Data Processing Addendum (DPA)
Effective date: [EFFECTIVE_DATE]
Version: [DPA_VERSION]
This Data Processing Addendum ("DPA") forms part of the Agreement (the Terms of Service or a separately signed master services agreement) between [COMPANY_LEGAL_NAME] ("Processor", "we") and the customer ("Controller", "you") for the provision of the [PRODUCT_NAME] Service. It applies when the Service involves the processing of personal data of data subjects (including children) protected by EU GDPR, UK GDPR, or other applicable data protection laws.
In the event of a conflict between this DPA and the Agreement, this DPA prevails for matters of data protection.
1. Definitions
Capitalised terms not defined here have the meaning given in GDPR or UK GDPR as applicable.
- Applicable Law — GDPR, UK GDPR, Swiss FADP, and any other data-protection law applicable to the processing
- Personal Data — Customer Personal Data processed by Processor under the Agreement
- Sub-processor — any third party engaged by Processor to process Personal Data
- Standard Contractual Clauses ("SCCs") — the EU Commission Implementing Decision 2021/914 modules as updated
- UK Addendum — the UK International Data Transfer Addendum to the EU SCCs issued by the ICO
2. Subject matter, duration, nature, and purpose of processing
- Subject matter: provision of the [PRODUCT_NAME] Service.
- Duration: the term of the Agreement, plus any deletion / return period under Section 12.
- Nature: hosting, transmitting, displaying, generating responses to, and storing Customer Personal Data as needed to operate the Service.
- Purpose: delivering the Service to the Controller and its authorised users.
Categories of data subjects
- Customer's authorised users (parents, teachers, administrators)
- Children using the Service under the Customer's account or under parental consent
Categories of Personal Data
- Identifiers (name, email, account IDs)
- Authentication credentials (hashed)
- Child profile data (first name, age, language, level, parent-selected preferences)
- Session activity (mode, duration, message summaries, full transcripts if opted in)
- Safety events
- Learning progress
- Technical data (IP, user agent, log data)
Special categories
None by design. We instruct the AI to refuse health, religious, sexual, biometric, and other special-category disclosures, and we do not solicit them. If a special-category disclosure nonetheless appears in a transcript, it is not used beyond delivering the Service and is subject to the retention controls the Controller has set.
3. Roles
- The Customer is the Controller (or, where the Customer itself acts as a Processor for an end-customer, the Processor — in which case [COMPANY_LEGAL_NAME] is a Sub-processor).
- [COMPANY_LEGAL_NAME] is the Processor.
4. Processor obligations
We will:
- Process Personal Data only on documented instructions from the Controller, including those given through the Service configuration. We will inform the Controller if we believe an instruction violates Applicable Law.
- Ensure that personnel authorised to process Personal Data are under a duty of confidentiality.
- Implement appropriate technical and organisational measures as described in Annex II and the Security Whitepaper.
- Assist the Controller in fulfilling its obligations regarding data subject rights (Articles 12–22 GDPR), security (Article 32), breach notification (Articles 33–34), and DPIAs (Article 35).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR, and allow for audits as described in Section 10.
5. Sub-processors
The Controller authorises Processor to engage Sub-processors. The current list is published at [SUBPROCESSORS_URL] and reproduced (as of this DPA's effective date) in our Subprocessor List.
Before engaging a new Sub-processor, Processor will:
- Notify the Controller at least [SUBPROCESSOR_NOTICE_DAYS, e.g., 30] days in advance (in writing or via the published list with email notification).
- Impose data-protection obligations on the Sub-processor that are no less protective than those in this DPA.
The Controller may object to a new Sub-processor on reasonable, documented data-protection grounds within the notice period. If we cannot accommodate the objection, the Controller may terminate the affected portion of the Agreement.
Processor remains fully responsible for the acts and omissions of its Sub-processors.
6. International transfers
To the extent Personal Data of EEA, UK, or Swiss data subjects is transferred to a country without an adequacy decision, the parties incorporate by reference:
- EU SCCs Module 2 (Controller-to-Processor) when [COMPANY_LEGAL_NAME] acts as Processor for a Customer in the EEA. Module 3 (Processor-to-Processor) applies where the Customer is itself a Processor. The optional Docking Clause is included. Annex I parties: as set out in the Agreement. Annex I.B: per Section 2 above. Annex II: per the Security Whitepaper. Clause 17: governed by [SCC_GOVERNING_LAW_MEMBER_STATE]. Clause 18: courts of [SCC_FORUM_MEMBER_STATE].
- UK Addendum for UK transfers, with Tables 1–4 completed by reference to the EU SCCs above.
- Swiss adaptations (FADP) where applicable.
Where an alternative valid transfer mechanism becomes available, the parties may elect to use it.
7. Data subject rights
Processor will:
- Provide Controller with the technical means to fulfil data subject requests through the Service (in-product deletion, export endpoints).
- Promptly forward to the Controller any data subject request received directly by Processor relating to Controller's data. Processor will not respond to such requests itself (other than to acknowledge receipt and redirect) without Controller instruction.
- Assist Controller with responding within statutory timelines.
8. Personal-data breach
If Processor becomes aware of a Personal Data Breach affecting Personal Data, Processor will:
- Notify the Controller without undue delay and in any event within [BREACH_NOTIFICATION_HOURS, e.g., 72] hours of confirmation.
- Provide reasonable information including the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken/proposed to address it. Where full information is not yet available it will be provided in phases.
- Reasonably cooperate with the Controller's investigation and notification obligations.
Notifications under this Section will not be construed as an acknowledgement of fault or liability.
9. Assistance with DPIAs
Where the Controller is required to conduct a Data Protection Impact Assessment under Article 35 GDPR (e.g., because of large-scale processing of children's data), Processor will provide reasonable assistance, including information about the Service's data flows, retention, and security measures.
10. Audit
The Controller has the right to audit Processor's compliance with this DPA. Processor will satisfy audit requests, at the Controller's option, by:
- Providing relevant certifications and third-party audit reports (e.g., [SOC2_TYPE_II_REPORT_NAME], [ISO_27001_CERTIFICATE] — once obtained; see roadmap in Security Whitepaper);
- Responding to a reasonable questionnaire; or
- For Enterprise Controllers and where the above is insufficient, allowing an on-site audit conducted by mutually agreed independent auditors, no more than once per 12-month period, on at least 30 days' notice and during normal business hours.
Audits must not disrupt the Service or compromise the confidentiality of other Customers.
11. Confidentiality
Personal Data is Confidential Information of the Controller. Processor will protect it with the same standard of care as its own confidential information, but in any event no less than reasonable care. Confidentiality survives termination.
12. Deletion or return
On termination of the Agreement, the Controller may instruct Processor to:
- Return all Personal Data; or
- Delete all Personal Data and copies thereof, except to the extent retention is required by Applicable Law.
If no instruction is given within 30 days of termination, the default is deletion. Backups containing Personal Data will be deleted at the end of the standard backup cycle (currently [BACKUP_WINDOW, e.g., 35 days]).
Upon written request the Controller will be provided with a certificate of deletion.
13. Liability
The aggregate liability of each party arising out of or related to this DPA is subject to the limitations of liability in the Agreement. Nothing in this DPA limits any liability that cannot be limited under Applicable Law.
14. Order of precedence
In the event of a conflict between (a) this DPA, (b) the SCCs (where applicable), and (c) the Agreement, the order of precedence is (b) → (a) → (c).
15. Term and changes
This DPA takes effect on the Effective Date and runs co-terminously with the Agreement. Processor may update this DPA to reflect changes in Applicable Law or guidance; material changes will be notified with at least [DPA_NOTICE_DAYS, e.g., 30] days' notice.
Annex I — Description of the transfer
A. List of parties
| | Data Exporter (Controller) | Data Importer (Processor) |
|---|---|---|
| Name | [CONTROLLER_NAME] | [COMPANY_LEGAL_NAME] |
| Address | [CONTROLLER_ADDRESS] | [REGISTERED_ADDRESS] |
| Contact | [CONTROLLER_CONTACT] | [PRIVACY_EMAIL] |
| Activities relevant to the transfer | Using the Service for learning delivery | Operating the Service |
| Role | Controller (or Processor if back-to-back) | Processor (or Sub-processor) |
| Signature & date | _____________________ | _____________________ |
B. Description of transfer
See Section 2 of this DPA.
C. Competent supervisory authority
The supervisory authority of the Controller's main establishment in the EEA, or the ICO for UK transfers, as applicable.
Annex II — Technical and organisational measures
See the Security Whitepaper, which is incorporated by reference and forms part of this DPA. Headline measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Principle-of-least-privilege access controls; SSO + MFA for staff
- Strict separation of production and non-production environments
- Audit logging of administrative actions, retained for [AUDIT_RETENTION, e.g., 1 year]
- Incident response plan with defined RTO/RPO
- Regular dependency and vulnerability scanning
- Background checks on staff with access to Personal Data
- Annual security training
- Defined sub-processor management process
- Continuous policy review
Annex III — List of sub-processors
See the live Subprocessor List at [SUBPROCESSORS_URL].