Data Processing Agreement

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to: child information, guardian contact details, staff information, and any other data processed through the KidsDaily platform.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

"Data Subject" means the individual to whom the Personal Data relates (children, parents/guardians, or staff members).

"Sub-processor" means any third party engaged by KidsDaily to process Personal Data on behalf of the Controller.

KidsDaily processes Personal Data solely for the purpose of providing the childcare management services described in our Terms of Service, including:

• Managing child enrollment and attendance records
• Facilitating parent-teacher communication
• Generating daily activity reports
• Processing billing and payments
• Storing and sharing photos and media
• Managing staff schedules and records
• Providing analytics and reporting to the Controller

3.1 Children

• Full name and date of birth
• Classroom and enrollment information
• Medical information (allergies, medications, conditions)
• Attendance records
• Photos and videos
• Daily activity and development reports

3.2 Parents/Guardians

• Full name and contact information
• Email address and phone number
• Billing and payment information
• Communication records
• Account credentials (hashed)

3.3 Staff Members

• Full name and contact information
• Employment role and classroom assignments
• Account credentials (hashed)
• Activity logs

The Controller (childcare center) agrees to:

• Ensure all Personal Data is collected lawfully and with appropriate consent from Data Subjects (or their legal guardians for children)
• Provide clear privacy notices to parents and staff about how their data will be processed
• Obtain necessary consents for photo and video collection and sharing
• Not upload any Personal Data that violates applicable laws or regulations
• Respond to Data Subject requests (access, correction, deletion) and inform KidsDaily when assistance is needed

KidsDaily agrees to:

• Process Personal Data only on documented instructions from the Controller, unless required by law
• Ensure that persons authorized to process Personal Data have committed to confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach
• Delete or return all Personal Data upon termination of services, at the Controller's choice
• Make available information necessary to demonstrate compliance with this DPA

KidsDaily implements the following technical and organizational measures to protect Personal Data:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Control: Role-based access controls with multi-factor authentication for administrative access
• Infrastructure Security: Hosted on SOC 2 Type II certified cloud infrastructure
• Network Security: Firewalls, intrusion detection, and regular vulnerability assessments
• Data Isolation: Logical separation of customer data with row-level security
• Backup & Recovery: Daily encrypted backups with tested recovery procedures
• Monitoring: 24/7 monitoring and logging of system access
• Employee Training: Regular security awareness training for all staff

The Controller authorizes KidsDaily to engage the following sub-processors:

KidsDaily will notify the Controller before adding or replacing sub-processors, giving reasonable time to object based on data protection grounds.

In the event of a Personal Data breach, KidsDaily will:

• Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
• Provide details of the breach including: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
• Cooperate with the Controller in investigating and remedying the breach
• Document all breaches, including remedial actions taken

KidsDaily will assist the Controller in fulfilling Data Subject requests including:

• Access: Providing copies of Personal Data
• Rectification: Correcting inaccurate data
• Erasure: Deleting data upon valid request
• Portability: Exporting data in a machine-readable format
• Restriction: Limiting processing in certain circumstances

The Controller is responsible for responding to Data Subject requests. KidsDaily provides tools within the platform to facilitate these requests.

During the subscription: Data is retained for the duration of the service agreement and accessible to the Controller.

Upon termination:

• The Controller may export all data within 30 days of termination
• After 30 days, KidsDaily will delete all Personal Data unless legally required to retain it
• Deletion will be complete within 90 days, including backups
• Upon request, KidsDaily will provide written certification of deletion

Personal Data may be transferred to and processed in the United States. For transfers from the European Economic Area (EEA), UK, or Switzerland, KidsDaily relies on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The UK International Data Transfer Agreement (IDTA) for UK transfers

Copies of the applicable transfer mechanisms are available upon request.

KidsDaily will make available to the Controller information necessary to demonstrate compliance with this DPA. This includes:

• Annual SOC 2 Type II audit reports (available upon request under NDA)
• Security questionnaire responses
• Evidence of security certifications

The Controller may conduct audits at its own expense with reasonable notice, during business hours, and subject to confidentiality obligations.

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. KidsDaily's aggregate liability for all claims arising under this DPA shall not exceed the amounts paid by the Controller in the twelve (12) months preceding the claim.

This DPA shall remain in effect for the duration of KidsDaily's processing of Personal Data on behalf of the Controller. Upon termination of the underlying service agreement, the provisions of this DPA relating to data deletion and confidentiality shall survive.

For questions about this DPA or to report data protection concerns:

• Email: privacy@mykidsdaily.com
• Address: KidsDaily, Inc., Privacy Team