Data Processing Agreement

Effective Date: 02.07.2025

Last Updated: 02.07.2025

This Data Processing Agreement (“DPA”) is entered into by and between EdTech Plus B.V. (“Nebius Academy” or “the Processor”), with its registered office at Gustav Mahlerlaan 300, 1082 ME, Amsterdam, the Netherlands, and the Company (“Company”), in connection with Nebius Academy’s provision of Services under the applicable Company Agreement (“Agreement”). Processor and Company each are a “Party” and together the “Parties”.

By the Company’s online acceptance, the Parties agree that this DPA forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail solely with respect to the processing of Personal Data.

1. Definitions

1.1. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. Terms defined in this DPA have the following meanings:

1.2. “Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this DPA, including, where applicable:

  • the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”);
  • the “UK GDPR” (as incorporated into UK law by the Data Protection Act 2018 and related UK legislation);
  • the Swiss Federal Act on Data Protection of 19 June 1992 (as revised on 25 September 2020, “FADP”);
  • the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as amended (including the California Privacy Rights Act, “CCPA”);
  • any other sector-specific or jurisdictional data-protection or privacy laws that apply to the collection, use, disclosure, retention or other Processing of Personal Data.

1.3. The terms “Controller”, “Processor”, “Sub-Processor”, “Processing”, “Personal Data”, “Data Subject”, “Supervisory Authority”, “Personal Data Breach”, and “Member State” have the meanings given in the GDPR.

The terms “Personal information”, “Business”, “Business Purpose”, and “Consumer” have the meanings given in the CCPA.

1.4. “Services” means the services that Nebius Academy provides to the Company under the Agreement.

1.5. “Standard Contractual Clauses” means the EU Standard Contractual Clauses for transfer of Personal Data, as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Roles

2.1. When processing Personal Data under Applicable Data Protection Law, Nebius Academy shall act as Processor on behalf of the Company (which may act either as a Controller or a Processor), and Nebius Academy may engage Sub-processors in accordance with this DPA. For purposes of the CCPA, Nebius Academy shall be deemed a "Service Provider" and the Company a "Business".

3. Nebius Academy’s Obligations and Compliance with Applicable Law

3.1. Compliance and Instructions

When processing Personal Data under Applicable Data Protection Law, Nebius Academy shall:

  1. comply with all Applicable Data Protection Law(s);
  2. process Personal Data only on the Company’s documented instructions; and
  3. process Personal Data solely for the purposes authorized by the Company.

If Nebius Academy is subject to a legal requirement under the European Union or a Member-State law that compels processing beyond the Company’s instructions, Nebius Academy will notify the Company in advance, unless prohibited by that law.

3.2. Security Measures

Nebius Academy implements and maintains appropriate technical and organizational measures to protect Personal Data. A summary of these measures is provided in Annex 3.

3.3. Confidentiality

All Nebius Academy personnel and contractors with access to Personal Data are bound by confidentiality obligations consistent with this DPA.

3.4. Sub-processors

Nebius Academy may engage Sub-processors to assist with the Services. Any Sub-processor will be bound by data-protection obligations at least as protective as those in this DPA. A current list of Sub-processors appears in Annex 1.

3.5. Notification of Sub-processor Changes

Nebius Academy will inform the Company at least ten (10) days before adding or replacing a Sub-processor. The Company may object in writing on reasonable data-protection grounds. If the Parties cannot resolve the objection within that period, the Company may terminate the affected Services without penalty, subject only to payment for Services already rendered.

3.6. Personal Data Breaches

Nebius Academy will notify the Company without undue delay upon becoming aware of any Personal Data Breach affecting Company Data. Nebius Academy will provide all information and assistance reasonably necessary for the Company to fulfil its breach-notification obligations under Applicable Data Protection Law.

3.7. Deletion or Return of Personal Data

Upon expiration or termination of the Services, Nebius Academy will, at the Company’s choice, delete or return all Personal Data processed on the Company’s behalf. Nebius Academy may retain Personal Data only to the extent required by law, and solely for as long as legally mandated.

3.8. Data Subject Requests. If Nebius Academy receives any request from a Data Subject relating to the Processing of Personal Data processed on behalf of the Company, Nebius Academy will promptly forward it to the Company and take no further action unless instructed by the Company. The Company is solely responsible for responding to such requests.

4. Company’s Obligations

4.1. Compliance with Laws. 

The Company shall:

  1. comply with all Applicable Data Protection Laws in respect of its Processing of Personal Data and the Instructions it issues to Nebius Academy; and
  2. promptly notify Nebius Academy if the Company becomes unable to comply with any of its obligations under Applicable Data Protection Law.

4.2. Security. The Company is responsible for:

(a) Using the Services in a secure manner; and

(b) Assessing and determining whether the security measures provided by Nebius Academy meet the Company’s own obligations under Applicable Data Protection Law.

5. Controls, Audits, and Reporting

5.1. Reports. Upon the Company’s request, Nebius Academy shall assist the Company in demonstrating compliance with Articles 32-36 of the GDPR. In addition, once per calendar year and upon written request, Nebius Academy will deliver a self-assessment report detailing its adherence to this DPA and applicable laws. This report will cover all processing activities carried out by Nebius Academy during the preceding calendar year.

5.2. Audits. Nebius Academy shall permit an independent, suitably qualified auditor appointed by the Company to inspect Nebius Academy’s facilities and records to verify compliance with this DPA. Such inspections require at least 30 (thirty) days' prior written notice and may occur no more than once in any calendar year.

5.3. Costs. Nebius Academy may charge the Company for any reasonable additional expenses incurred in fulfilling the obligations set forth in this Section 5.

6. Cross-Border Data Transfers and Processing Location

6.1. Processing Location. Nebius Academy will process the Company’s Personal Data within the geographic region selected by the Company.

6.2. Transfers under Adequacy Decisions. Personal Data may be transferred from the EEA, the United Kingdom, or Switzerland to any jurisdiction that has been recognized as providing an adequate level of data protection by the European Commission, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner (together “Adequacy Decisions”) without requiring additional safeguards.

6.3. Standard Contractual Clauses. The EU Standard Contractual Clauses are incorporated into and form part of this Agreement by reference. A copy of those clauses is annexed hereto as Annex 2.

7. General Provisions

7.1. Severability. If any provision of this DPA is held to be invalid or unenforceable, that determination shall not affect the validity or enforceability of any other provision.

7.2. Limitation of Liability. The liability of each Party – and of their respective Affiliates – under or in connection with this DPA shall be subject to the limitations and exclusions set forth in the Agreement.

7.3. Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the laws of the Netherlands. The Parties agree that the courts of Amsterdam shall have exclusive jurisdiction to resolve any disputes arising out of or in connection with this DPA.

ANNEX 1 - Details of the Processing

Nature and Purpose of Processing:

  1. Providing the Services to the Company;
  2. Performing the Services as set out in the Agreement and this DPA, including handling any Company requests;
  3. Acting on the Company’s written instructions in accordance with the Agreement;
  4. Ensuring adherence to all applicable laws, regulations and the terms of this DPA.

Duration of Processing

The Processor shall process Personal Data for the term of the Agreement and shall retain such data for thirty (30) days following its termination, unless otherwise agreed in writing.

Categories of Data Subjects:

Company’s employees or other natural persons designated by the Company (Company’s users)

Categories of Personal Data. Categories of personal data processed:

Typically, these include the following categories of data:

  • Full Name
  • E-mail
  • Company Name
  • User’s training sessions

Sub-Processors

Processor may engage the following Sub-Processors to provide the Services:

| Name of the Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud Services | EU |
| Mailgun | Transactional messaging | EU |
| Anthropic | Generative LLM for AI assistant | US |
| OpenAI | Generative LLM for AI assistant | US |
| Hubspot | Sending training reminders, updates, and relevant learning content | EU |
| Tableau | Tracking individual student’s progress | EU |
| PostHog | Product analytics, including insights, heatmaps, session recording and feature flags | EU |

ANNEX 2 - Standard Contractual Clauses

EEA Cross-Border Data Transfers

  1. The Parties hereby agree to the Standard Contractual Clauses as outlined in the Annex of the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (“SCC”).
  2. Module Four (processor to controller) of the SCC shall apply where Nebius Academy is a processor of the Personal Data and Company is a controller of the personal data.
  3. Module Three (processor to processor) of the SCC shall apply where Company is a processor of the personal data and Nebius Academy acts as a Sub-Processor.
  4. Clause 7 of the SCC (Docking Clause) shall not apply.
  5. For the purposes of Clause 9 of the SCC (concerning Module Three transfers), the Parties agree that option 2 “General Written Authorisation” in Clause 9 of the SCC shall apply, and specify that the processor shall inform the controller in writing of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex 1 to this DPA and may be amended from time to time as agreed in this clause.
  6. For the purposes of Clause 11 of the SCC, the optional language will not apply.
  7. For the purpose of Clause 17 of the SCC, option 1 shall apply, and the Parties agree that the SCC shall be governed by the laws of the Netherlands.
  8. For the purpose of Clause 18(b), disputes shall be resolved before the courts of the Netherlands.
  9. Annex I.A of the SCC shall be completed as indicated in Annex 1.
  10. Annex I.B of the Standard Contractual Clauses shall be completed as described in Annex I of this DPA.
  11. The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
  12. In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Annex 1 of this DPA.
  13. Annex I.C of the SCC shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
  14. Annex 3 of this DPA serves as Annex II of the SCC.
  15. The Parties agree that other clauses and additional safeguards added by this DPA to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.
  16. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Company Agreement, the provisions of the Standard Contractual Clauses will prevail.
  17. In the event of EEA Transfer or UK Transfer the Parties agree to supplement international data transfer(s) with the appropriate safeguards and representations.

ANNEX 3 - Security and Organizational Measures

A. Technical and organisational measures

1. Information Security Governance

  • Policies & Standards
    - Access Control Policy
    - Data Protection Policy
    - Asset Management Policy
    - Device Management Policy
    - Incident Response Policy
  • Roles & Responsibilities
    - Chief Information Security Officer (CISO) performs security risk analysis
    - Legal department performs legal risk analysis
  • Risk Management
    - Information security and compliance risks re-identified, analysed and reassessed annually

2. Vulnerability & Patch Management

  • Automated Scanning
    - Continuous monitoring using SAST, DAST, SCA and IaC scanners integrated into CI/CD pipelines
  • Defect Management
    - Findings triaged in defect-management platform; confirmed vulnerabilities tracked and remediated via Jira workflow
    - Quarterly vulnerability review meetings
  • Patch Deployment
    - Critical security patches deployed promptly according to severity

3. Application Security

  • Secure SDLC
    - Security requirements and threat modelling at design phase
    - Secure coding practices enforced by training and guidelines
    - Periodic code reviews and architecture reviews
    - Dynamic (DAST) and static (SAST) testing during development and QA stages
  • Pre-Deployment Validation
    - Configuration checks and vulnerability scans prior to release

4. Network & Systems Security

  • Infrastructure
    - Production in AWS eu-west-3; ClickHouse cloud in eu-central-1
    - Private VPCs with strict network ACLs
  • Access Control
    - Multi-factor authentication (MFA) enforced for all admin and user access
    - Identity Provider ensures clients can access only their own data
  • Encryption
    - In transit: TLS 1.2+ for all network traffic
    - At rest: AES-256-GCM on storage and databases

5. Data Protection

  • Database Encryption
    - AWS RDS Aurora PostgreSQL cluster encrypted with AWS KMS (AES-256-GCM)
  • Data Handling
    - Personal data masked, hashed or anonymized where applicable
    - Encryption of all personal data at rest and in transit
  • Storage Controls
    - Data storages located in private networks, accessible only to authorized administrators

6. Incident Management

  • Detection & Response
    - Monitoring for anomalies and breaches via security tools and SIEM
    - Incident Response Team activated upon detection
  • Escalation & Reporting
    - Defined escalation matrix involving CISO and Legal
    - Incident reporting to supervisory authorities per applicable data-protection laws

7. Security Awareness & Training

  • Regular Training
    - Annual security and privacy awareness training for all staff
  • Internal Guidelines
    - Published secure coding guidelines and incident-handling playbooks

9. Continuous Improvement

  • Regular reassessment of risks and controls
  • Lessons-learned workshops post-incident or audit
  • Ongoing refinement of technical measures and organizational processes

B. Assistance with Data-Subject Rights

To support the Controller in responding to data-subject requests under the GDPR, Nebius Academy will ensure it can:

  1. Prompt Notification
    • Immediately inform the Controller of any data-subject request it receives.
  2. Cooperation & Data Provision
    • At Nebius Academy’s expense, supply all information and copies of relevant personal data within three (3) days of the Controller’s request.
    • Where applicable, provide such assistance as is reasonably requested by the data controller to comply with the relevant request within the timescales prescribed by the GDPR.

Rights-Request Handling

  • Aid the Controller in responding to requests for access, rectification, erasure, restriction, and data portability.