Back home

Calmiverse · Policies

Data Processing Agreement

Last updated: April 21, 2026

This Data Processing Agreement ('DPA') applies when Calmiverse, Inc. ('Processor') processes Personal Data on behalf of a school, district, employer, or other organization ('Controller') that has signed up for Calmiverse. It is incorporated by reference into the Terms of Service. Individual families using Calmiverse directly do not need a DPA — their relationship is governed by our Privacy Policy.

1. Definitions

Capitalized terms have the meanings given in the GDPR, UK GDPR, CCPA/CPRA, FERPA, and COPPA, as applicable. "Personal Data" means any information relating to an identified or identifiable natural person processed by Calmiverse on behalf of the Controller.

2. Roles

The Controller determines the purposes and means of processing. Calmiverse acts as Processor (or Service Provider under the CCPA, or School Official under FERPA where applicable).

3. Scope & nature of processing

  • Subject matter: providing the Calmiverse service.
  • Duration: term of the underlying agreement plus deletion period.
  • Categories of data subjects: Controller's authorized end users (e.g., students, staff, parents).
  • Categories of Personal Data: account identifiers, age/grade, in-app activity (journal entries, mood, progress), technical/diagnostic data.

4. Processor obligations

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (Annex A).
  • Engage sub-processors only under written contracts with equivalent obligations (Annex B).
  • Assist the Controller with data-subject requests, DPIAs, and breach notifications.
  • Notify the Controller without undue delay of any Personal Data breach.
  • Delete or return Personal Data at the end of the engagement, at the Controller's choice.

5. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States, the parties agree to incorporate the EU Standard Contractual Clauses (Module 2) and the UK International Data Transfer Addendum, as applicable.

6. Audits

Calmiverse will make available information necessary to demonstrate compliance with this DPA, including a current SOC 2 / penetration-test summary on request, and will allow for audits subject to reasonable confidentiality and notice.

7. FERPA-specific terms (US schools)

For US K-12 customers, Calmiverse is designated as a "school official" with a "legitimate educational interest" under 34 CFR § 99.31(a)(1). Calmiverse will use student records only for the authorized educational purpose, will not re-disclose them except as permitted by FERPA, and is under the direct control of the school regarding the use and maintenance of such records.

8. CCPA / CPRA-specific terms

Calmiverse will not (a) sell or share Personal Data, (b) retain, use, or disclose Personal Data outside the direct business relationship, or (c) combine Personal Data with information received from other sources, except as permitted by the CCPA/CPRA.

9. Liability

Each party's liability under this DPA is subject to the limitations set out in the underlying Terms of Service.

10. Annexes

Annex A — Technical and Organizational Measures (encryption in transit and at rest, RBAC, logging, vulnerability management, incident response). Annex B — Approved Sub-processors (current list available on request from operations@sunrisingsolutions.com).

11. Signing this DPA

Controllers wishing to enter this DPA should email operations@sunrisingsolutions.com with their organization name and Calmiverse account email. We will counter-sign and return a PDF copy.

This document is provided for general informational purposes and does not constitute legal advice. Please consult a qualified attorney to confirm compliance with COPPA, GDPR-K, FERPA, and any applicable laws in your jurisdiction.