Data Processing Agreement (DPA)

Last updated: January 15, 2025

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between SuperML.org (“SuperML”, “we”, “us”, or “our”) and our users (“you” or “your”). This DPA governs the processing of personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: The entity that processes personal data on behalf of the controller.

Data Subject: The individual whose personal data is being processed.

Processing: Any operation performed on personal data.

3. Scope and Application

3.1 Applicability

This DPA applies when:

  • SuperML processes personal data on your behalf as a data processor
  • You are a data controller using our services
  • Personal data of EU residents is involved

3.2 Relationship Between Parties

  • You (Data Controller): Determine the purposes and means of processing
  • SuperML (Data Processor): Process personal data only on your documented instructions

4. Data Processing Details

4.1 Categories of Data Subjects

  • Website visitors and users
  • Course participants and students
  • Newsletter subscribers
  • Support ticket submitters

4.2 Categories of Personal Data

  • Contact Information: Names, email addresses
  • Technical Data: IP addresses, browser information, device identifiers
  • Usage Data: Learning progress, course interactions, preferences
  • Communication Data: Support messages, feedback, comments

4.3 Processing Operations

  • Collection and storage of personal data
  • Analysis of user behavior and engagement
  • Communication with users (emails, notifications)
  • Provision of personalized learning experiences
  • Technical support and customer service

5. Obligations of SuperML (Data Processor)

5.1 Processing Instructions

We will:

  • Process personal data only on your documented instructions
  • Immediately inform you if we believe any instruction violates GDPR
  • Not process data for our own purposes without your consent

5.2 Confidentiality

We ensure that:

  • All personnel with access to personal data are bound by confidentiality agreements
  • Access to personal data is limited to authorized personnel only
  • Regular training on data protection is provided to relevant staff

5.3 Data Security

We implement appropriate technical and organizational measures:

Technical Measures

  • Encryption: Data encrypted at rest and in transit using industry-standard protocols
  • Access Controls: Multi-factor authentication and role-based access
  • Network Security: Firewalls, intrusion detection systems, and regular security monitoring
  • Backup and Recovery: Secure backup procedures with encrypted storage

Organizational Measures

  • Security Policies: Comprehensive data protection and security policies
  • Staff Training: Regular training on GDPR compliance and data security
  • Incident Response: Documented procedures for security breach response
  • Vendor Management: Due diligence on all third-party service providers

5.4 International Transfers

When transferring data outside the EU:

  • We ensure adequate protection through approved mechanisms
  • Standard Contractual Clauses (SCCs) are used where applicable
  • We provide you with details of any transfers and safeguards

6. Your Obligations (Data Controller)

You must:

  • Ensure you have a lawful basis for processing under GDPR
  • Obtain necessary consents from data subjects where required
  • Provide clear and transparent privacy notices

6.2 Instructions and Compliance

You are responsible for:

  • Providing clear, documented processing instructions
  • Ensuring compliance with your local data protection laws
  • Responding to data subject requests within legal timeframes

6.3 Data Accuracy

You must:

  • Ensure personal data is accurate and up-to-date
  • Notify us of any corrections or updates required
  • Take reasonable steps to erase or rectify inaccurate data

7. Sub-Processing

7.1 Authorized Sub-Processors

We may engage the following categories of sub-processors:

  • Cloud Storage Providers: For secure data hosting and backup
  • Analytics Services: For website and application analytics
  • Email Service Providers: For communication and marketing services
  • Support Tools: For customer service and technical support

7.2 Current Sub-Processors

Sub-ProcessorServiceLocationSafeguards
AWSCloud hostingEU/USDPA + SCCs
Google AnalyticsWebsite analyticsGlobalPrivacy Shield successor
MailchimpEmail servicesUSDPA + SCCs
IntercomCustomer supportEU/USDPA + SCCs

7.3 Sub-Processor Changes

  • We will notify you at least 30 days before adding new sub-processors
  • You may object to new sub-processors on reasonable grounds
  • If objection cannot be resolved, you may terminate the relevant service

7.4 Sub-Processor Obligations

We ensure all sub-processors:

  • Are bound by data protection obligations equivalent to this DPA
  • Implement appropriate technical and organizational measures
  • Provide necessary cooperation for audits and inspections

8. Data Subject Rights

8.1 Assistance with Rights Requests

We will assist you in fulfilling data subject rights:

  • Access: Provide access to personal data and processing information
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Delete data when legally required
  • Restriction: Limit processing under certain circumstances
  • Portability: Provide data in structured, machine-readable format
  • Objection: Stop processing for legitimate interests or marketing

8.2 Response Timeframes

  • We will respond to your requests within 72 hours
  • Technical implementation may take up to 30 days depending on complexity
  • We will provide regular updates on progress

8.3 Verification Procedures

  • We may require verification of data subject identity
  • Requests must be submitted through designated channels
  • We will document all rights requests and responses

9. Personal Data Breaches

9.1 Notification Requirements

In case of a personal data breach:

  • We will notify you within 24 hours of becoming aware
  • Notification will include all available information about the breach
  • We will provide regular updates as investigation progresses

9.2 Breach Information

Our notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9.3 Assistance with Breach Response

We will:

  • Provide all necessary information for your breach assessment
  • Assist with notifications to supervisory authorities if required
  • Support communication with affected data subjects
  • Implement additional safeguards to prevent future breaches

10. Data Protection Impact Assessments (DPIA)

10.1 DPIA Support

When you are required to conduct a DPIA, we will:

  • Provide information about our processing operations
  • Describe technical and organizational measures in place
  • Assess risks associated with our processing activities
  • Suggest additional safeguards if needed

10.2 High-Risk Processing

If processing is likely to result in high risk to data subjects:

  • We will work with you to conduct a thorough DPIA
  • Additional safeguards may be implemented
  • We may engage data protection experts for consultation

11. Audits and Compliance

11.1 Audit Rights

You have the right to:

  • Conduct audits of our data processing activities
  • Review our compliance with this DPA
  • Access relevant documentation and evidence

11.2 Audit Procedures

  • Audits must be conducted during business hours with reasonable notice
  • We may charge reasonable costs for extensive audits
  • Alternative compliance demonstrations may be accepted (certifications, third-party reports)

11.3 Compliance Documentation

We maintain:

  • Records of all processing activities
  • Documentation of technical and organizational measures
  • Evidence of staff training and awareness programs
  • Incident logs and breach response records

12. Data Deletion and Return

12.1 End of Processing

At the end of our relationship:

  • We will return or delete all personal data as instructed
  • Secure deletion procedures will be followed
  • Certificates of deletion can be provided upon request

We may retain data only when:

  • Required by applicable law or regulation
  • Necessary for establishment, exercise, or defense of legal claims
  • Subject to appropriate safeguards and limited access

12.3 Backup Data

  • Backup data will be deleted according to standard retention periods
  • We will ensure backups cannot be restored for processing purposes
  • Secure deletion procedures apply to all backup systems

13. Liability and Indemnification

13.1 Limitation of Liability

  • Our liability is limited as set forth in the main Terms of Service
  • Each party is liable only for its own violations of data protection law
  • We are not liable for your failure to comply with controller obligations

13.2 Indemnification

We will indemnify you against:

  • Claims arising from our violation of this DPA
  • Unauthorized processing of personal data by us
  • Breach of security measures under our control

14. Governing Law and Jurisdiction

14.1 Applicable Law

This DPA is governed by:

  • The law of the jurisdiction where you are established
  • GDPR where applicable
  • Other applicable data protection regulations

14.2 Dispute Resolution

  • Disputes will be resolved through good faith negotiations
  • Mediation may be pursued before formal legal proceedings
  • Courts of competent jurisdiction will have authority over unresolved disputes

15. Term and Termination

15.1 Duration

This DPA:

  • Remains in effect while we process personal data on your behalf
  • Survives termination of the main Terms of Service
  • May be updated to reflect legal or operational changes

15.2 Termination Rights

Either party may terminate if:

  • The other party materially breaches this DPA
  • Continued processing would violate applicable law
  • Required by a supervisory authority order

16. Updates and Amendments

16.1 DPA Updates

We may update this DPA to:

  • Reflect changes in applicable laws
  • Incorporate new processing activities
  • Improve security and compliance measures

16.2 Notification of Changes

  • Material changes will be communicated 60 days in advance
  • You may terminate services if you object to changes
  • Continued use constitutes acceptance of updates

17. Contact Information

For DPA-related inquiries:

Data Protection Officer
Email: dpo@superml.org
Address: [Your Business Address]

Legal Department
Email: legal@superml.org
Phone: [Your Phone Number]

EU Representative (if applicable)
[EU Representative Details]

This DPA demonstrates our commitment to GDPR compliance and protecting the personal data entrusted to us. We regularly review and update our practices to maintain the highest standards of data protection.