Data Processing Addendum (DPA)

(GDPR Article 28, UK GDPR, CCPA/CPRA Compliant)

Last Updated: December 17, 2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other applicable agreement (“Agreement”) between CourseDeck (“Processor” or Service Provider) and the entity identified as the customer (“Customer” or Controller).

This DPA applies to the extent CourseDeck processes Personal Data on behalf of the Customer in connection with the CourseDeck SaaS platform and is intended to satisfy the requirements of Article 28 of the EU GDPR, the UK GDPR, and applicable U.S. state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the CPRA.

1. Definitions

Capitalized terms not otherwise defined herein have the meanings given in the Agreement, GDPR, or applicable data protection laws.

  • Controller: The Customer determining the purposes and means of Processing.
  • Processor: CourseDeck, processing Personal Data on behalf of the Controller.
  • Service Provider: As defined under CCPA/CPRA.
  • Personal Data: Any information relating to an identified or identifiable individual.
  • Processing: Any operation performed on Personal Data.
  • Sub-processor: Any third party engaged by CourseDeck to process Personal Data on behalf of the Customer.

2. Scope, Subject Matter, and Duration of Processing

2.1 Subject Matter

Provision of the CourseDeck SaaS platform and related services.

2.2 Duration

Processing for the duration of the Agreement, plus any period required for lawful data retention.

2.3 Nature and Purpose

Processing activities may include:

  • Hosting, storage, and retrieval of data
  • Authentication and access management
  • Scheduling, attendance, reporting, and analytics
  • Communication delivery (emails, notifications)
  • Technical support and system maintenance

2.4 Categories of Data Subjects

  • Customer administrators and staff
  • Teachers and employees
  • Students (including minors)
  • Parents or guardians (if provided by Customer)

2.5 Categories of Personal Data

  • Identifiers (name, email address, student ID)
  • Educational and attendance records
  • Performance and progress data
  • Parent or guardian contact information
  • Technical logs and usage metadata

3. Roles and Compliance Responsibilities

3.1 Customer (Controller)

The Customer represents and warrants that:

  • It has a valid legal basis for all Processing.
  • It has obtained all legally required parental or guardian consents for minors’ data (including COPPA and GDPR-K).
  • It complies with all applicable data protection laws.

3.2 CourseDeck (Processor / Service Provider)

CourseDeck shall:

  • Process Personal Data only on documented instructions from the Customer.
  • Not process Personal Data for its own purposes.
  • Notify the Customer if an instruction violates applicable law.

4. Confidentiality

CourseDeck ensures that:

  • Personnel authorized to process Personal Data are subject to confidentiality obligations.
  • Access to Personal Data is limited to personnel with a legitimate need to know.

5. Technical and Organizational Security Measures

CourseDeck implements appropriate technical and organizational measures designed to protect Personal Data, including:

  • Access Controls: Role-based access controls and least-privilege principles.
  • Row Level Security (RLS): Enforcement of data isolation at the database layer.
  • Encryption in Transit: TLS version 1.2 or higher.
  • Encryption at Rest: Industry-standard AES-256 encryption.
  • Logical Data Segregation: Separation of Customer data within multi-tenant environments.
  • Monitoring & Logging: Security monitoring and audit logging to detect unauthorized access.

These measures are reviewed periodically and updated in line with industry best practices.

6. Sub-processors

6.1 Authorization

The Customer grants general authorization for CourseDeck to engage Sub-processors.

6.2 Current Sub-processors

As of the effective date, CourseDeck may use the following Sub-processors:

Function                          Sub-processor
Hosting & Infrastructure          Vercel
Database (Serverless Postgres)    Neon
File / Media Storage              UploadThing
Email Delivery                    Resend
Analytics                         PostHog, Google Analytics
Payments                          Paddle (Merchant of Record; Independent Controller)

Paddle processes payment-related Personal Data as an independent data controller, not as a Sub-processor.

6.3 Sub-processor Obligations

CourseDeck ensures that Sub-processors are bound by contractual obligations no less protective than this DPA.

7. International Data Transfers

Personal Data may be processed or accessed outside the EEA or UK.

  • Transfers are governed by the EU Standard Contractual Clauses (SCCs), Module Two (Controller to Processor).
  • For UK data, the SCCs are supplemented by the UK International Data Transfer Addendum.
  • Additional technical and organizational safeguards are implemented where required.

8. Assistance with Data Subject Rights

Taking into account the nature of Processing, CourseDeck shall reasonably assist the Customer in fulfilling data subject rights requests.

CourseDeck shall not respond directly to data subjects unless legally required.

9. Personal Data Breach Notification

CourseDeck shall notify the Customer without undue delay after becoming aware of a Personal Data Breach and provide information reasonably necessary for compliance with applicable law.

10. Data Protection Impact Assessments (DPIAs)

Upon reasonable request, CourseDeck shall provide information necessary to assist the Customer in completing DPIAs or regulatory consultations.

11. Data Return and Deletion

Upon termination of the Agreement:

  • The Customer may export Customer Data using the export features provided within the Service prior to termination.
  • CourseDeck shall delete Personal Data within a commercially reasonable period unless retention is required by law.

12. CCPA / CPRA Compliance (U.S. Specific)

For purposes of the CCPA/CPRA:

  • CourseDeck acts as a “Service Provider”.
  • CourseDeck certifies that it does not sell or share Personal Data as defined under CCPA.
  • CourseDeck processes Personal Data solely to provide the Service and not for cross-context behavioral advertising.

13. Liability

Any liability arising out of or relating to this DPA shall be subject to and governed by the Limitation of Liability and liability caps set forth in the Agreement.

Nothing in this DPA shall be construed to increase CourseDeck’s liability beyond the limits expressly agreed in the Agreement, except where prohibited by applicable law.

14. Data Location and Processing Regions

Unless otherwise agreed in writing:

  • Primary data processing and hosting facilities are located in the United States.
  • Data may be accessed globally by authorized personnel and Sub-processors for support and operational purposes.

15. Governing Law and Jurisdiction

This DPA is governed by the same law and dispute resolution provisions specified in the Agreement.

16. Order of Precedence

In the event of conflict:

  1. This DPA
  2. The Agreement
  3. Any ancillary documents

Schedule 1 – Standard Contractual Clauses

The EU Standard Contractual Clauses (Controller to Processor – Module Two) are incorporated by reference where applicable.

Contact Information

For questions regarding this Data Processing Addendum, please contact: legal@coursedeck.com