Data Processing Agreement (DPA)

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

• Data Controller: The customer organization that has signed up for the Edpire platform ("Customer").
• Data Processor: Edpire ("Processor"), the provider of the assessment digitalization platform, reachable at privacy@edpire.com.

This DPA forms part of the Terms of Service and governs the processing of personal data by Edpire on behalf of the Customer.

2. Subject Matter and Duration

The Processor provides assessment creation, administration, grading, and results reporting services. The Processor will process personal data on behalf of the Controller for the duration of the active service subscription, and will delete or return data within 30 days of subscription termination upon written request.

3. Nature and Purpose of Processing

The Processor processes personal data to:

• Create and manage user accounts for organization administrators, teachers, and learners.
• Administer and deliver digital assessments to learners.
• Record and store learner responses, scores, and grading results.
• Deliver webhook notifications with submission results to customer-configured endpoints.
• Generate aggregated analytics and reports for the Controller.

4. Categories of Personal Data

Edpire does not process special category data (health, biometric, financial, etc.) and customers must not submit such data without prior written agreement.

5. Categories of Data Subjects

• Organization administrators
• Teachers / assessment authors
• Learners / students taking assessments

6. Processor Obligations

Edpire as Processor commits to:

• Process personal data only on documented instructions from the Controller (these Terms and this DPA constitute those instructions).
• Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
• Implement appropriate technical and organizational security measures as described in §7.
• Assist the Controller in responding to data subject rights requests (access, erasure, portability) within reasonable timeframes.
• Notify the Controller within 72 hours of becoming aware of a personal data breach affecting the Controller's data.
• Delete or return all personal data upon termination of the service, at the Controller's choice.
• Make available all information necessary to demonstrate compliance with this DPA and allow for audits upon reasonable notice.

7. Technical & Organizational Security Measures

• All data in transit encrypted using TLS 1.2+
• Passwords hashed using bcrypt; API keys hashed using SHA-256
• Database access restricted to the application layer (no public endpoint)
• Session tokens expire automatically (30-day TTL)
• Assessment answer keys excluded from all client-facing API responses
• Webhook payloads signed with HMAC-SHA256
• Role-based access control for all platform features
• Automated purging of webhook delivery logs after 90 days

8. Sub-Processors

The Controller provides general authorization for Edpire to engage the following sub-processors. Edpire will notify the Controller of any material changes to this list.

All international transfers to the United States are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, or the EU–US Data Privacy Framework where applicable.

9. Controller Obligations

The Controller agrees to:

• Ensure a lawful basis exists for submitting personal data to Edpire.
• Obtain any required consents from learners or their guardians.
• Provide accurate and up-to-date data subject rights requests to Edpire.
• Not submit special category data without prior written agreement.

10. How to Sign This DPA

This DPA is incorporated by reference into the Edpire Terms of Service and takes effect automatically for all customers. If you require a countersigned copy (e.g., for procurement), email privacy@edpire.com with the subject line "DPA Request — [Your Organization Name]".