Ready to execute. Calibrated to where your data is and what protects it.
The Data Processing Agreement (DPA) between Eve-Education, LLC and an institutional customer is the contractual backbone of the data-protection relationship. The DPA is Article 28 GDPR-aligned, includes Standard Contractual Clauses for international transfer where applicable, and incorporates FERPA-school-official-style terms for U.S. educational institutions.
This page summarizes the DPA so a counsel reviewer can scan the structure before requesting the executable document.
Roles and scope
- Controller / processor. The institution is the data controller (and, for FERPA-covered institutions, the holder of education records). Eve-Education, LLC is the data processor under Article 28 GDPR and the school official under FERPA, processing data only on documented instructions from the controller.
- Categories of data. Identity data (institutional identifiers), educational records (enrollment, lesson progress, assessment artifacts), reasoning telemetry (aggregate, no content), and system audit logs.
- Data subjects. Students, teachers, faculty, instructors, trainers, employees, parents (where applicable), institutional administrators.
- Duration. The duration of the executed institutional agreement, plus the contracted retention period after termination, plus any statutory retention obligation (a 7-year FERPA audit-retention design target, where applicable).
Article 28 obligations (the core)
- Documented instructions only. The processor processes personal data only on documented instructions from the controller, including international transfers.
- Confidentiality. Persons authorized to process the personal data are bound by confidentiality obligations.
- Technical and organizational measures. Appropriate measures aligned to Article 32 GDPR; described in the Trust Center security pillars and security FAQ.
- Sub-processor governance. Sub-processor engagement is disclosed; material changes are notified with a documented notice period and customer right to object. Current list at /trust/subprocessors/.
- Data-subject rights assistance. Eve-Education assists the controller in fulfilling data-subject rights (access, rectification, erasure, restriction, portability, objection) through technical features and operational support.
- Breach notification. Eve-Education notifies the controller without undue delay (target: within 72 hours of confirmed unauthorized access to personal data) so the controller can meet its Article 33 GDPR obligation. See incident response.
- Audit rights. The controller may audit Eve-Education's compliance with the DPA on documented terms (advance notice, confidentiality, scope, frequency).
- Return or deletion at end of processing. At the choice of the controller, personal data is returned or deleted at the end of the processing period, with written confirmation.
International transfers
For data subjects in the European Economic Area, the United Kingdom, and jurisdictions with comparable transfer-restriction regimes, the DPA incorporates the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum where applicable. Transfers to U.S. Azure regions rely on the Standard Contractual Clauses and supplementary measures (encryption in transit and at rest, key management, audit logging).
FERPA-school-official terms
For FERPA-covered U.S. educational institutions, the DPA incorporates the school-official model: Eve-Education performs an institutional service or function for which the institution would otherwise use its own employees; is under direct control of the institution with respect to the use and maintenance of education records; and is subject to FERPA's requirements governing the use and redisclosure of personally identifiable information from education records (34 CFR §99.31(a)(1)(i)(B)).
Regional regimes (non-EU/non-US)
The DPA is structured so additional regional terms can be incorporated for specific jurisdictions: the Kenya Data Protection Act 2019, the Nigeria Data Protection Act 2023, the Pakistan personal-data-protection regime as adopted, and the East African Community member-state frameworks engaged through the IUCEA partnership. Each regional incorporation is reviewed by local counsel before execution.
How to request the executable document
The executable Data Processing Agreement is provided to institutional customers as part of the contracting process. Talk to our team to begin the institutional onboarding conversation, or write to hello@mindhyve.ai with the subject line “DPA request — [institution name]”.