Data Processing Agreement

Effective Date: April 15, 2026

This Data Processing Agreement ("DPA") is entered into between Kalvi Software, Inc. (d/b/a EdisonOS), a C-Corporation registered in Delaware, USA ("Processor" or "EdisonOS"), and the customer identified by their EdisonOS account ("Controller" or "Customer").

This DPA supplements the EdisonOS Terms of Use (edisonos.com/terms-of-use) and Privacy Policy (edisonos.com/privacy-policy). It governs the processing of Student Personally Identifiable Information ("Student PII") and any other personal data provided by the Customer to EdisonOS in connection with the platform services.

1. Definitions

  • Personal Data — Any information relating to an identified or identifiable natural person.
  • Student PII — Personally identifiable information from the education records of a student, as defined under FERPA (20 U.S.C. § 1232g) and applicable state law.
  • Processing — Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • Sub-Processor — A third party engaged by EdisonOS to process personal data on behalf of the Customer.
  • Data Breach — Any unauthorized acquisition, access, use, or disclosure of personal data.
  • FERPA — The Family Educational Rights and Privacy Act.
  • COPPA — The Children's Online Privacy Protection Act.

2. Roles and Responsibilities

2.1 Customer as Controller
The Customer determines the purposes and means of processing personal data. The Customer is responsible for ensuring lawful collection and sharing of personal data with EdisonOS, including obtaining necessary consents and authorizations (e.g., parental consent under COPPA).

2.2 EdisonOS as Processor
EdisonOS processes personal data solely on behalf of and as instructed by the Customer, for the purpose of providing the platform services described in the Terms of Use. EdisonOS does not determine the purposes of processing and will not use personal data for any purpose beyond service delivery.

2.3 School Official Designation
Where the Customer is a School or educational agency, EdisonOS operates as a "School Official" with a "legitimate educational interest" as defined under FERPA. EdisonOS processes Student PII under the direction and control of the School solely for the educational purposes specified in the service agreement.

3. Data Processing Scope

3.1 Categories of data processed

  • Student account data (name, email, organization affiliation)
  • Academic performance data (test scores, responses, progress metrics)
  • Usage data (login times, session duration, device/browser information)
  • Roster/enrollment data (student ID, grade, assigned teacher)
  • Parental contact data (for students under 13, where applicable)

3.2 Purpose of Processing

  • Platform operation: authentication, test delivery, analytics, reporting
  • Customer support: diagnosing and resolving technical issues
  • Product improvement: aggregate, de-identified analysis only
  • Legal compliance: FERPA, COPPA, state law obligations

3.3 Data not collected
EdisonOS does not collect Social Security Numbers, biometric data, medical/health records, financial data, or geolocation beyond city-level IP inference. See Privacy Policy Section B3.2 for the complete exclusion list.

4. Security Measures

EdisonOS implements and maintains the following technical and organizational security measures:

  • Encryption: TLS 1.2+ in transit; AES-256 at rest
  • Access control: Role-based access control (RBAC) limiting data access to authorized personnel
  • Authentication: Multi-factor authentication available for all accounts
  • Payment security: PCI-DSS compliant payment processing via Stripe (EdisonOS never stores full card details)
  • Infrastructure: US-based hosting on AWS with SOC 2 Type II certified infrastructure
  • Monitoring: Real-time error monitoring (Sentry, with PII sending disabled); automated security alerts
  • Employee training: All personnel with access to Student PII receive annual privacy and security training
  • Penetration testing: Regular third-party security assessments

5. Sub-Processors

EdisonOS engages the following sub-processors to deliver platform services. Each sub-processor is bound by contractual obligations providing equivalent data protection.

| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (S3) | Secure file and asset storage | United States |
| Railway | Application hosting, backend API | United States |
| Vercel | Frontend hosting, CDN | United States |
| PlanetScale | Database hosting | United States |
| SendGrid (Twilio) | Transactional email delivery | United States |
| Sentry | Error monitoring (PII disabled) | United States |
| Stripe, Inc. | Payment processing | United States |
| Google OAuth / Clever | SSO authentication (when enabled) | United States |
| TeachEdison Solutions Pvt Ltd | Platform engineering and support | India |

5.1 Changes to sub-processors
EdisonOS will notify the Customer at least 15 days before engaging a new sub-processor that will process Student PII. If the Customer objects, they may terminate the agreement by providing written notice within the 15-day period.

5.2 TeachEdison Solutions Pvt Ltd
TeachEdison Solutions Pvt Ltd (India) provides platform engineering and technical support under a separate DPA with Kalvi Software, Inc. TeachEdison personnel may access application systems and Student Data solely for development and support purposes. TeachEdison does not independently control Student PII and is contractually required to comply with FERPA, COPPA, and applicable US state student privacy laws.

6. Data Retention and Deletion

| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Student account and academic data | Duration of active subscription; deleted 60 days after account closure | Secure deletion from all systems |
| Usage logs | Rolling 12 months; anonymized thereafter | Automated deletion/anonymization |
| Backups | 30 days rolling | Automated overwrite |
| Payment/billing records | 7 years (legal/tax requirement) | Retained by Stripe; internal records purged after hold |
| Support correspondence | 3 years from last interaction | Secure deletion |

6.1 Post-termination
Upon termination or expiration of the agreement, EdisonOS will retain Customer and Student data for 60 days to allow export. After 60 days, all personal data will be securely deleted from production systems. Backup copies will be overwritten within the 30-day backup rotation cycle. The Customer may request earlier deletion by emailing privacy@edisonos.com.

6.2 De-identified data
EdisonOS may retain de-identified, aggregated data (from which no individual student can be identified) for product improvement purposes. De-identification is performed in accordance with FERPA's de-identification standard.

7. Data Breach Notification

7.1 Notification timeline
In the event of a confirmed Data Breach involving Student PII, EdisonOS will:

  • Notify the affected Customer within 72 hours of confirming the breach
  • Provide initial details including: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed

7.2 Ongoing Communication
EdisonOS will provide regular updates as the investigation progresses and a final incident report within 30 days of resolution, including root cause analysis and remediation steps.

7.3 Cooperation
EdisonOS will cooperate fully with the Customer's investigation and provide complete transparency regarding the incident and all remediation steps. EdisonOS will not notify parents or students directly unless instructed to do so by the Customer or required by law.

8. Customer Rights

8.1 Access and audit
The Customer may request access to or copies of all personal data processed by EdisonOS on their behalf. EdisonOS will respond to such requests within 30 calendar days. The Customer may also conduct or commission an audit of EdisonOS's data processing practices with 30 days' written notice, at the Customer's expense.

8.2 Data export
The Customer may export student data at any time through the platform's built-in export tools. Exported data is provided in standard formats (CSV, PDF).

8.3 Parental Rights
Parents or eligible students may exercise their rights under FERPA (access, correction, deletion) through the Customer (the School or Business User). The Customer is responsible for facilitating these requests. EdisonOS will cooperate with the Customer to fulfill such requests within 30 days.

9. Prohibited Uses

EdisonOS will not:

  • Use Student PII for targeted or behavioral advertising
  • Sell, rent, lease, or exchange Student PII with any third party
  • Build student profiles for non-educational purposes
  • Use Student PII to develop or market products beyond the contracted services
  • Retain Student PII beyond the retention periods specified in this DPA, except as required by law

10. Governing Law

This DPA is governed by the laws of the State of Delaware, USA. Disputes shall be subject to the exclusive jurisdiction of the courts in New Castle County, Delaware.

11. Term

This DPA remains in effect for the duration of the Customer's use of EdisonOS. Obligations relating to data deletion (Section 6), breach notification (Section 7), and prohibited uses (Section 9) survive termination.

12. Contact

For DPA-related inquiries, data access requests, or to report a security concern:

  • Privacy: privacy@edisonos.com
  • Security: security@edisonos.com
  • General support: help@edisonos.com
  • Mailing address: Kalvi Software, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, United States