With the Student Privacy Pledge retired and 40+ states now requiring Data Privacy Agreements, schools need to verify every vendor in their edtech stack. Here are 8 education apps with the strongest DPA coverage and privacy protections.
A Data Privacy Agreement (DPA) is a legally binding contract between a school district and an edtech vendor that governs how student data is collected, used, stored, and deleted. Unlike voluntary pledges or self-attestations, a signed DPA creates enforceable obligations with real consequences for violations.
The Student Data Privacy Consortium (SDPC) has become the backbone of school-vendor privacy contracting in the United States. Since 2016, over 275,000 standard DPAs have been executed through the SDPC system, and the freely accessible Resource Registry now hosts more than 130,000 signed agreements between 12,000+ school districts and 6,674 education app providers. The SDPC operates through 28 state alliances where districts negotiate collectively, saving thousands of hours of individual contract work.
The landscape shifted significantly in April 2025 when the Future of Privacy Forum retired the Student Privacy Pledge after 10 years, citing that more than 40 states had passed student privacy laws that codified the Pledge's principles into enforceable regulation. Schools that relied on the Pledge as a trust signal now need to verify that their vendors have signed actual DPAs — either through the SDPC National DPA, state-level agreements, or direct district contracts.
We evaluated education apps based on their SDPC participation, signed National or state-level DPAs, formal privacy certifications (iKeepSafe, KidSAFE), and transparency of data practices. These 8 apps have the strongest verified DPA coverage and privacy protections for district use.
Khan Academy Kids offers free, comprehensive early learning content covering reading, math, and more for children ages 2-8.
IXL is a comprehensive adaptive learning platform covering all subjects from Pre-K through 12th grade.
DreamBox is an adaptive K–8 math program that provides rigorous and personalized instruction using interactive visuals and intelligent scaffolding. Widely used in schools and homes.
ABCmouse offers a full early learning curriculum with thousands of activities for children ages 2-8.
Starfall teaches reading through systematic phonics with engaging activities for Pre-K through 5th grade.
Zearn is a standards-aligned digital math platform offering comprehensive instruction, practice, and remediation. Free for families, premium for schools.
Newsela adapts real news articles to 5 different reading levels, making current events accessible to students grades 2-12.
A Data Privacy Agreement (DPA) is a legally binding contract between a school district and an education technology vendor that specifies how student data will be collected, used, stored, and protected. DPAs define what data the vendor can access, how long it can be retained, what security measures must be in place, and what happens to the data when the contract ends. Most states now require districts to have a signed DPA before using any edtech product that handles student information.
The SDPC National Data Privacy Agreement (NDPA) is a standardized contract template created by the Student Data Privacy Consortium, a project of Access 4 Learning (A4L). Since its launch in 2016, over 275,000 standard DPAs have been executed through the SDPC system. The NDPA streamlines the process so districts and vendors do not have to negotiate individual contracts from scratch. Version 2.2 was released in November 2025, and the SDPC Resource Registry hosts over 130,000 signed agreements between 12,000+ districts and 6,674 vendors.
The Future of Privacy Forum retired the Student Privacy Pledge on April 25, 2025, after 10 years of operation. During its tenure, approximately 500 edtech companies signed the voluntary pledge. It was retired because more than 40 states have since passed student privacy laws that codify the Pledge's principles and apply to all companies regardless of whether they signed. Schools are now directed to the SDPC National DPA and the CISA Secure by Design Pledge as stronger, enforceable alternatives.
Any education app that collects, stores, or processes personally identifiable student information should have a signed DPA with the district before classroom use. This includes apps that require student accounts, track progress, or collect any data beyond anonymous usage. Most states now mandate DPAs for edtech vendors, and districts risk violating FERPA and state privacy laws if they allow apps without signed agreements.
COPPA is a federal law that restricts how companies collect data from children under 13. A DPA is a contract between a specific school district and a vendor that governs how student data is handled. An app can be COPPA compliant without having a DPA, and vice versa. For full protection, schools should verify both: the app follows COPPA rules for under-13 data collection, and the district has a signed DPA that covers data handling, retention, and deletion.
The SDPC operates alliances in 28 states where districts collaborate to negotiate DPAs collectively. When a state alliance signs a DPA with a vendor, every district in that alliance can subscribe to the agreement rather than negotiating individually. Each state alliance can add state-specific clauses to the National DPA template to address unique requirements from their state privacy laws. This saves thousands of hours of individual negotiation across the alliance.
Visit the SDPC Resource Registry at sdpc.a4l.org, which is freely accessible and hosts over 130,000 signed DPAs. You can search by vendor name or browse by state to see which apps have agreements with districts in your state. You can also check your own district's approved vendor list, contact your district technology coordinator, or ask the vendor directly for a copy of their standard DPA.
Yes. SpellingJoy does not collect personal information from children without school or parental consent, does not serve advertising, and does not share student data with third parties. Teachers manage all student accounts through their classroom dashboard, and SpellingJoy supports district DPA requirements with transparent data practices and clear data deletion policies.
Prodigy Math leads our list with the most comprehensive privacy stack: SDPC membership, iKeepSafe COPPA + FERPA + CSPC certifications, a 92% Common Sense Privacy score, and 1EdTech TrustEd App certification. For districts that need a single, fully vetted math tool, it is the safest choice.
If your district needs free options with strong DPA coverage, Khan Academy Kids, Starfall, and Zearn are all nonprofit-backed, ad-free, and participate in the SDPC system. Free does not have to mean unvetted.
For K-12 coverage across multiple subjects, IXL and Newsela both maintain SDPC DPAs across multiple states and hold additional privacy certifications. DreamBox and ABCmouse round out the list with strong vendor-level DPA programs for their respective age groups.
With the Student Privacy Pledge retired and over 40 states now requiring DPAs by law, the message is clear: voluntary commitments are no longer sufficient. Check the SDPC Resource Registry at sdpc.a4l.org to verify that every app in your district's stack has a signed agreement, and prioritize vendors with formal certifications from iKeepSafe, KidSAFE, or 1EdTech.
Looking for a privacy-conscious spelling app? SpellingJoy is 100% free, does not collect personal information from children without consent, serves no advertising, and gives teachers full control through a classroom dashboard. Try SpellingJoy free today.
About the Author
SpellingJoy Team
The SpellingJoy team is dedicated to creating free, high-quality spelling resources for K-6 students and their families. We test every app we review and provide honest assessments to help parents make informed decisions.