Acuerdo de procesamiento de datos
Data Processing Agreement (DPA) — GDPR Article 28
Last updated: March 27, 2026
1. Parties
This agreement is entered into between:
- The Data Controller: The school (hereinafter "the Client") subscribing to EduGame services.
- The Data Processor: EduGame, educational SaaS platform (hereinafter "EduGame").
2. Purpose of processing
EduGame processes personal data on behalf of the Client in the context of providing AI-powered exam generation services, academic progress tracking, and educational gamification.
Processing purposes
- Personalized exam generation (AI pipeline)
- Automatic grading and scoring
- Progress tracking and pedagogical analytics
- Class and student management
- Teacher-family communication
3. Categories of data processed
| Category | Data | Protection |
|---|---|---|
| Identification | Name, email, username | AES-256-GCM |
| Academic | Grades, exam answers, progress | RBAC |
| Technical | IP, session ID, logs | PII redaction |
| Consent | Parental consent (<16) | Audit trail |
4. Data subjects
- Students (including minors under 16)
- Teachers and educational staff
- Parents and legal representatives
5. EduGame's obligations (Data Processor)
In accordance with GDPR Article 28, EduGame commits to:
- Process data only on documented instructions from the Client.
- Ensure confidentiality: all personnel with data access are bound by a confidentiality obligation.
- Implement appropriate security measures (GDPR Article 32) — see section 7.
- Not engage another sub-processor without prior written authorization from the Client — see section 6.
- Assist the Client in fulfilling its obligations (data subject rights, DPIA, breach notification).
- Delete or return data at the end of the service, at the Client's choice.
- Make available the information necessary to demonstrate GDPR compliance and contribute to audits.
6. Sub-processors
EduGame uses the following sub-processors, approved by the Client:
| Sub-processor | Purpose | Location | Guarantees |
|---|---|---|---|
| Neon (PostgreSQL) | Database hosting | EU (AWS eu-central-1) | SOC 2 |
| Google Cloud (Gemini) | AI generation | EU (eu-west) | DPA Google, ISO 27001 |
| Hostinger | Application hosting | EU (Lithuania) | GDPR compliant |
| Resend | Transactional emails | US (DPF certified) | Data Processing Framework |
| Lemon Squeezy | Payments (MoR) | US (DPF certified) | PCI DSS |
| Sentry | Error monitoring | US (DPF certified) | PII redacted |
EduGame will inform the Client of any changes to the sub-processor list with 30 days' notice.
7. Security measures (GDPR Article 32)
- Encryption: AES-256-GCM for PII in database. HTTPS/TLS 1.3 for data in transit. HSTS with preload.
- Access control: 4-level RBAC (student, teacher, parent, admin). HttpOnly/Secure signed sessions. Authentication proxy on all private routes.
- Pseudonymization: Students can use a username instead of their email. Logs are redacted (no PII in plain text).
- Integrity: Zod validation on all inputs. Parameterized SQL queries (zero injection). DOMPurify sanitization against XSS.
- Availability: Automatic Neon backups (PITR). PM2 with auto-restart. Automated rollback scripts.
- Security testing: Static analysis (Semgrep), secret scanning (Gitleaks), dependency audits (Trivy), automated daily scans.
8. Breach notification
In case of a personal data breach, EduGame commits to notifying the Client within 48 hours of becoming aware. The notification will include:
- The nature of the breach
- The categories and approximate number of affected individuals
- The likely consequences
- The measures taken or proposed to remedy it
9. Data subject rights
EduGame assists the Client in responding to data subject rights requests:
- Right of access (Art. 15): user data export
- Right of rectification (Art. 16): modification from profile
- Right to erasure (Art. 17): complete deletion with cascade and audit trail
- Right to portability (Art. 20): JSON/CSV data export
- Parental consent (Art. 8): integrated consent system for minors under 16
10. Duration, return, and deletion
This agreement is valid for the entire duration of the contractual relationship. At its end, EduGame commits to:
- Return all data to the Client in a standard format (JSON/CSV) within 30 days.
- Permanently delete all data within 60 days after return, unless legally required to retain it.
- Provide a certificate of destruction upon request.
11. Audits
The Client may conduct or commission GDPR compliance audits, with reasonable notice of 15 business days. EduGame commits to full cooperation and to providing all necessary documents.
12. Contact
For any questions regarding personal data processing:
Need a signed version?
Contact us at [email protected] for a PDF version of the DPA to be signed between your institution and EduGame.