EZclass Data Processing Agreement (DPA)
Effective Date: January 1, 2026
Version: 1.0
1. Parties
This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service and Privacy Policy of EZClass OÜ.
Controller:
EZClass OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia Registry number: 16802842
Email: privacy@ezclass.io
Processor / Sub-Processor:
Each third-party service provider or subcontractor engaged by EZClass OÜ that processes personal data on its behalf as described in the Privacy Policy and listed in the Sub-Processor List below.
For the purposes of Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679, EZClass OÜ acts as the Data Controller of personal data collected via its platform (ezclass.io and subdomains).
EZclass OÜ uses Google Cloud Platform (GCP) as its primary infrastructure provider and Firebase for push notifications and real-time features. Both are provided by Google Cloud EMEA Limited and Google LLC, operating under the EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
Certain processors and teacher contractors may act as Processors or Sub-Processors when performing services on behalf of EZClass OÜ.
2. Scope and Purpose
This DPA governs the processing of personal data in the context of EZClass OÜ’s platform and services, including:
Online English language classes
Subscriptions
Educational tools
Video conferencing
Digital whiteboards
Customer support
Payment processing
Data analytics
Personal data processed under this DPA includes data relating to:
Students
Parents/legal guardians
Teachers
Visitors to the platform
The purpose of processing is to enable EZClass OÜ to deliver, manage, improve, and secure its educational services.
Processing also includes hosting, notification delivery, analytics, and secure email communication through approved third-party processors (GCP, Firebase, ZeptoMail, Brevo, Hostinger, Stripe, Cloudflare, Zoom, and Excalidraw).
3. Categories of Personal Data
The types of personal data processed include:
Identifiers: name, email, account credentials
Contact information: phone, address (where applicable)
Profile data: educational background, bio, profile picture/video
Class participation data: video, audio, chat messages, whiteboard content
Payment data: limited metadata (processed securely by Stripe)
Device data: IP address, device identifiers, browser type
Usage data: platform interactions, attendance, performance analytics
Sensitive data: identification documents (teachers), where required for compliance
Notification metadata (device tokens, delivery status, timestamps)
Email delivery metadata (recipient address, delivery logs, bounce data)
System diagnostics (error logs, performance metrics pseudonymized)
Data Subjects
Students aged sixteen (16) and older, including users aged sixteen (16) or seventeen (17) where a parent or legal guardian is involved solely in payment, onboarding, or support communications, as described in the Privacy Policy.
Parents/legal guardians of students
Teachers (independent contractors engaged by EZClass OÜ)
Visitors to the EZClass OÜ platform
Duration
This DPA remains in effect for the duration of the relationship between EZClass OÜ and each Processor.
Deletion shall include deletion from active systems and shall occur within a reasonable period following termination, subject to technical backup retention cycles. Personal data stored in backups shall be securely isolated and deleted upon expiration of the backup retention period.
Upon termination of services, personal data must be returned or deleted in accordance with this DPA and applicable law.
6. Obligations of the Controller (EZClass OÜ)
EZClass OÜ as Controller shall:
Process personal data in compliance with GDPR and applicable data protection laws
Clearly inform data subjects via its Privacy Policy
Maintain a record of processing activities (Article 30 GDPR)
Obtain valid consent where required
Respond to data subject requests (access, rectification, erasure, etc.)
Ensure an adequate legal basis for international transfers
Maintain up-to-date Data Processing Agreements (DPAs) with all processors, including GCP, Firebase, ZeptoMail, Brevo, Hostinger, and Stripe, ensuring each complies with Article 28 GDPR and applies Standard Contractual Clauses for international data transfers.
7. Obligations of the Processor
Each Processor acting on behalf of EZClass OÜ shall:
Process personal data only on documented instructions from EZClass OÜ, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject (in which case the Processor shall inform EZClass OÜ of that legal requirement before processing, unless prohibited by law).
Implement appropriate technical and organizational measures to ensure data security
Ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Cooperate with EZClass OÜ on data subject rights requests
Assist with data protection impact assessments (DPIAs) where required
Notify EZClass OÜ without undue delay in case of personal data breach
Where a breach involves GCP or Firebase systems, Google LLC shall notify EZclass OÜ in accordance with the Google Cloud Data Processing Addendum (“Google Cloud DPA”), which meets the requirements of Article 28 GDPR. EZClass OÜ will coordinate notifications to supervisory authorities and data subjects as necessary.
Return or delete personal data upon termination of services
Allow for audits and inspections by EZClass OÜ or its appointed auditor, subject to reasonable notice, confidentiality obligations, and without unreasonably interfering with the Processor’s business operations.
Not engage sub-processors without prior authorization or general written consent (Article 28(2))
Ensure any sub-processors are bound by equivalent data protection obligations
Assist EZClass OÜ, taking into account the nature of the processing and the information available to the Processor, in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation).
EZClass OÜ provides general written authorization for the engagement of sub-processors listed in Section 9. EZClass OÜ will inform relevant parties of any intended changes and provide an opportunity to object where required by law.
8. International Data Transfers
When personal data is transferred outside the European Economic Area (EEA), EZClass OÜ and its processors implement the following safeguards:
Standard Contractual Clauses (SCCs) — used for GCP, Firebase, Stripe, ZeptoMail (Zoho Corporation Pvt Ltd), and Brevo (Sendinblue SAS) where relevant.
EU-U.S. Data Privacy Framework (DPF) — relied upon for Google LLC services (Firebase and GCP) and Zoho Corporation Pvt Ltd (ZeptoMail) where applicable.
Encryption & Access Controls — data in transit and at rest is encrypted (AES-256 or TLS 1.2+), with role-based access and audit logging implemented on GCP infrastructure.
EU Data Residency Preference — production servers and databases are primarily hosted in EU regions (Frankfurt and Netherlands) to minimize cross-border flows.
9. Sub-Processors
EZClass OÜ engages the following approved sub-processors:
Processors (Data Processors) — Act on Our Behalf
| Service | Purpose | Location | Legal Safeguard |
| Standard | |||
| Stripe Payments Europe, | Processing customer | Ireland / US | Contractual |
| Ltd. | payments (subscriptions, | Clauses (SCCs), | |
| bookings) | EU-U.S. Data | ||
| Privacy Framework | |||
| Zoom Video SDK (Zoom | SCCs, EU-U.S. | ||
| Data Privacy | |||
| Video Communications, | Embedded video classes | US | |
| Framework, DPA | |||
| Inc.) | |||
| with Zoom | |||
| Google Cloud Platform, | Hosting of databases and | EU (Frankfurt, | SCCs + DPF |
| LLC (GCP) | application servers | Netherlands) / US | |
| (backups) | |||
| ZeptoMail (Zoho Corp | Transactional and | India / France / | SCCs + DPF / EEA |
| Pvt Ltd), Brevo | |||
| (Sendinblue SAS), | operational emails | Lithuania | jurisdiction |
| Hostinger Intl Ltd | |||
| Hostinger | Email service & domain | Lithuania (EU) | GDPR Compliant |
| registration (emails, domain | |||
| DNS) | |||
| Google LLC (Google | Analytics & performance | EU/US | SCCs + DPF |
| Cloud & Analytics) | monitoring | ||
| Enty OÜ or other | Legal, accounting, | Estonia (EU) | GDPR Compliant, |
| authorized advisors | compliance services | DPA with Enty | |
| Cookie consent | Manages cookie | ||
| Usercentrics A/S | management, banner | ||
| display, consent logging | Denmark (EU) | consent per GDPR | |
| (Cookiebot CMP) | |||
| (required under GDPR Art. | Art. 7(1) | ||
| 7(1), Art. 30) | |||
| Cloudflare, Inc. | CDN, DDoS protection, | Global (with SCCs / | IP address, traffic |
| metadata, essential | |||
| security proxy | DPF safeguards) | cookies | |
| Content management and | DPA, access | ||
| Strapi | EEA / US | controls, Processor | |
| handling form submissions | agreement; access | ||
| restricted | |||
| Excalidraw Inc | Collaborative classroom | EU | SCCs |
| tools | |||
| Firebase Cloud | Push notifications for | ||
| Messaging (Google | EU/US | SCCs + DPF | |
| classes & system updates | |||
| LLC) | |||
| Hosted on | |||
| NTFY (self-hosted) | Internal notifications (non- | EU-based | EZclass’s own |
| infrastructure via | |||
| sensitive system events) | infrastructure | ||
| GCP. No third- | |||
| party data sharing. | |||
| Headless CMS for admin | SCCs, access- | ||
| Directus | U.S. (DigitalOcean) | restricted, GDPR- | |
| content & dashboard forms | compliant. Internal- | ||
| only. |
NTFY and Directus are used exclusively for internal system operations and administrator interfaces. These services are hosted on secure GCP infrastructure, access-controlled by EZclass. They do not handle external user content or marketing data.
EZclass OÜ may update this list periodically. Material changes will be published on ezclass.io/legal or communicated to partners in advance.
Third-Party Controllers (Independent Legal Responsibility — Not Our Processors)
| Service | Purpose | Location | Legal Role |
| Wise Payments | Outgoing teacher payouts & | Separate | |
| EEA/UK/US | Controller (AML, | ||
| Limited | rare refunds | KYC, Tax Law | |
| obligations) | |||
| Hostinger (Domain | Domain WHOIS registration | ||
| registration) | & DNS (public record) | ||
| Facebook / Meta | If user clicks on our ad and | Separate controller | |
| is redirected to EZclass | relationship — Meta | ||
| (retargeting pixel) | Privacy Policy applies | ||
| Google (Google Ads) | Same as above — if using | Separate controller | |
| retargeting or ad pixels | relationship |
This list may be updated from time to time. EZClass OÜ will notify Processors of material changes.
Legal Counsel and Consultants
Our legal advisors, GDPR consultants, and similar professional service providers (for example, Enty OÜ or other authorized advisors) may access personal data when necessary to support EZClass
OÜ’s compliance with legal obligations, data protection requirements, accounting, tax reporting, or to assist with audits or disputes. Such access is limited, controlled, and subject to confidentiality obligations.
10. Data Security Measures
Each Processor must implement appropriate technical and organizational measures, including:
Encryption of personal data in transit and at rest
Secure hosting environments
Access controls and authentication
Regular vulnerability testing
Incident response plans
Data minimization
Annual security and privacy reviews of sub-processors (GCP, Firebase, Stripe, Zoho, and Brevo).
Zero-trust access policies enforced for administrative users via two-factor authentication and logging on GCP and Firebase consoles.
11. Liability and Indemnity
Each party shall be liable for its own processing of personal data under this DPA and applicable law.
Processors are liable for breaches caused by their own acts or omissions and those of authorized sub-processors.
Where processors operate under their own DPAs (e.g. Google Cloud DPA or Stripe Data Processing Agreement), EZClass OÜ acknowledges that liability is allocated per those agreements in line with Article 82 GDPR.
12. Termination
Upon termination of the services, Processors must:
Delete or return all personal data, unless retention is required by law
Confirm to EZClass OÜ in writing that deletion has occurred
13. Miscellaneous
This DPA is governed by Estonian law and EU GDPR.
In case of conflict between this DPA and other agreements, this DPA prevails with respect to data protection.
In the event of conflict between this DPA and a Processor’s standard data processing terms, this DPA shall prevail with respect to the processing of personal data on behalf of EZClass OÜ, unless mandatory law requires otherwise.
14. Contact
For questions about this DPA:
Controller:
EZClass OÜ
privacy@ezclass.io
Registry number: 16802842
Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
15. Signatures
This DPA is automatically binding on Processors engaged by EZClass OÜ through contract or service agreement.
No separate signature is required unless explicitly requested.