Tribe AccredAI
Tribe AccredAICompliance OS
 Back to home
Legal

Data Processing Agreement

Tribe AccredAI offers a Data Processing Agreement (DPA) aligned with GDPR Article 28 for customers who process personal data on behalf of their institution.

Available on request
Request the AccredAI DPA

Our DPA is available for Professional and Enterprise plans, and for institutions evaluating the platform under procurement review. Send a short note and we'll respond within two business days with the current version for countersignature.

Email legal@accredai.comContact form

What the DPA Covers

The agreement formalizes the roles, obligations, and safeguards that govern processing of personal data through the platform:

  • Subject matter and duration — scope tied to the term of your subscription with Tribe AccredAI.
  • Nature and purpose of processing — providing accreditation, compliance, and evidence-management functionality.
  • Categories of data subjects and data — institutional staff, faculty, reviewers, and the documentation they upload.
  • Controller / processor roles — your institution acts as controller; AccredAI acts as processor.
  • Sub-processors — current list maintained on the Data Protection page, with advance notice of material changes.
  • Security measures — encryption in transit and at rest, access controls, audit logging, and least-privilege principles.
  • Personal data breach notification — written notice without undue delay after AccredAI becomes aware.
  • Data subject rights assistance — cooperation on access, rectification, deletion, and portability requests.
  • Return and deletion — export and erasure of customer personal data at end of contract.
  • Audit rights — reasonable information and audit cooperation, with confidentiality protections.

International Data Transfers

Where personal data is transferred outside the EEA / UK, the DPA incorporates the European Commission's Standard Contractual Clauses (and UK IDTA where applicable) by reference.

Custom Paper

Enterprise customers can negotiate the DPA alongside the MSA. For institutional procurement teams, we accept reasonable redlines on customer paper subject to legal review. Contact legal@accredai.com to begin.

FERPA Addendum

This addendum applies when the Customer is an educational institution subject to the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. §1232g; 34 CFR Part 99) and uploads “education records” to the Platform.

  1. School official designation. Tribe Consulting, LLC is designated as a “school official” with “legitimate educational interests” under 34 CFR §99.31(a)(1)(i)(B), performing institutional services or functions for which the Institution would otherwise use its own employees.
  2. Direct control. The Institution controls the scope of use and maintenance of education records by Tribe Consulting, LLC through configuration, administrative controls, and the instructions reflected in this DPA and the Terms of Use.
  3. Purpose limitation. Education records are processed solely to provide the accreditation evidence management services contracted by the Institution, not for advertising, independent profiling, or any other purpose.
  4. No redisclosure. Tribe Consulting, LLC will not redisclose personally identifiable information from education records except (a) back to the Institution, (b) to subprocessors bound by equivalent obligations and acting on the Institution’s behalf, (c) as instructed in writing by the Institution, or (d) as required by law.
  5. Subprocessor flow-down. Subprocessors with potential access to education records (listed on the Subprocessors page) are bound by written agreements imposing data-protection terms no less protective than this Addendum.
  6. Security measures. Encryption in transit (TLS 1.2+) and at rest; tenant isolation via row-level security; role-based access controls; immutable audit logging of evidence views, downloads, and exports; least-privilege production access; password breach-list checks (HIBP); MFA-ready authentication and SSO available on request.
  7. Breach notification. Tribe Consulting, LLC will notify the Institution without undue delay, and in any event within seventy-two (72) hours, of any confirmed unauthorized acquisition, access, use, or disclosure of education records.
  8. Return or destruction. Upon termination, the Institution may export its data; thereafter education records and related backups are destroyed within thirty (30) days, except where longer retention is required by law.
  9. Audit support. On reasonable written request, the Institution may obtain audit-log extracts covering its workspace and a summary of the security controls then in effect.
  10. Rights requests. Tribe Consulting, LLC will assist the Institution in responding to requests from parents, eligible students, or regulators to inspect, correct, or remove education records the Institution has uploaded.
  11. AI processing. Evidence flagged at upload as containing personally identifiable student records will not be sent to AI subprocessors unless the Institution has explicitly opted in through workspace settings.

Related Documents