Terms of Service & Data Processing Agreement
This document combines (A) Terms of Service for institutional use of InternationalGPA.com and (B) a Data Processing Agreement ("DPA") describing how we handle institutional and student data.
Part A: Terms of Service
Governing access to and use of InternationalGPA.com
These Terms of Service ("Terms") govern access to and use of InternationalGPA.com (the "Service") provided by Insight Digital Agency LLC ("Provider", "we", "us", "our") to a subscribing educational institution or organization ("Customer", "you", "your").
By using InternationalGPA.com, you agree to these Terms. If you have a separate written agreement with us covering the Service, that agreement will control to the extent of any conflict.
InternationalGPA.com is a cloud-delivered SaaS application that enables international admissions and credential evaluation teams to convert international grades and credentials into U.S.-style GPAs and to use those results in admission, scholarship, and related workflows.
We may update the Service from time to time, including by adding, modifying, or removing features, provided we do not materially reduce core functionality during a paid subscription term without reasonable notice.
- You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account.
- You must ensure that only authorized personnel access the Service and that they use it in accordance with these Terms and applicable law.
- You must not share login credentials or permit unauthorized use or resale of the Service.
If you become aware of unauthorized access or suspicion of compromise, you must promptly notify us.
You may use the Service only for lawful purposes and in accordance with these Terms. You may not:
- Use the Service in any manner that could damage, disable, or impair it or interfere with others' use;
- Attempt to gain unauthorized access to the Service or related systems;
- Use the Service to store or transmit content that is unlawful, infringing, or that violates privacy rights;
- Reverse engineer, decompile, or create derivative works of the Service except to the extent permitted by law.
All content and software associated with InternationalGPA.com are owned by Insight Digital Agency or its licensors and are protected by intellectual property laws. You receive a non-exclusive, non-transferable, revocable license to use the Service during your subscription, solely for your internal educational and administrative purposes.
You obtain no ownership rights in the Service.
Fees, billing terms, and subscription duration are set forth in your order or agreement.
Unless otherwise specified:
- Subscriptions renew according to the agreed billing cycle.
- To cancel, you must email Support@InternationalGPA.com at least 31 days before your next billing date; access continues until the end of the then-current billing period, and no refunds are provided for partially used terms.
If technical issues materially prevent use of the Service, you must notify us within one business day at the support address for troubleshooting.
Certain services are delivered by third parties under contract; by using the Service, you authorize us to share necessary information with such providers to deliver the functionality you request (e.g., hosting, email delivery).
We will use commercially reasonable efforts to provide the Service in a professional and workmanlike manner and to maintain reasonable administrative, physical, and technical safeguards to protect data as described in our Information Security Policy and this DPA.
Except as expressly stated:
- The Service is provided "as is" and "as available", without additional warranties of any kind, whether express, implied, statutory, or otherwise, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
To the maximum extent permitted by law:
- Neither party will be liable for any indirect, incidental, consequential, or punitive damages arising out of or related to the Service or these Terms, even if advised of the possibility of such damages.
- Each party's aggregate liability arising out of or relating to the Service or these Terms will not exceed the fees paid or payable by Customer for the Service during the twelve (12) months preceding the event giving rise to the claim.
Some jurisdictions do not allow certain limitations, so parts of this section may not apply in all situations.
These Terms apply for as long as you have an active subscription to the Service.
We may suspend or terminate access if:
- You materially breach these Terms and do not cure within a reasonable period after notice;
- Your use presents a security or legal risk; or
- Required by law.
Upon termination, your right to use the Service ceases, and data handling will follow the Data Return and Deletion provisions in the Data Processing Agreement below.
Unless otherwise agreed in writing, these Terms are governed by the laws of the State of Kansas, excluding conflict-of-law rules, and disputes will be resolved in the appropriate courts of that State.
We may update these Terms from time to time. When we do, we will:
- Revise the "Last updated" date, and
- Where changes are material, provide reasonable notice (for example, via email or in-app notification).
Part B: Data Processing Agreement (DPA)
This DPA forms part of the Terms when the Customer is an educational institution or similar organization providing student/applicant data for processing.
- "Customer Data" means all data submitted to the Service by or on behalf of Customer, including Student Data and staff data.
- "Student Data" means education records and related personal data about students and applicants processed by the Service (e.g., GPA, course history, identifiers).
- "Institutional User Data" means personal data about Customer's staff who use the Service.
- "Controller" / "data controller" and "Processor" / "data processor" have the meanings given in GDPR, as applicable.
- "FERPA" means the U.S. Family Educational Rights and Privacy Act.
Customer is the Controller of Student Data; Provider acts as Processor and, in the FERPA context, as a "school official" with legitimate educational interest.
- Subject-matter: Processing of Student Data and Institutional User Data to provide the InternationalGPA.com Service.
- Duration: For the term of Customer's subscription and any data retention period agreed or required by law.
- Nature and purpose: Hosting and processing data to calculate GPA conversions, support admission/scholarship workflows, generate reports, and provide related analytics and support.
Provider will process Customer Data only:
- On documented instructions from Customer (including via configuration of the Service and this DPA); and
- As required to comply with applicable law.
If we believe an instruction violates applicable law, we will inform Customer unless prohibited by law.
Provider will:
- Use Student Data only for purposes permitted by Customer and FERPA;
- Not disclose Student Data to third parties except as permitted under FERPA (e.g., to sub-processors acting as our agents) and this DPA;
- Adhere to the core principles of GDPR/UK GDPR for applicable data subjects, including transparency, security, and data minimization.
Provider will ensure that persons authorized to process Customer Data:
- Are bound by appropriate confidentiality obligations; and
- Receive appropriate training on information security and privacy consistent with the Information Security Policy.
Provider will implement and maintain appropriate technical and organizational measures to protect Customer Data, including:
- Formal Information Security Policy (ISP) covering all systems and personnel, reviewed annually.
- Access control and MFA: Principle of least privilege; admin access restricted to two System Administrators; mandatory MFA for Supabase, Cloudflare, Netlify; mandatory use of 1Password and strong password criteria.
- Encryption:
  - In transit – TLS 1.2+ for all communications over public networks.
  - At rest – database encryption at rest in Supabase, validated as part of Supabase's SOC 2 Type II certification.
- Tenant isolation: Row Level Security (RLS) to ensure each institution can only view its own records.
- Endpoint security: FileVault full-disk encryption, macOS security controls, and seven-day patching SLA for admin endpoints.
- BCP/DRP: RTO 4 hours, RPO 24 hours, serverless architecture with Cloudflare/Netlify redundancy, Supabase backups and point-in-time recovery, with annual review and failover testing.
Customer is responsible for maintaining appropriate security for their own systems, credentials, and network connections to the Service.
Customer authorizes Provider to engage sub-processors for the purposes of providing the Service, including:
- Supabase (managed Postgres/database)
- Cloudflare Pages and Netlify (application hosting/CDN)
- Resend (email delivery for transactional emails from notifications.internationalgpa.com)
- Unsplash (image hosting for education system cover photos and illustrations - images loaded directly from their servers)
- HighLevel (GoHighLevel) for marketing/scheduling staff contacts only; no Student Data is stored there.
Provider will:
- Impose data protection obligations on sub-processors substantially similar to those in this DPA; and
- Remain responsible for sub-processors' performance.
Provider maintains an internal list of sub-processors and will provide it to Customer upon request.
Customer Data is hosted in the United States (US-East-2).
Where Customer Data originates from the EEA or UK, Provider will ensure that transfers to the U.S. are supported by appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent mechanisms, and will assist Customer in documenting these mechanisms as required.
Taking into account the nature of the processing, Provider will:
- Assist Customer, by appropriate technical and organizational measures, in responding to data subject requests under FERPA, GDPR/UK GDPR, or similar laws (e.g., access, correction, deletion), where they concern data within the Service.
- Provide reasonable assistance with data protection impact assessments (DPIAs) and consultations with supervisory authorities relating to the Service, to the extent required by law and mutually agreed.
If Provider becomes aware of a Security Incident (confirmed unauthorized access, disclosure, or loss of Customer Data):
- Provider will activate its Incident Response Plan, promptly investigate, contain, and remediate the incident, and preserve relevant logs.
- Provider will notify Customer without undue delay and, for FERPA-protected data, immediately upon confirmation of unauthorized access or disclosure of PII, via designated contacts.
- Where GDPR/UK GDPR applies and notification to a data protection authority is required, Provider will assist Customer in meeting the 72-hour deadline.
Notifications will include:
- The nature of the incident;
- Types of data affected;
- Known or suspected impact;
- Actions taken or planned; and
- Recommendations for Customer.
Upon reasonable request and subject to confidentiality:
- Provider will make available information necessary to demonstrate compliance with this DPA (e.g., copies or summaries of ISP/IRP, description of controls, third-party certifications of sub-processors).
- Customer may conduct (or appoint a third party to conduct) a security and privacy assessment limited to the Service, primarily through document review and remote interviews. On-site audits may be permitted where required by law and subject to reasonable notice, scope, and cost-sharing.
Provider will also reasonably support institutional vendor assessments, including completion of HECVAT 4 questionnaires, where appropriate.
Upon termination or expiration of the Service, or upon Customer's written request:
- Provider will, within a reasonable period, provide Customer with an export of Customer Data (if feasible within the Service's standard functionality) and then delete Customer Data from active systems.
- Deleted data may persist only in Supabase's automated backups for the duration of the defined backup retention window (aligned with the 24-hour RPO), after which it is overwritten. Provider will not retain or export deleted PII outside this environment.
Where applicable law requires retention beyond these periods, Provider may retain minimal necessary data in a secure manner solely for compliance purposes.
If any provision of this DPA is held invalid, the remaining provisions remain in effect. In case of conflict between the main Terms and this DPA regarding data protection, this DPA controls.
We may update this DPA from time to time. When we do, we will:
- Revise the "Last updated" date, and
- Where changes are material, provide reasonable notice (for example, via email or in-app notification).
For questions about these Terms, the Data Processing Agreement, data protection, or security:
Insight Digital Agency LLC – InternationalGPA.com
Attn: Security & Privacy
Privacy & Data Subject Requests:
privacy@internationalgpa.com
For data access, deletion, correction requests, and privacy policy questions
Security Incidents:
security@internationalgpa.com
For breach reports, vulnerability disclosures, and security concerns
General Support:
support@insightdigitalagency.com
For technical support and general questions
Sales & Partnerships:
pro@internationalgpa.com
For subscription inquiries, demos, and partnership opportunities
Phone:
913-513-1525 (24/7 voice AI receptionist, with routing and escalation)
Effective as of December 11, 2025
Last Updated: December 11, 2025