Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the Terms of Service between Tactile History, Inc. ('Processor') and the school ('Controller'). It satisfies the requirements of GDPR Article 28 and the UK GDPR.

1. Subject matter + duration

  • Subject: the processing of personal data necessary to provide the Tactile History service (license + content + tutor).
  • Duration: the term of the underlying subscription, plus 30 days for return / deletion of data on termination.

2. Nature + purpose of processing

  • The Processor processes personal data only to provide the service described in the Terms.
  • The Processor does not process personal data for any other purpose, including advertising, profiling, or sale.
  • The Processor does not 'further process' the data (GDPR Art. 28(10)) without the Controller's written instruction.

3. Categories of data + data subjects

  • Data subjects: students and educators at the Controller's school.
  • Categories of personal data: device fingerprints, quiz answers, LLM transcripts, school admin email addresses.
  • Special categories: none. The Processor does not knowingly process data revealing racial or ethnic origin, political opinions, religious beliefs, etc.

4. Controller's obligations

  • The Controller is responsible for establishing a lawful basis for processing under GDPR Art. 6 (typically 'legitimate interest' or 'consent' for K-12 education).
  • The Controller warrants that it has the right to share the data with the Processor for the purpose of the service.
  • The Controller is responsible for fulfilling data-subject rights (access, rectification, erasure, etc.); the Processor assists on request.

5. Processor's obligations

  • Process the data only on documented instructions from the Controller (Art. 28(3)(a)).
  • Ensure that persons authorized to process the data are bound by confidentiality (Art. 28(3)(b)).
  • Implement appropriate technical and organizational measures (Art. 32) — see the Security section below.
  • Engage sub-processors only with the Controller's prior written consent (Art. 28(2)) — the list of sub-processors is published above (see the FERPA page).
  • Assist the Controller in fulfilling data-subject rights (Art. 28(3)(e)).
  • On termination, delete or return all personal data (Art. 28(3)(g)).
  • Make available all information necessary to demonstrate compliance (Art. 28(3)(h)).

6. Sub-processors

  • The Controller provides general consent for the use of the sub-processors listed in the FERPA disclosure.
  • The Processor will notify the Controller of any new sub-processor at least 30 days in advance; the Controller may object in writing.
  • The Processor is liable for the acts and omissions of sub-processors as if they were the Processor's own (Art. 28(4)).

7. International transfers

  • The Processor stores and processes data in the United States (Google Cloud us-central1).
  • For transfers from the EEA / UK, the Processor relies on the EU Standard Contractual Clauses (SCCs, 2021/914) and the UK International Data Transfer Addendum.
  • On request, the Processor will execute the SCCs as a separate addendum to this DPA.

8. Security measures

  • Encryption in transit (TLS 1.2+) and at rest.
  • Access controls (least-privilege, role-based).
  • Logging + monitoring (24/7 alerting on suspicious activity).
  • Annual penetration test; SOC 2 Type II report on request.
  • Incident response: 72-hour breach notification to the Controller.

9. Data-subject rights

  • The Processor will assist the Controller in responding to data-subject requests within 30 days.
  • The Processor will not respond directly to data subjects unless instructed by the Controller in writing.

10. Governing law + jurisdiction

This DPA is governed by the laws of Ireland (for EEA Controllers) or England and Wales (for UK Controllers). Disputes are resolved in the courts of Ireland or England and Wales, respectively.

This page is informational; the legally binding DPA is provided to schools as a signed addendum.

Last updated: 2026-06-18.