These documents govern your use of MilestonesIQ. They are initial drafts prepared for review by qualified legal counsel. For questions, contact [email protected].
Effective April 19, 2026 · Last updated April 19, 2026
*Template Version 1.0 — For Institutional Use*
This Institutional Data Processing Agreement ("DPA") is entered into between [INSTITUTION NAME] ("Institution") and MilestonesIQ ("Provider"). This template must be executed by an authorized representative of the Institution before the Institution's GME program may access the Platform with live trainee data.
WHEREAS, the Provider offers a cloud-based platform for graduate medical education (GME) program management, including milestone tracking, evaluation management, individualized learning plans, AI-assisted review tools, and related services ("the Platform");
WHEREAS, in the course of providing the Platform, the Provider will receive, store, process, and transmit certain Trainee Data on behalf of the Institution;
WHEREAS, the Parties recognize that Trainee Data may constitute education records subject to FERPA (20 U.S.C. § 1232g) and that both Parties have obligations to protect such data;
NOW, THEREFORE, the Parties agree as follows:
"Trainee Data" means any personally identifiable information relating to an identified or identifiable trainee (resident, fellow, or other GME participant) created, received, stored, or processed by the Provider in the course of providing the Platform. This includes: trainee name, PGY level, specialty, milestone scores, evaluation text, EPA observations, procedure logs, duty hour records, ITE scores, AI-generated summaries, ILP goals, PIP records, and any other information that could reasonably identify a specific trainee.
"School Official" refers to the Provider's designation under FERPA (34 C.F.R. § 99.31(a)(1)(i)(B)) as a contractor performing institutional services under the direct control of the Institution with respect to the use and maintenance of education records.
"AI-Generated Output" means any content, score, narrative, risk assessment, or recommendation produced by the Provider's AI systems based on Trainee Data, including risk scores, semi-annual review narratives, and AI-generated action items.
"Authorized User" means any individual granted access to the Platform by the Institution, including program directors, faculty evaluators, coordinators, and trainees accessing their own records.
"Data Breach" means any unauthorized access, acquisition, use, or disclosure of Trainee Data that compromises its security, confidentiality, or integrity.
2.1 School Official Designation. For purposes of FERPA, the Provider is designated as a School Official of the Institution with a legitimate educational interest in accessing Trainee Data solely to the extent necessary to provide the Platform. The Provider shall be under the direct control and supervision of the Institution with respect to the use and maintenance of Trainee Data.
2.2 Data Controller / Processor. The Institution is the data controller. The Provider acts as a data processor, processing Trainee Data only on behalf of and pursuant to the documented instructions of the Institution.
3.1 Permitted Use. The Provider shall process Trainee Data solely for the purpose of providing the Platform. The Provider shall not use Trainee Data for any commercial purpose, including advertising, marketing, or sale of data to third parties.
3.2 No Sale or Disclosure. The Provider shall not sell, rent, lease, or otherwise transfer Trainee Data to any third party for commercial gain.
3.3 AI Advisory Requirement. All AI-Generated Outputs are advisory in nature only and require review and disposition by a qualified Program Director before any academic or administrative action is taken. The Provider shall ensure all AI outputs are clearly labeled as requiring human review.
3.4 Bias Monitoring. The Provider shall maintain bias detection mechanisms, including warnings when a trainee's evaluation pool is statistically insufficient to support reliable AI scoring, and a faculty clarification request workflow for low-score or sparse evaluations.
3.5 Subprocessors. The Provider shall not engage any subprocessor to process Trainee Data without prior written notice to the Institution. Current approved subprocessors are listed in Exhibit C.
3.6 Trainee Rights. The Provider shall assist the Institution in fulfilling FERPA obligations to respond to trainee requests to access, correct, or dispute their Trainee Data. The Platform includes a built-in mechanism for trainees to report data inaccuracies.
3.7 Data Return and Deletion. Upon termination of the Service Agreement or upon written request, the Provider shall return all Trainee Data in machine-readable format and securely delete all copies within thirty (30) days, with written certification provided upon request.
3.8 Audit Trail. The Provider shall maintain an immutable audit log of all access to and processing of Trainee Data, retained for a minimum of seven (7) years and available to the Institution upon request.
4.1 Authorized Access. The Institution shall ensure access is limited to Authorized Users with a legitimate educational interest and shall promptly notify the Provider of any changes to Authorized User status.
4.2 Trainee Notification. The Institution shall ensure trainees are informed of the Platform's use for evaluation and milestone tracking, consistent with the Institution's FERPA annual notice.
4.3 Appropriate Use. The Institution shall ensure Authorized Users use the Platform in accordance with this DPA, the Service Agreement, and applicable law.
5.1 Security Standards. The Provider implements and maintains commercially reasonable administrative, technical, and physical safeguards, including: TLS 1.2+ encryption in transit; AES-256 encryption at rest; role-based access controls applying the least-privilege principle; OAuth 2.0 authentication with 15-minute session timeout; immutable append-only audit logs; and logical isolation of institutional data.
5.2 Security Review. The Provider shall conduct or commission an independent security assessment at least annually and provide a summary to the Institution upon request.
5.3 Data Residency. All Institutional Data processed under this DPA is stored on infrastructure physically located in the United States (AWS US regions). The Provider does not transfer Institutional Data outside the United States without prior written consent from the Institution, except as required by applicable law.
5.4 Logical Data Isolation. Institutional Data is logically isolated by Institution ID at the application and database layer. The Provider does not share, cross-reference, or expose one Institution's data to another Institution. Physical database separation (dedicated instances) is available upon request for Enterprise tier subscribers.
5.5 Sub-processors. The Provider uses the following sub-processors to store and process Institutional Data:
The Provider shall notify the Institution of any material changes to sub-processors with at least thirty (30) days' advance notice.
6.1 Notification. In the event of a Data Breach, the Provider shall notify the Institution within forty-eight (48) hours of becoming aware of the breach, including: the nature of the breach; categories and approximate number of trainees affected; likely consequences; and measures taken to address and mitigate the breach.
6.2 Cooperation. The Provider shall cooperate fully with the Institution in investigating and remediating any Data Breach.
7.1 PD Disposition Requirement. The Platform requires a documented Program Director disposition (Confirmed / Not Confirmed / Insufficient Data) for every AI-generated risk flag or narrative before it is finalized or shared with a trainee or CCC.
7.2 No Adverse Action. No adverse academic action — including remediation, probation, or dismissal — may be taken based solely on an AI-Generated Output without independent human review.
7.3 Model Transparency. The Provider maintains a current AI Transparency Statement describing the methodology, data inputs, weighting factors, and known limitations of the Platform's AI systems, available at /legal/ai and upon request.
8.1 Term. This DPA remains in effect for the duration of the Service Agreement.
8.2 Termination for Cause. Either Party may terminate this DPA immediately upon written notice if the other Party materially breaches this DPA and fails to cure within thirty (30) days of written notice.
8.3 Survival. Sections 3.2, 3.8, 6.1, and Article IX survive termination.
9.1 Entire Agreement. This DPA, together with the Service Agreement and all Exhibits, constitutes the entire agreement between the Parties regarding the processing of Trainee Data.
9.2 Order of Precedence. In the event of conflict between this DPA and the Service Agreement regarding Trainee Data, this DPA controls.
9.3 Governing Law. This DPA is governed by the laws of the State of Illinois.
9.4 Amendments. This DPA may be amended only by a written instrument signed by authorized representatives of both Parties.
INSTITUTION: Name: ___________________________ | Authorized Representative: ___________________________ | Title: ___________________________ | Date: ___________________________ | Email: ___________________________
MILESTONESIQ: Authorized Representative: ___________________________ | Title: ___________________________ | Date: ___________________________ | Email: [email protected]
Provider shall notify Institution of any changes with at least 30 days' advance notice.
To execute this DPA, please contact MilestonesIQ at [email protected] with the subject line "DPA Execution Request — [Institution Name]". We will provide a fully formatted, countersigned copy within five (5) business days.
This DPA template is an initial draft prepared for review by qualified legal counsel with expertise in FERPA, education technology law, and health data privacy. It is not a substitute for advice from a licensed attorney and should not be executed without independent legal review.