EZclass Data Processing Agreement (DPA) 

Effective Date: June 1, 2025


 

Version: 1.0



 

1. Parties


 

This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service and Privacy Policy of EZClass OÜ.

Controller:


 

EZClass OÜ


 

Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia Registry number: 16802842

Email: [email protected]


 

Processor / Sub-Processor:


 

Each third-party service provider or subcontractor engaged by EZClass OÜ that processes personal data on its behalf as described in the Privacy Policy and listed in the Sub-Processor List below.


 

For the purposes of Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679, EZClass OÜ acts as the Data Controller of personal data collected via its platform (ezclass.io and subdomains).


 

EZclass OÜ uses Google Cloud Platform (GCP) as its primary infrastructure provider and Firebase for push notifications and real-time features. Both are provided by Google Cloud EMEA Limited and Google LLC, operating under the EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.


 

Certain processors and teacher contractors may act as Processors or Sub-Processors when performing services on behalf of EZClass OÜ.


 

2. Scope and Purpose


 

This DPA governs the processing of personal data in the context of EZClass OÜ’s platform and services, including:


 

  • Online English language classes


 

  • Subscriptions


 

  • Educational tools


 

  • Video conferencing


 

  • Digital whiteboards


 

  • Customer support
     
  • Payment processing


 

  • Data analytics


 

Personal data processed under this DPA includes data relating to:


 

  • Students


 

  • Parents/legal guardians


 

  • Teachers


 

  • Visitors to the platform


 

The purpose of processing is to enable EZClass OÜ to deliver, manage, improve, and secure its educational services.


 

Processing also includes hosting, notification delivery, analytics, and secure email communication through approved third-party processors (GCP, Firebase, ZeptoMail, Brevo, Hostinger, Stripe, Cloudflare, Zoom, and Excalidraw).


 

3. Categories of Personal Data


 

The types of personal data processed include:


 

  • Identifiers: name, email, account credentials


 

  • Contact information: phone, address (where applicable)


 

  • Profile data: educational background, bio, profile picture/video


 

  • Class participation data: video, audio, chat messages, whiteboard content


 

  • Payment data: limited metadata (processed securely by Stripe)


 

  • Device data: IP address, device identifiers, browser type


 

  • Usage data: platform interactions, attendance, performance analytics


 

  • Sensitive data: identification documents (teachers), where required for compliance


 

  • Notification metadata (device tokens, delivery status, timestamps)


 

  • Email delivery metadata (recipient address, delivery logs, bounce data)


 

  • System diagnostics (error logs, performance metrics pseudonymized)



 

  1. Data Subjects
     


 

  • Students (including minors with parental consent)
     
  • Parents/legal guardians of students


 

  • Teachers (independent contractors engaged by EZClass OÜ)


 

  • Visitors to the EZClass OÜ platform



 

  1. Duration


 

This DPA remains in effect for the duration of the relationship between EZClass OÜ and each Processor.


 

Upon termination of services, personal data must be returned or deleted in accordance with this DPA and applicable law.


 

6. Obligations of the Controller (EZClass OÜ)


 

EZClass OÜ as Controller shall:


 

  • Process personal data in compliance with GDPR and applicable data protection laws


 

  • Clearly inform data subjects via its Privacy Policy


 

  • Maintain a record of processing activities (Article 30 GDPR)


 

  • Obtain valid consent where required


 

  • Respond to data subject requests (access, rectification, erasure, etc.)


 

  • Ensure an adequate legal basis for international transfers



 

Maintain up-to-date Data Processing Agreements (DPAs) with all processors, including GCP, Firebase, ZeptoMail, Brevo, Hostinger, and Stripe, ensuring each complies with Article 28 GDPR and applies Standard Contractual Clauses for international data transfers.


 

7. Obligations of the Processor


 

Each Processor acting on behalf of EZClass OÜ shall:


 

  1. Process personal data only on documented instructions from EZClass OÜ


 

  1. Implement appropriate technical and organizational measures to ensure data security


 

  1. Ensure confidentiality of staff with access to personal data


 

  1. Cooperate with EZClass OÜ on data subject rights requests


 

  1. Assist with data protection impact assessments (DPIAs) where required
     
  2. Notify EZClass OÜ without undue delay in case of personal data breach


 

Where a breach involves GCP or Firebase systems, Google LLC shall notify EZclass OÜ in accordance with the Google Cloud Data Processing Addendum (“Google Cloud DPA”), which meets the requirements of Article 28 GDPR. EZClass OÜ will coordinate notifications to supervisory authorities and data subjects as necessary.


 

  1. Return or delete personal data upon termination of services


 

  1. Allow for audits and inspections by EZClass OÜ (with reasonable notice)


 

  1. Not engage sub-processors without prior authorization or general written consent (Article 28(2))
  2. Ensure any sub-processors are bound by equivalent data protection obligations



 

8. International Data Transfers


 

When personal data is transferred outside the European Economic Area (EEA), EZClass OÜ and its processors implement the following safeguards:


 

  • Standard Contractual Clauses (SCCs) — used for GCP, Firebase, Stripe, ZeptoMail (Zoho Corporation Pvt Ltd), and Brevo (Sendinblue SAS) where relevant.


 

  • EU-U.S. Data Privacy Framework (DPF) — relied upon for Google LLC services (Firebase and GCP) and Zoho Corporation Pvt Ltd (ZeptoMail) where applicable.


 

  • Encryption & Access Controls — data in transit and at rest is encrypted (AES-256 or TLS 1.2+), with role-based access and audit logging implemented on GCP infrastructure.


 

  • EU Data Residency Preference — production servers and databases are primarily hosted in EU regions (Frankfurt and Netherlands) to minimize cross-border flows.


 

9. Sub-Processors


 

EZClass OÜ engages the following approved sub-processors:


 

Processors (Data Processors) — Act on Our Behalf

Service

Purpose

Location

Legal Safeguard

   

Standard

Stripe Payments Europe,

Processing customer

Ireland / US

Contractual

Ltd.

payments (subscriptions,

 

Clauses (SCCs),

bookings)

 

EU-U.S. Data

   

Privacy Framework

Zoom Video SDK (Zoom

  

SCCs, EU-U.S.

  

Data Privacy

Video Communications,

Embedded video classes

US

Framework, DPA

Inc.)

  
  

with Zoom

   


 




 

Google Cloud Platform,

Hosting of databases and

EU (Frankfurt,

SCCs + DPF

LLC (GCP)

application servers

Netherlands) / US

 

(backups)

 
   

ZeptoMail (Zoho Corp

Transactional and

India / France /

SCCs + DPF / EEA

Pvt Ltd), Brevo

(Sendinblue SAS),

operational emails

Lithuania

jurisdiction

Hostinger Intl Ltd

   

Hostinger

Email service & domain

Lithuania (EU)

GDPR Compliant

registration (emails, domain

 

DNS)

  

Google LLC (Google

Analytics & performance

EU/US

SCCs + DPF

Cloud & Analytics)

monitoring

  

Enty OÜ or other

Legal, accounting,

Estonia (EU)

GDPR Compliant,

authorized advisors

compliance services

DPA with Enty

 
 

Cookie consent

 

Manages cookie

Usercentrics A/S

management, banner

 

display, consent logging

Denmark (EU)

consent per GDPR

(Cookiebot CMP)

(required under GDPR Art.

 

Art. 7(1)

 

7(1), Art. 30)

  

Cloudflare, Inc.

CDN, DDoS protection,

Global (with SCCs /

IP address, traffic

metadata, essential

 

security proxy

DPF safeguards)

cookies

   
 

Content management and

 

DPA, access

Strapi

EEA / US

controls, Processor

handling form submissions

agreement; access

   

restricted

Excalidraw Inc

Collaborative classroom

EU

SCCs

tools

   

Firebase Cloud

Push notifications for

  

Messaging (Google

EU/US

SCCs + DPF

classes & system updates

LLC)

  
   

 

EZclass OÜ may update this list periodically. Material changes will be published on ezclass.io/legal or communicated to partners in advance.


 

Third-Party Controllers (Independent Legal Responsibility — Not Our Processors)


 

Service

Purpose

Location

Legal Role

Wise Payments

Outgoing teacher payouts &

 

Separate

EEA/UK/US

Controller (AML,

Limited

rare refunds

KYC, Tax Law

   

obligations)

Hostinger (Domain

Domain WHOIS registration

  

registration)

& DNS (public record)

  

Facebook / Meta

If user clicks on our ad and

Separate controller

 

is redirected to EZclass

relationship — Meta

 
 

(retargeting pixel)

Privacy Policy applies

 

Google (Google Ads)

Same as above — if using

Separate controller

 

retargeting or ad pixels

relationship

 

 


This list may be updated from time to time. EZClass OÜ will notify Processors of material changes.


 

Legal Counsel and Consultants


 

Our legal advisors, GDPR consultants, and similar professional service providers (for example, Enty OÜ or other authorized advisors) may access personal data when necessary to support EZClass OÜ’s compliance with legal obligations, data protection requirements, accounting, tax reporting, or to assist with audits or disputes. Such access is limited, controlled, and subject to confidentiality obligations.


 

10. Data Security Measures


 

Each Processor must implement appropriate technical and organizational measures, including:


 

  • Encryption of personal data in transit and at rest


 

  • Secure hosting environments


 

  • Access controls and authentication


 

  • Regular vulnerability testing


 

  • Incident response plans


 

  • Data minimization


 

  • Annual security and privacy reviews of sub-processors (GCP, Firebase, Stripe, Zoho, and Brevo).


 

  • Zero-trust access policies enforced for administrative users via two-factor authentication and logging on GCP and Firebase consoles.


 

11. Liability and Indemnity


 

Each party shall be liable for its own processing of personal data under this DPA and applicable law.


 

Processors are liable for breaches caused by their own acts or omissions and those of authorized sub-processors.


 

Where processors operate under their own DPAs (e.g. Google Cloud DPA or Stripe Data Processing Agreement), EZClass OÜ acknowledges that liability is allocated per those agreements in line with Article 82 GDPR.
 

12. Termination


 

Upon termination of the services, Processors must:


 

  • Delete or return all personal data, unless retention is required by law


 

  • Confirm to EZClass OÜ in writing that deletion has occurred



 

13. Miscellaneous


 

  • This DPA is governed by Estonian law and EU GDPR.


 

  • In case of conflict between this DPA and other agreements, this DPA prevails with respect to data protection.


 

14. Contact


 

For questions about this DPA:


 

Controller:


 

EZClass OÜ


 

[email protected]


 

Registry number: 16802842


 

Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia


 

15. Signatures


 

This DPA is automatically binding on Processors engaged by EZClass OÜ through contract or service agreement.


 

No separate signature is required unless explicitly requested.


 

Copyright © 2025 EZClass | all rights reserved | Patented