Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the contract between StudentNotes.co.uk ("Controller" or "we") and third-party service providers ("Processor" or "you") for the processing of Personal Data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on Personal Data
• Controller: StudentNotes.co.uk
• Processor: Third-party service provider processing data on our behalf
• Sub-processor: Any processor engaged by the Processor
• Data Subject: Individual to whom Personal Data relates

3. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller for the following purposes:

• AI content generation and analysis
• Authentication and user management (OAuth providers)
• Analytics and advertising (Google Analytics, Google Ads)
• Email delivery services
• Cloud hosting and storage
• Payment processing (if applicable)

4. Processor's Obligations

4.1 Compliance

The Processor shall process Personal Data only:

• On documented instructions from the Controller
• In compliance with GDPR and applicable data protection laws
• For the specific purposes outlined in Section 3

4.2 Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data:

• Are bound by confidentiality obligations
• Receive appropriate data protection training
• Process Personal Data only as instructed

4.3 Security Measures

The Processor shall implement appropriate technical and organizational measures, including:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security testing and vulnerability assessments
• Incident response and breach notification procedures
• Data backup and disaster recovery plans
• Secure data destruction when no longer needed

4.4 Sub-processors

The Processor may engage sub-processors only with:

• Prior written consent from the Controller
• Equivalent data protection obligations imposed on sub-processors
• Maintenance of a current list of sub-processors
• Notification of any intended changes to sub-processors

5. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests, including:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)

6. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

• Notify the Controller without undue delay (within 24 hours of becoming aware)
• Provide detailed information about the breach
• Cooperate with the Controller's investigation
• Implement remedial measures to prevent future breaches
• Document all breaches and corrective actions taken

7. Data Transfers

International transfers of Personal Data shall only occur when:

• The transfer is to a country with adequate data protection (Art. 45 GDPR)
• Appropriate safeguards are in place (Art. 46 GDPR), such as Standard Contractual Clauses
• Explicit consent has been obtained from Data Subjects

8. Audits and Inspections

The Processor shall:

• Make available all information necessary to demonstrate compliance
• Allow for and contribute to audits (including inspections) by the Controller
• Provide annual SOC 2 or ISO 27001 certification (where applicable)
• Maintain records of processing activities

9. Data Retention and Deletion

Upon termination of services, the Processor shall:

• Delete or return all Personal Data within 30 days
• Provide certification of deletion upon request
• Securely destroy all copies, backups, and archives
• Exception: Retention required by applicable law (with notification to Controller)

10. Liability and Indemnification

The Processor shall indemnify the Controller against:

• Claims arising from breach of this DPA
• Regulatory fines and penalties due to non-compliance
• Costs of breach notification and remediation
• Legal fees and damages from Data Subject claims

11. Specific Service Provisions

11.1 AI Service Providers (OpenAI, Anthropic)

• Data used solely for providing services (not for training models without consent)
• Data retained only for the duration necessary to provide services
• API logs retained for 30 days maximum
• Zero-retention option available upon request

11.2 OAuth Providers (Google, Microsoft)

• Only essential profile data accessed (name, email, profile photo)
• No access to user emails, files, or other services without explicit permission
• Token refresh only when necessary for authentication
• Revocation support via OAuth provider settings

11.3 Analytics Providers (Google Analytics)

• IP anonymization enabled
• Advertising features disabled by default (requires cookie consent)
• Data retention set to minimum necessary (14 months)
• User-ID feature not used for cross-device tracking

12. Term and Termination

This DPA:

• Remains in effect for the duration of the service agreement
• Survives termination for data retention obligations
• Can be terminated by Controller with 30 days' notice
• Terminates automatically upon cessation of all processing

13. Governing Law

This DPA is governed by:

• General Data Protection Regulation (EU) 2016/679
• UK Data Protection Act 2018
• Laws of England and Wales

14. Contact Information