Version 1.0 · Effective Date: 16 July 2026
Published at: youmultiply.com/legal/dpa-v1.0
This Data Processing Addendum ("DPA") forms part of the agreement between Educative Tech LLC, a Delaware limited liability company, trading as YouMultiply, of 8 The Green, Suite R, Dover, DE 19901, USA ("YouMultiply") and the client identified in the applicable Order Form or, for services purchased through checkout, the purchasing institution or account holder (the "Client"), and applies to any engagement in which YouMultiply processes Personal Data on the Client's behalf in providing services under the YouMultiply Customer Terms of Service (the "Terms") — including YouMultiply Education Ecosystem engagements, engagements for individual components of the ecosystem (for example, a dedicated ReachLMS or ReachSIS instance), shared-instance services purchased through checkout (for example, ReachLMS Saver), and other services identified in an Order Form or applicable product section. It is incorporated into the agreement by the Order Form or the applicable product terms. In case of conflict, this DPA controls over the Order Form and the Terms for matters concerning the processing of Personal Data.
1. Definitions
1.1 "Personal Data" means any information relating to an identified or identifiable natural person that YouMultiply processes on the Client's behalf in providing the Services, including Education Records.
1.2 "Education Records" has the meaning given in the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g, and its regulations at 34 CFR Part 99 ("FERPA"), to the extent FERPA applies to the Client.
1.3 "Data Protection Laws" means all laws applicable to the processing of Personal Data under the agreement, which may include FERPA, the EU and UK General Data Protection Regulation ("GDPR"), and other applicable privacy laws, in each case to the extent applicable to the Client and the processing concerned.
1.4 "Data Subject", "Controller", "Processor", "processing", and "Personal Data Breach" have the meanings given in the GDPR, applied by analogy where the GDPR does not itself apply.
1.5 "Sub-processor" means a third party engaged by YouMultiply to process Personal Data on the Client's behalf.
1.6 "Services", "Order Form", "Kick-off", "Setup Delivery", "Go-Live", "Permitted Users", and "Active Records" have the meanings given in the Terms and the Order Form, in each case to the extent applicable to the engagement concerned.
2. Roles of the parties
2.1 The Client is the Controller (and, where FERPA applies, the educational agency or institution) of the Personal Data. YouMultiply is a Processor acting on the Client's behalf.
2.2 Each party will comply with the Data Protection Laws applicable to it in its role.
3. FERPA — school official designation
3.1 Where FERPA applies to the Client, the Client designates YouMultiply as a "school official" with a "legitimate educational interest" in Education Records, within the meaning of 34 CFR §99.31(a)(1), solely to the extent necessary to provide the Services.
3.2 YouMultiply agrees that it: (a) performs an institutional service or function for which the Client would otherwise use its own employees; (b) is under the direct control of the Client with respect to the use and maintenance of Education Records, as set out in this DPA; (c) uses Education Records only for the purposes for which the disclosure was made (providing the Services) and for no other purpose; and (d) will not re-disclose Education Records except as permitted by this DPA, directed by the Client, or required by law.
3.3 The Client is responsible for including its designation of service providers as school officials, and the criteria for legitimate educational interest, in its annual FERPA notification where required.
4. Scope of processing
4.1 The subject matter, duration, nature and purposes of the processing, and the categories of Data Subjects and Personal Data, are set out in Annex A.
4.2 YouMultiply will process Personal Data only: (a) to provide, maintain, secure, and support the Services; (b) on the Client's documented instructions, including the Terms, the Order Form, this DPA, and instructions given through the Client's configuration and use of the Services; and (c) as required by law, in which case YouMultiply will inform the Client of the legal requirement before processing unless the law prohibits this. YouMultiply will inform the Client if, in its opinion, an instruction infringes Data Protection Laws.
4.3 YouMultiply will not sell Personal Data, use it for advertising, or use it to train generalised artificial-intelligence models, and will not process it for any purpose other than as described in §4.2 and §11 (De-identified Data).
5. Confidentiality and personnel
5.1 YouMultiply will ensure that persons authorised to process Personal Data are bound by contractual or statutory obligations of confidentiality.
5.2 Access to Personal Data is limited to personnel who need it to perform the Services, on a least-privilege basis.
6. Security
6.1 YouMultiply will implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as described in Annex B. YouMultiply may update Annex B from time to time provided the overall level of protection is not materially reduced.
7. Personal Data Breach
7.1 YouMultiply will notify the Client without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting the Client's Personal Data, so that the Client can meet its own notification obligations (including any 72-hour regulator deadline applicable to the Client).
7.2 The notification will, to the extent then known, describe the nature of the breach, the categories and approximate numbers of Data Subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point; information may be provided in phases as it becomes available.
7.3 YouMultiply will take reasonable steps to contain and remediate the breach and will reasonably cooperate with the Client's own notification obligations. YouMultiply will not notify Data Subjects or authorities on the Client's behalf unless required by law or agreed with the Client.
8. Sub-processors
8.1 The Client authorises YouMultiply to engage the Sub-processors listed in Annex C, which is published as part of this DPA at youmultiply.com/legal/dpa-v1.0.
8.2 YouMultiply will give the Client at least thirty (30) days' notice (by email to the Order Form notices address or the account email, or by update to the published Annex C with email notification) before adding or replacing a Sub-processor. The Client may object in writing on reasonable data-protection grounds within that period; the parties will discuss in good faith, and if no resolution is reached the Client may terminate the affected Services per the Terms, with a pro-rata refund of prepaid, unused subscription fees.
8.3 YouMultiply will impose data-protection obligations on each Sub-processor that are materially no less protective than this DPA, and remains responsible for its Sub-processors' performance.
9. Hosting locations and international transfers
9.1 Personal Data is hosted in the United States by default; alternative hosting regions are available and, where agreed with the Client, are recorded in the Order Form. YouMultiply operates a distributed team, and Personal Data may be accessed by authorised YouMultiply personnel from the locations in which that team operates — currently including the United States, South Africa, and India — in all cases subject to the confidentiality, security, and access controls in this DPA.
9.2 This §9.2 applies only to an engagement in which the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to YouMultiply is subject to the GDPR or its UK or Swiss equivalents, and has no effect otherwise. For such an engagement: (a) the parties will promptly execute the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor), completing all required options, annexes, and party details on the basis of Annexes A–C of this DPA, together with the UK International Data Transfer Addendum (with its required selections) where UK data is concerned and the adaptations required for Swiss data where Swiss data is concerned; and (b) pending that execution, those clauses are deemed incorporated into this DPA with the Client as data exporter, YouMultiply as data importer, Annexes A–C serving as the clause annexes, the clauses governed by the law of Ireland, and disputes under them subject to the courts of Ireland. YouMultiply will reasonably assist the Client with any transfer impact assessment the Client is required to perform.
9.3 Where the Protection of Personal Information Act, 2013 (South Africa) ("POPIA") applies to the Client, this DPA constitutes the written contract between responsible party and operator required by POPIA section 21 and the agreement providing an appropriate level of protection for transfers under POPIA section 72, and the additional provisions of Annex D apply. Where other jurisdictions' transfer rules apply to a particular Client, the parties will document the applicable mechanism in the Order Form or an addendum.
10. Assistance and Data Subject requests
10.1 Taking into account the nature of the processing, YouMultiply will assist the Client by appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) and, under FERPA, requests by parents and eligible students to inspect and review Education Records. In the first instance, the Services' own administrative tools are the means of assistance.
10.2 If YouMultiply receives a request directly from a Data Subject, parent, or eligible student relating to the Client's Personal Data, it will redirect the requester to the Client and will not respond substantively except on the Client's instruction or where legally required.
10.3 YouMultiply will provide reasonable assistance with the Client's data-protection impact assessments and consultations with supervisory authorities, to the extent they concern the Services, and may charge reasonable fees for assistance that is materially disproportionate to the subscription.
11. De-identified and aggregated data
11.1 YouMultiply may create and use data derived from the use of the Services that has been aggregated and de-identified such that it does not identify the Client or any natural person, and no longer constitutes Personal Data or an Education Record, for its internal research, service improvement, benchmarking, and product development. YouMultiply will not attempt to re-identify such data and will prohibit its recipients from doing so. Title to such de-identified data vests in YouMultiply and this §11 survives termination.
12. Audit and demonstration of compliance
12.1 YouMultiply will make available to the Client information reasonably necessary to demonstrate compliance with this DPA, including, on written request no more than once per year: a summary of its security measures, completed security questionnaires, and available third-party audit reports or certifications. On-site or technical audits are available only where required by Data Protection Laws or a supervisory authority, on at least thirty (30) days' notice, during business hours, at the Client's cost, subject to confidentiality, and no more than once per year.
12.2 Liability under this DPA is subject to the limitations and exclusions in the Terms — including the enhanced cap in Section 2.6(a) of the Terms for breaches of confidentiality obligations and of this DPA — except to the extent Data Protection Laws provide otherwise.
13. Client obligations
13.1 The Client warrants and agrees that: (a) it has, and will maintain, a lawful basis for the Personal Data it provides to the Services and its instructions to YouMultiply, including for the special categories described in Annex A where its use involves them; (b) it will provide all notices to, and obtain any consents from, Data Subjects (including students and, for minor students, their parents or guardians) required by Data Protection Laws for the processing described in this DPA; (c) it will not provide payment-card primary account data or health records subject to sector-specific regimes, and will provide special categories of Personal Data only as described in Annex A, without YouMultiply's prior written agreement and an updated Annex A; (d) the Services are offered for secondary (high-school), post-secondary, and adult education, and it will not use the Services to enrol, or to process the records of, children under thirteen (13) years of age as students; and (e) it is responsible for the accuracy and quality of the Personal Data and for its own users' compliance with the Terms.
14. Return and deletion
14.1 On termination or expiry of the engagement, YouMultiply will make a complete export of the Client's data available per Section 7.9 of the Terms or the equivalent export provision applicable to the engagement (and, where none applies, in standard machine-readable formats, available for at least thirty (30) days), and will thereafter delete the Personal Data from its systems, with backup copies deleted as they expire in the ordinary cycle described in Annex B, except to the extent retention is required by applicable law. The retention carve-outs in Section 2.3 of the Terms apply to Personal Data only insofar as the retained materials are YouMultiply's own business records of the engagement (such as the contract, invoices, and correspondence); they do not permit retention of the Client's student records or database contents. On the Client's written request, YouMultiply will confirm completion of deletion in writing.
14.2 The export and deletion commitments apply to Personal Data in systems under YouMultiply's control; they do not extend to Data Subjects' own accounts with third parties (for example, individual Logos or EVERYWORD accounts) or data held by app stores, which are governed by those providers' terms.
15. General
15.1 This DPA takes effect on acceptance of the Order Form that incorporates it or, for services purchased through checkout, on your acceptance of the Terms at checkout, and continues for as long as YouMultiply processes Personal Data for the Client.
15.2 This DPA is governed by the governing-law and dispute-resolution provisions of the Terms, except where the Standard Contractual Clauses (where applicable under §9.2) require otherwise.
15.3 YouMultiply may publish updated versions of this DPA at a new versioned URL; the version incorporated by the Client's Order Form continues to govern that engagement unless the parties agree otherwise or an update is required by Data Protection Laws (in which case YouMultiply will give notice).
Annex A — Processing details
| Item | Description |
|---|---|
| Subject matter | Provision of the YouMultiply services identified in the Order Form or purchased through checkout — the YouMultiply Education Ecosystem in whole or in part (dedicated ReachLMS and/or ReachSIS instances, white-label mobile application, Logos Library Access Manager, EVERYWORD promotional access), shared-instance services (ReachLMS Saver), and related setup, migration, support, and hosting, or such other services as the Order Form identifies. Rows below apply to the extent relevant to the services actually engaged. |
| Duration | The term of the engagement plus the export and deletion period in §14. |
| Nature and purpose | Hosting, storage, transmission, and display of records; migration of Active Records (and historical records where that add-on is selected); account provisioning and authentication; learning-management and student-information processing (enrolment, courses, grades, attendance, transcripts, communications, and billing records where the billing add-on is selected); delivery of notifications and transactional email; mobile push notification delivery; technical support; backups; security and usage monitoring of system metrics. |
| Categories of Data Subjects | Enrolled students and applicants, who may include minors aged thirteen (13) and older where the Client is a secondary institution (children under 13 are not enrolled — §13.1(d)); parents and guardians of minor students, and emergency contacts and next-of-kin, as recorded by the Client; faculty, staff, and authorised contractors; alumni and former students only where the historical-migration add-on is selected; donors only where the Client configures related ReachSIS modules. |
| Categories of Personal Data | Identity and contact data; enrolment, academic, and attendance records; grades, assessments, and transcripts; user-generated content within courses; authentication data and device/push tokens; billing and payment records (excluding card primary account numbers, which are handled by payment providers); support communications; technical logs, usage events, and system metadata. |
| Special categories | To the extent inherent in the Client's use of the Services, the Services may process: health and disability information recorded by the Client (for example, accommodations and emergency medical details); religious affiliation and related information (inherent to faith-based institutions and course content); and Personal Data of minor students aged thirteen (13) and older where the Client enrols them (children under 13 are not enrolled — §13.1(d)). YouMultiply processes these categories solely as part of the records the Client chooses to maintain in the Services, under the safeguards in Annex B and this DPA, and the Client is responsible for the lawful basis, notices, and any consents such processing requires (§13), including parental consents or notices required for minor students. The Client must not submit payment-card primary account data or health records subject to sector-specific regimes (such as HIPAA-covered clinical records) without prior written agreement. |
Annex B — Security measures
Tenant isolation appropriate to the service purchased: dedicated single-tenant application instances and databases per client for Education Ecosystem engagements (underlying cloud infrastructure may be shared), and logical tenant separation through platform tenancy and permission controls for shared-instance services (ReachLMS Saver); encryption of data in transit (TLS/SSL); database backups performed at least daily and retained at least seven (7) days; file storage held in durable, versioned object storage with redundant replication, with prior object versions retained at least seven (7) days enabling recovery of deleted or overwritten files; extended retention available as additional services per the Terms and Order Form; role-based access control and least-privilege administrative access; multi-factor authentication available for the Client's user and administrator accounts, recommended by YouMultiply, and enforceable at the Client's election through platform configuration; personnel confidentiality obligations per §5; vulnerability patching and update management; logging and monitoring of system metrics and service usage (not the content of individual user activity beyond what the Services themselves store); physical and environmental security via the hosting Sub-processor's data centres; secure deletion practices per §14; an incident-response procedure supporting the §7 notification commitment. Reduced-resource hosting during agreed dormancy periods maintains the same security and backup posture.
Annex C — Sub-processors
Sub-processors are engaged to the extent relevant to the services in the Client's engagement (for example, the Logos and EVERYWORD providers apply only where those components are included).
| Sub-processor | Role | Location |
|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure hosting of dedicated instances and backups | United States by default; other regions where agreed in the Order Form |
| Apple Inc. (Apple Push Notification service) | Delivery of mobile push notifications (device tokens and notification content) | United States / global |
| Google LLC (Firebase Cloud Messaging) | Delivery of mobile push notifications (device tokens and notification content) | United States / global |
| Resend, Inc. | Transactional email delivery (names, email addresses, and notification content) | United States |
| Google LLC (Google Workspace) | Support email and business communications | United States / global |
| PostHog, Inc. | Product analytics and service usage monitoring (user identifiers and usage events) | United States |
| Faithlife Corporation (Logos) | Logos Research Subscription licence provisioning via the Library Access Manager (user identifiers and booking data) | United States |
| Leadership Ministries Worldwide | EVERYWORD Premium access provisioning (user identifiers for access grants) | United States |
| Educative Tech (Pty) Ltd | Affiliated service-delivery personnel (engineering and support) | South Africa |
YouMultiply also employs personnel directly in the locations described in §9.1 (currently including the United States, South Africa, and India); directly employed personnel are not Sub-processors and are bound by the confidentiality obligations in §5.
Annex D — POPIA Operator Schedule
This Annex D applies where the Protection of Personal Information Act, 2013 (South Africa) ("POPIA") applies to the Client's processing. Terms defined in POPIA ("responsible party", "operator", "personal information", "special personal information") apply in this Annex.
1. Roles. The Client is the responsible party; YouMultiply is an operator processing personal information on the Client's behalf. This DPA is the written contract required by POPIA section 21(1).
2. Operator obligations. YouMultiply will: (a) process personal information only with the knowledge or authorisation of the Client and in accordance with §4 of this DPA; (b) treat personal information as confidential and not disclose it except as required for the Services, permitted by this DPA, or required by law (POPIA section 20); and (c) secure the integrity and confidentiality of personal information through the measures in Annex B, consistent with POPIA section 19.
3. Security compromise notification. Where there are reasonable grounds to believe that personal information of a Data Subject has been accessed or acquired by an unauthorised person, YouMultiply will notify the Client immediately on becoming aware, and in any event within the period stated in §7.1 of this DPA, so that the Client can meet its obligations under POPIA section 22. YouMultiply will provide the cooperation described in §7 of this DPA.
4. Special personal information and children. The special categories described in Annex A include categories that constitute special personal information under POPIA (including religious beliefs and health) and, where the Client enrols minor students, personal information of children (persons under 18 under POPIA). YouMultiply processes these only as part of the records the Client maintains in the Services; the Client is responsible for ensuring an applicable authorisation ground under POPIA sections 27–33 and, for children's information, section 35. Children under thirteen (13) are not enrolled in the Services (§13.1(d) of this DPA).
5. Transfers. The Client authorises the trans-border flows of personal information described in §9.1 (hosting in the United States by default; access by authorised personnel from the locations there described). This DPA, including Annexes A–D, constitutes the binding agreement providing an adequate level of protection for the purposes of POPIA section 72(1)(a), upholding principles for reasonable processing and provisions substantially similar to POPIA's conditions relating to the further transfer of personal information.
6. Sub-operators. The Sub-processors in Annex C are engaged as further operators on terms consistent with §8 of this DPA.