Data Processing Agreement

This Data Processing Agreement (DPA) governs the processing of personal data by Klasstra on behalf of educational institutions using our services.

Effective Date: October 25, 2025

Agreement Overview

Key terms and commitments under this Data Processing Agreement.

Parties and Roles

Data Controller

The educational institution or organization that uses Klasstra services.

  • Determines purposes and means of processing
  • Ensures legal basis for processing
  • Provides processing instructions
  • Handles data subject rights requests

Data Processor

Klasstra processes personal data on behalf of the Controller.

  • Processes data only on documented instructions
  • Implements appropriate security measures
  • Assists with data subject rights
  • Notifies of any data breaches

Processing Purposes

Klasstra processes personal data solely for the following purposes as instructed by the Controller:

Primary Purposes

  • Student information management
  • Academic records and performance tracking
  • Communication facilitation
  • Administrative operations

Support Purposes

  • Platform maintenance and support
  • Security monitoring and incident response
  • Service improvement and optimization
  • Legal compliance and regulatory requirements

Categories of Personal Data

Types of personal data that may be processed under this agreement.

Student Information

Personal data of students including enrollment, academic records, and attendance.

Examples:

  • Names and contact details
  • Academic performance
  • Attendance records
  • Health information

Staff Data

Information about teachers, administrators, and other educational staff.

Examples:

  • Employee records
  • Qualifications
  • Performance data
  • Contact information

Administrative Data

Institutional data necessary for system administration and operation.

Examples:

  • User accounts
  • System logs
  • Configuration data
  • Usage analytics

Financial Information

Payment and billing information for educational services.

Examples:

  • Fee payments
  • Financial aid records
  • Billing information
  • Transaction history

Security Safeguards

Technical and organizational measures implemented to protect personal data.

Technical Measures

Access Control

  • Multi-factor authentication for all user accounts
  • Role-based access control with principle of least privilege
  • Regular access reviews and deprovisioning procedures
  • Secure authentication and session management

Data Security

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • End-to-end encryption for sensitive communications
  • Secure key management and regular key rotation

Infrastructure

  • ISO 27001 certified data centers
  • Network segmentation and firewalls
  • Intrusion detection and prevention systems
  • Regular security patching and updates

Monitoring

  • Continuous security monitoring and alerting
  • Comprehensive audit logging and retention
  • 24/7 security operations center (SOC)
  • Regular penetration testing and vulnerability assessments

Organizational Measures

Governance

  • Appointment of Data Protection Officer (DPO)
  • Privacy by Design and by Default implementation
  • Data protection impact assessments (DPIAs)
  • Regular privacy compliance audits

Personnel

  • Background checks for all personnel with data access
  • Mandatory data protection training for all staff
  • Confidentiality agreements and data handling policies
  • Regular security awareness training and updates

Incident Response

  • Documented incident response procedures
  • Data breach notification within 72 hours
  • Regular incident response drills and testing
  • Coordination with data protection authorities

Business Continuity

  • Automated daily backups with encryption
  • Disaster recovery and business continuity plans
  • Regular backup testing and restoration procedures
  • Geographic redundancy and failover systems

Sub-processors

Third-party service providers authorized to process personal data.

Sub-processor Authorization

The Controller authorizes Klasstra to engage sub-processors for specific processing activities, subject to the following conditions:

  • Sub-processors must provide equivalent data protection guarantees
  • Written agreements must be in place with appropriate safeguards
  • Controllers will be notified of any changes to sub-processors
  • Klasstra remains fully liable for sub-processor performance

Current Sub-processors

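Service Provider    | Service Type         | Data Location | Safeguards
--------------------|----------------------|---------------|------------------------
Amazon Web Services | Cloud Infrastructure | EU/US         | SCCs, Adequacy Decision
Stripe              | Payment Processing   | Global        | SCCs, Certification
Zendesk             | Customer Support     | EU/US         | SCCs, BCRs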

Data Subject Rights Assistance

How Klasstra assists Controllers in fulfilling data subject rights requests.

Our Commitments

  • Assist with data subject access requests within 7 days
  • Implement data rectification and deletion requests promptly
  • Provide data portability in standard formats
  • Restrict processing when requested and legally required

Request Process

  1. Controller receives request: Data subject contacts Controller directly
  2. Controller forwards to Klasstra: Using our dedicated support channel
  3. Klasstra processes request: Within agreed timeframes
  4. Response provided: Controller communicates to data subject

Data Breach Notification

Our commitment to prompt breach notification and incident response.

Notification Timeline

  • Immediate: Detection & Assessment (within 1 hour of discovery)
  • 24 Hours: Controller Notification (full details and impact assessment)
  • 72 Hours: Authority Notification (assist Controller with regulatory filing)

Notification Content

  • Nature and scope of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences and potential impact
  • Measures taken to address the breach
  • Recommendations for Controller actions
  • Contact information for further details

DPA Contact Information

For questions or requests related to this Data Processing Agreement.

Legal Team

Contract terms, amendments, and legal inquiries

Contact Legal

Data Protection Officer

Privacy matters and data protection compliance

Contact DPO

Account Management

Service-related questions and support requests

Contact Support

This Data Processing Agreement is incorporated by reference into our Terms of Service and forms part of the overall agreement between Klasstra and our customers. For the most current version of this DPA, please visit this page or contact our legal team.