Data Processing Agreement
Effective Date: July 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Skedum ("Processor") and the customer using the Services ("Controller").
This DPA applies where the Controller is subject to applicable Data Protection Laws and Skedum processes Personal Data on the Controller's behalf.
1. Definitions
Unless otherwise defined in the Terms of Service:
- Controller means the customer that determines the purposes and means of processing Personal Data.
- Processor means Skedum.
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing means has the meaning given by applicable Data Protection Laws.
- Subprocessor means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Data Protection Laws means all applicable laws governing the processing of Personal Data, including the GDPR where applicable.
2. Scope of Processing
Processor processes Personal Data only:
The Controller is responsible for determining whether its use of the Services complies with applicable Data Protection Laws.
- to provide the Services;
- on behalf of the Controller;
- in accordance with this DPA and the Terms of Service.
3. Controller Responsibilities
The Controller is responsible for:
The Controller shall not use the Services to process Special Categories of Personal Data under Article 9 GDPR unless expressly permitted by Processor.
- ensuring it has an appropriate legal basis for processing Personal Data;
- providing any required notices to data subjects;
- responding to requests from data subjects unless otherwise required by law.
4. Processor Obligations
Processor shall:
- process Personal Data only as necessary to provide the Services;
- implement appropriate technical and organizational measures appropriate to the nature of the Services;
- ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
5. Security
Processor maintains reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
The current security measures are described in Annex II.
Processor may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection.
6. Subprocessors
Controller authorizes Processor to engage Subprocessors for the provision of the Services.
Processor shall:
The current list of Subprocessors is provided in Annex III.
- maintain a current list of Subprocessors;
- require Subprocessors to protect Personal Data through written contractual obligations appropriate to the services they provide;
- remain responsible for the performance of its Subprocessors as required by applicable law.
7. International Transfers
Where Personal Data is transferred outside the European Economic Area or another jurisdiction requiring transfer safeguards, Processor shall rely on an appropriate transfer mechanism under applicable Data Protection Laws.
8. Assistance
Taking into account the nature of the Processing, Processor will provide reasonable assistance to the Controller in responding to requests from data subjects where reasonably possible.
9. Personal Data Breaches
Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
10. Deletion
Upon termination of the Services, Personal Data will be deleted in accordance with the Terms of Service and Processor's retention practices, unless retention is required by law or reasonably necessary for backup recovery.
11. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service, except where such limitations are prohibited by applicable law.
12. Governing Law
This DPA is governed by the same law and jurisdiction specified in the Terms of Service.
Annex I - Processing Details
Controller
The Customer.
Processor
Skedum.
Categories of Data Subjects
- Teachers
- Students
- Parents and legal guardians
- Contacts added by the Controller
Categories of Personal Data
- Names
- Email addresses
- Phone numbers
- Billing information
- Payment instructions
- Lesson schedules
- Attendance records
- Invoice data
- Payment records
- User account information
- IP addresses
Purposes of Processing
- Providing lesson scheduling and student management services
- Tracking attendance and lesson history
- Generating and delivering invoices
- Tracking payments and account balances
- Sending reminders and transactional notifications
- Subscription management and payment processing
- Providing customer support
- Maintaining platform security, fraud prevention, and service reliability
- Complying with legal obligations
Duration
For the duration of the Customer's use of the Services.
Annex II - Security Measures
Processor maintains security measures including:
- Encryption of data in transit using HTTPS/TLS
- Encryption at rest provided by infrastructure providers where available
- Authentication and access controls
- Principle of least privilege for administrative access
- Secure storage of secrets and credentials
- Logging and monitoring of operational events
- Regular software updates
- Backup and recovery procedures
Annex III - Subprocessors
| Provider | Purpose |
|---|---|
| Cloudflare | Hosting, databases, object storage, CDN, infrastructure and security services |
| Postmark | Transactional email delivery |
| Bird | One-time verification code delivery |
| Lemon Squeezy | Subscription management, billing, payment processing, and tax collection |
| GitHub | Source code hosting, CI/CD automation, and backup workflow execution |
| Encrypted backup storage |