Skip to content
Sprout

Data Processing Addendum

Last updated: June 16, 2026

This Data Processing Addendum ("DPA") is part of the Terms of Service between Sprout Innovations LLC ("Sprout," "we," "us") and the customer that uses the Service ("Customer," "you"). It applies when we process personal data on your behalf. If any part of this DPA conflicts with the Terms about how personal data is processed, this DPA controls.

1. Definitions

Terms such as "personal data," "processing," "controller," "processor," "service provider," "sub-processor," and "data subject" have the meaning given in the data protection laws that apply to you, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Australian Privacy Act 1988 and the Australian Privacy Principles, and US state privacy laws such as the California Consumer Privacy Act as amended (CCPA). "Your Data" has the meaning given in the Terms.

2. Roles of the parties

For the personal data in Your Data, you are the controller (or business), and Sprout is the processor (or service provider) acting on your behalf. You are responsible for the lawful basis and any consents required to provide the personal data to us, including parental or guardian consent for information about children. We process personal data only to provide and support the Service and on your documented instructions, which include the Terms, this DPA, and your use of the Service's features.

3. Our commitments as processor

  • We process personal data only on your instructions, unless the law requires otherwise, in which case we will tell you where allowed.
  • We make sure the people who process personal data are bound by confidentiality.
  • We keep appropriate technical and organizational security measures, described in Annex 2.
  • We help you respond to data subject requests, taking into account the nature of the processing.
  • We help you with security, breach notification, and data protection assessments, as reasonably needed.
  • We will not sell or share personal data, and we will not use it for our own purposes outside providing the Service. For CCPA purposes, we act as a service provider.

4. Payment card data

Neither Sprout nor you store full payment card numbers within the Service. Card information is collected and stored by our payment sub-processor, Stripe, under your Stripe merchant account. Stripe is certified to the Payment Card Industry Data Security Standard (PCI DSS) that governs payment card data. This means card data stays within Stripe's certified environment and is not held in Sprout's systems or in your organization's records inside the Service.

5. Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, or disclosure. A summary is in Annex 2. No system is perfectly secure, but we work to keep our measures appropriate to the risk.

6. Sub-processors

You authorize us to use sub-processors to help provide the Service, including those listed in Annex 3. We impose data protection obligations on our sub-processors that are consistent with this DPA, and we remain responsible for their performance. If we add or replace a sub-processor, we will update Annex 3 and, where required, give you a chance to object on reasonable data protection grounds.

7. International transfers

We are based in the United States, and personal data may be processed there and in other countries where we or our sub-processors operate. Where personal data is transferred from the EU, UK, or Australia, we rely on recognized transfer mechanisms, such as the Standard Contractual Clauses or the UK International Data Transfer Addendum, which are incorporated into this DPA by reference where they apply.

8. Data subject requests

If we receive a request from one of your data subjects, we will, where allowed, direct them to you. We will provide reasonable help so you can meet your obligations to respond to requests to access, correct, delete, or otherwise act on personal data.

9. Personal data breaches

If we become aware of a breach of security leading to the unlawful destruction, loss, alteration, or unauthorized disclosure of personal data we process for you, we will notify you without undue delay and provide the information you reasonably need to meet your own notification duties.

10. Audits

On reasonable request, we will give you information needed to show our compliance with this DPA. Where data protection law gives you an audit right, we will allow audits on reasonable prior notice, during business hours, no more than once a year unless required by a regulator, and subject to confidentiality.

11. Return and deletion

When the Service ends, we will make Your Data available for export for a reasonable period as described in the Terms, and then delete it, unless the law requires us to keep it.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms.


Annex 1: Details of processing

  • Subject matter: our provision of the Service to you.
  • Duration: for as long as you use the Service, plus any export and deletion period in the Terms.
  • Nature and purpose: hosting and processing personal data to run class and enrollment management, scheduling, attendance, billing, and communication features.
  • Types of personal data: names and contact details of your staff, parents and guardians, and students (who may be children); enrollment, schedule, and attendance records; messages and communication history; billing and payment records (but not full card numbers, which Stripe holds); and the recipients and content of text messages you send.
  • Categories of data subjects: your staff and authorized users, the parents and guardians of enrolled families, and the children enrolled at your facility.

Annex 2: Security measures

  • Encryption of data in transit, and at rest where supported by our infrastructure.
  • Access controls and authentication, with role-based permissions you manage for your users.
  • Use of reputable cloud infrastructure with physical and network security.
  • Payment card data handled only by Stripe, a PCI DSS certified provider, never stored by Sprout.
  • Logging and monitoring designed to detect and respond to issues.
  • Confidentiality obligations for personnel who handle personal data.

Annex 3: Sub-processors

  • Stripe for payment processing and storage of payment card data.
  • Our SMS provider for sending text messages you initiate.
  • Cloudflare for hosting and delivery.
  • Our email and support tools, used to communicate with you and your users.

Contact

Questions about this DPA? Email us at hello@enrollwithsprout.com.