Perundangan

Perjanjian Pemprosesan Data

Last updated: June 23, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Classroom Labs, Inc. ("Classroom," "Processor," "we," or "us") and the customer organization that accepts our Terms of Service or executes an order for the Service ("Customer," "Controller," or "you").

This DPA applies when Classroom processes Personal Data on Customer's behalf in providing the Classroom.so platform. If there is a conflict between this DPA and the Terms regarding processing of Personal Data on Customer's behalf, this DPA controls.

Contact for DPA matters: legal@classroom.so

1. Definitions

  • "Personal Data" means information relating to an identified or identifiable individual that Customer submits to or processes through the Service.
  • "Process," "Processing" have the meanings given in applicable Data Protection Laws.
  • "Data Protection Laws" means GDPR, UK GDPR, CPRA, and other applicable privacy and data protection laws.
  • "Subprocessor" means a third party engaged by Classroom to Process Personal Data on Customer's behalf.
  • "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Classroom on Customer's behalf.

2. Roles and scope

Customer is the Controller (or Business) of Personal Data it submits about students, families, staff, and other individuals. Classroom is the Processor (or Service Provider) with respect to that data.

Classroom Processes Personal Data only to:

  • Provide, maintain, and support the Service according to the Terms and Customer's documented instructions (including organization settings, roles, and in-product actions)
  • Comply with applicable law
  • As otherwise permitted by this DPA and the Terms

Customer instructs Classroom to Process Personal Data by using the Service and configuring its organization account.

3. Customer responsibilities

Customer is responsible for:

  • Having a lawful basis and, where required, obtaining consents for Processing (including parental consent for children's information where applicable)
  • Complying with FERPA, COPPA, state student-privacy, childcare, and employment laws that apply to Customer
  • Ensuring data entered into the Service is accurate and limited to what Customer is permitted to collect
  • Configuring roles, access, and retention appropriately
  • Responding to data subject requests regarding data Customer controls, using export and deletion tools where available

4. Classroom obligations

Classroom will:

  • Process Personal Data only on Customer's documented instructions unless required by law (in which case we will inform Customer unless prohibited)
  • Ensure personnel authorized to Process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures as described in Section 6
  • Engage Subprocessors under Section 5
  • Assist Customer with data subject requests and security assessments as described in Sections 7 and 8, where applicable and taking into account the nature of Processing
  • Delete or return Personal Data upon termination as described in Section 9, subject to legal retention requirements

5. Subprocessors

Customer provides general authorization for Classroom to engage Subprocessors listed on our Subprocessors page. We will notify Customer of material additions or changes (for example, by updating that page and, where required by law, providing notice before the new Subprocessor Processes Personal Data). Customer may object on reasonable grounds relating to data protection by contacting legal@classroom.so within 30 days of notice. If we cannot reasonably accommodate the objection, Customer may terminate the affected Service.

Classroom remains responsible for Subprocessors' performance of their data protection obligations.

6. Security

Classroom maintains measures designed to protect Personal Data, including:

  • Encryption in transit (TLS)
  • Access controls and authentication for production systems
  • Logical separation of customer organizations (multi-tenant isolation)
  • Monitoring and logging for security events
  • Regular review of vendors and critical infrastructure

Details may be supplemented by a security overview provided upon request for enterprise customers.

7. Data subject requests

If Classroom receives a request from an individual regarding Personal Data that Customer controls, we will redirect the individual to Customer unless required by law to respond directly. Classroom will provide reasonable assistance to Customer in fulfilling requests, taking into account the nature of Processing and information available to us.

8. Security incidents

Classroom will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer's Personal Data. Notification will include, to the extent known: nature of the incident, categories of data affected, likely consequences, and measures taken or proposed. Classroom will provide reasonable cooperation to help Customer meet its breach-notification obligations.

9. Deletion and return

Upon termination of the Service, Customer may export organization data in-product while the account remains active. After termination, Classroom will delete or anonymize Customer Personal Data within 90 days, except where retention is required by law or permitted under the Privacy Policy (for example, billing records or backup cycles).

10. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, Classroom will implement appropriate safeguards such as Standard Contractual Clauses where required. Customer may request additional information about transfer mechanisms by contacting legal@classroom.so.

11. Audits

Upon reasonable written request, Classroom will provide information necessary to demonstrate compliance with this DPA. For enterprise customers, we may offer a summary of third-party audit reports or questionnaires under confidentiality, rather than on-site audits, unless required by Data Protection Laws and agreed in writing.

12. Term

This DPA remains in effect for as long as Classroom Processes Personal Data on Customer's behalf. Provisions that by nature should survive termination (including confidentiality and incident cooperation for incidents discovered before termination) will survive.

13. Order of precedence

If Customer and Classroom execute a separate written data processing agreement or enterprise order form with conflicting terms regarding Processing, that signed agreement controls over this online DPA to the extent of the conflict.

14. Contact

Classroom Labs, Inc.
2261 Market Street #5022, San Francisco, CA 94114, United States
legal@classroom.so