Data Processing Agreement
Version: June 2026
between
the customer using eDoer under a Master Service Agreement
(“Controller”)
and
Education4All GmbH
Registered office: Hildesheim, Germany
Registered with the commercial register of the Local Court of Hildesheim under HRB 210458
as provider of the “eDoer” learning platform
(“Processor”)
Processor and Controller together: the “Parties”.
This Data Processing Agreement (“DPA”) is an integral part of the Master Service Agreement (“MSA”) of the Parties.
1. Subject Matter and Duration of Processing
1.1 This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the “eDoer” learning platform.
1.2 This DPA applies exclusively to personal data that the Processor processes exclusively on behalf of the Controller.
1.3 Processing activities that the Processor performs as an independent controller (see Section 5.4) are not subject to this DPA.
1.4 The Processor provides a multi-tenant learning management platform (“eDoer”) that enables the Controller to:
- Create and manage organizations
- Register and manage users
- Create and manage learning paths, modules, and courses
- Conduct assessments and examinations
- Issue certificates
- Enable communication within the organization
- Store educational content and related materials
- Configure AI-assisted functions, including files from the organization’s knowledge base and learner background documents, where enabled
- Permit optional document imports from approved third-party sources, where enabled
The Processor processes personal data solely to provide these contractually agreed services.
1.5 Processing takes place for the duration of the Master Service Agreement.
After termination of the Agreement, personal data will be deleted or returned in accordance with the provisions of the DPA, unless statutory retention obligations prevent this.
2. Nature and Purpose of Processing
2.1 Processing is carried out primarily by automated means within secured server infrastructure and may include in particular:
- Collection
- Recording
- Organization and structuring
- Storage
- Retrieval and use
- Limited transmission to authorized sub-processors
- AI-assisted processing, where enabled
- Import of documents from approved third-party sources, where enabled
- Deletion or anonymization
2.2 Personal data is processed exclusively for the following purposes:
- User administration within the Controller’s organization
- Management of courses and learning paths
- Provision and organization of educational content
- Conducting and documenting assessments
- Creation of certificates
- Internal communication through the platform
- AI-assisted educational support configured by the Controller
- Technical maintenance and support
The Processor does not process personal data for its own marketing purposes or for independent commercial exploitation. Processing is limited to what is necessary to provide the services.
The Processor processes personal data exclusively on documented instructions of the Controller.
3. Categories of Data Subjects
The categories of data subjects may include:
- Learners (students)
- Teachers / curators
- Organization administrators
- Other users designated by the Controller
4. Categories of Personal Data
Processing may include the categories of personal data set out in Annex I, Section 1, which provides a precise list.
The Processor does not require or process special categories of personal data within the meaning of Article 9 GDPR.
5. Roles of the Parties
5.1 The Controller determines the purposes and means of processing educational data within the platform.
5.2 The Processor processes personal data exclusively on behalf of the Controller pursuant to Article 28 GDPR.
5.3 The Parties clarify that no joint controllership pursuant to Article 26 GDPR exists.
5.4 The Processor acts as an independent controller with respect to the following processing activities:
- Security logging and fraud prevention
- System stability and infrastructure monitoring
- Consent-based global usage analytics
- Management of consent records
These processing activities are governed by the Processor’s Privacy Policy and are not subject to this DPA.
6. AI-Assisted Functions
6.1 The platform may use AI services to support education-related functions, in particular for:
- Learning path generation
- Creation and support of educational content
- Creation of examination tasks
- Retrieval from and grounding in files from the Controller’s organization knowledge base
- Individual support using learner background documents, where enabled
6.2 Only the following data is transmitted to AI service providers:
- Learning path metadata
- Educational content created by the Controller
- Files from the organization’s knowledge base
- Files uploaded by learners, where present
- Attachments submitted by users, where present
- Voluntarily entered free-text requests
6.3 The Processor does not intentionally transmit learner performance data, assessment results, learning progress data, or platform account identifiers as separate structured AI inputs. However, such data may be contained in content, files, prompts, attachments, or background documents intentionally submitted for AI processing by the Controller or an authorized user.
6.4 The Processor takes data minimization measures and does not intentionally request special category data for AI processing. The Controller remains responsible for determining whether submitted AI inputs contain personal data, including special category data, and whether such transmission is lawful.
6.5 If recognized document-source integrations such as Roxtra are enabled by platform-level administration and the Controller, the Processor may process the connecting user’s integration username and encrypted credentials in order to authenticate with the third-party source, search documents, and import selected files into eDoer.
6.6 Imported third-party files are stored in eDoer and are then processed according to the Controller’s instructions like other files uploaded to the platform.
6.7 Third-party source systems designated by the Controller for search and import are not sub-processors engaged by the Processor unless expressly listed in Annex III.
7. Sub-Processors
7.1 The Controller grants the Processor general authorization to engage sub-processors. A list of current sub-processors is provided in Annex III.
7.2 Sub-processors may include in particular:
- Cloud hosting providers
- Object storage providers
- Email service providers
- Infrastructure providers
- AI service providers (e.g., OpenAI, Google Cloud/Gemini)
7.3 The Processor undertakes to:
- Enter into written agreements with sub-processors pursuant to Article 28 GDPR
- Require sub-processors to ensure the same level of data protection and information security as agreed in this DPA
- Remain fully responsible for compliance with data protection obligations by sub-processors
7.4 Enterprise AI agreements provide that transmitted data is not used to train AI models, where applicable.
7.5 The Controller will be informed of material changes to the sub-processors used. In the case of general written authorization, the Processor informs the Controller, giving the Controller the opportunity to object to such changes within 7 days. In that case, the Controller is entitled to terminate the agreement.
8. International Data Transfers
8.1 Where personal data is transferred to countries outside the European Union or the European Economic Area, the Processor ensures that appropriate safeguards pursuant to Chapter V GDPR are in place.
8.2 Data transfers are based in particular on:
- Standard Contractual Clauses (SCCs)
- the EU-US Data Privacy Framework, where applicable
Further details are set out in Annex III.
8.3 The Processor carries out and documents a Transfer Impact Assessment (TIA).
9. Technical and Organizational Measures
The Processor implements appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, in particular:
- Encrypted data transmission (TLS)
- Role-based access control
- Tenant-separated data processing at organization level
- Logging of administrative access
- Encryption of stored credentials for third-party integrations
- Procedures for detecting and handling security incidents
A summary of the technical and organizational measures is attached as Annex II.
10. Rights of Data Subjects
- The Processor supports the Controller, in accordance with Article 28(3)(e) GDPR, in fulfilling data subject rights pursuant to Articles 15 to 22 GDPR.
- Responsibility for the legal assessment and response to such requests remains with the Controller.
11. Notification of Personal Data Breaches
The Processor informs the Controller without undue delay after becoming aware of a personal data breach, insofar as it concerns personal data processed under this DPA. Pursuant to Article 28(3)(f) GDPR, the Controller is supported in complying with the obligations referred to in Articles 32 to 36 GDPR.
12. Deletion and Return of Data
- After termination of the MSA, the Processor will delete or return personal data at the Controller’s choice.
- Storage will occur only to the extent that statutory retention obligations exist.
- Backup copies are deleted in accordance with the Processor’s usual deletion and retention periods.
13. Control and Audit Rights
13.1 The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations under Article 28 GDPR.
13.2 Reviews, including inspections, carried out by the Controller or another auditor appointed by the Controller are enabled. Audits must be conducted reasonably, proportionately, and while preserving confidentiality.
13.3 Existing audit reports, certifications, or equivalent evidence may be used to satisfy control requirements.
14. Liability
The liability of the Parties is governed by the provisions of the Master Service Agreement and Article 82 GDPR.
Mandatory statutory liability provisions remain unaffected.
Annex I - Description of Processing
This Annex forms part of the Data Processing Agreement entered into between the Parties.
1. Categories of Personal Data
Processing may include the following categories of data:
1.1 Identification and Account Data
- Name
- Email address
- User role
- Organizational affiliation
1.2 Education-Related Data
- Enrollment information
- Learning progress data
- Assessment results
- Submitted assignments
- Completion status
1.3 Certificate Data
- Name
- Grade or completion status
- Date of issuance
1.4 Communication Data
- Messages within the platform
- Attachments uploaded by users
1.5 Files and Reference Material
- Uploaded files
- Files from the organization’s knowledge base and related reference materials, where enabled
- Learner background documents, where enabled
- Imported files from approved third-party document sources, where enabled
1.6 Optional Integration Data
- Username for the third-party document source of the connecting user
- Encrypted credentials required for authentication and file import
- Import metadata and logs
1.7 Technical Data
- Timestamps
- Log data, insofar as required for system operation
- IP address, where technically necessary
2. Instruction Limitation
The Processor processes personal data exclusively on documented instructions of the Controller and determines neither the purposes nor the essential means of processing under this Annex.
Annex II - Technical and Organizational Measures (TOMs)
This Annex describes the technical and organizational measures implemented by the Processor to ensure a level of protection appropriate to the risk pursuant to Article 32 GDPR.
1. Organizational Measures
1.1 Governance and Responsibilities
- Clear internal allocation of data protection responsibilities
- Management-level monitoring of data protection compliance
- Documented data protection and information security policies
- Access to production systems exclusively for authorized personnel
1.2 Confidentiality Obligations
- All employees are bound to confidentiality
- Access to personal data is granted exclusively on a need-to-know basis
- Enforcement of role-based access concepts
1.3 Training and Awareness
- Employees in development and operations receive regular training on data protection and information security
- Developers are made aware in particular of data minimization and privacy-compliant AI integration
2. Access Control
2.1 Logical Access Control
- Use of Role-Based Access Control (RBAC)
- Authentication for all administrative measures
- Enforcement of appropriate password requirements
- Password hashing using industry-standard algorithms (e.g., bcrypt or argon2)
2.2 Administrative Access
- Administrative access is limited to authorized persons
- Super-admin access is used exclusively for the following purposes:
  - Technical error analysis
  - Security investigations
  - Documented support requests
- Administrative activities are logged
- Access is subject to internal approval procedures, where applicable
3. Infrastructure Security
3.1 Hosting Environment
- Application and database servers are hosted on infrastructure provided by Hetzner in data centers within the EU
- Firewalls are used to restrict unnecessary inbound connections
- Database servers are not publicly accessible
3.2 Network Security
- Encrypted data transmission via TLS (HTTPS)
- Application traffic is routed through Cloudflare proxy
- DDoS protection mechanisms and traffic filtering are enabled
- Secure DNS configuration
3.3 Database Security
- Access to the database exclusively through the application layer
- No publicly accessible database endpoints
- Secure storage of credentials using environment variables
- Regular updates and patch management of system software
4. Tenant Separation (Multi-Tenant Architecture)
- Strict data isolation at organization level through application architecture
- Authorization checks for all data access
- No cross-organization access to data
- AI requests are processed tenant-specifically; no mixing of tenant data
5. Encryption
- Enforcement of TLS 1.2 or higher for all external connections
- Encrypted API communication with sub-processors (e.g., OpenAI, Google Cloud, Mailgun)
- Credentials for third-party integrations are stored in encrypted form
- Signed or time-limited file URLs are used for non-public file access, where applicable
6. Backup and Recovery
- Daily automated database backups
- Secure storage of backup files
- Access to backups exclusively for authorized personnel
7. Logging and Monitoring
- Application error logging enabled
- Logging of security-relevant events
- Logging of administrative access
- Retention of logs only to the operationally required extent
- Protection of log data against unauthorized modification
8. Data Minimization in AI Processing
- AI processing is limited to:
  - Educational content
  - Learning path metadata
  - Examination texts
  - Voluntary free-text requests
- No intentional transmission of:
  - Learner performance data
  - Assessment results
  - Account identifiers
  - Special categories of personal data
- Enterprise AI agreements prohibit, where applicable, the use of transmitted data for model training
- AI processing takes place exclusively in a request-response model; no bulk data export
9. Development and Test Environment
- Logical separation of development and production environments
- AI analytics is disabled in development environments
- Test data does not contain production personal data
- Controlled deployment processes
10. Physical Security
- Physical security measures are ensured by infrastructure providers, including DigitalOcean and Cloudflare
- The providers use industry-standard physical access controls
11. Regular Review
- Regular review of the technical and organizational measures
- Adjustments based on:
  - Risk analyses
  - Infrastructure changes
  - Regulatory developments
Annex III - Sub-Processing
The sub-processors are listed below using the following sub-items:
- Address
- Service
- Processing location
- Transfer mechanism
OpenAI Ireland Ltd.
- 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
- AI-assisted content processing and generation
- European Union (primary processing entity); possible onward transfer to affiliated companies in the United States
- Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework (DPF)
Google Cloud (Google LLC / Google Ireland Ltd.)
- Gordon House, Barrow Street, Dublin 4, Ireland
- AI services (Gemini)
- European Union
- Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework (DPF)
Hetzner Online GmbH / Hetzner Finland Oy
- Industriestr. 25, 91710 Gunzenhausen, Germany
- Application, object storage, and database hosting
- Germany / Finland (EU)
- Not applicable
Cloudflare, Inc.
- 101 Townsend Street, San Francisco, California, 94107-1934, USA
- Reverse proxy, Content Delivery Network (CDN), DDoS protection, TLS termination
- European Union / United States
- Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework (DPF), where applicable
Mailgun Technologies, Inc.
- 112 E Pecan Street #1135, San Antonio, TX 78205, USA
- Transactional email delivery
- European Union
- If a third-country transfer occurs: Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework (DPF), where applicable
