.4 Survival. Provider's confidentiality and security obligations under this DPA survive termination for a period of three years. Breach notification obligations survive indefinitely.

8.5 Legal Hold Exception. If Provider is subject to a legal hold or preservation order, Provider may retain affected data for the duration of the hold, with prompt notice to LEA.

ARTICLE IX — SUB-PROCESSORS

9.1 Approved Sub-Processors. Provider's current Sub-Processors are listed in Exhibit C. Provider shall not engage any new Sub-Processor to process Student Data without providing LEA at least 30 days prior written notice.

9.2 Sub-Processor Obligations. Provider shall enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those in this DPA. Provider remains fully liable for the acts and omissions of its Sub-Processors with respect to Student Data.

9.3 Objection Right. LEA may object in writing to Provider's engagement of a new Sub-Processor within 15 days of receiving notice. If the parties cannot resolve the objection, LEA may terminate this DPA upon 30 days written notice.

ARTICLE X — DUTIES OF LEA

10.1 Compliance. LEA shall comply with FERPA, COPPA, and applicable state student data privacy laws, including providing all required notifications to parents regarding the disclosure of Student Data to Provider.

10.2 Parental Consent. LEA warrants that it has provided appropriate notice and/or obtained consent as required under COPPA's school consent provision (16 CFR 312.5(c)(3)) and that LEA has authority under FERPA to designate Provider as a school official.

10.3 Authorized Users. LEA is responsible for ensuring that only authorized school personnel access the UserAuthGuard platform and for managing its user accounts and credentials.

10.4 Data Accuracy. LEA is responsible for the accuracy and legality of Student Data provided to Provider.

ARTICLE XI — GENERAL TERMS

11.1 Governing Law. This DPA shall be governed by the laws of the Commonwealth of Pennsylvania. Federal law (FERPA, COPPA) applies where applicable.

11.2 Dispute Resolution. The parties shall first attempt to resolve disputes through good-faith negotiation for a period of 30 days. If unresolved, either party may pursue mediation or litigation in Montgomery County, Pennsylvania.

11.3 Term. This DPA is co-terminus with the underlying service agreement between the parties.

11.4 Termination for Breach. Either party may terminate this DPA upon 60 days written notice for material breach, provided the breaching party has been given 30 days to cure the breach after receiving written notice.

11.5 Order of Precedence. In the event of conflict: (1) applicable law; (2) this DPA; (3) Exhibits; (4) the underlying service agreement.

11.6 Amendment. This DPA may only be amended in writing signed by both parties.

11.7 Severability. If any provision is found unenforceable, the remaining provisions remain in full force and effect.

11.8 Assignment. Provider may not assign this DPA without LEA's prior written consent.

11.9 Indemnification.

(a) Provider shall indemnify and hold harmless LEA from and against any claims, damages, or losses arising from Provider's breach of this DPA or negligent handling of Student Data.

(b) LEA shall indemnify and hold harmless Provider from and against any claims, damages, or losses arising from LEA's breach of its obligations under this DPA, including but not limited to: failure to manage user credentials and access controls (Section 10.3); unauthorized sharing of login credentials with students, parents, or other unauthorized individuals; actions or omissions of LEA personnel that result in unauthorized access to, or disclosure of, Student Data through the Platform; and failure to comply with FERPA, COPPA, or applicable state privacy laws as required under Article X.

11.10 Limitation of Liability. In no event shall Provider be liable for any breach, loss, unauthorized access, or unauthorized disclosure of Student Data that is caused by or results from: (a) LEA's failure to comply with its obligations under Article X of this DPA; (b) LEA personnel sharing, mismanaging, or failing to secure user credentials or access controls; (c) unauthorized individuals accessing the Platform through credentials obtained from LEA personnel; or (d) LEA's failure to deactivate user accounts for personnel who are no longer authorized to access the Platform. Provider's total aggregate liability under this DPA shall not exceed the fees paid by LEA to Provider during the twelve (12) months immediately preceding the event giving rise to the claim.

11.11 Notices. All notices under this DPA shall be in writing and directed to:

Provider: Asan Digital LLC (dba UserAuthGuard) Attn: Privacy Officer 13 Station Ave Schwenksville, PA 19473 Email: privacy@userauthguard.com Phone: (267) 639-8522

LEA: ______________________________ Attn: ________________________ Address: _____________________ Email: _______________________ Phone: _______________________

11.12 Entire Agreement. This DPA, including all Exhibits, constitutes the entire agreement between the parties regarding the privacy and security of Student Data.

SIGNATURES

ASAN DIGITAL LLC (DBA USERAUTHGUARD)

Signature: ______________________________

Name: Stef Verleysen

Title: Founder & Privacy Officer

Date: ________________________

LOCAL EDUCATION AGENCY

Signature: ______________________________

Name: _________________________________

Title: __________________________________

Date: ________________________

EXHIBIT A — DESCRIPTION OF SERVICES

Service Name: UserAuthGuard

Service Description: Cloud-based K-12 technology management platform that enables schools to manage device inventory (Chromebooks, Windows devices, projectors, spare parts), assign devices to students, track IT support and repair workflows, filter web content, monitor classroom activity, and recover lost or stolen devices. The platform integrates with Google Workspace via the Admin SDK and deploys a Chrome browser extension to managed devices.

Device & Inventory Management:

  1. 1:1 student-to-device assignment with automatic OU policy enforcement
  2. Device check-in and check-out logging
  3. Device inventory tracking and status management — Chromebooks, Windows devices, projectors, peripherals, and spare parts
  4. Visual Google Workspace Organizational Unit (OU) explorer and management
  5. Bulk device assignment, transfer, and collection tools with charger tracking
  6. Group policy management
  7. Loaner device management with return tracking
  8. Lost and stolen device tracking and recovery workflows
  9. Device carts for shared grab-and-go pools
  10. QR code generation for physical asset identification

IT Support & Repair Tracking:

  1. Support queue — teachers submit, technicians triage, administrators oversee
  2. Repair queue with status tracking and technician assignment
  3. In-house repair tracking from intake through return to student
  4. Intermediate Unit (IU) service request tracking and follow-up
  5. Service categories: support, repair, onboarding, DOA
  6. Per-school reporting on ticket volume and resolution metrics

Web Filtering & Student Safety:

  1. URL filtering with organization-wide and per-school block lists
  2. Category-based content blocking policies
  3. Complete browsing history logging with timestamps for every managed device
  4. Web search query tracking across Google, Bing, Yahoo, and DuckDuckGo
  5. Self-serve PDF browsing reports — any student, any date range, generated by authorized administrators
  6. Keyword safety alerts for self-harm, violence, bullying, and custom keyword categories

Classroom Monitoring:

  1. Real-time view of student screens and active browsing during class
  2. Open tab and URL visibility per student
  3. Teacher dashboard — view all student activity in a homeroom or class
  4. Direct support ticket submission from the teacher portal

Lost & Stolen Device Recovery:

  1. On-demand device location lookup when a device is reported lost or stolen
  2. Remote device lock and lost device contact screen
  3. Device recovery screenshot — Continuous screen capture during active theft-recovery sessions, initiated solely by an authorized LEA administrator and terminating on recovery, OU change, or the 30-day retention cap, whichever first
  4. Device recovery workflow management

Administration & Reporting:

  1. Role-based dashboards for administrators, technicians, and teachers
  2. Multi-school management from a single interface
  3. Complete audit trail of every device action, assignment, and ticket
  4. Compliance reporting and FERPA-compliant data export
  5. Active device hours configuration and enforcement

Service Delivery: Cloud-hosted software-as-a-service (SaaS) accessed via web browser. Chrome browser extension deployed to managed devices via Google Admin Console for web filtering, classroom monitoring, browsing history, keyword alerts, and device recovery features.

Support: Email support at support@userauthguard.com. Phone support at (267) 639-8522 during business hours. Enterprise plan includes dedicated account support, priority bug fixes, and 100 hours/year of custom development.

EXHIBIT B — SCHEDULE OF STUDENT DATA

Data Collected — Platform (Always Active)

The following data is collected through the web-based platform for all organizations:

Category Data Elements Source Purpose
Student Identity First name, last name, school-assigned email address, student ID (if provided by LEA), grade level, school name Google Workspace directory (provided by LEA) Device assignment and identification
Device Assignment Device serial number, asset tag, device model, student-to-device assignment mapping, assignment start/end dates LEA admin actions + Google Admin Console 1:1 device management
Check-In/Check-Out Timestamp of check-out, timestamp of check-in, student identifier, staff identifier, device condition notes LEA staff actions in platform Device accountability and tracking
Support & Repair Data Ticket descriptions, repair notes, technician assignments, resolution status, timestamps LEA staff actions in platform IT support workflow management
Technical/Metadata Login timestamps, IP addresses, browser/device type, session identifiers Platform usage Security, platform functionality

Data Collected — Chrome Extension (Only When Deployed by LEA)

The following data is only collected when the LEA chooses to deploy the UserAuthGuard Chrome extension to managed devices via Google Admin Console. The extension is not deployed by default — it requires explicit action by an authorized LEA administrator. Each feature below can be independently enabled or disabled by the LEA through the platform's monitoring settings.

Category Data Elements Source Purpose
Browsing Activity URLs visited, page titles, timestamps, duration on page Chrome extension on managed devices Web filtering enforcement, safety monitoring, compliance reporting
Search Queries Search terms entered on Google, Bing, Yahoo, DuckDuckGo with timestamps Chrome extension on managed devices Student safety monitoring, keyword alerts
Keyword Alerts Flagged search terms or URL content matching safety categories (self-harm, violence, bullying, custom keywords) Chrome extension on managed devices Student safety, mandatory reporting support
Classroom Activity Active tab URL, page title, open tabs, screen thumbnail during class sessions Chrome extension on managed devices (real-time, during active class sessions only) Classroom monitoring by authorized teachers
Device Location GPS/Wi-Fi coordinates at time of lookup Chrome extension (on-demand only when Lost Mode activated by LEA admin) for Lost Mode; Theft Recovery Kiosk App (active continuously for the duration of an LEA-initiated theft-recovery session, until recovery, OU change, or the 30-day cap) for stolen-device recovery Recovery of lost/stolen devices
Device Recovery Screenshot Screen capture image Theft Recovery Kiosk App (active for the duration of an LEA-initiated recovery session) Theft investigation and device recovery
Heartbeat/Online Status Device online/offline status, last seen timestamp Chrome extension on managed devices Device status monitoring

Data NOT Collected

UserAuthGuard does not collect:

  • Student grades, test scores, or academic records
  • Health or medical records
  • Disciplinary records
  • Social security numbers or government IDs
  • Financial or payment information
  • Biometric data
  • Keystroke logs
  • Student communications, messages, or email content
  • Social media account data or private social media activity
  • File contents on student devices

EXHIBIT C — LIST OF SUB-PROCESSORS

Sub-Processor Purpose Data Processed Location
Amazon Web Services (AWS) Cloud infrastructure, data hosting, and storage (EC2, S3, RDS) All Student Data United States
Amazon Simple Email Service (SES) Transactional email delivery (account notifications, admin alerts) Email addresses of LEA administrators United States
Google Workspace for Education Directory integration (data source controlled by LEA) Student names, emails, OU assignments United States
Stripe, Inc. Payment processing for LEA subscriptions LEA billing contact name, email, payment method — No Student Data United States

All Sub-Processors are contractually bound to data protection obligations no less protective than those in this DPA. All Student Data is stored and processed within the United States.

Note: Stripe processes only LEA billing and payment information. No Student Data is shared with or accessible to Stripe.

Last Updated: March 2026

EXHIBIT D — BREACH NOTIFICATION PROCEDURES

1. Classification

Level Definition Response
Security Event Potential compromise under investigation Internal investigation within 24 hours
Confirmed Breach Unauthorized access to Student Data confirmed LEA notification within 72 hours

2. Notification Chain

Step 1: Phone call to LEA's designated privacy contact Step 2: Email confirmation within 4 hours of phone call Step 3: Written incident report within 5 business days

3. Incident Report Contents

  • Date and time of discovery
  • Nature and circumstances of the incident
  • Categories and approximate number of students affected
  • Data elements compromised
  • Containment measures taken
  • Root cause (if known)
  • Remediation plan with timeline
  • Provider point of contact for ongoing communication

4. Post-Incident

  • Root cause analysis completed within 30 days
  • Remediation verified and documented
  • Post-incident review shared with LEA
  • Lessons learned incorporated into security program

5. State Compliance

Provider complies with the Pennsylvania Breach of Personal Information Notification Act (73 P.S. 2301-2329). For breaches affecting more than 500 Pennsylvania residents, Provider assists LEA with notification to the Pennsylvania Attorney General as required.

EXHIBIT E — USERAUTHGUARD PRIVACY COMMITMENTS

Asan Digital LLC makes the following binding commitments with respect to Student Data processed through UserAuthGuard:

  1. No Advertising. UserAuthGuard does not display advertisements to students and does not use Student Data for advertising purposes of any kind.

  2. No Data Sales. Asan Digital LLC does not and will never sell, rent, lease, or trade Student Data to any third party for any reason.

  3. No Commercial Use. Student Data is used exclusively to provide the contracted device management services to LEA. Period.

  4. No Student Profiling. UserAuthGuard does not build behavioral, psychological, or commercial profiles of students. Device management data is used solely for asset tracking, assignment, and recovery.

  5. No Continuous Monitoring of Devices in Normal Use. UserAuthGuard does not continuously monitor student screens, capture scheduled screenshots, log keystrokes, track browsing history, or monitor application usage on devices in normal use. Device recovery screenshots are captured only during active LEA-initiated theft-recovery sessions, never on devices in normal use. The capture begins when a district administrator marks a device stolen via the UserAuthGuard dashboard and stops automatically on recovery, OU change, or the 30-day retention cap. Outside active sessions, no screenshots are captured.

  6. No Continuous Location Tracking of Devices in Normal Use. For Lost Mode, device location is fetched only at the moment of an authorized LEA administrator's "locate now" request — not continuously. For active theft-recovery sessions on devices an LEA has explicitly marked stolen, location is captured at backend-configured intervals (typically every 60 seconds) for the duration of the session, terminating on recovery, OU change, or the 30-day cap. There is no geofencing, no background location tracking, and no location history maintained on devices in normal use.

  7. Minimal Data Collection. UserAuthGuard collects only the data elements listed in Exhibit B — the minimum necessary to provide device management services.

  8. US Data Residency. All Student Data is stored and processed within the United States.

  9. Transparency. Provider maintains a publicly accessible privacy policy at userauthguard.com/privacy-policy/ that describes its data practices in plain language.

  10. Accountability. Provider will participate in an annual data privacy review with LEA upon request at no additional charge.

This Data Processing Agreement is modeled on the SDPC National Data Privacy Agreement (NDPA) framework and aligned with FERPA, COPPA, the PTAC Data Security Checklist, and Pennsylvania state law.