Data Processing Agreement

Version: 2.0
Effective Date: April 9, 2026
Controller: EZclass OÜ
Contact: [email protected]

 

Table of Contents

  1. Parties and Background
  2. Definitions
  3. Scope and Purpose of Processing
  4. Categories of Personal Data and Data Subjects
  5. Duration of Processing
  6. Data Retention Schedule
  7. Obligations of the Controller
  8. Obligations of the Processor
  9. Data Subject Rights
  10. Security Measures
  11. Sub-Processors
  12. International Data Transfers
  13. Personal Data Breaches
  14. Audit Rights
  15. Liability
  16. Term and Termination
  17. Governing Law and Jurisdiction
  18. Miscellaneous

 

1. Parties and Background

1.1 Controller. EZclass OÜ, a private limited company incorporated under the laws of the Republic of Estonia (registry code: 16802842), with its registered office at Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia (“EZclass”, “Controller”), operates an online English-language learning platform offering AI-assisted placement testing, live and recorded classes, and related educational services (the “Platform”).

1.2 Customer. The entity or individual that has accepted EZclass’s Terms of Service or has separately executed a written agreement with EZclass that incorporates this Data Processing Agreement (“Customer”, “Data Controller” or, where the Customer is itself acting as a processor, “Data Processor”).

1.3 Purpose of this Agreement. This Data Processing Agreement (“DPA”) governs the processing of Personal Data by EZclass on behalf of the Customer where EZclass acts as a Processor (or Sub-Processor) under Regulation (EU) 2016/679 (“GDPR”) and any applicable national implementing legislation. It forms part of, and is incorporated into, the principal agreement between EZclass and the Customer.

1.4 Precedence. In the event of a conflict between this DPA and the principal agreement regarding the processing of Personal Data, this DPA shall prevail.

2. Definitions

For the purposes of this DPA:

“Applicable Data Protection Law” means the GDPR together with any applicable national supplementing legislation, including the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and any successor or replacement legislation.

“Controller” has the meaning given in Article 4(7) GDPR.

“Data Subject” has the meaning given in Article 4(1) GDPR.

“Personal Data” has the meaning given in Article 4(1) GDPR.

“Personal Data Breach” has the meaning given in Article 4(12) GDPR.

“Processing” has the meaning given in Article 4(2) GDPR.

“Processor” has the meaning given in Article 4(8) GDPR.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to EU Commission Implementing Decision 2021/914 of 4 June 2021, as may be amended or replaced by the European Commission from time to time.

“Sub-Processor” means any Processor engaged by EZclass to carry out specific processing activities on behalf of the Customer.

“Supervisory Authority” means the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or any other competent data protection authority with jurisdiction over the processing described in this DPA.

“Transfer Impact Assessment” or “TIA” means a documented assessment of the legal framework of a third country, conducted prior to a restricted transfer of Personal Data to that country, to determine whether that framework ensures an essentially equivalent level of protection to that guaranteed within the EEA.

3. Scope and Purpose of Processing

3.1 Subject Matter. EZclass processes Personal Data in the course of providing its online English-language learning platform, including:

  • AI-assisted placement and proficiency testing;
  • scheduling, hosting, and recording of live online classes;
  • management of student accounts, progress tracking, and certificates;
  • customer support and communications;
  • billing and payment processing;
  • platform security, error monitoring, and operational analytics.

3.2 Processing Basis. EZclass processes Personal Data as a Controller in its own right in respect of its direct relationship with end users. Where a Customer (e.g., a corporate client or institution) engages EZclass to process Personal Data on its behalf for the Customer’s own purposes, EZclass acts as a Processor and this DPA governs such processing.

3.3 Instructions. EZclass shall process Personal Data only on the documented instructions of the Customer, except where required to do so by Union or Member State law. EZclass shall immediately inform the Customer if, in its opinion, any instruction infringes Applicable Data Protection Law.

4. Categories of Personal Data and Data Subjects

4.1 Categories of Data Subjects. The data subjects whose Personal Data may be processed under this DPA include:

  • students and learners registered on the Platform;
  • corporate clients’ employees or representatives;
  • teachers and instructors;
  • visitors to the Platform’s public-facing properties (ezclass.io and placement.ezclass.io).

4.2 Categories of Personal Data. The Personal Data processed may include:

| Category | Examples |
|---|---|
| Identity data | Full name, username, profile photograph |
| Contact data | Email address, telephone number |
| Account credentials | Hashed passwords, authentication tokens |
| Assessment data | Placement test responses, audio recordings, speech transcripts, scores |
| Learning data | Class attendance, progress records, certificates |
| Technical data | IP address, device identifiers, browser type, log data |
| Behavioural/UX data | Session replay data, clickstream analytics |
| Payment metadata | Transaction reference, billing address, last four digits of card |
| Communications data | Support tickets, emails |

4.3 Special Categories. EZclass does not intentionally collect or process special categories of Personal Data as defined in Article 9 GDPR. Customers must not submit such data unless separately agreed in writing.

5. Duration of Processing

5.1 Term. EZclass shall process Personal Data under this DPA for the duration of the principal agreement between EZclass and the Customer.

5.2 Post-Termination. Upon expiry or termination of the principal agreement, EZclass shall, at the Customer’s election, either securely delete or return all Personal Data processed on behalf of the Customer within 60 days, unless Union or Member State law requires storage for a longer period. The retention periods in Section 6 apply to EZclass’s own controller activities.

6. Data Retention Schedule

The following retention periods apply to EZclass’s processing as a Controller in its own right:

| Data Category | Retention Period |
|---|---|
| AI placement test raw data (responses, prompts, audio transcripts) | 90 days from test completion |
| Test results and certificates | 3 years from date of issue |
| Class recordings | 90 days from recording date |
| Account data | Duration of active account + 3 years post-termination |
| Payment metadata | 7 years (Estonian and EU tax/accounting obligations) |
| Error logs (Sentry) | 90 days from log creation |
| Session analytics and UX data (Contentsquare, Microsoft Clarity) | As set out in the respective sub-processor’s data retention policy; EZclass configures these tools to minimise retention periods |
| Support communications | 3 years from resolution |

At the end of each applicable retention period, Personal Data shall be securely deleted or irreversibly anonymised, except where longer retention is required by applicable law.

7. Obligations of the Controller

7.1 Lawfulness. The Customer shall ensure that there is a valid lawful basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for all Personal Data provided to EZclass for processing under this DPA.

7.2 Accuracy of Instructions. The Customer shall ensure that its processing instructions to EZclass are lawful and accurate.

7.3 Privacy Notices. The Customer shall ensure that data subjects have been provided with the information required by Articles 13 and 14 GDPR prior to their Personal Data being processed by EZclass under this DPA.

7.4 Cooperation. The Customer shall cooperate with EZclass in fulfilling its obligations under Applicable Data Protection Law, including in responding to data subject requests and regulatory enquiries.

8. Obligations of the Processor (EZclass)

8.1 Purpose Limitation. EZclass shall process Personal Data only for the purposes set out in this DPA and the principal agreement, and shall not process Personal Data for any other purpose without the Customer’s prior written consent or as required by law.

8.2 Confidentiality. EZclass shall ensure that persons authorised to process Personal Data are subject to binding confidentiality obligations.

8.3 Assistance with Data Subject Rights. EZclass shall assist the Customer in responding to data subject requests under Chapter III GDPR, taking into account the nature of the processing. This includes, but is not limited to, requests for access, rectification, erasure, restriction of processing, data portability, and objection.

8.4 Assistance with Compliance Obligations. EZclass shall assist the Customer in ensuring compliance with the obligations in Articles 32–36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to EZclass.

8.5 Deletion or Return. EZclass shall, in accordance with Section 5.2, delete or return all Personal Data to the Customer upon termination, and delete existing copies unless required by applicable law to retain them.

8.6 Information and Audit. EZclass shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and shall allow for and contribute to audits and inspections conducted by the Customer or a mandated auditor, as set out in Section 14.

8.7 Notification of Unlawful Instructions. EZclass shall immediately inform the Customer if, in its opinion, an instruction given by the Customer infringes Applicable Data Protection Law.

9. Data Subject Rights

9.1 Response Timeline. EZclass, acting as Controller in respect of its own processing activities, responds to data subject requests (access, rectification, erasure, portability, restriction, and objection) without undue delay and in any event within one (1) calendar month of receipt of the request, in accordance with Article 12 GDPR. This period may be extended by a further two months where necessary, in which case EZclass will notify the data subject of the extension and the reasons for it.

9.2 Submission of Requests. Data subjects may submit requests through the following channels:

9.3 Verification. EZclass may request reasonable verification of a data subject’s identity before processing a request. Where EZclass is unable to verify identity, it will inform the data subject accordingly.

9.4 Right to Lodge a Complaint. Data subjects have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) or with the supervisory authority of their EU Member State of habitual residence.

10. Security Measures

10.1 General. EZclass implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, in accordance with Article 32 GDPR.

10.2 Measures. These measures include, as appropriate:

  • encryption of Personal Data in transit (TLS 1.2 or higher) and at rest;
  • pseudonymisation of Personal Data where technically and operationally feasible;
  • access controls, role-based permissions, and least-privilege principles;
  • multi-factor authentication for administrative access;
  • ongoing confidentiality, integrity, availability, and resilience assurance for processing systems;
  • procedures for regularly testing, assessing, and evaluating the effectiveness of security measures;
  • employee data protection training and confidentiality obligations;
  • vulnerability management and patch management processes;
  • incident response and recovery procedures.

10.3 Sentry Data Minimisation. EZclass has configured Functional Software, Inc. (Sentry) to minimise the collection of Personal Data in error reports, including the filtering of request bodies and user identifiers where technically feasible. Error events are retained for a maximum of 90 days.

10.4 Datadog Data Minimisation. EZclass has configured Datadog Inc. to minimise the collection of Personal Data in application performance monitoring logs and traces, including the filtering of request bodies and user identifiers where technically feasible. Log and trace data are retained for a maximum of 90 days.

10.5 BetterStack. Better Stack, Inc. provides uptime monitoring and log aggregation for EZclass infrastructure. Server logs transmitted to BetterStack may contain IP addresses, user identifiers, and request metadata. BetterStack is an EU entity (Czech Republic) and is subject to GDPR directly.

11. Sub-Processors

11.1 Authorisation. The Customer provides general authorisation to EZclass to engage the sub-processors listed in this Section 11, subject to the notification and objection procedure in Section 11.3.

11.2 Sub-Processor Obligations. EZclass imposes, by contract, data protection obligations on each sub-processor equivalent to those imposed on EZclass under this DPA. EZclass remains fully liable to the Customer for the performance of each sub-processor’s obligations under its sub-processing agreement.

11.3 Sub-Processor Change Notification.

  1. EZclass shall provide the Customer with at least 30 days’ prior written notice of any intended addition to, or replacement of, a sub-processor listed in this DPA. Such notice shall be given by updating the current DPA on EZclass’s website at https://ezclass.io/legal and sending a notification to the contact email registered to the Customer’s account (or to [email protected] as specified by the Customer).
  2. The Customer may object to a proposed sub-processor change on reasonable grounds relating to data protection by notifying EZclass in writing within the 30-day notice period. In such case, EZclass and the Customer shall work in good faith to resolve the objection. If the parties cannot resolve the objection within a further 30 days, either party may terminate the principal agreement (and this DPA) on written notice without penalty, to the extent that the change directly affects the services received by the Customer.
  3. Where EZclass must engage a new sub-processor on less than 30 days’ notice due to an urgent operational necessity (including a security incident or unexpected termination of an existing sub-processor), EZclass shall notify the Customer as soon as reasonably practicable, explain the reason for urgency, and the Customer shall retain its right to object as above.

11.4 Sub-Processor List.

The following third-party sub-processors are currently engaged by EZclass:

Core Infrastructure

| Sub-Processor | Entity | Country | Purpose | Transfer Basis |
|---|---|---|---|---|
| Google Cloud Platform (GCP) | Google LLC | USA | Primary cloud hosting, database, and compute infrastructure | EU-US Data Privacy Framework |
| Firebase | Google LLC | USA | Authentication services, real-time database | EU-US Data Privacy Framework |
| Cloudflare, Inc. | Cloudflare, Inc. | USA | Content delivery network (CDN), DDoS protection, DNS | EU-US Data Privacy Framework |
| Hostinger International Ltd. | Hostinger International Ltd. | Lithuania (EU) | Supplementary web hosting | EU adequacy (Lithuania is in EU) |

Communications and Marketing

| Sub-Processor | Entity | Country | Purpose | Transfer Basis |
|---|---|---|---|---|
| ZeptoMail (Zoho) | Zoho Corporation Pvt. Ltd. | India | Transactional email delivery | Standard Contractual Clauses (EU Commission Decision 2021/914) |
| Brevo SAS | Brevo SAS | France (EU) | Marketing email and CRM | EU adequacy (France is in EU) |

Payments

| Sub-Processor | Entity | Country | Purpose | Transfer Basis |
|---|---|---|---|---|
| Stripe, Inc. | Stripe, Inc. | USA | Payment processing and billing | EU-US Data Privacy Framework |

Video Conferencing

| Sub-Processor | Entity | Country | Purpose | Transfer Basis |
|---|---|---|---|---|
| Zoom Video Communications, Inc. | Zoom Video Communications, Inc. | USA | Live class hosting and recordings | EU-US Data Privacy Framework |

Collaboration Tools

| Sub-Processor | Entity | Country | Purpose | Transfer Basis |
|---|---|---|---|---|
| Excalidraw | Excalidraw (open-source) | N/A (self-hostable) | Interactive whiteboard during classes | Processing within Platform infrastructure |

AI and Machine Learning

| Sub-Processor | Entity | Country | Purpose | Transfer Basis |
|---|---|---|---|---|
| OpenAI OpCo, LLC | OpenAI OpCo, LLC | USA | Speech-to-text transcription (Whisper API) for placement test audio | EU-US Data Privacy Framework |
| DeepSeek AI Co., Ltd. | DeepSeek AI Co., Ltd. | China | AI writing and speaking evaluation scoring (placement test) | Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2: Controller to Processor) |

Analytics and User Experience

| Sub-Processor | Entity | Country | Purpose | Transfer Basis |
|---|---|---|---|---|
| Contentsquare SAS | Contentsquare SAS | France (EU) | Session replay and UX analytics (placement.ezclass.io) | EU adequacy (France is in EU) |
| Microsoft Corporation (Clarity) | Microsoft Corporation | USA | Session analytics (ezclass.io) | EU-US Data Privacy Framework |

Security and Monitoring

| Sub-Processor | Entity | Country | Purpose | Transfer Basis |
|---|---|---|---|---|
| Functional Software, Inc. (Sentry) | Functional Software, Inc. | USA | Error tracking and system diagnostics | EU-US Data Privacy Framework |
| Datadog Inc. | Datadog Inc. | USA | Application performance monitoring, log management, error tracking, Real User Monitoring (RUM) | EU-US Data Privacy Framework |
| Better Stack, Inc. | Better Stack, Inc. | Czech Republic (EU) | Uptime monitoring, log aggregation, incident alerting | EU entity — GDPR applies directly |
| Google LLC (reCAPTCHA) | Google LLC | USA | Bot protection on data request forms | EU-US Data Privacy Framework |

11.5 Internal Self-Hosted Tools. The following tools are operated by EZclass as self-hosted internal infrastructure and do not constitute third-party sub-processors:

  • Directus — self-hosted headless CMS used for internal content management. No Personal Data is transmitted to any third-party Directus entity.
  • ntfy — self-hosted push notification server used for internal system alerts. No Personal Data is transmitted to any third-party ntfy entity.

EZclass remains responsible for the secure configuration and operation of these self-hosted tools.

12. International Data Transfers

12.1 General. Where EZclass or any sub-processor transfers Personal Data to a country outside the European Economic Area (“EEA”) that has not been the subject of an adequacy decision under Article 45 GDPR, EZclass shall ensure that appropriate safeguards under Article 46 GDPR are in place.

12.2 EU-US Data Privacy Framework. Where a sub-processor is certified under the EU-US Data Privacy Framework (“DPF”) adopted by the European Commission’s adequacy decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795), transfers to that sub-processor are made on the basis of that adequacy decision. Relevant sub-processors are marked accordingly in the table in Section 11.4.

12.3 DeepSeek Transfer — Standard Contractual Clauses and Transfer Impact Assessment.

EZclass OÜ has executed Standard Contractual Clauses (EU Commission Implementing Decision 2021/914, Module 2: Controller to Processor) with DeepSeek AI Co., Ltd. for the transfer of Personal Data to the People’s Republic of China for the purpose of AI-based language evaluation scoring on the Platform’s placement test.

In addition, EZclass has conducted a Transfer Impact Assessment (“TIA”) in respect of transfers to DeepSeek AI Co., Ltd., taking into account:

  • the legal framework of the People’s Republic of China applicable to Personal Data, including the Personal Information Protection Law (PIPL), the Cybersecurity Law, and the Data Security Law;
  • the nature of the Personal Data transferred (written test responses, speaking evaluation prompts, and audio transcripts);
  • the contractual, technical, and organisational safeguards applied.

On the basis of the TIA, EZclass has determined that the SCCs, together with the supplementary measures described below, provide an essentially equivalent level of protection to that guaranteed within the EEA.

Supplementary measures applicable to DeepSeek transfers:

  • Data transferred to DeepSeek AI Co., Ltd. is limited to the minimum necessary for the specific evaluation task.
  • DeepSeek processes user test responses solely for the purpose of generating language evaluation scores.
  • DeepSeek does not retain Personal Data beyond the processing period and does not use it for model training or any secondary purpose.
  • Technical measures including encryption in transit (TLS) are applied to all transfers.
  • EZclass will review the TIA at least annually, or when there is a material change in the legal framework of the People’s Republic of China.

12.4 Standard Contractual Clauses — General. For sub-processors where SCCs are the applicable transfer mechanism, EZclass has incorporated the relevant module of the SCCs into its sub-processing agreement with the relevant entity and will provide a copy to the Customer on written request.

12.5 Adequacy Decisions. Transfers to sub-processors established in EEA Member States (France, Lithuania) are not restricted transfers and require no transfer mechanism under Chapter V GDPR.

 

13. Personal Data Breaches

13.1 Notification by EZclass. EZclass shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, to the extent that such notification is required by Applicable Data Protection Law or is necessary to enable the Customer to comply with its own notification obligations.

13.2 Content of Notification. Breach notifications shall, to the extent known at the time, include:

  • a description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and Personal Data records affected;
  • the name and contact details of the data protection point of contact at EZclass;
  • a description of the likely consequences of the breach;
  • a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

13.3 Investigation Assistance. EZclass shall take all reasonable steps to investigate the breach, contain any ongoing risk, and provide the Customer with timely updates as further information becomes available.

13.4 Customer Obligations. The Customer is responsible for determining whether it is required to notify the relevant Supervisory Authority and/or affected data subjects under Articles 33 and 34 GDPR, and for making any such notifications. EZclass shall reasonably assist the Customer in making those notifications.

 

14. Audit Rights

14.1 Information. EZclass shall, upon the Customer’s written request, make available all information reasonably necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this DPA.

14.2 Audits. The Customer (or a mandated independent auditor bound by confidentiality) may, upon not less than 30 days’ prior written notice, conduct an audit or inspection of EZclass’s data processing activities relevant to this DPA. Audits shall be conducted:

  • (a) no more than once per calendar year, unless a Personal Data Breach has occurred;
  • (b) during normal business hours and in a manner that minimises disruption to EZclass’s operations;
  • (c) at the Customer’s cost, except where an audit reveals a material non-compliance by EZclass, in which case EZclass shall bear its own reasonable costs.

14.3 Audit Substitution. EZclass may satisfy an audit request by providing the Customer with the results of relevant third-party audits, certifications, or penetration test summaries (in appropriately redacted form), where these adequately address the scope of the Customer’s request.

14.4 Confidentiality. The Customer shall keep all audit findings and any information obtained during an audit confidential and shall use it solely for the purpose of verifying compliance with this DPA.

 

15. Liability

15.1 GDPR Liability. Each party’s liability to data subjects and Supervisory Authorities under GDPR Chapter VIII shall be governed by the GDPR and applicable national law.

15.2 Liability Between Parties. As between EZclass and the Customer, liability under or in connection with this DPA (whether arising in contract, tort, or otherwise) is subject to the limitations and exclusions set out in the principal agreement. Nothing in this DPA limits a party’s liability for:

  • (a) death or personal injury caused by negligence;
  • (b) fraud or fraudulent misrepresentation;
  • (c) any liability which cannot be excluded or limited under applicable law.

16. Term and Termination

16.1 Term. This DPA comes into force on the Effective Date and remains in force for as long as EZclass processes Personal Data on behalf of the Customer under the principal agreement.

16.2 Termination. This DPA terminates automatically on termination or expiry of the principal agreement, subject to the survival provisions in Section 16.3.

16.3 Survival. The obligations in Sections 5.2 (post-termination deletion/return), 10 (security), 14 (audit rights — in relation to the period prior to termination), and 17 (governing law) shall survive termination of this DPA for a period of three (3) years, or such longer period as may be required by applicable law.

 

17. Governing Law and Jurisdiction

17.1 Governing Law. This DPA is governed by the laws of the Republic of Estonia and, where applicable, EU law, including the GDPR.

17.2 Jurisdiction. Any dispute arising out of or in connection with this DPA that cannot be resolved through good-faith negotiation shall be subject to the exclusive jurisdiction of the courts of the Republic of Estonia, without prejudice to a data subject’s right to lodge a complaint with or seek relief from a competent Supervisory Authority or court in their Member State of habitual residence.

18. Miscellaneous

18.1 Entire Agreement. This DPA, together with the principal agreement and any applicable Standard Contractual Clauses incorporated herein, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements, representations, and understandings relating to that subject matter.

18.2 Amendments. EZclass may amend this DPA from time to time to reflect changes in applicable law, regulatory guidance, or sub-processor arrangements. Material amendments (including changes to the sub-processor list that exceed the routine notification procedure in Section 11.3) will be notified to the Customer with not less than 30 days’ prior notice. Continued use of the Platform after the effective date of an amendment constitutes acceptance of the amended DPA. Customers who object to a material amendment may terminate the principal agreement in accordance with its terms.

18.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The parties shall replace any invalid or unenforceable provision with a valid provision that achieves, as closely as possible, the original commercial and legal intent.

18.4 No Waiver. Failure by either party to enforce any right under this DPA shall not constitute a waiver of that right.

18.5 Contact. Questions and notices relating to this DPA should be addressed to:

EZclass OÜ — Data Protection Contact
Email: [email protected]
Website: https://ezclass.io/legal

18.6 Supervisory Authority. EZclass’s lead supervisory authority for GDPR purposes is:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
www.aki.ee | [email protected]


This Data Processing Agreement was prepared by EZclass OÜ. It reflects EZclass’s obligations as a data controller and, where applicable, data processor under Regulation (EU) 2016/679 (GDPR) and the Estonian Personal Data Protection Act. Version 2.0 supersedes all prior versions of this document.

Last updated: April 9, 2026

Copyright © 2026 EZclass OÜ. All rights reserved.
EZclass OÜ · Registry code: 16985909 · Tallinn, Estonia