Data Processing Agreement (DPA)
Template for signature. Fields in [brackets] are completed by the institution on signing. Not legal advice.
This Data Processing Agreement (the "Agreement") is entered into between [institution name], reg. no. [reg. no.] (the "Controller") and Lukas Thrane (sole proprietorship), reg. no. 936 043 925, Vegamot 1N, 7049 Trondheim, Norway (the "Processor", "Graidable"). It governs the Processor's processing of personal data on behalf of the Controller in connection with use of Graidable, under GDPR Art. 28.
1. Purpose and scope
The Processor processes personal data only to deliver the Graidable service (AI-assisted draft assessment and feedback) and only on the Controller's documented instructions as set out in this Agreement and the main agreement/terms. The Processor shall not process the data for its own purposes.
2. Duration
The Agreement applies for as long as the Processor processes personal data on the Controller's behalf, and ends when processing ceases and the data is deleted/returned (clause 9).
3. Nature of processing, categories and data subjects
The nature and purpose of processing, categories of personal data and data subjects are set out in Annex A. Processing includes student submissions, identifiers and assessment data.
4. Processor obligations
The Processor shall:
- process personal data only on documented instructions, and notify if an instruction is considered to infringe data protection law;
- ensure persons with access are bound by confidentiality;
- implement appropriate technical and organisational measures under GDPR Art. 32 (see Annex B);
- assist the Controller in fulfilling obligations regarding data-subject rights, security, data protection impact assessments (Art. 35) and prior consultation (Art. 36);
- not use customer or student content to train AI models, and impose the same on sub-processors.
5. Personal data breach
The Processor shall notify the Controller without undue delay after becoming aware of a breach, and assist with the information needed for the Controller to meet its obligations under Art. 33–34.
6. Sub-processors
The Controller gives general prior authorisation for the sub-processors in Annex A. The Processor shall impose obligations equivalent to this Agreement on sub-processors, and notify the Controller of intended changes (new or replacement sub-processors) with reasonable notice so the Controller can object.
7. International transfers
The storage and OCR chain is configured within the EU/EEA. For any transfer outside the EEA (e.g. certain LLM providers), a valid transfer mechanism shall apply, normally the EU Standard Contractual Clauses (SCC) with necessary supplementary measures.
8. Audit
The Processor shall make available the information necessary to demonstrate compliance with Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it.
9. Return and deletion
On termination of the service, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies, unless retention is legally required. Deletion is performed without undue delay on request.
10. Liability and governing law
The Agreement is governed by Norwegian law, with venue Trøndelag District Court (Trondheim). Each party is liable under data protection law and the main agreement. Data subjects may complain to the Norwegian Data Protection Authority (Datatilsynet).
Annex A – Processing overview and sub-processors
Purpose: AI-assisted draft assessment and feedback on student work. Data subjects: students; teachers and teaching assistants. Categories: identifiers (name, student ID, email), submission content (may contain special-category data in free text), assessment data, account/log data.
| Sub-processor | Function | Location | Transfer mechanism |
|---|---|---|---|
| Railway | App hosting, database (Postgres), queue (Redis/RabbitMQ) | EU – EU West (Amsterdam) | DPA + SCC (US company; data in EU) |
| Amazon Web Services | Storage (S3), OCR (Textract), email (SES) | EU – eu-west-1 (Ireland) | AWS DPA; EU region |
| LandingAI | OCR / document analysis | EU (eu-west-1) or US – on demand | DPA; Zero Data Retention in both regions; local/on-prem for full data ownership (enterprise) |
| OpenRouter / LLM provider | AI assessment | EU / self-hosted / Norway-hosted (configurable) | DPA; zero retention + no training; SCC if US |
| Stripe | Billing | EU (Ireland) | Does not process student data |
Annex B – Technical and organisational measures (Art. 32)
Encryption in transit (TLS) and at rest; access control and role-based access; per-submission isolation; logging; EU/EEA-based hosting; data minimisation (student names are not sent to the LLM – submissions are keyed by internal ID); breach-handling procedures and notification within the Art. 33 deadlines.
Signature
| Controller | Processor (Graidable) | |
|---|---|---|
| Name | [name] | Lukas Thrane |
| Date | ||
| Signature |