EducatorsIn

Data Processing Agreement

Last updated: March 2026

1. Definitions

For the purposes of this Data Processing Agreement (“DPA”), the following terms shall have the meanings set out below:

  • Controller — the entity that determines the purposes and means of the processing of personal data (the institution or organization subscribing to our platform).
  • Processor — EducatorsIn, which processes personal data on behalf of the Controller.
  • Data Subject — an identified or identifiable natural person whose personal data is processed (e.g., students, teachers, administrators).
  • Personal Data — any information relating to a Data Subject, including names, email addresses, enrollment records, grades, and usage data.
  • Sub-processor — any third party engaged by the Processor to assist in processing personal data on behalf of the Controller.
  • Applicable Data Protection Law — all laws and regulations relating to data protection applicable to the processing of personal data under this DPA, including the GDPR.

2. Scope and Purpose of Processing

This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the EducatorsIn platform services.

The purpose of processing includes:

  • Providing and maintaining the educational platform and its features
  • Managing user accounts, authentication, and access control
  • Processing student enrollments, course progress, grades, and certificates
  • Facilitating communication between teachers, students, and administrators
  • Generating reports and analytics for institutional use
  • Processing payments and managing subscriptions

The categories of data subjects include students, teachers, administrators, and other authorized users of the platform. The types of personal data processed include names, email addresses, institutional identifiers, course data, grades, attendance records, and platform usage data.

3. Data Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
  • Not engage another processor without prior specific or general written authorization of the Controller.
  • Assist the Controller in fulfilling its obligation to respond to Data Subject requests.
  • Assist the Controller in ensuring compliance with data protection impact assessments and prior consultations with supervisory authorities.
  • At the Controller's choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections.

4. Sub-processors

The Controller provides general authorization for the Processor to engage the following sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

Cloudflare, Inc.

Purpose: Infrastructure, content delivery, edge computing (Workers), database (D1), and object storage (R2).

Location: Global edge network with data stored in compliance with regional requirements.

Stripe, Inc.

Purpose: Payment processing, subscription management, and billing.

Location: United States, with data processing in accordance with Stripe's DPA.

The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.

5. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law, including:

  • Right of access — the right to obtain confirmation of whether personal data is being processed and access to that data.
  • Right to rectification — the right to have inaccurate personal data corrected.
  • Right to erasure — the right to have personal data deleted under certain circumstances.
  • Right to restriction — the right to restrict the processing of personal data.
  • Right to data portability — the right to receive personal data in a structured, commonly used format.
  • Right to object — the right to object to processing based on legitimate interests.

The Processor shall promptly notify the Controller of any request received directly from a Data Subject without responding to that request itself, unless otherwise authorized.

6. Security Measures

The Processor implements and maintains appropriate technical and organizational security measures, including but not limited to:

  • Encryption of personal data in transit (TLS 1.3) and at rest
  • Access controls and role-based authorization for all platform users
  • Regular security assessments, penetration testing, and vulnerability scanning
  • Automated backups and disaster recovery procedures
  • Incident detection, response, and notification procedures
  • Employee training on data protection and security best practices
  • Physical security measures at data center locations managed by sub-processors

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.

7. Contact

For questions regarding this Data Processing Agreement or to request a signed copy, please contact us at [email protected].

EducatorsIn — Learning Platform