Student data protection

Data Processing Agreement

Last updated: 4 April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Bloom AI Pty Ltd ("Bloom", "Processor") and the educational institution or Space Owner ("Institution", "Controller") that has accepted Bloom's Terms and Conditions.

1. Definitions

Capitalised terms not defined here have the meanings given in Bloom's Terms and Conditions and Privacy Policy.

  • "Personal Data" means any information relating to an identified or identifiable natural person, including Education Records and Student Data.
  • "Education Records" means records directly related to a student that are maintained by an educational agency or institution, or by a party acting for such agency or institution, as defined under FERPA (20 U.S.C. § 1232g).
  • "Student Data" means Personal Data of students who access the Services through the Institution, including student-generated content such as conversations, quiz responses, and written work.
  • "Controller" means the Institution that determines the purposes and means of processing Personal Data.
  • "Processor" means Bloom AI Pty Ltd, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by Bloom to process Personal Data on behalf of the Controller.
  • "School Official" means a party to whom the Institution has outsourced institutional services or functions for which the Institution would otherwise use employees, under 34 CFR § 99.31(a)(1).
  • "De-identified Data" means data from which all direct and indirect identifiers have been removed, with a commitment not to attempt re-identification.
  • "Data Breach" means any unauthorised access to, acquisition of, disclosure of, or loss of Personal Data.

2. Scope and purpose of processing

Categories of data subjects

  • Students (including minors) enrolled in the Institution's Teaching Space
  • Educators and staff of the Institution
  • Administrators managing the Institution's Teaching Space

Types of Personal Data processed

  • Account information: Names, email addresses, roles, authentication identifiers
  • Student-generated content: AI tutor conversations, quiz responses, canvas/essay work, uploaded documents
  • Usage data: Pages visited, features used, message counts (anonymised in analytics)
  • Technical data: IP addresses, device type, browser type

Purpose of processing

Bloom processes Personal Data solely to provide and improve the educational tutoring Services described in the Terms and Conditions. Bloom shall not process Personal Data for any purpose other than as instructed by the Controller or as permitted by this DPA.

Duration of processing

Processing continues for the duration of the service agreement between the Institution and Bloom, plus any retention period described in Section 9.

3. FERPA compliance

This section applies when the Institution is a US educational agency or institution subject to the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99).

3.1 School Official designation

The Institution designates Bloom as a "School Official" with a "legitimate educational interest" under 34 CFR § 99.31(a)(1)(i)(B). Bloom performs an institutional service or function for which the Institution would otherwise use its own employees, is under the direct control of the Institution with respect to the use and maintenance of Education Records, and is subject to the requirements of 34 CFR § 99.33(a) governing the use and re-disclosure of personally identifiable information from Education Records.

3.2 Purpose limitation

Bloom shall use Education Records solely for the purpose of providing the educational tutoring Services. Bloom shall not use Education Records for any commercial purpose, including advertising, marketing, or building user profiles for non-educational purposes.

3.3 Re-disclosure prohibition

Bloom shall not disclose Education Records to any third party except to Sub-processors listed in Section 7 that are bound by equivalent obligations, or as required by law. Sub-processors receive only the minimum data necessary to perform their function, and personally identifiable information is not shared with analytics providers.

3.4 No sale of Student Data

Bloom does not sell, rent, or trade Student Data or Education Records. Bloom does not use Student Data for targeted advertising.

3.5 Parent and eligible student access

Bloom shall cooperate with the Institution to facilitate parental and eligible student access to Education Records upon request, and shall not act as a barrier to the exercise of FERPA rights.

4. COPPA compliance

This section applies when students under the age of 13 access the Services through the Institution, subject to the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506).

4.1 School consent

The Institution consents on behalf of parents and guardians to Bloom's collection and use of student Personal Data solely for educational purposes, in accordance with the COPPA school consent exception. The Institution warrants that it has the authority to provide this consent and has provided appropriate notice to parents.

4.2 Data minimisation

Bloom collects only the Personal Data reasonably necessary to provide the educational Services. Bloom does not condition a child's participation on providing more information than is necessary.

4.3 Parental rights

Parents retain the right, exercised through the Institution, to review their child's Personal Data, request corrections, and request deletion. Bloom shall facilitate such requests within 10 business days.

4.4 Access restrictions

Users under 13 may not create accounts independently and may only access Bloom via an institutional invite. Users under 13 are prohibited from using Guest Chat.

5. GDPR compliance (Article 28)

This section applies when the Institution is subject to the EU General Data Protection Regulation (Regulation 2016/679) or the UK GDPR.

5.1 Processing on instructions

Bloom shall process Personal Data only on documented instructions from the Controller, including with regard to international transfers. If Bloom believes an instruction infringes applicable data protection law, it shall inform the Controller without delay.

5.2 Confidentiality

Bloom ensures that all persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security measures

Bloom implements appropriate technical and organisational measures as described in Section 6, in accordance with Article 32 of the GDPR.

5.4 Sub-processor obligations

Bloom shall not engage a Sub-processor without the Controller's prior general written authorisation. Bloom maintains a current list of Sub-processors (Section 7) and shall notify the Controller at least 30 days before adding or replacing a Sub-processor, giving the Controller the opportunity to object. Sub-processors are bound by equivalent data protection obligations.

5.5 Data subject rights assistance

Bloom shall assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, and objection) within 10 business days.

5.6 Deletion or return

At the Controller's choice, Bloom shall delete or return all Personal Data after the end of the Services, as described in Section 9.

5.7 Audit rights

Bloom shall make available all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, as described in Section 12.

6. Data security measures

Bloom implements the following technical and organisational security measures to protect Personal Data. For more detail, see our Security page.

| Category | Measures |
|---|---|
| Encryption | TLS 1.2+ in transit; AES-256 at rest (Google Cloud default encryption) |
| Access controls | Role-based access, principle of least privilege, multi-factor authentication for administrative access |
| Network security | Google Cloud Armor (DDoS protection, WAF), load balancer with default Cloud Run URL disabled |
| Application security | Auth0 session-based authentication, server-side authorisation checks, input validation and sanitisation, content moderation filters |
| Data segregation | Logical separation of Teaching Space data via Firestore document-level security and role-based permission checks |
| Monitoring | Google Cloud audit logging, error reporting, application-level logging (secrets excluded) |
| Analytics privacy | Analytics requires user consent; all text inputs masked in session recordings; student email addresses not shared with analytics providers |
| Infrastructure | Google Cloud Platform (SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018 certified); ephemeral container filesystem (no data persisted on compute instances) |

7. Sub-processors

Bloom uses the following Sub-processors to deliver the Services. By accepting this DPA, the Controller provides general written authorisation for Bloom to engage these Sub-processors. Bloom will notify the Controller at least 30 days before adding or replacing a Sub-processor.

| Sub-processor | Entity | Location | Purpose | Data processed |
|---|---|---|---|---|
| Google Cloud Platform | Google LLC | US / Australia | Cloud infrastructure, database (Firestore), file storage | All service data |
| Auth0 | Okta, Inc. | US | Authentication and single sign-on | Names, emails, authentication credentials |
| Azure OpenAI Service | Microsoft Corp. | US / Australia | Primary AI model inference for tutoring | Conversations, prompts (not used for model training) |
| OpenAI | OpenAI, LLC | US | Alternative AI model inference | Conversations, prompts (not used for model training) |
| Google Vertex AI | Google LLC | Australia | Alternative AI model inference | Conversations, prompts (not used for model training) |
| Azure Cognitive Services | Microsoft Corp. | Australia | Text-to-speech | Voice interaction data |
| Neo4j Aura | Neo4j, Inc. | US | Knowledge graph and vector search for content retrieval | Educational content embeddings |
| Stripe | Stripe, Inc. | US | Payment processing and subscription management | Billing information, names, emails of paying users |
| PostHog | PostHog, Inc. | US | Product analytics and feature flags (consent-based) | Anonymised usage data; text inputs masked |
| Loops | Loops, Inc. | US | Transactional and onboarding email | Names, email addresses |
| Microsoft Graph | Microsoft Corp. | US | Transactional email delivery | Names, email addresses |
| Cloudflare | Cloudflare, Inc. | US / Global | CDN, DDoS protection, bot verification | IP addresses, page request metadata |

Objection to Sub-processor changes

If the Controller objects to a new Sub-processor within 30 days of notification, Bloom shall work in good faith to make a reasonable change to the Services to avoid processing by the objected-to Sub-processor. If no such change is reasonably available, either party may terminate the affected Services without penalty.

8. Data breach notification

8.1 Notification timeline

Bloom shall notify the Controller of a confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach.

8.2 Content of notification

The breach notification shall include, to the extent known:

  • The nature of the breach (what happened)
  • Categories and approximate number of data subjects and records affected
  • Contact details of Bloom's privacy contact
  • Description of the likely consequences
  • Description of measures taken or proposed to address and mitigate the breach

8.3 Cooperation

Bloom shall cooperate with the Controller in investigating and remediating the breach, assist with any required regulatory notifications, and preserve evidence related to the breach.

9. Data deletion and return

9.1 Upon termination

Upon termination or expiration of the service agreement, at the Controller's election:

  • Data export: Bloom shall make Personal Data available for export in a structured, commonly used, machine-readable format within 30 days of termination.
  • Deletion: Bloom shall delete all Personal Data from active systems within 30 days after termination (or after the export period). Encrypted backups are purged within 90 days as backup rotation cycles complete.

9.2 During the agreement

The Controller may request deletion of specific records at any time. Students and parents may request deletion of their data through the Institution. Bloom shall fulfil such requests within 30 days.

9.3 De-identified and aggregated data

Bloom may retain de-identified, aggregated data after termination, provided it cannot reasonably be used to identify any individual. Bloom commits to not attempting re-identification.

9.4 Certification of deletion

Upon request, Bloom shall provide written confirmation that all Personal Data has been deleted in accordance with this section.

10. Data subject rights

Bloom shall assist the Controller in responding to data subject and parental rights requests, including:

  • Right of access: Provide copies of Personal Data held about a data subject.
  • Right of rectification: Correct inaccurate Personal Data upon instruction.
  • Right of erasure: Delete Personal Data upon instruction, subject to legal retention requirements.
  • Right to data portability: Export data in a structured, commonly used, machine-readable format.
  • Right to restriction: Restrict processing upon instruction from the Controller.

Bloom shall respond to the Controller's data subject rights requests within 10 business days to allow the Controller sufficient time to meet its own regulatory deadlines.

11. AI-specific provisions

11.1 No training on Student Data

Student Data, including conversations, quiz responses, and written work, is not used to train, fine-tune, or improve Bloom's AI models or any third-party AI models, unless the Controller has explicitly opted in via the Improvement Data Toggle in their Teaching Space settings. Paid plans have this toggle OFF by default.

11.2 Third-party AI provider commitments

All AI model providers listed in Section 7 (Azure OpenAI, OpenAI, Google Vertex AI) operate under API data processing terms that prohibit the use of customer input and output data for model training. Specifically:

  • Azure OpenAI Service: Customer data is not used to train or improve Microsoft or third-party models (per Azure OpenAI data, privacy, and security documentation).
  • OpenAI API: API data is not used to train OpenAI models (per OpenAI API data usage policy, effective since March 2023).
  • Google Vertex AI: Customer data is not used to train Google models (per Google Cloud data processing terms).

11.3 No automated consequential decisions

Bloom's AI provides educational assistance, feedback, and tutoring support. It does not make consequential decisions about students (such as grades, admissions, or disciplinary actions) without human review. Under GDPR Article 22, data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

11.4 Data minimisation in AI processing

Bloom sends only the minimum data necessary to AI providers for inference. Personally identifiable information is not included in prompts where it is not required for the educational interaction.

12. Audit and compliance

12.1 Right to audit

The Controller has the right to verify Bloom's compliance with this DPA. Bloom shall make available compliance documentation upon reasonable request. Where available, Bloom will provide third-party audit reports or certifications in lieu of on-site audits.

12.2 Infrastructure certifications

Bloom's primary infrastructure provider (Google Cloud Platform) maintains the following certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and FedRAMP. These certifications cover the infrastructure on which Bloom operates.

12.3 Compliance with applicable laws

Bloom complies with applicable data protection laws including the Australian Privacy Act 1988 (Cth), FERPA, COPPA, the EU GDPR, the UK GDPR, and applicable US state student privacy laws (including California SOPIPA, New York Education Law 2-d, Illinois SOPPA, and others as applicable).

13. International data transfers

Bloom hosts data primarily on Google Cloud in Australia. Where Personal Data of EEA or UK residents is transferred outside the EEA or UK, Bloom relies on:

  • Standard Contractual Clauses (2021) approved by the European Commission;
  • UK International Data Transfer Addendum;
  • Supplementary measures including encryption in transit and at rest, access controls, and audit logging.

Bloom has appointed DataRep as its EU and UK representative. Contact details are available in the Privacy Policy.

14. Term and termination

14.1 Term

This DPA is effective from the date the Controller accepts Bloom's Terms and Conditions and continues for the duration of the service agreement.

14.2 Termination for breach

Either party may terminate this DPA if the other party materially breaches its obligations and fails to cure the breach within 30 days of written notice. The Controller may terminate immediately if Bloom can no longer meet its data protection obligations.

14.3 Survival

Sections 3 (FERPA), 4 (COPPA), 8 (Breach notification), 9 (Deletion), and 12 (Audit) survive termination of this DPA.

15. Contact

For questions about this DPA, data protection requests, or to report a data breach:

Bloom AI Pty Ltd ACN 671 399 107
Email: privacy@bloom.study
Address: 425/1 Hutchinson Walk, Zetland NSW 2017, Australia

To request a signed copy of this DPA for your institution, contact legal@bloom.study with your institution name and contact details.