DATA PROCESSING AGREEMENT (DPA)
1. PURPOSE
This DPA governs the processing of Personal Data by the Processor on behalf of the Customer in connection with the services provided under the applicable Service Agreement.
The Parties agree that this DPA establishes their respective rights and obligations concerning Personal Data processed under Applicable Data Protection Laws.
2. DEFINITIONS
For purposes of this DPA:
Applicable Data Protection Laws
Means all applicable privacy and data protection laws, including:
  • GDPR (EU Regulation 2016/679)
  • UK GDPR
  • India’s Digital Personal Data Protection Act (DPDP Act)
  • CCPA/CPRA (where applicable)
  • Other applicable privacy regulations
Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation performed on Personal Data including collection, storage, use, disclosure, deletion, transfer, or destruction.
Data Subject
The individual to whom Personal Data relates.
Controller
The entity that determines the purposes and means of Processing.
Processor
The entity processing Personal Data on behalf of the Controller.
Subprocessor
Any third party engaged by the Processor to Process Personal Data.
3. PROCESSING OF PERSONAL DATA
Processor shall:
  • Process Personal Data only on documented instructions from Customer.
  • Use Personal Data solely for providing contracted Services.
  • Not sell Personal Data.
  • Not use Personal Data for independent purposes except where legally required.
  • Ensure Processing complies with Applicable Data Protection Laws.
4. NATURE AND PURPOSE OF PROCESSING
The Processor may Process Personal Data for:
  • User account administration
  • Educational service delivery
  • Software functionality
  • Customer support
  • Authentication and security
  • Data hosting and storage
  • Analytics and service improvement
  • Compliance and audit requirements
5. CATEGORIES OF DATA SUBJECTS
Personal Data may relate to:
  • Students
  • Educators
  • Employees
  • Administrators
  • Contractors
  • Customers
  • Prospective customers
  • Website users
6. TYPES OF PERSONAL DATA
Personal Data may include:
Identity Information
  • Name
  • Username
  • User ID
Contact Information
  • Email address
  • Phone number
  • Mailing address
Account Information
  • Login credentials
  • Authentication records
Educational Information
  • Student identifiers
  • Enrollment information
  • Academic records
  • Course participation
Technical Information
  • IP addresses
  • Device identifiers
  • Browser information
  • System logs
Usage Information
  • Activity logs
  • Access records
  • Platform interactions
7. CONFIDENTIALITY
Processor shall:
  • Ensure authorized personnel are subject to confidentiality obligations.
  • Restrict access to Personal Data on a need-to-know basis.
  • Provide privacy and security training where appropriate.
  • Maintain written confidentiality commitments.
8. SECURITY MEASURES
Processor shall implement appropriate technical and organizational measures, including:
Technical Controls
  • Encryption in transit
  • Encryption at rest
  • Secure authentication
  • Access control mechanisms
  • Network security monitoring
  • Vulnerability management
Administrative Controls
  • Security policies
  • Risk assessments
  • Employee training
  • Vendor management
Physical Controls
  • Secure facilities
  • Access restrictions
  • Environmental safeguards
9. SUBPROCESSORS
Customer authorizes Processor to engage Subprocessors as necessary for Service delivery.
Processor shall:
  • Maintain a list of Subprocessors.
  • Impose equivalent data protection obligations.
  • Remain responsible for Subprocessor compliance.
  • Notify Customer of material Subprocessor changes where required by law.
10. INTERNATIONAL DATA TRANSFERS
Where Personal Data is transferred internationally, Processor shall implement appropriate safeguards including:
  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Approved transfer mechanisms
  • Contractual protections
11. DATA SUBJECT REQUESTS
Processor shall reasonably assist Customer in responding to:
  • Access requests
  • Correction requests
  • Deletion requests
  • Restriction requests
  • Objection requests
  • Data portability requests
Processor shall promptly notify Customer of any request received directly from a Data Subject.
12. SECURITY INCIDENTS
Processor shall:
  • Maintain incident response procedures.
  • Investigate suspected breaches.
  • Take corrective actions.
  • Notify Customer without undue delay following confirmation of a Personal Data Breach.
Notification shall include:
  • Nature of incident
  • Categories of affected data
  • Estimated impact
  • Remediation measures
13. AUDIT RIGHTS
Upon reasonable notice, Customer may request information demonstrating Processor’s compliance.
Processor may satisfy audit obligations by providing:
  • Security certifications
  • Compliance reports
  • Audit summaries
  • Independent assessment reports
Audits shall not unreasonably interfere with Processor operations.
14. ASSISTANCE OBLIGATIONS
Processor shall provide reasonable assistance regarding:
  • Data protection impact assessments
  • Regulatory inquiries
  • Security investigations
  • Compliance reviews
  • Data Subject rights requests
15. RECORDS OF PROCESSING
Processor shall maintain records of Processing activities where required by applicable law.
Records may include:
  • Processing purposes
  • Data categories
  • Security measures
  • Transfer mechanisms
  • Retention schedules
16. DATA RETENTION AND DELETION
Upon termination of Services, Processor shall:
  • Delete Personal Data; or
  • Return Personal Data to Customer;
unless retention is required by law.
Backup copies may be retained temporarily in accordance with security and business continuity requirements.
17. LIABILITY
Liability under this DPA shall be governed by the limitation of liability provisions contained in the primary Service Agreement unless prohibited by applicable law.
18. GOVERNING LAW
This DPA shall be governed by the laws specified in the Service Agreement.
Where GDPR applies, applicable EU and Member State laws shall apply to relevant Processing activities.
19. TERM
This DPA shall remain effective for as long as Processor Processes Personal Data on behalf of Customer.
20. ORDER OF PRECEDENCE
In the event of conflict:
  1. Applicable Data Protection Laws
  2. This DPA
  3. Service Agreement
shall govern in that order.
ANNEX I – PROCESSING DETAILS
Subject Matter
Provision of software and educational technology services.
Duration
For the duration of the Services and any lawful retention period.
Nature of Processing
Collection, storage, organization, transmission, retrieval, deletion, and support-related processing.
Categories of Data Subjects
  • Students
  • Faculty
  • Staff
  • Customers
  • Users
Categories of Personal Data
  • Identity data
  • Contact data
  • Technical data
  • Educational data
  • Usage data
ANNEX II – SECURITY MEASURES
The Processor maintains:
  • Encryption at rest and in transit
  • Role-based access controls
  • Multi-factor authentication
  • Security logging
  • Backup and recovery procedures
  • Vulnerability assessments
  • Incident response plans
  • Vendor due diligence processes
  • Security awareness training