This Data Processing Addendum (“DPA”) forms part of the agreement between SomePass (“Processor”) and the educational institution / organization operating a workspace (“Controller”), regarding the processing of personal data under the Services (the “Services”).
1. Definitions
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Supervisory Authority” have the meanings set out in the GDPR.
“Workspace Data” means Personal Data processed on behalf of the Controller within a workspace, such as learner/student data, instructor data, content and submissions, assessment artifacts (feedback, rubrics), and technical logs necessary to provide, secure, and operate the Services.
2. Subject-matter, scope and duration
- Subject-matter: provision of the Services (learning workflows, collaboration, hosting of content and deliverables, access control, evaluation artifacts).
- Scope: Processing is performed only for workspace operations configured or initiated by the Controller (admins/instructors) and the Controller’s users.
- Duration: for the term of the Services agreement, plus limited periods for deletion/return and backups as described in section 9.
3. Processor obligations
- Process Workspace Data only on documented instructions from the Controller (including configuration and admin actions in the workspace).
- Ensure persons authorized to process Workspace Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures (“TOMs”) to protect Workspace Data (see Annex 2).
- Assist the Controller in fulfilling GDPR obligations (Articles 32–36) as reasonably required given the nature of processing and available tools.
- Notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Workspace Data (see section 8).
- Make available information necessary to demonstrate compliance and allow audits as described in section 10.
4. Controller obligations
- Ensure a valid legal basis for processing and provide required notices to learners/staff and other users.
- Ensure data minimization and avoid uploading special categories of data unless strictly necessary and lawful.
- Manage permissions, access, and user lifecycle (invites, role assignment, revocation) within the workspace.
- Use the Services in compliance with applicable data protection and education laws.
5. Confidentiality
Processor ensures that persons authorized to process Workspace Data are under an appropriate duty of confidentiality, whether contractual or statutory.
6. Subprocessors
The Controller grants a general authorization for the Processor to engage subprocessors as necessary to provide the Services. The Processor remains responsible for each subprocessor’s performance of its obligations.
The Processor will maintain an up-to-date list of subprocessors (Annex 3) and will provide notice of material changes where reasonably possible. If the Controller objects to a new subprocessor on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If no resolution is feasible, the Controller may terminate the affected part of the Services in accordance with the main agreement.
7. International transfers
Processing is hosted in France. Where a subprocessor processes Workspace Data outside the EEA/UK/Switzerland (as applicable), Processor will implement appropriate safeguards (e.g., adequacy decision and/or Standard Contractual Clauses), and additional measures where required by law.
8. Incident response & breach notification
- Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Workspace Data.
- Notification will include (to the extent available): nature of breach, categories and approximate number of data subjects and records affected, likely consequences, and remediation steps taken or proposed.
- Controller is responsible for any regulatory notifications and communications to data subjects unless otherwise agreed in writing.
9. Deletion / return of Workspace Data
Upon termination or expiry of the Services, Processor will, at the Controller’s choice and where technically feasible: (a) return Workspace Data; and/or (b) delete Workspace Data.
Processor may retain Workspace Data where required by law, or where data remains in secure backups for a limited retention period, during which it is isolated and protected and not processed further except for restoration testing or security purposes.
10. Audit & compliance support
Processor will provide reasonable information necessary to demonstrate compliance with this DPA and Article 28 GDPR. Where possible, audits will be satisfied through documentation, written responses, and security reports.
If an on-site audit is required, it must be: (i) pre-scheduled with reasonable notice, (ii) limited in scope to Workspace Data processing, (iii) conducted during business hours, (iv) subject to confidentiality, and (v) not unreasonably disruptive.
11. Assistance with data subject requests
Processor will provide reasonable assistance to enable the Controller to respond to requests to exercise data subject rights (access, rectification, deletion, restriction, portability, objection), taking into account the nature of processing and available tools. Requests can be initiated via the privacy request form.
12. Liability
Liability under this DPA follows the main agreement, subject to mandatory data protection law.
Annex 1 — Processing details
- Categories of data subjects: learners/students, instructors/teachers, workspace admins, invited partners and reviewers (as applicable).
- Categories of Personal Data: identifiers (name, email, username), role and affiliation, workspace participation and activity data, course/project content and submissions, deliverables and attachments, assessment artifacts (rubrics, feedback, grades if enabled), audit/security logs necessary to operate the Services.
- Special categories of data: not intended. Controller should avoid uploading special categories unless strictly necessary and lawful.
- Processing operations: hosting, storage, retrieval, display, collaboration features, access control, backups, security monitoring, support troubleshooting (as instructed).
- Frequency of processing: continuous during use of the Services.
Annex 2 — Technical & organizational measures (TOMs)
| Area | Measures |
|---|---|
| Access control | Role-based access control (RBAC), least privilege, admin-managed invitations, separation between workspaces/tenants. |
| Encryption | TLS in transit; encryption at rest where supported by infrastructure/storage layers; secrets managed securely. |
| Logging & monitoring | Security and audit logs to detect abuse, investigate incidents, and support operational troubleshooting. |
| Backups | Regular backups; restricted access; retention limits; restoration procedures; secure disposal. |
| Secure development | Code reviews, dependency management, vulnerability remediation process, environment separation (dev/staging/prod as applicable). |
| Incident response | Triage, containment, remediation, communications workflow, post-incident review and corrective actions. |
| Business continuity | Operational procedures for service recovery; backup validation; change management for critical components. |
Annex 3 — Subprocessors
Subprocessors are engaged under written agreements with data protection obligations. Locations may vary by region/configuration.
| Subprocessor | Purpose | Location |
|---|---|---|
| OVHcloud | Hosting infrastructure (compute, databases, storage), backups | EU / Global |
| Cloudflare, Inc. | DNS, CDN, WAF / DDoS protection, performance & security (limited technical logs) | Global |
| Postmark | Transactional email delivery (account emails, notifications) | US / Global |
| Airwallex | Payment processing (billing, invoicing, fraud prevention) | Global |