1. Parties to the Agreement

Collectively referred to as the "Parties" and individually as a "Party".

2. Background and Purpose

2.1. The Controller wishes to use the Processor's language learning platform "Studera.is" (accessible at studera.is) for educational purposes.

2.2. In providing this service, the Processor will process personal data on behalf of the Controller.

2.3. This Data Processing Agreement ("Agreement") sets out the rights and obligations of the Parties regarding the processing of personal data in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2.4. This Agreement is supplementary to and forms part of the Terms of Service for the platform.

3. Definitions

Terms used in this Agreement shall have the meanings given to them in Article 4 of the GDPR. Additionally:

• "Personal Data" means any information relating to an identified or identifiable natural person processed under this Agreement.
• "Data Subjects" means the individuals whose Personal Data is processed, including students, teachers, and staff of the Controller.
• "Services" means the language learning platform and related services provided by the Processor.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

4. Subject Matter and Duration

4.1. Subject Matter: The Processor shall process Personal Data as necessary to provide the language learning Services to the Controller's users (students, teachers, staff).

4.2. Duration: This Agreement shall remain in effect for the duration of the Controller's use of the Services, and shall automatically terminate upon termination of the service relationship.

4.3. Nature of Processing: Collection, storage, organization, retrieval, use, and erasure of Personal Data for the purpose of providing language learning services.

5. Categories of Personal Data

The Processor processes the following categories of Personal Data on behalf of the Controller:

Category	Data Elements	Purpose
Account Data	Email address, display name (optional), hashed password or Google ID	User authentication and account management
Learning Data	Practice scores, exercise attempts, mastery levels, AI feedback text	Track learning progress, power spaced repetition algorithm
Usage Data	Timestamps, session data, language preferences	Provide and improve the service

6. Categories of Data Subjects

The Personal Data processed concerns the following categories of Data Subjects:

• Students of the Controller
• Teachers and educators of the Controller
• Administrative staff of the Controller (if applicable)

7. Obligations of the Processor

The Processor agrees and warrants to:

7.1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.

7.2. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit (HTTPS/TLS)
• Secure password hashing (bcrypt)
• Access controls and authentication
• Regular security updates and monitoring

7.4. Respect the conditions for engaging Sub-processors as set out in Section 9.

7.5. Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.

7.6. Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and information available to the Processor.

7.7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage.

7.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

8. Obligations of the Controller

The Controller agrees and warrants to:

8.1. Ensure that there is a legal basis for the processing of Personal Data, including obtaining any necessary consents from Data Subjects (particularly for students under 16 years of age).

8.2. Provide clear privacy information to Data Subjects about the use of the Services.

8.3. Ensure that any instructions given to the Processor comply with applicable data protection law.

8.4. Notify the Processor promptly of any Data Subject requests that require the Processor's assistance.

8.5. Ensure that users are aware of and comply with acceptable use policies.

9. Sub-processors

9.1. The Controller provides general authorization for the Processor to engage Sub-processors for the processing of Personal Data.

9.2. The Processor currently uses the following Sub-processors:

Sub-processor	Purpose	Location
Google LLC (Gemini AI)	Pronunciation scoring and feedback (text only)	USA (DPF certified)
Google LLC (Web Speech API)	Speech recognition (Chrome/Firefox)	USA (DPF certified)
Microsoft Corporation (Azure)	Speech-to-text, text-to-speech	EU/USA (DPF certified)
Áskell ehf.	Payment processing (if applicable)	Iceland

9.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 14 days.

9.4. The Processor shall ensure that any Sub-processor is bound by data protection obligations no less protective than those set out in this Agreement.

10. International Data Transfers

10.1. Personal Data may be transferred to and processed in the United States by Sub-processors listed in Section 9.

10.2. Such transfers are conducted in compliance with Chapter V of the GDPR through:

• EU-US Data Privacy Framework (DPF) certification of the Sub-processors
• Standard Contractual Clauses where applicable

10.3. The Processor shall inform the Controller if the legal basis for any transfer changes or becomes invalid.

11. Data Subject Rights

11.1. The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under GDPR, including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

11.2. Data Subjects can exercise their right to erasure directly through the platform's account deletion feature.

11.3. The Processor shall notify the Controller without undue delay of any request received directly from a Data Subject.

12. Personal Data Breach

12.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting Controller's data.

12.2. Such notification shall include:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

12.3. The Processor shall cooperate with the Controller in investigating the breach and fulfilling notification obligations under Articles 33 and 34 of the GDPR.

13. Data Retention and Deletion

13.1. Personal Data shall be retained only for as long as necessary for the purposes of providing the Services.

13.2. Upon termination of this Agreement, or upon request by the Controller, the Processor shall:

• Delete all Personal Data within 30 days, or
• Return all Personal Data to the Controller in a commonly used format

13.3. The Controller may request bulk deletion of all user accounts associated with their organization at any time.

14. Audit Rights

14.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement.

14.2. The Processor shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to:

• Reasonable advance notice (minimum 14 days)
• During normal business hours
• Appropriate confidentiality obligations

14.3. The Controller may request documentation of security measures, certifications, or third-party audit reports as an alternative to on-site audits.

15. Liability

15.1. Each Party shall be liable for damages caused by processing that infringes the GDPR or this Agreement, in accordance with Article 82 of the GDPR.

15.2. The Processor's total liability under this Agreement shall be limited to the fees paid by the Controller in the 12 months preceding the claim.

16. Term and Termination

16.1. This Agreement enters into force upon signature by both Parties and remains in effect for the duration of the service relationship.

16.2. Either Party may terminate this Agreement with 30 days written notice.

16.3. Sections 7.7, 12, 13, and 15 shall survive termination of this Agreement.

17. Governing Law and Jurisdiction

17.1. This Agreement shall be governed by the laws of Iceland.

17.2. Any disputes arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of Iceland.

18. Amendments

18.1. This Agreement may only be amended in writing signed by both Parties.

18.2. The Processor may update the list of Sub-processors in accordance with Section 9.3.

19. Entire Agreement

This Agreement, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the Parties regarding data processing and supersedes all prior agreements on this subject.