Legal

Data Processing Agreement Template

Version 1.0 · Last reviewed: 2026-04-26 · For use between StudyDeck (Processor) and Customer (Controller)

1. Parties

Processor	StudyDeck, a sole proprietorship, India ("StudyDeck", "we")
Controller	[Customer legal name], a [Customer entity type] registered in [Customer country] ("Customer")
Effective date	[YYYY-MM-DD]

2. Subject matter and duration

Subject matter: Provision of the StudyDeck flashcard application and related services to Customer's authorised users.

Nature and purpose: Storage, retrieval, and AI-assisted processing of educational content (flashcards, notes, vocabulary, mind maps, study progress) on Customer's instruction.

Duration: The term of Customer's StudyDeck subscription, plus the post-cancellation retention period defined in Schedule B.

3. Categories of data subjects and personal data

Data subjects

Teachers and parents authorised by Customer.
Students enrolled by those teachers / parents (including minors, where applicable).
Customer's administrative personnel.

Personal data processed

Account identifiers: email address, display name, profile picture URL.
Authentication metadata: Google OAuth subject identifier.
Educational content uploaded by users.
Operational data: IP address, user-agent, timestamps of authentication events.
Payment metadata where applicable: gateway transaction reference, last-4 of payment method, GSTIN.

Special categories (Art. 9 GDPR): StudyDeck does not anticipate processing special categories. Customer must not upload such data without a separate written addendum.

4. Roles and instructions

Customer is the Controller. StudyDeck is the Processor and will process personal data only on documented instructions from Customer (which may be set out in this DPA, the StudyDeck Terms of Service, or in writing). StudyDeck will inform Customer if, in its opinion, an instruction infringes applicable data protection law.

5. Confidentiality

StudyDeck ensures personnel authorised to process the personal data are bound by a duty of confidentiality, including former personnel.

6. Security measures

StudyDeck implements technical and organisational measures appropriate to the risk, as documented in Schedule B. The list reflects measures actually in place; material reductions require 30 days' prior notice to Customer.

7. Sub-processors

Customer authorises StudyDeck to engage the sub-processors listed in Schedule A. StudyDeck will notify Customer in writing of any intended addition or replacement at least 30 days in advance, giving Customer the opportunity to object on reasonable grounds. If the parties cannot agree, Customer may terminate the affected portion of the Service.

StudyDeck imposes data protection obligations on sub-processors that are no less protective than those in this DPA.

8. Data subject requests

Where StudyDeck receives a request from a data subject directly, it will redirect the request to Customer. Where Customer requires assistance to respond to a request, StudyDeck will provide reasonable cooperation, including via the /admin/orgs/:id/export data export and the in-app deletion flow.

9. Personal data breach

StudyDeck will notify Customer of a personal data breach affecting Customer's data without undue delay and in any case within 72 hours of becoming aware of it. The notice will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

10. Audit rights

Customer may, no more than once per calendar year and on at least 30 days' notice, request information necessary to demonstrate StudyDeck's compliance with this DPA. StudyDeck will respond with documentation including the most recent third-party security assessment (where available), the in-place security measures (Schedule B), and the audit log of admin actions on Customer's data. On-site audits are available only for Schools and Chains under contract and at Customer's expense.

11. International transfers

StudyDeck primarily hosts in India. Where personal data of EU/UK data subjects is transferred outside the EEA / UK, the parties incorporate the European Commission's Standard Contractual Clauses (Module 2: controller-to-processor) by reference, with the Customer as data exporter and StudyDeck as data importer. The UK Addendum applies where UK data subjects are involved.

12. Liability

The liability provisions of the StudyDeck Terms of Service apply to this DPA.

13. Term and termination

This DPA terminates automatically when the StudyDeck subscription terminates. Sections 9 (breach notification), 14 (return / deletion), and any other section that by its nature should survive, will continue.

14. Return or deletion of data on termination

Within 30 days of subscription termination, StudyDeck makes Customer's personal data available for export via the /admin/orgs/:id/export endpoint. After the post-cancellation retention period (default 365 days, configurable per tier), StudyDeck deletes or anonymises the data and confirms the deletion to Customer in writing on request.

15. Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails on data protection matters.

16. Signatures

For Customer	Name: [name] Title: [title] Date: [date] Signature: ____________________
For StudyDeck	Name: [StudyDeck signatory name] Title: Operator Date: [date] Signature: ____________________

Schedule A — Sub-processors

Current sub-processors as of the Effective Date. The live list is mirrored at /sub-processors when published.

Sub-processor	Purpose	Location
Google LLC	OAuth sign-in (no content access)	USA
Anthropic / OpenAI / Groq / OpenRouter / Google Gemini	AI generation (only when Customer or its users elect; managed pool is opt-in per tier)	USA / EU
Resend / Postmark / SendGrid / SMTP host	Transactional email (configurable in `/admin/email`; one active at a time)	USA / EU
Razorpay / Paddle / Lemon Squeezy	Payment processing (Merchant of Record where applicable)	India / Ireland / USA
VPS host (e.g. Hetzner / DigitalOcean)	Hosting + storage	India (primary)

Schedule B — Security measures

Encryption

TLS 1.3 in transit for all client-server traffic.
AES-256-GCM at rest for secrets stored in app_settings (email API keys, payment webhook secrets) — see server source server/src/crypto.js.
Ed25519 for offline license tokens.
Database backups encrypted at rest in a different region from primary.

Access control

Google OAuth + server-side sessions (HttpOnly, Secure, SameSite=Lax cookies).
Role-based access: super_admin / chain_admin / school_admin / teacher / parent / student.
Admin actions and authentication events captured in an immutable audit log.

Operational

Nightly database backups to offsite object storage (different region).
Weekly restore drill from backup (RTO 4h, RPO 24h target).
Structured JSON server logs retained 30 days.
Error tracking (self-hosted) retained 90 days.
Uptime monitor checking /healthz at 1-minute intervals.
Kill-switch toggles in /admin/feature-flags for immediate cut-off of paid surfaces (managed AI pool, payments, signups).

Personnel

StudyDeck personnel are bound by a duty of confidentiality.
Access to production is restricted to the operator and explicitly granted helpers.
Background checks for any personnel who have direct access to production data.

Incident response

Personal data breach notification to Customer within 72 hours.
Internal runbook for triage, containment, and post-incident review.

Need a customised DPA, additional schedules, or have questions? Email hello@theconsultant.chat.