Checkliste für Datenschutzvereinbarungen von KI-Anbietern: Worauf Sie achten sollten, bevor Ihr Bezirk etwas unterzeichnet

AI governance vendor DPA checklist

Most general-purpose AI tools are not automatically FERPA-compliant. Before any AI vendor touches student data, your district needs a signed Data Processing Agreement — and not all DPAs are written the same way.

This checklist walks IT directors, privacy officers, and district administrators through every clause that matters: what’s required under federal law, what’s strong practice, and what red flags to walk away from.

What’s Inside:

9 Sections. Every Clause That Matters.

Parties and Scope
Confirms the vendor is named as the data processor, specifies exactly which student data they’ll handle, and defines what constitutes an education record under FERPA. Vague language doesn’t cut it.

Permitted Use of Data
The most critical section for AI tools specifically. Covers prohibitions on selling student data, advertising profiling, and — the clause most generic DPAs miss — using student data to train AI models without explicit district consent.

Data Security
Encryption requirements, access controls, breach notification timelines, and third-party audit certifications. Best practice is a 72-hour breach notification window; anything vague or unlimited is a red flag.

Data Retention and Deletion
Defines maximum retention periods, requires deletion upon contract termination (30–60 days maximum), and — critically for AI tools — addresses whether AI-generated outputs derived from student data are also subject to deletion.

Subprocessors and Third Parties
AI tools often run on large cloud and AI infrastructure vendors. This section requires full subprocessor disclosure, equivalent data protections down the chain, and district notification before new subprocessors are added.

COPPA Compliance
Required for any tool used with students under 13. Covers school authorization language, data minimization, and public availability restrictions.

State Privacy Law Compliance
Federal law is the floor, not the ceiling. This section covers state-specific requirements — including CA SOPIPA, TX HB 4, and NY Ed Law 2-d — and flags where many DPAs fall short.

Audit and Accountability
Audit rights, transparency reporting, cyber liability insurance, and consequences for non-compliance beyond just termination.

AI-Specific Clauses
The section most legacy DPAs don’t have. Covers how AI/ML models interact with student data, model training prohibitions, treatment of AI-generated outputs, and subprocessor disclosure for the AI providers powering the product.

If a Vendor Won’t Sign, That’s Your Answer

A vendor unwilling to satisfy the required items is a vendor you cannot trust with student data. This checklist is built to make that determination fast — before a tool reaches a single classroom.

Download the AI Vendor DPA Checklist

Run through it before signing any agreement with an AI tool vendor.

Kostenloser und sofortiger Download: