Roles
- Customer (the academy operator) — Data Controller.
- LearnCore Systems — Data Processor.
- End users (students, tutors) — Data Subjects.
Subject matter & duration
LearnCore processes Customer Data solely to provide the Service for the duration of the subscription. Processing ends when the subscription ends; data is deleted within 30 days, except where retention is required by law.
Categories of data subjects & data
- Subjects
  - Customer's admins, tutors, and students.
- Identification data
  - Name, email, role, language preference, optional avatar.
- Learning data
  - Course progress, homework submissions, grades, AI-review drafts, certificates issued.
- Communication data
  - Tutor-chat transcripts, system notifications.
- Technical data
  - Login timestamps, IP address (truncated to /24 after 30 days), user-agent.
Sub-processors
The Customer authorises the following sub-processors. We give 30 days' notice before adding new ones (you can object in writing — we'll find a path that works for both sides or, if we can't, you can terminate without penalty).
- Anthropic Ireland Ltd.
  - AI homework review & tutor chat — Claude Opus 4.7 / Sonnet 4.6. EU regions where available. Zero-retention enterprise agreement. Terms.
- OpenAI Ireland Ltd.
  - AI homework review & tutor chat — GPT-5.5. EU regions where available. Zero data-retention agreement. Terms.
- Google Ireland Ltd.
  - AI homework review & tutor chat — Gemini 3.1 via Vertex AI. EU regions where available. No-training tier. Terms.
- Hetzner Online GmbH (DE)
  - Hosting & storage. Frankfurt for EU tenants. ISO 27001 certified. Terms.
- Stripe Payments Europe Ltd. (IE)
  - Billing & payment processing. PCI DSS Level 1. Card data never touches LearnCore servers.
- Postmark / SendGrid
  - Transactional email (verification, certificate notifications). Configurable per-tenant.
Security measures
See /security for the operational details. Headline:
- TLS 1.3 in transit, AES-256 at rest.
- Role-based access; mandatory 2FA for staff with production access; access reviewed monthly.
- Daily encrypted backups, 30-day retention, restore tested monthly.
- Audit logging on admin actions; 12-month retention on Growth, 24 months on Enterprise.
- SOC 2 Type II audit in progress (target Q3 2026).
Data subject rights
The Customer fields data-subject requests directly. LearnCore assists within 5 business days of receiving a documented request. Self-serve export is available from the academy admin panel.
International transfers
EU tenants' Customer Data stays in the EU by default. If a sub-processor with EU data needs to transfer that data outside the EEA (e.g. an LLM provider falling back to the US for an unavailable model), the SCCs (EU 2021/914) apply, attached to the signed DPA.
Data deletion
- On Customer request: within 14 days.
- On termination: within 30 days, unless legal retention applies (e.g. invoicing 7 years).
- Backups: encrypted; passively expire within 30 days.
Audits
Customer may audit LearnCore's compliance once per 12 months on reasonable notice, at Customer's cost, subject to NDA. We provide our SOC 2 report (when available) under NDA in lieu of on-site audits.
Breach notification
We notify the Customer's primary security contact within 72 hours of confirming a personal data breach, with the facts known at the time and an estimated impact.
Liability
The liability cap in the main agreement applies to this DPA, except where law forbids capping liability for breach of data-protection obligations.