Data Processing Agreement

The Data Processor provides managed Moodle LMS hosting services to the Data Controller. In the course of delivering these services, the Data Processor processes Personal Data on behalf of the Data Controller.

The categories of Personal Data processed may include:

• a.User account information (names, email addresses, usernames)
• b.Course enrollment and completion records
• c.User activity logs and learning analytics
• d.Assessment submissions and grades
• e.User-generated content (forum posts, assignments, messages)
• f.Authentication and access control data
• g.Any other personal data entered into the Moodle LMS by the Data Controller or its users

The data subjects may include the Data Controller's students, learners, educators, administrators, and other users of the Moodle LMS platform.

Processing is carried out for the duration of the Service Agreement and for the purposes of providing the hosted Moodle LMS services as described in the Service Agreement.

The Data Processor shall:

• a.Process Personal Data only on documented instructions from the Data Controller, unless required by applicable law
• b.Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations
• c.Implement appropriate technical and organizational security measures, including encryption of data in transit and at rest, access controls, regular security updates, and intrusion detection systems
• d.Respect the conditions for engaging Sub-processors as set out in this DPA
• e.Assist the Data Controller in responding to data subject requests to exercise their rights under applicable data protection law
• f.Assist the Data Controller in ensuring compliance with obligations related to security, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities
• g.At the Data Controller's choice, delete or return all Personal Data upon termination of the Service Agreement, unless retention is required by applicable law
• h.Make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in this DPA

The Data Controller has the right to:

• a.Issue documented instructions regarding the processing of Personal Data
• b.Request access to and copies of Personal Data processed on its behalf
• c.Request the correction, deletion, or restriction of processing of Personal Data
• d.Conduct audits or inspections, either directly or through an appointed third-party auditor, to verify the Data Processor's compliance with this DPA, subject to reasonable notice and confidentiality obligations
• e.Be informed of any Sub-processors engaged by the Data Processor and object to the appointment of new Sub-processors
• f.Receive prompt notification of any Data Breach affecting Personal Data processed under this DPA

The Data Controller provides general authorization for the Data Processor to engage Sub-processors for the delivery of the services. The Data Processor shall inform the Data Controller of any intended changes to its Sub-processors and provide the Data Controller with an opportunity to object.

The Data Processor currently engages the following categories of Sub-processors:

• a.Hetzner Online GmbH (infrastructure hosting provider, data centers located in the European Union and the United States)
• b.Support and communication tools used for providing customer assistance
• c.Monitoring and security services to maintain platform availability and integrity

The Data Processor shall impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA. The Data Processor remains liable for the acts and omissions of its Sub-processors.

In the event of a Data Breach, the Data Processor shall:

• a.Notify the Data Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach
• b.Provide the Data Controller with sufficient information to enable the Data Controller to meet its obligations to report the breach to the relevant supervisory authority and affected data subjects
• c.Cooperate with the Data Controller and take reasonable steps to investigate, mitigate, and remediate the Data Breach
• d.Document the Data Breach, including its effects and the remedial actions taken

The notification shall include, where possible, the nature of the Data Breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

The Data Processor implements and maintains the following technical and organizational security measures to protect Personal Data:

• a.Encryption of data in transit (TLS/SSL) and at rest
• b.Access controls and authentication mechanisms, including role-based access
• c.Regular backups with encrypted storage
• d.Firewalls, intrusion detection, and DDoS protection
• e.Regular security patches and software updates
• f.Logging and monitoring of access to Personal Data
• g.Physical security measures at data center facilities
• h.Employee training on data protection and information security