EZclass Data Processing Agreement (DPA)



 

Effective Date: June 1, 2025


 

Version: 1.0



 

1. Parties


 

This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service and Privacy Policy of EZClass OÜ.

Controller:


 

EZClass OÜ


 

Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia Registry number: 16802842

Email: [email protected]


 

Processor / Sub-Processor:


 

Each third-party service provider or subcontractor engaged by EZClass OÜ that processes personal data on its behalf as described in the Privacy Policy and listed in the Sub-Processor List below.


 

For the purposes of Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679, EZClass OÜ acts as the Data Controller of personal data collected via its platform (ezclass.io and subdomains).


 

Certain processors and teacher contractors may act as Processors or Sub-Processors when performing services on behalf of EZClass OÜ.


 

2. Scope and Purpose


 

This DPA governs the processing of personal data in the context of EZClass OÜ’s platform and services, including:


 

  • Online English language classes


 

  • Subscriptions


 

  • Educational tools


 

  • Video conferencing


 

  • Digital whiteboards


 

  • Customer support


 

  • Payment processing


 

  • Data analytics
     

Personal data processed under this DPA includes data relating to:


 

  • Students


 

  • Parents/legal guardians


 

  • Teachers


 

  • Visitors to the platform


 

The purpose of processing is to enable EZClass OÜ to deliver, manage, improve, and secure its educational services.


 

3. Categories of Personal Data


 

The types of personal data processed include:


 

  • Identifiers: name, email, account credentials


 

  • Contact information: phone, address (where applicable)


 

  • Profile data: educational background, bio, profile picture/video


 

  • Class participation data: video, audio, chat messages, whiteboard content


 

  • Payment data: limited metadata (processed securely by Stripe)


 

  • Device data: IP address, device identifiers, browser type


 

  • Usage data: platform interactions, attendance, performance analytics


 

  • Sensitive data: identification documents (teachers), where required for compliance



 

4. Data Subjects


 

  • Students (including minors with parental consent)


 

  • Parents/legal guardians of students


 

  • Teachers (independent contractors engaged by EZClass OÜ)


 

  • Visitors to the EZClass OÜ platform



 

  1. Duration
     


 

This DPA remains in effect for the duration of the relationship between EZClass OÜ and each Processor.
 

Upon termination of services, personal data must be returned or deleted in accordance with this DPA and applicable law.


 

6. Obligations of the Controller (EZClass OÜ)


 

EZClass OÜ as Controller shall:


 

  • Process personal data in compliance with GDPR and applicable data protection laws


 

  • Clearly inform data subjects via its Privacy Policy


 

  • Maintain a record of processing activities (Article 30 GDPR)


 

  • Obtain valid consent where required


 

  • Respond to data subject requests (access, rectification, erasure, etc.)


 

  • Ensure an adequate legal basis for international transfers



 

7. Obligations of the Processor


 

Each Processor acting on behalf of EZClass OÜ shall:


 

  1. Process personal data only on documented instructions from EZClass OÜ


 

  1. Implement appropriate technical and organizational measures to ensure data security


 

  1. Ensure confidentiality of staff with access to personal data


 

  1. Cooperate with EZClass OÜ on data subject rights requests


 

  1. Assist with data protection impact assessments (DPIAs) where required


 

  1. Notify EZClass OÜ without undue delay in case of personal data breach


 

  1. Return or delete personal data upon termination of services


 

  1. Allow for audits and inspections by EZClass OÜ (with reasonable notice)


 

  1. Not engage sub-processors without prior authorization or general written consent (Article 28(2))
  2. Ensure any sub-processors are bound by equivalent data protection obligations



 

8. International Data Transfers


 

When personal data is transferred to third countries outside the EEA:
 

  • Standard Contractual Clauses (SCCs) will be used where applicable


 

  • EU-U.S. Data Privacy Framework will be relied upon where available


 

  • Additional safeguards (encryption, access controls) are implemented to ensure an adequate level of protection


 

9. Sub-Processors


 

EZClass OÜ engages the following approved sub-processors:


 

Processors (Data Processors) — Act on Our Behalf



 

Service

Purpose

Location

Legal Safeguard

 
   

Standard

 

Stripe Payments Europe,

Processing customer

EEA / US

Contractual

 

Ltd.

payments (subscriptions,

Clauses (SCCs),

 

bookings)

 

EU-U.S. Data

 
   

Privacy Framework

 

Zoom Video SDK (Zoom

  

SCCs, EU-U.S.

 
  

Data Privacy

 

Video Communications,

Embedded video classes

US

 

Framework, DPA

 

Inc.)

   
  

with Zoom

 
    

DigitalOcean, LLC

Hosting platform (servers,

San Francisco, US

SCCs, encryption

 

at rest/in transit,

 
 

databases)

 

role-based access

 
    

Brevo (Sendinblue SAS)

Transactional emails (class

 

GDPR Compliant

 

booked, payment failed,

France (EU)

 

(EU-hosted)

 
 

etc.)

  
    

Hostinger

Email service & domain

Lithuania (EU)

GDPR Compliant

 

registration (emails, domain

 
 

DNS)

   

Google LLC (Google

Analytics & performance

 

SCCs, IP

 

US

Anonymization,

 

Cloud & Analytics)

monitoring

EU-U.S. Data

 
   

Privacy Framework

 

Enty OÜ

Legal, accounting,

Estonia (EU)

GDPR Compliant,

 

compliance services

DPA with Enty

 
   
 

Cookie consent

 

Manages cookie

 

Usercentrics A/S

management, banner

  

display, consent logging

Denmark (EU)

consent per GDPR

 

(Cookiebot CMP)

 

(required under GDPR Art.

 

Art. 7(1)

 
 

7(1), Art. 30)

   

Cloudflare, Inc.

CDN, DDoS protection,

Global (with SCCs /

IP address, traffic

 

metadata, essential

 
 

security proxy

DPF safeguards)

cookies

 
    
 

Content management and

 

DPA, access

 

Strapi

EEA / US

controls, Processor

 

handling form submissions

agreement; access

 
   

restricted

 






 

Third-Party Controllers (Independent Legal Responsibility — Not Our Processors)


 

Service

Purpose

Location

Legal Role

 

Wise Payments

Outgoing teacher payouts &

 

Separate

 

EEA/UK/US

Controller (AML,

 

Limited

rare refunds

KYC, Tax Law

 
   

obligations)

 

Hostinger (Domain

Domain WHOIS registration

   

registration)

& DNS (public record)

   

Facebook / Meta

If user clicks on our ad and

Separate controller

  

is redirected to EZclass

relationship — Meta

  
 

(retargeting pixel)

Privacy Policy applies

  

Google (Google Ads)

Same as above — if using

Separate controller

  

retargeting or ad pixels

relationship

  



 

This list may be updated from time to time. EZClass OÜ will notify Processors of material changes.


 

Legal Counsel and Consultants


 

Our legal advisors, GDPR consultants, and similar professional service providers (for example, Enty OÜ or other authorized advisors) may access personal data when necessary to support EZClass OÜ’s compliance with legal obligations, data protection requirements, accounting, tax reporting, or to assist with audits or disputes. Such access is limited, controlled, and subject to confidentiality obligations.


 

10. Data Security Measures


 

Each Processor must implement appropriate technical and organizational measures, including:


 

  • Encryption of personal data in transit and at rest


 

  • Secure hosting environments


 

  • Access controls and authentication


 

  • Regular vulnerability testing


 

  • Incident response plans
     
  • Data minimization



 

11. Liability and Indemnity


 

Each party shall be liable for its own processing of personal data under this DPA and applicable law.


 

Processors are liable for breaches caused by their own acts or omissions and those of authorized sub-processors.


 

12. Termination


 

Upon termination of the services, Processors must:


 

  • Delete or return all personal data, unless retention is required by law


 

  • Confirm to EZClass OÜ in writing that deletion has occurred



 

13. Miscellaneous


 

  • This DPA is governed by Estonian law and EU GDPR.


 

  • In case of conflict between this DPA and other agreements, this DPA prevails with respect to data protection.


 

14. Contact


 

For questions about this DPA:


 

Controller:


 

EZClass OÜ


 

[email protected]


 

Registry number: 16802842


 

Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia


 

15. Signatures


 

This DPA is automatically binding on Processors engaged by EZClass OÜ through contract or service agreement.
 


 

No separate signature is required unless explicitly requested.
 


 

Copyright © 2025 EZClass | all rights reserved | Patented
BlogsPrivacy PolicyCookie PolicyLegal NoticeRefund PolicyTerms and ConditionsData Processing AgreementMake a Data Request