Last Updated: Sep 12, 2025
This Data Processing Agreement (“DPA”) is an addendum to the Kiddo Terms of Service and is incorporated therein. It is entered into between Greater Than Gravity LLC d/b/a Kiddo (“Kiddo” or “Processor”) and the Center (Customer) that is using Kiddo’s Services (“Controller”). This DPA reflects the parties’ agreement with regard to the processing of Personal Data (defined below) that Kiddo performs on behalf of the Center, to help the Center provide services to families and children.
By using Kiddo’s platform as a Center, you agree to the terms of this DPA. In case of any conflict between the DPA and other agreements (like the Terms of Service) regarding processing of personal data, this DPA will prevail.
1. Definitions
- “Controller” means the entity (you, the Center) that determines the purposes and means of the processing of Personal Data. For purposes of privacy laws like GDPR, the Center is the Data Controller for the child and parent personal data that is entered into Kiddo for that Center’s purposes. (In certain contexts, a Parent could be considered a controller of their own personal data – but to simplify, we treat the Center as the primary decision-maker for enrollment data).
- “Processor” means the entity (Kiddo) that processes Personal Data on behalf of the Controller. Kiddo is a Data Processor (or “Service Provider” under CCPA) with respect to the Personal Data it handles on behalf of Centers via the Kiddo platform.
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly, by reference to data such as name, ID number, location data, online identifier, or factors specific to that person’s identity. For the purpose of this DPA, Personal Data specifically refers to personal information Kiddo processes on behalf of the Center, including information about Parents, children, and any other individuals (e.g., authorized pick-up persons) that the Center inputs or collects using Kiddo. We will refer to this as “Center Data” to avoid confusion – i.e., Center Data is the Personal Data that Controller provides to Kiddo for processing.
- “Services” means Kiddo’s waitlist and enrollment management software platform and related services that Kiddo provides to Center under the Terms of Service.
- “Applicable Data Protection Law” means all privacy and data protection laws and regulations that apply to the processing of Personal Data under this DPA. This includes, where relevant: the EU General Data Protection Regulation (GDPR) and UK GDPR, Canada’s PIPEDA, the California Consumer Privacy Act (as amended by CPRA) for service providers, Australia’s Privacy Act, New Zealand’s Privacy Act, and any laws implementing or supplementing the foregoing, as well as any applicable U.S. state privacy laws and federal COPPA for children’s data.
- Other terms like “processing”, “data subject”, “personal information”, etc., have the meanings given in the relevant laws or in the Terms of Service/Privacy Policy if not defined here.
2. Details of Processing
This section describes the key aspects of the processing Kiddo will perform on behalf of Controller as required by GDPR Art. 28 and similar laws:
- Subject Matter: Kiddo’s provision of the Services to Controller, which involves processing of Center Data.
- Nature and Purpose of Processing: Kiddo will process Center Data as needed to provide and support the Services, which include storing data, organizing it for display in the platform, transmitting communications (emails/SMS) to Parents as directed by the Center, facilitating billing, and other such processing as directed by Controller in its use of the Services. Additionally, Kiddo may process Center Data to troubleshoot, secure, and improve the Services (e.g., through data analytics or debugging), and to fulfill any legal requirements. Kiddo will not use Center Data for any other purpose except as permitted under the Terms or this DPA or as required by law. In particular, Kiddo will not “sell” Center Data or process it for marketing or other commercial purposes outside the scope of providing the Service.
- Duration: Kiddo will process Center Data for the duration of the Center’s use of the Services and until deletion of all Center Data in accordance with this DPA. Essentially, we process data as long as you are an active customer, and afterward we will return or delete data as described.
- Types of Personal Data: Center Data may include (depending on what Controller inputs/collects):
  - Parent/guardian personal details (name, contact info, address, etc.).
  - Child personal details (name, birthdate, gender, etc.), enrollment application information (schedule needs, notes, medical info if entered, etc.).
  - Family information related to childcare (e.g., information on siblings, emergency contacts).
  - Communication records between Center and Parent via Kiddo (messages, notes).
  - Payment information related to fees (excluding full payment card numbers, which are handled by Stripe, but possibly transaction amounts, last4 of card, etc.).
  - Any other data the Center chooses to collect via custom fields/forms in Kiddo (subject to Kiddo’s acceptable use, e.g., Center should not collect social security numbers or similar via Kiddo without approval).
- Categories of Data Subjects: Primarily Parents/Guardians of children, and the children themselves (their personal data, though children are not users of the service directly), as well as Center staff (if any staff personal data is stored, like a teacher’s name associated with a classroom). Also could include emergency contacts or authorized pickup persons if that data is managed through the platform.
- Controller’s Obligations: Controller confirms that it has the authority and appropriate legal basis to collect and transfer the Center Data to Kiddo for processing. For instance, the Center has obtained any necessary consents from Parents to input a child’s personal info into Kiddo. The Center is responsible for determining that the processing activities it instructs Kiddo to perform are lawful. Controller will comply with all laws applicable to Controller’s use of the Services (for example, providing any required privacy notices to Parents, honoring Parent requests regarding their data that Controller has access to, etc.).
3. Kiddo’s Obligations as Processor
When processing Center Data on behalf of Controller, Kiddo agrees to:
a. Act only on Instructions: Kiddo will only process Center Data on documented instructions from Controller, unless required otherwise by applicable law. The Terms of Service and this DPA (and use of the Service itself) constitute the Controller’s initial instructions to Kiddo. Kiddo may also act on direct requests from Center’s authorized users (e.g., if an admin uses a Kiddo feature, that action is an instruction to process data in that way). If a law requires Kiddo to process data beyond Controller’s instructions, Kiddo will inform Controller (unless the law forbids such notice). Kiddo will not “sell” or “share” Center Data for cross-context behavioral advertising or use it for any purpose other than providing services to Controller.
b. Confidentiality: Kiddo ensures that all persons (employees, contractors) authorized to process Center Data are under an appropriate duty of confidentiality. This is achieved through employment agreements and training; any person with access is required to keep data confidential and is instructed not to share or use data except as directed for the Service.
c. Security Measures: Kiddo will implement and maintain appropriate technical and organizational security measures to protect Center Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. (The specific security measures are described in our Privacy Policy Section 10 and may include encryption, access controls, etc.) At a minimum, Kiddo will meet the security requirements of applicable data protection laws (e.g., GDPR Art. 32). Kiddo regularly assesses and evaluates the effectiveness of these measures.
d. Subprocessors: Controller provides a general authorization for Kiddo to engage Subprocessors as needed to deliver the Services (e.g., hosting providers, email service, etc.). A “Subprocessor” is any third party engaged by Kiddo to process Center Data on Kiddo’s behalf. Kiddo will ensure any Subprocessor is bound by data protection obligations no less protective than those in this DPA (particularly regarding confidentiality, security, and data subject rights). Kiddo maintains a list of current Subprocessors in the Privacy Policy or on its website (e.g., AWS, Stripe, etc.). Kiddo will notify Controller of any intended addition of new Subprocessors that handle Center Data and give Controller the opportunity to reasonably object for legitimate grounds. If Controller does not object in writing within 10 days of receiving notice, the new Subprocessor will be deemed accepted. If Controller does object and the parties cannot resolve the objection (for example, by Kiddo suggesting an alternative subprocessor or taking on the processing directly), then Controller may have the right to terminate the Services for convenience (with a pro rata refund of any prepaid fees for unused services). Kiddo remains fully liable to Controller for the performance of Subprocessors it engages.
e. Assistance to Controller: Taking into account the nature of processing and the information available, Kiddo will reasonably assist Controller in fulfilling Controller’s obligations under Applicable Data Protection Law, including:
- Responding to Data Subject Requests: If a Parent or data subject sends a request to Kiddo to access, rectify, or erase Center Data, or to exercise any privacy right, Kiddo will (to the extent permitted by law) promptly inform the data subject to contact the Controller (Center) directly. Kiddo will not independently decide on such requests for Center Data; instead, we will notify Controller and await Controller’s instructions. Kiddo will assist Controller by providing available information or capabilities (through the Service or support channels) for Controller to fulfill the request. For example, Kiddo can help retrieve or delete specific data if technically possible. Controller is responsible for determining how to respond to the data subject (e.g., giving a parent a copy of their child’s records or confirming deletion). Kiddo will comply with reasonable instructions from Controller to execute such rights requests.
- Security and Breach Notification: Kiddo maintains security incident management policies. In the event Kiddo becomes aware of a personal data breach affecting Center Data, Kiddo will notify Controller without undue delay. Such notice will include (at least in preliminary form) details about the nature of the breach, affected data, and steps taken or recommended to address it. Kiddo will promptly investigate the breach and provide additional information as it becomes available. We will cooperate with Controller in any required notifications to authorities or individuals (Controller has the responsibility to notify under laws like GDPR or state breach laws, but Kiddo will assist by providing relevant information). Kiddo’s notification of a breach to Controller shall not be construed as an acknowledgement by Kiddo of any fault or liability with respect to the breach.
- Data Protection Impact Assessments: If Controller is required to perform a data protection impact assessment (DPIA) or consult with a regulator prior to processing (e.g., under GDPR Art. 35 or 36) regarding the use of Kiddo’s Services, Kiddo will provide reasonable cooperation and information to Controller upon request. This might include providing security and privacy documentation or answering questionnaires, to the extent the information is necessary for the DPIA and is within Kiddo’s control.
- Compliance: Kiddo will also generally assist Controller in ensuring compliance with obligations under Applicable Data Protection Law relating to the processing of Center Data, such as by making available information about our processing and allowing for audits, as described further below.
f. Audit and Compliance Demonstration: Kiddo shall make available to Controller all information reasonably necessary to demonstrate compliance with the obligations set forth in Article 28 of GDPR (or analogous provisions of other laws). This may include providing Controller with responses to security and privacy questionnaires, discussing our practices, and sharing third-party audit certifications or reports (like SOC 2, if available). Controller has the right to audit Kiddo’s compliance with this DPA, up to once per year and upon reasonable notice. Any such audit shall be conducted during normal business hours, in a manner that does not disrupt Kiddo’s operations. Controller may either conduct the audit itself or through an independent auditor mutually agreeable to both parties (with such auditor bound to confidentiality). Controller will bear any costs of the audit. Before any on-site audit, Controller and Kiddo will mutually agree on the scope, timing, and duration of the audit. Kiddo reserves the right to redact any information in the materials made available that is not relevant to Controller or that is Kiddo’s confidential information not related to the scope of this DPA. Instead of on-site audits, Controller may choose to rely on a third-party audit or certification that Kiddo has undergone (such as a SOC 2 Type II report or ISO certification) to satisfy itself of Kiddo’s compliance.
4. International Data Transfers
If Controller is subject to laws that restrict cross-border data transfers (such as GDPR), and Center Data is transferred outside of the jurisdiction (for example, transfer from the EEA to the U.S.), the parties agree to facilitate such transfers under appropriate safeguards:
- Standard Contractual Clauses (SCCs): By entering this DPA, the parties are deemed to have executed the European Commission’s Standard Contractual Clauses (SCCs) for transfers from Controller (as data exporter) to Processor (as data importer), including the UK International Data Transfer Addendum if applicable. Specifically, the 2021 SCCs for Controller-to-Processor (Module Two) are incorporated by reference. The details required by the SCCs (Appendix/Annex) are as follows: Annex I is fulfilled by the details in Section 2 of this DPA (Controller is data exporter, Kiddo is data importer; contact info of each party as per the main agreement; processing activities as described). Annex II (technical and organizational measures) is fulfilled by the description of security measures in Privacy Policy Sec. 10 and Section 3(c) of this DPA. Annex III (Subprocessors) – current Subprocessors are listed in the Privacy Policy or as provided to Controller (e.g., AWS, Stripe, etc.), and Controller consents to those.
- Where required, the parties will cooperate in good faith to execute or supplement additional transfer mechanisms or contractual terms necessary to legitimize international transfers, such as any updated SCCs or certification to frameworks (e.g., if a new EU-U.S. Data Privacy Framework is recognized as adequate, Kiddo will participate if feasible).
- Kiddo will, when handling EU/UK personal data, abide by the requirements of the SCCs, including if applicable: informing Controller if it receives government access requests, challenging overbroad or unlawful requests, and not disclosing data unless legally compelled.
- If the SCCs or other mechanism are invalidated, the parties will work together to find an alternative solution (like another lawful basis for transfer or additional safeguards).
5. Data Return and Deletion
- During the service term, Center personnel can access and retrieve Center Data stored in Kiddo (for example, by exporting lists or reports through the app). Kiddo encourages Controller to regularly back up its data outside the platform as needed.
- Upon termination or expiration of the Services, Controller may request return of Center Data. Kiddo can provide standard exports (likely in CSV or similar format) of key data upon written request made within a reasonable time prior to termination or within 30 days after.
- After such period, Kiddo will, upon Controller’s request or per the Terms, delete all Center Data from its systems, except to the extent retention is required by law or for legitimate business purposes as allowed (e.g., to maintain transaction records, to resolve disputes, or to comply with backup retention policies). If deletion is not feasible (for instance, archived in backups), Kiddo will instead ensure the data is archived and secured from further processing and will delete it when possible.
- Kiddo may retain anonymized or aggregated data that does not identify any individual or the Controller, for analytics and improvement purposes, even after deletion of personal data.
- Any deletion will be done in a secure manner (e.g., by overwriting and/or using secure erase).
- At Controller’s request, Kiddo can certify in writing that deletion has been completed. Alternatively, Controller may choose (in writing) to require return of data and then handle deletion itself.
6. Controller’s Responsibilities
Controller is responsible for:
- Compliance: Ensuring that the data processing instructions given to Kiddo are lawful. Controller will comply with all obligations applicable to it under data protection laws (e.g., providing privacy notices to individuals, obtaining consents where required – such as COPPA parental consent or consent for any sensitive data – and otherwise having a valid legal basis for the processing of Center Data via Kiddo).
- Data Quality: Inputting and maintaining accurate personal data in the system. If data is incorrect, Controller (or the Parent via the Center) should correct it. Kiddo provides tools to update records.
- Assessments: As noted, carrying out any required impact assessments or consultations. Kiddo will assist, but the ultimate obligation lies with Controller to ensure usage of Kiddo is compliant with its regulatory needs (for example, a school using Kiddo might need to consider FERPA in the U.S., etc.).
- Third-Party Use: If Controller allows any third party (like a consultant or integrated software) to access the Kiddo account or data, Controller is responsible for ensuring that third party’s compliance with equivalent data protection obligations.
- End-User Communications: Handling any communications or disputes with data subjects relating to the data processed. For example, if a parent complains about how their data is used in Kiddo, the Center should address it (with Kiddo’s help if needed).
7. CCPA Service Provider Addendum (if applicable)
Insofar as the California Consumer Privacy Act (as amended by CPRA) applies and Kiddo processes “Personal Information” on behalf of Controller, the parties acknowledge and agree that Kiddo is a “Service Provider” to Controller. Kiddo certifies it understands and will comply with the following:
- Kiddo shall not sell or share (for targeted advertising) the Personal Information processed on Controller’s behalf.
- Kiddo shall not retain, use, or disclose the Personal Information for any purpose other than providing the Services and as permitted by the Controller, or as otherwise allowed by CCPA.
- Kiddo shall not retain, use, or disclose the Personal Information outside of the direct business relationship between Kiddo and Controller.
- Kiddo shall not “combine” Personal Information it processes on behalf of Controller with personal info from other sources, except as allowed under CCPA (e.g., to perform a business purpose, or if done at Controller’s direction).
- If Kiddo receives a consumer request under CCPA (like a deletion request) directly, Kiddo will either act on behalf of Controller to fulfill it or inform the consumer to submit the request to Controller (generally we’ll do the latter as described earlier).
- Kiddo grants Controller the right to take reasonable steps to ensure Kiddo’s use of personal info is consistent with Controller’s obligations under CCPA, including through measures like the audits described above.
- Kiddo acknowledges that if it subcontracts to another “service provider” (subprocessor), it will have a contract with them that imposes the same restrictions.
If any term in this DPA (or the main Terms) would cause Kiddo to be deemed a “Third Party” under CCPA rather than a Service Provider, the parties agree to amend or interpret it to ensure Service Provider status. Both parties will comply with applicable sections of the CCPA in their respective roles.
8. Miscellaneous
- Liability: Each party’s liability under this DPA is subject to the exclusions and limitations of liability in the Terms of Service. The Center agrees that any regulatory fines or penalties incurred by Kiddo relating to Center Data that arise from or are attributable to Controller’s failure to comply with its obligations under this DPA or applicable law shall count toward any liability cap of Controller and not Kiddo. Conversely, any fines solely due to Kiddo’s negligence in its processor role (e.g., a data breach caused by Kiddo’s lack of security) would be Kiddo’s responsibility subject to the Terms.
- Termination: This DPA automatically terminates upon deletion of all Center Data by Kiddo after the end of Services, or upon termination of the Terms of Service, except for provisions that need to survive (confidentiality, data return/deletion obligations until fulfilled, etc.).
- Order of Precedence: In the event of any conflict between this DPA and the rest of the Terms of Service or Privacy Policy as they relate to the processing of Center Data, this DPA shall prevail. In case of conflict between this DPA and any Standard Contractual Clauses or mandatory law, the latter shall prevail in that narrow context.
- Amendments: Except as required by changes in law, any amendment to this DPA must be in writing and agreed by both parties. If any provision is invalid under law, the rest of the DPA remains effective, and the parties will negotiate a valid provision reflecting the intent.
- Governing Law: This DPA is governed by the same law and jurisdiction as the underlying Terms of Service, unless required otherwise by applicable data protection law (for instance, SCCs have EU law governing them by default).
By using the Kiddo Services as a Center, you are entering into this DPA with Kiddo. Kiddo’s address and contact for privacy matters is as listed in the Privacy Policy. The Center’s address and contact are as per the account registration details.