Data Processing Agreement (DPA)
Pursuant to Art. 28 GDPR
Last updated: February 1, 2026
Preamble
This Data Processing Agreement ("Agreement" or "DPA") specifies the data protection obligations of the contracting parties arising from the service relationship described in the Terms of Service ("Main Agreement").
It applies between:
- the Customer (Teacher, School, or Educational Institution), hereinafter referred to as "Controller", and
- Intelligrade / Kevin Peters, Kevin Peters, Heidehofring 10, 22850 Norderstedt, Germany, hereinafter referred to as "Processor".
1. Subject Matter and Duration
1.1 Subject Matter
The Processor provides services to the Controller in the area of digital exam administration and grading, as described in the Main Agreement. This includes access to personal data of students, parents, and teachers.
1.2 Duration
The term of this Agreement corresponds to the term of the Main Agreement. It ends automatically upon termination of the Main Agreement and the subsequent deletion of all order-related data.
2. Nature and Purpose of Processing
2.1 Nature of Processing
The processing includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. Specifically: Hosting of the platform, storage of student accounts and exam data, automated evaluation (partially AI-supported), provision of results.
2.2 Purpose of Processing
The purpose is the provision of the Intelligrade platform for conducting, managing, and grading exams and assessments on behalf of the Controller.
2.3 Type of Data
The subject of processing includes the following types of data:
- Master Data: Names (or pseudonyms), class affiliation.
- Authentication Data: Passwords (for students/parents), user identifiers.
- Content Data: Exam questions, student answers (free text, multiple choice, etc.), correction notes, ratings, grades.
- Metadata: Timestamps of submissions, processing duration, log files.
2.4 Categories of Data Subjects
- Students
- Parents / Legal Guardians
- Teachers (insofar as their data is processed on behalf of the school)
3. Rights and Obligations of the Controller
3.1 The Controller is solely responsible for compliance with the statutory provisions of data protection laws, in particular for the lawfulness of the data transfer to the Processor and for the lawfulness of the data processing ("Master of the Data").
3.2 The Controller has the right to issue instructions regarding the type, scope, and procedure of data processing. Oral instructions must be confirmed immediately in writing or in text form (e.g., email).
4. Obligations of the Processor
The Processor undertakes to:
4.1 Processing on Instruction: Process data exclusively within the framework of the agreements made and according to the instructions of the Controller, unless required to do so by Union or Member State law to which the Processor is subject (e.g., investigations).
4.2 Confidentiality: Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security: Take all measures required pursuant to Art. 32 GDPR (see Annex 3: TOMs).
4.4 Assistance: Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, DPIA) to the best of its ability.
4.5 Data Subject Rights: Assist the Controller in responding to requests for exercising data subject rights (e.g., access, erasure). If a data subject contacts the Processor directly, the Processor will forward the request to the Controller without delay.
5. Place of Processing
Data processing generally takes place within the European Union (EU) or the European Economic Area (EEA). If data is processed in a third country (e.g., by sub-processors), the Processor ensures that the special requirements of Art. 44 et seq. GDPR are met (e.g., adequacy decision, Standard Contractual Clauses).
6. Sub-processing
6.1 The Controller authorizes the engagement of the sub-processors listed in Annex 2.
6.2 The Processor may engage further sub-processors. The Processor shall inform the Controller in advance of any intended change. The Controller may object to such changes.
6.3 Contractual agreements are made with sub-processors that guarantee a level of data protection equivalent to that of this Agreement.
7. Deletion and Return
Upon completion of the provision of processing services or upon request by the Controller, the Processor shall, at the choice of the Controller, either delete or return all personal data, unless there is a legal obligation to store the data.
Annex 1: Specification of Processing
See Section 2 of this Agreement.
Annex 2: Sub-processors
The Controller agrees to the engagement of the following service providers:
| Service Provider | Location | Service | Data Protection Guarantee |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Hosting, Databases, Infrastructure | Server location Germany, ISO 27001 certified |
| Mistral AI | France (EU) | AI-supported text analysis & grading | Server location EU, GDPR compliant |
| Brevo (formerly Sendinblue) | France (EU) | Transactional email sending (notifications) | Server location EU, GDPR compliant |
| **Creem (Armitage Labs OÜ) ** | Estonia (EU) | Payment processing & Merchant of record (Pro subscriptions) | Company based in Estonia |
Note: Creem acts as a merchant of record for our Pro subscription. The processing of payment data is carried out exclusively to fulfill the contract and is subject to Creem's privacy policy.
Annex 3: Technical and Organizational Measures (TOMs)
The Processor implements the following measures to ensure the security of processing:
1. Confidentiality (Art. 32 (1) (b) GDPR)
- Physical Access Control: No physical access to server rooms by unauthorized persons (ensured by hosting provider Hetzner).
- System Access Control: Secure passwords for administrative access, no storage of passwords in plain text (hashing via Argon2/Bcrypt or similar).
- Data Access Control: Authorization concepts, access to data only for authorized personnel for troubleshooting or maintenance.
- Separation Control: Logical separation of tenant data in the database (multi-tenancy architecture).
2. Integrity (Art. 32 (1) (b) GDPR)
- Transmission Control: Encryption of data transmission (TLS/SSL) during transport over public networks.
- Input Control: Logging of inputs and changes in the system (audit logs for critical actions).
3. Availability and Resilience (Art. 32 (1) (b) GDPR)
- Availability Control: Automated backups of databases are performed approximately every 24 hours and stored on separate systems. Protection against DDoS attacks is provided by the hosting provider.
- Recoverability: Processes for timely restoration of availability after physical or technical incidents. In the event of data loss, recovery will be attempted from the most recent available backup.
- Backup Limitations: Due to the nature of backup processes, data created or modified between the last backup and a system failure may not be recoverable. The Processor does not guarantee that all data can be recovered in all circumstances. Data loss may occur due to technical failures, infrastructure issues, misconfigurations, or other unforeseen events beyond the Processor's reasonable control.
- Data Export Recommendation: The Controller is strongly encouraged to regularly export data using the JSON backup functionality available in the account settings and to maintain independent records of critical data.
4. Procedures for Regular Testing (Art. 32 (1) (d) GDPR)
- Data Protection Management: Regular review of security measures and adaptation to the state of the art.
- Order Control: Selection of sub-processors according to due diligence criteria.
- Privacy by Design: Data minimization when developing new features (e.g., AI grading only with anonymized/pseudonymized text fragments where possible).