Data Processing addendum
A Data Processing Addendum for customers that need data processing, FERPA, student-data, and subprocessor terms for dooMO.
Using this DPA
This DPA becomes effective only when it is signed, incorporated into an order form or another agreement, or otherwise accepted in writing by Tributary and the Customer.
Parties and scope
This Data Processing Addendum ("DPA") is between Tributary Studios LLC, a Minnesota limited liability company ("Tributary"), provider of dooMO, and the customer organization that uses dooMO ("Customer").
This DPA supplements the Terms of Service, order form, master services agreement, or other agreement that references it ("Agreement").
If there is a conflict between this DPA and the Agreement, this DPA controls only for the processing of Customer Data, Personal Data, Student Data, and Education Records covered by this DPA.
Definitions
- Customer Data means content and information submitted to dooMO by Customer or its authorized users, including task descriptions, comments, photos and image attachments, building data, member rosters, invitations, notification settings, and related metadata.
- Personal Data means information that identifies or can reasonably be linked to an individual.
- Student Data means Personal Data relating to a student that is submitted to dooMO by or for a K-12 school or district.
- Education Records has the meaning given under the Family Educational Rights and Privacy Act and its implementing regulations.
- Security Incident means a confirmed unauthorized access to or disclosure of Customer Data, Personal Data, Student Data, or Education Records in Tributary's possession or control.
- Subprocessor means a third-party service provider that processes Customer Data on Tributary's behalf to provide, secure, support, host, deliver, or bill for dooMO.
Roles
For Customer Data, Customer is the controller, business, educational agency, local educational agency, or equivalent data owner.
Tributary acts as a processor, service provider, contractor, or equivalent service provider that processes Customer Data only to provide, maintain, secure, support, and bill for dooMO, and as otherwise described in the Agreement, this DPA, and the Privacy Policy.
For school-district customers, when Tributary processes personally identifiable information from Education Records, Tributary intends to act as a "school official" performing an institutional service for which Customer would otherwise use employees, subject to Customer's direct control over the use and maintenance of that information.
Processing instructions
Customer instructs Tributary to process Customer Data only as necessary to: provide dooMO; maintain, secure, and support dooMO; manage accounts, organizations, roles, buildings, invitations, tasks, comments, photos, image attachments, notifications, exports, and billing metadata; prevent, detect, and address security, abuse, and operational issues; provide customer support; comply with law; enforce the Agreement; perform processing described in the Agreement, this DPA, and the Privacy Policy.
Tributary will not: sell Customer Data, Personal Data, Student Data, or Education Records; use Student Data for targeted advertising or cross-context behavioral advertising; use Customer Data, Student Data, or Education Records to build unrelated behavioral profiles; use Customer Data, Student Data, or Education Records to train machine-learning models unless a signed written addendum expressly permits it; disclose Customer Data except as described in the Agreement, this DPA, the Privacy Policy, Customer instructions, or applicable law.
K-12 use, data minimization, and staff training
dooMO is designed for authorized adult staff. Students should not be invited as users.
Customer is responsible for: training staff not to submit unnecessary student personally identifiable information; limiting task descriptions, comments, photos, locations, and attachments to information needed for facility, maintenance, and operational purposes; configuring access by role, building, and need to know; promptly removing users who no longer need access; reviewing task content for inappropriate, unnecessary, or excessive student information; requesting deletion, redaction, correction, or export when needed.
If Customer submits incidental Student Data to dooMO, Tributary will process it only for the contracted service purpose and will reasonably assist Customer with deletion, redaction, correction, access, or export requests using available product tools and support processes.
FERPA and student data
For school-district customers, Tributary will process Student Data and Education Records only to provide, maintain, secure, support, and bill for dooMO, and as otherwise instructed by Customer or required by law.
Tributary will not redisclose Student Data or Education Records except: to authorized Subprocessors listed on the Sub-processors page; as instructed by Customer; as required by law; as otherwise permitted by the Agreement, this DPA, or applicable law.
Tributary will reasonably assist Customer with parent, student, eligible-student, employee, or data-subject requests involving Customer Data, Student Data, or Education Records using available product tools and support processes.
Customer remains responsible for receiving, evaluating, and responding to those requests.
Subprocessors
Customer authorizes Tributary to use the Subprocessors listed on the Sub-processors page at /sub-processors.
Tributary remains responsible for Subprocessor performance under this DPA to the extent the Subprocessor performs services on Tributary's behalf.
Tributary will require Subprocessors to protect Customer Data under obligations materially consistent with this DPA, where available under the Subprocessor's applicable service terms, data processing terms, or written agreement.
Tributary will provide at least 30 days' advance notice before adding a new material Subprocessor where practical, unless an urgent security, continuity, or legal need requires a shorter period.
Notice may be provided by email to the organization administrator, in-product notice, update to the Sub-processors page, or another method described in the Agreement.
If Customer reasonably objects to a new material Subprocessor, Customer must notify Tributary during the notice period. The parties will work in good faith to resolve the objection.
If the objection cannot be resolved, Customer may terminate the affected paid Service and receive a pro-rata refund of prepaid unused fees for the terminated portion, unless the applicable order form states otherwise.
Security measures
Tributary will maintain commercially reasonable administrative and technical safeguards designed to protect Customer Data, including: TLS encryption in transit; managed-provider encryption at rest; Firebase Authentication; role-based and building-scoped access controls; backend authorization checks; deny-all client storage rules with Cloud Functions-mediated access; time-limited signed upload/download URLs for storage access; selected audit logs, diagnostics, and request IDs; rate limiting on selected abuse-prone endpoints; least-privilege operational access.
Cloud providers and other Subprocessors may provide physical safeguards for their own facilities and infrastructure.
dooMO does not currently require or manage multi-factor authentication. Customer is responsible for user-device security, user account hygiene, timely user removal, and choosing appropriate content to submit to dooMO.
Security incidents
If Tributary confirms a Security Incident affecting Customer Data, Personal Data, Student Data, or Education Records, Tributary will notify Customer without undue delay and, where required by contract or law, no later than 72 hours after confirmation.
The notice will describe, to the extent known at the time: the nature of the incident; affected data categories; known or likely impact; mitigation steps; recommended customer actions; follow-up information as it becomes available.
Tributary will reasonably cooperate with Customer's investigation, notice, mitigation, and remediation obligations.
Notice may be delayed if required by law enforcement, legal process, or applicable law.
Access, export, return, deletion, and retention
During the subscription term, Customer may access and export Customer Data through the export features then available in dooMO.
Self-serve export is currently available as CSV for task and statistics data. Other formats and retrieval of attachments or additional data may be provided on a support-assisted basis where technically feasible.
For 30 days after termination or organization closure, Customer may request support-assisted export or retrieval of Customer Data where technically feasible and legally permitted.
The 30-day post-termination period is a support request window. It is not a promise that every dataset is automatically retained for exactly 30 days or automatically deleted after 30 days.
Upon Customer's written request, Tributary will perform available deletion, redaction, de-identification, or purge processes for Customer Data where technically feasible and legally permitted.
Upon request, Tributary will provide written confirmation of completed deletion, redaction, de-identification, or purge actions. The confirmation may describe exceptions, including: provider backups; billing and accounting records; security, diagnostic, and audit logs; legal holds; dispute-resolution records; information retained as required by law; tombstoned account records or historical authorship references retained for security, audit, or operational integrity.
Plan history limits in dooMO are query, reporting, or export limits. They are not automatic deletion periods.
Backups, if enabled for the applicable environment, are managed through cloud-provider and operational settings and may retain deleted or changed information for a limited period before overwrite or expiration.
Billing records, invoices, tax records, and related accounting records may be retained as required by law and ordinary business needs, commonly up to 7 years. Some billing records are controlled by Stripe rather than dooMO.
Security, access, diagnostic, audit, and operational logs are retained according to operational logging settings, provider settings, legal obligations, and security needs. Tributary's target operational log retention period is up to 12 months, but provider logs may use different retention settings.
Assistance with requests
Customer is responsible for receiving, evaluating, and responding to requests from parents, students, eligible students, employees, users, regulators, and other data subjects concerning Customer Data.
Tributary will reasonably assist Customer through available admin tools and support processes, including assistance with: access; correction; export; deletion; redaction; de-identification; security information reasonably needed for procurement or compliance review.
Users should first route organization-content requests through their organization administrator.
Audits and documentation
Tributary will provide reasonable security and privacy documentation needed for Customer procurement reviews, such as this DPA, the Privacy Policy, the Sub-processors page, and reasonable questionnaire responses.
Customer may not perform invasive testing, production-system access reviews, vulnerability scans, penetration testing, or technical audits without Tributary's prior written approval.
This section does not limit Customer's rights to request documentation, deletion confirmation, subprocessor information, or Security Incident information reasonably required under the Agreement or applicable law.
State-specific student-data terms
State-specific student-data privacy terms may be added by order form, state exhibit, SDPC National Data Privacy Agreement exhibit, or separate rider.
Potential state-specific terms may include California SOPIPA, New York Education Law § 2-d, Illinois SOPPA, Texas student-data requirements, Utah student-data requirements, or other state student-data laws required by Customer.
International data transfers
dooMO is operated using cloud infrastructure configured for the United States where available and is intended for United States customers. This DPA is not currently offered for processing subject to the EU GDPR or UK GDPR. If Customer requires international-transfer terms (for example, Standard Contractual Clauses or a UK addendum), those terms must be separately agreed in writing before such processing.
Minnesota Public School District Addendum
This section applies when Customer is a Minnesota public school district, public educational agency, or institution subject to the Minnesota Government Data Practices Act, Minn. Stat. Ch. 13, and Tributary performs services under a purchase order, written agreement, or transaction with that Customer.
Order of precedence: If this section conflicts with the Agreement, Terms of Service, Privacy Policy, or any click-wrap or website terms, this section controls for Minnesota public school district data. If Customer's purchase order or transaction terms impose stricter Minnesota public-sector data obligations, those stricter terms control.
Minnesota Government Data Practices Act: Tributary acknowledges that data created, collected, received, stored, used, maintained, or disseminated by Tributary in performing the transaction may be subject to Minn. Stat. Ch. 13, and will administer such data according to the applicable requirements of Minn. Stat. Ch. 13 as if Tributary were a government entity, solely for purposes of performing the transaction. Customer remains responsible for data-classification decisions and public data request determinations. Tributary will promptly refer requests involving Customer data to Customer unless Customer instructs Tributary in writing to respond directly.
FERPA school-official treatment: To the extent the transaction allows Tributary to access identifiable student data, Tributary acknowledges that, solely for the purpose of completing specific institutional tasks directed by Customer, it is acting as a party to whom Customer has outsourced discrete institutional services or functions and, for that limited purpose, is treated as a FERPA school official under Customer's direct control with respect to the use and maintenance of the data. Tributary will use personally identifiable information from education records only for the purposes for which Customer disclosed it and will not redisclose it except as permitted by FERPA, Minn. Stat. Ch. 13, the applicable transaction, or written Customer instruction.
No property interest; no commercial use: Educational data created, received, maintained, or disseminated by Tributary pursuant or incidental to the transaction is not Tributary's property. Tributary will use educational data and other nonpublic government data only to fulfill its obligations under the transaction, will not use it for any commercial purpose (including marketing or advertising to a student or parent), and will not sell, share, or disseminate it except as permitted by Minn. Stat. Ch. 13, FERPA, the applicable transaction, a valid delegation or assignment, or written Customer instruction.
Authorized access only: Tributary will ensure that employees, contractors, agents, subprocessors, assignees, and delegates may access educational data or other nonpublic government data only if authorized and only when access is necessary to fulfill their official duties for the transaction.
Subprocessors, assignees, and delegates: Any subprocessor, assignee, delegate, contractor, or agent that creates, receives, maintains, or accesses educational data or other nonpublic government data must be subject to the same restrictions and obligations that apply to Tributary for that data.
Return or destruction within 90 days: Unless renewal of the transaction is reasonably anticipated, within 90 days after expiration of the transaction, Tributary will return or destroy educational data created, received, or maintained pursuant or incidental to the transaction. Upon Customer request, Tributary will return or destroy documents, data, and other information provided by Customer in connection with the transaction. Return or destruction will be performed through available export, deletion, redaction, de-identification, purge, storage cleanup, and support processes, and Tributary will provide written confirmation of completed return or destruction upon request.
Breach disclosure under Minn. Stat. § 13.055: If educational data or other nonpublic government data is subject to a breach of the security of the data, Tributary will disclose to Customer all information known to Tributary that is necessary for Customer to fulfill its obligations under Minn. Stat. § 13.055, following discovery or notification of the breach and without unreasonable delay, consistent with measures necessary to determine the scope of the breach, restore the reasonable security of the data, and comply with any lawful delay required by law enforcement. The disclosure will include, to the extent known: the type of data involved; the number or approximate number of individuals affected; the date or estimated date of the breach; the date of discovery; the nature of the unauthorized access or use; known or suspected cause; mitigation steps; recommended Customer actions; and information reasonably needed for Customer notices, investigation, and reporting, with updates as available.
Contact
Privacy and DPA requests should be sent to: Tributary Studios LLC / 16413 Fanning Ct, Lakeville, MN / Email: support@doomotasks.com.