Data Processing Agreement

Last Updated: April 28, 2026

For institutional partners only. A Data Processing Agreement (DPA) is executed with each higher-education institution that contracts with Quarlo. Individual consumer users are not covered by a DPA — your data rights are described in our Privacy Policy.

1. What Is a DPA

A Data Processing Agreement is a legally binding contract between Quarlo Software LLC ("Quarlo") and a partner institution ("Institution" or "Controller") that governs how Quarlo processes student education records on the Institution's behalf. It documents Quarlo's obligations as a "school official" with a "legitimate educational interest" under FERPA §99.31(a)(1), as well as data security, retention, sub-processor, and breach-notification commitments. The summary below mirrors the operative terms of Quarlo's standard DPA template.

2. Standard DPA Template — Operative Terms

The following are the standard clauses that appear in Quarlo's template DPA. Institutions may redline against their own template; we will execute reasonable modifications. The structure below is provided for procurement review.

2.1 Roles and Definitions

Quarlo acts as a Service Provider / Processor with respect to Personal Information that the Institution discloses to Quarlo or that Quarlo collects from the Institution's users in the course of providing the Service. The Institution is the Business / Controller. Quarlo's school-official designation under FERPA is incorporated by reference from the Master Subscription Agreement ("MSA").

2.2 Scope and Purpose

Quarlo will process Personal Information only to deliver the Service to the Institution and its authorized users (interview preparation, related career-readiness features, and platform administration), and only as instructed in writing by the Institution. Quarlo will not use Personal Information to build advertising profiles or for any purpose unrelated to the Service.

2.3 Categories of Personal Information

  • Authentication identifiers (institutional email, name)
  • Resume content uploaded by the user
  • Job and employer information added by the user
  • AI-generated interview-prep outputs
  • Voluntarily-submitted community contributions (interview questions)
  • Voice recordings during interview practice (deleted within 24 hours; transcripts retained)
  • Service usage logs (page views, feature use, access times)
  • IP address (for security and rate limiting)

2.4 Sub-processor Categories

Quarlo engages the following categories of sub-processors. The current legal names of each sub-processor in each category are disclosed to the Institution as part of contract execution and on request thereafter; named lists are not posted publicly. Quarlo flows down obligations to each sub-processor that are at least as protective as those in this DPA.

Category | Purpose | Region
Database, Authentication, and Storage | Primary data store for accounts, resumes, preps, contributions; encrypted at rest and in transit | United States
Application Hosting | Web hosting and serverless function execution | United States
Language Model Provider (Primary) | AI generation of prep content; zero/short-retention API terms; no model training on submitted data | United States
Language Model Provider (Backup) and Speech-to-Text | Fallback LLM inference and transcription of practice audio; no retention beyond request | United States
Embedding Service | Vector embeddings for semantic search over de-identified text | United States
Company Research API | Public-source company and interview-process research using non-personal queries only | United States
Transactional Email | Account verification, password reset, notification delivery | United States
Error Monitoring | Application reliability and incident response | United States

Quarlo will provide at least 30 days' advance written notice of any change in sub-processor category or any addition of a new category. The Institution may object to a proposed change within that period; if a reasonable accommodation cannot be reached, the Institution may terminate the affected Service for material breach without penalty.

2.5 Security Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls with least-privilege defaults
  • Row-level security at the database tier
  • Audit logging of administrative actions
  • Vendor risk management for sub-processors (SOC 2 Type II or equivalent for primary infrastructure)
  • Incident response plan with defined containment, notification, and post-incident review steps
  • Regular security review of dependencies and configuration

2.6 Audit and Attestation Rights

The Institution may, no more than once per year and on at least 30 days' advance written notice, request (a) Quarlo's most recent third-party security assessment or attestation; (b) Quarlo's written responses to a reasonable security questionnaire (HECVAT or equivalent); and (c) for cause arising from a Security Incident affecting the Institution's data, an audit conducted by an agreed independent assessor at the Institution's expense, subject to reasonable confidentiality and operational protections.

2.7 Breach Notification

Quarlo will provide an initial notification within 72 hours of discovering a Security Incident affecting Personal Information processed under this DPA, with a preliminary description of the incident, the categories of data affected, and immediate containment steps. A formal written report will follow without undue delay and will include all information the Institution reasonably needs to satisfy any statutory deadline under applicable state breach-notification law (FERPA itself does not impose a deadline; state law and the Institution's obligations control). See the FERPA Compliance page for the breach-report contents.

2.8 Data Retention, Return, and Destruction

  • While the contract is active, Personal Information is retained for the lifetime of the user's account, subject to user-controlled deletion.
  • Audio recordings from interview practice are deleted within 24 hours of transcription. Only the text transcript and analytical scores are retained thereafter.
  • On contract termination or account deletion, Personal Information is deleted from production systems within 30 days, subject to a rolling 90-day backup-retention window cleared on its own cycle.
  • Anonymized community contributions (interview question text with all personal identifiers removed) may be retained in the shared community corpus consistent with the Terms of Service §5.2 license grant. Institutions may contractually require full removal in lieu of anonymized retention.
  • Data return on request — before termination, Quarlo will provide an export of institutional student data in a reasonable structured format on Institution request.

2.9 GDPR Article 28 Addendum

For institutions with EEA, UK, or Swiss data subjects, a GDPR / UK GDPR Article 28 processor addendum is available on request. The addendum incorporates the European Commission's 2021 Standard Contractual Clauses and the UK International Data Transfer Addendum where the Institution requires them.

2.10 State-Specific Addenda and NDPA Compatibility

Quarlo's standard DPA is designed to comply with applicable U.S. state student-data-privacy laws on a substantive basis — including, without limitation, New York Education Law §2-d and 8 NYCRR Part 121, California SOPIPA (Cal. Bus. & Prof. Code §22584), and Illinois SOPPA (105 ILCS 85/) — through clauses on purpose limitation, prohibition of targeted advertising and non-educational student profiles, prohibition of sale of student data, security, deletion on request, breach notification, and sub-processor disclosure in the signed DPA. Where an Institution's procurement office requires a state-specific addendum, a published supplement, or terms aligned with the Student Data Privacy Consortium's National Data Privacy Agreement (NDPA), Quarlo will execute the Institution's required addendum or an equivalent at contract execution.

A Parents' Bill of Rights for Data Privacy and Security supplement, formatted to satisfy the SUNY/CUNY and broader NY public-system requirements under §2-d, is available to Institutions pre-execution on request to legal@quarlo.co.

2.11 Insurance

Quarlo maintains commercially reasonable cyber liability and technology errors-&-omissions insurance coverage. Specific coverage amounts and certificate-of-insurance availability are confirmed during contract execution.

2.12 Term and Survival

This DPA is effective from execution and remains in force for the term of the MSA, including any renewal. Sections governing breach notification, data return and destruction, audit cooperation, and confidentiality survive termination to the extent necessary to give effect to the parties' obligations regarding Personal Information processed prior to termination.

3. Requesting a Signed DPA

The terms above are Quarlo's standard. We expect institutional procurement offices to redline the document against their own template, and we will negotiate in good faith. To request a signed DPA:

  1. Email legal@quarlo.co with subject "DPA Request — [Institution Name]"
  2. Include your institution's name, state, and primary contact for legal review
  3. Indicate any state-specific addenda required (e.g., NY §2-d Parents' Bill of Rights, NDPA, CA SOPIPA, IL SOPPA)
  4. We will respond within 5 business days with a draft DPA

See also our FERPA Compliance page for additional context on FERPA-specific commitments.

Note: The terms summarized above are subject to mutual execution. The signed DPA is the operative legal instrument; this page is descriptive and is not itself a binding contract.