Legal
Data Processing Agreement
Effective date: May 1, 2026. Last reviewed: May 2026.
This Data Processing Agreement (“DPA”) describes how Tendril (operated by Neural Forge, Inc.) processes personal data on behalf of schools, districts, libraries, and other institutional customers (“Customer” or “Controller”). It supplements any master service agreement or order form between the Customer and Tendril. By using the Tendril institutional product, the Customer agrees to the terms of this DPA.
Scope
This DPA applies to all personal data of students, staff, and other individuals that Tendril processes in connection with providing the Tendril educational platform to the Customer. It covers data collected through managed account creation, learning activity tracking, teacher dashboards, and any other features made available under the Customer’s institutional agreement.
This DPA does not cover data that individuals submit independently through public Tendril accounts outside of the Customer’s managed environment.
Data Controller / Processor
The Customer acts as the Data Controller — the institution that determines the purposes and means of processing personal data of its students and staff.
Tendril acts as the Data Processor — processing personal data only on documented instructions from the Controller and only to the extent necessary to deliver the contracted educational services.
Tendril will not process personal data for its own commercial purposes, sell learner data, or use it for behavioral advertising. Tendril will promptly inform the Customer if it believes an instruction violates applicable data protection law.
Processing Activities
Tendril processes the following categories of data on behalf of the Customer:
| Category | Examples | Purpose |
|---|---|---|
| Account identifiers | Name, email, grade level, role | Account creation and authentication |
| Learning records | Lesson completions, quiz scores, certificates, bookmarks | Progress tracking and teacher dashboards |
| Preference data | Reading mode, notification settings, tier selection | Personalized learning experience |
| Operational logs | Server access logs, error logs | Security monitoring and reliability (retained ≤ 90 days) |
Security Measures
Tendril implements technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher. Plain-text HTTP connections are redirected to HTTPS.
- Encryption at rest:Databases are encrypted at rest using AES-256 via Supabase’s managed infrastructure.
- Access control: Role-based access controls (RBAC) limit data access to personnel with a documented need. Tendril employees do not access individual student records except for contracted support, security incidents, or legal compliance.
- Authentication: Multi-factor authentication is available for administrator accounts. Passwords are hashed with bcrypt. Supabase Row Level Security (RLS) enforces data isolation at the database layer.
- Audit logging: Significant data access and account modification events are logged and retained for security review.
- Vendor management: All sub-processors are bound by data processing agreements and are evaluated for their security practices.
- Incident response: Tendril maintains an incident response plan and will notify the Customer of any confirmed data breach affecting their institution within 72 hours of discovery.
Sub-Processors
Tendril engages the following sub-processors to deliver the service. Each sub-processor is permitted to process Customer data only as needed for the specified purpose:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting and edge network | US (global edge) |
| Supabase | Database, authentication, and account storage | US |
| Vercel Blob | Static asset and media storage | US |
| Resend | Transactional email delivery (account notifications) | US |
Learner-identifiable data is notsent to AI model providers (Anthropic, OpenAI, Google) as part of the lesson experience. AI providers see only the curriculum-generation prompts written by Tendril’s editorial team. Tendril will provide at least 30 days notice of material changes to this sub-processor list.
Data Subject Rights
When Tendril receives a request from a data subject (student, parent, or eligible student) regarding their rights — such as access, correction, export, or deletion — Tendril will promptly notify the Customer and provide reasonable assistance so that the Customer can fulfill the request within applicable legal timeframes.
School administrators can fulfill many data subject requests directly through the Teacher Dashboard (export, account deactivation, deletion). For requests that require Tendril’s direct action, we will complete them within 30 days of a verified written request.
Contact
To request a signed copy of this DPA, ask questions about processing activities, or report a concern, contact the Tendril privacy team:
- Email: hello@neural-forge.io
- Subject line: DPA request — [Institution Name]
We will respond within 5 business days. Complex institutional negotiations or state-specific addenda may require additional time.