SAFE
Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of the SAFE Terms of Service (“Terms”) between ORRO GROUP a.s., with its registered office at Budilova 161/15, 301 00 Plzeň, Czech Republic, ID No.: 04365569 (“Processor” or “ORRO GROUP”) and the professional teacher or tutor accessing or using SAFE (“Controller” or “You”).
1. Definitions and Interpretation
- “Applicable Data Protection Law” means Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”) and any applicable national implementing laws.
- “Student Personal Data” means any personal data of Your students processed by ORRO GROUP on Your behalf in connection with providing the SAFE services.
- Terms such as “Controller”, “Processor”, “Personal Data”, “Processing”, and “Personal Data Breach” shall have the meanings given to them in the GDPR.
2. Scope and Instructions
- Role of the Parties: The parties acknowledge and agree that with respect to the Processing of Student Personal Data, You are the Data Controller and ORRO GROUP is the Data Processor.
- Instructions: Processor shall process Student Personal Data solely on Your documented instructions, including with regard to transfers of personal data to a third country. The Terms and this DPA constitute Your complete and finalized instructions to the Processor.
- Compliance: Processor shall immediately inform You if, in its opinion, an instruction infringes Applicable Data Protection Law.
3. Confidentiality and Security
- Confidentiality: Processor shall ensure that persons authorized to process the Student Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Technical and Organizational Measures: Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These measures include encrypted connections (HTTPS) and access controls.
4. Sub-processors
- Prior Authorization: You grant ORRO GROUP a general written authorization to engage sub-processors to perform specific processing activities on Your behalf.
- Approved Sub-processors: You hereby approve the engagement of the following sub-processors: Supabase (authentication and database hosting) and Vercel (application hosting and delivery).
- Changes to Sub-processors: Processor shall inform You of any intended changes concerning the addition or replacement of sub-processors by updating its Privacy Policy or notifying You via email, thereby giving You the opportunity to object to such changes. If You object on reasonable data protection grounds, either party may terminate the subscription.
- Contractual Flow-down: Processor shall impose data protection obligations no less restrictive than those set out in this DPA on each sub-processor.
5. Data Subject Rights and Cooperation
- Data Subject Requests: Processor shall, insofar as is professionally possible, assist You by appropriate technical and organizational measures for the fulfilment of Your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
- Assistance: Processor shall assist You in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (Security, Breach Notification, DPIAs), taking into account the nature of processing and the information available to the Processor.
6. Personal Data Breach
Processor shall notify You without undue delay (and in any case within 48 hours) after becoming aware of a Personal Data Breach affecting Student Personal Data. The notification shall contain sufficient information to allow You to meet your reporting obligations under Article 33 GDPR.
7. Audit Rights
Processor shall make available to You all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. Processor shall allow for and contribute to audits, including inspections, conducted by You or another auditor mandated by You, at Your sole expense, upon reasonable prior notice and no more than once per calendar year.
8. Term and Termination
- Duration: This DPA shall remain in effect for the duration of Your active account under the Terms.
- Deletion or Return: Processor shall, at Your choice, delete or return all Student Personal Data to You after the end of the provision of services relating to processing, and delete existing copies unless Applicable Data Protection Law requires storage of the personal data. Transient student data is automatically deleted or anonymized within 24 hours.
Annex A: Details of Processing
Categories of Data Subjects: Students of the Controller who utilize the SAFE-EN interface provided by the teacher.
Types of Personal Data: Transient technical data: IP addresses, device identifiers, log data, and vocabulary content (if backup/sync features are explicitly used).
Nature and Purpose of Processing: Hosting, synchronization, and transmission of technical data and vocabulary content strictly as necessary to deliver the vocabulary practice services.
Duration of Processing: For the duration of the student’s active browser session, with automated deletion/anonymization taking place within 24 hours (except for synced data which persists until deleted by the teacher).