Data Processing Agreement

Effective Date: April 11, 2026

Version: 2026-04-11

1. Parties and Scope

This Data Processing Agreement applies where a tenant uploads, stores, or otherwise submits personal data to the platform and applicable privacy law requires a processor agreement.

The tenant is the data controller or business, and we are the data processor or service provider for tenant-submitted data processed on the tenant's behalf.

2. Subject Matter and Duration

We process tenant personal data for the duration of the tenant's use of the platform and as necessary afterward for retention, security, backup, legal compliance, and deletion workflows.

3. Nature and Purpose of Processing

Processing may include collection, storage, organization, retrieval, hosting, support, transmission, deletion, and other actions necessary to provide the platform and related support services.

4. Categories of Data

Depending on tenant use, data may include:

• account details
• contact information
• parent and student details
• attendance, schedule, lesson, and payment records
• communications and support data
• audit and security log data

5. Controller Obligations

The tenant is responsible for:

• determining the legal basis for processing
• providing required notices to its users and contacts
• obtaining necessary permissions or consents
• responding to data subject requests where the tenant acts as controller
• configuring the service lawfully and appropriately

6. Processor Obligations

We will:

• process tenant personal data only on documented instructions from the tenant, except where law requires otherwise
• maintain appropriate technical and organizational measures
• restrict internal access to authorized personnel or contractors with a need to know
• assist the tenant with reasonable privacy and security requests, subject to feasibility and applicable law
• notify the tenant of a confirmed personal data breach affecting tenant data without undue delay after becoming aware of it

7. Subprocessors

We may use subprocessors and infrastructure vendors to operate the platform, including hosting, database, authentication, email, logging, and backup providers.

We remain responsible for managing subprocessors consistent with applicable law and our contractual obligations.

8. Security Measures

We maintain reasonable security controls appropriate to the nature of the service, which may include:

• encrypted transport
• password hashing
• logical access controls
• role-based authorization
• audit logging
• infrastructure-level protections and monitoring

No representation is made that any measure eliminates all risk.

9. Confidentiality

Personnel with access to tenant personal data are subject to confidentiality obligations or professional duties of confidentiality.

10. Data Subject Requests

Where we receive a request directly from a data subject relating to tenant-controlled data, we may direct the requester to the relevant tenant unless law requires otherwise.

We may assist the tenant with reasonable requests where technically feasible.

11. Deletion and Return

At the end of the service relationship, we may delete or anonymize tenant personal data in accordance with our retention, backup, and legal obligations unless law requires continued retention.

12. Audit and Information Requests

We may provide reasonable information about our processing practices and security controls in a manner appropriate to the sensitivity of the service and our confidentiality obligations.

13. Cross-Border Processing

Tenant data may be processed in jurisdictions where our service providers operate, subject to applicable safeguards where required.

14. Liability

This DPA is subject to the liability limitations set forth in the Terms of Service unless prohibited by applicable law.

15. Conflict

If there is a conflict between this DPA and the Terms of Service concerning personal data processing, this DPA controls to the extent of that conflict.