Legal
Data Processing Addendum
Last updated · 12 May 2026
This Data Processing Addendum (“DPA”) forms part of the Aufsatzkorrektur Terms of Service and governs how Aufsatzkorrektur Education B.V. (the “Processor”) processes personal data on behalf of the customer (the “Controller”) under Article 28 GDPR.
1. Subject matter and duration
The Processor processes personal data only to provide the Service for the duration of the underlying agreement and for the limited periods needed for return or deletion of data.
2. Nature and purpose
AI-assisted grading, rubric generation, OCR of handwritten papers, plagiarism and AI detection, and the generation of educator-facing reports.
3. Categories of data subjects
- Customer’s authorised users (teachers, administrators).
- Students whose work the Controller chooses to upload.
4. Categories of personal data
- Identification data (where provided): student initials or pseudonyms.
- Educational content: essays, scans, photos, audio (when relevant).
- Account and usage metadata for the Controller’s users.
5. Processor obligations
- Process personal data only on documented instructions of the Controller.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement the technical and organisational measures described in Security & Compliance.
- Engage subprocessors only with prior general authorisation, listed at Subprocessors, with at least 30 days’ advance notice of changes.
- Assist the Controller with data-subject requests, DPIAs, and supervisory consultations.
- Notify the Controller of any personal data breach without undue delay and within 72 hours.
- On termination, return or delete all personal data within 30 days unless retention is required by EU or Member State law.
- Make available all information necessary to demonstrate compliance with Art. 28 and allow audits, including inspections, conducted by the Controller or an auditor mandated by it.
6. International transfers
Where the Processor transfers personal data outside the EEA, it does so under the European Commission’s Standard Contractual Clauses (Decision 2021/914), with the Controller as data exporter and the relevant Module (typically Module 2 or 3) selected based on the parties’ roles.
7. Liability
Each party’s liability under this DPA is subject to the liability provisions of the underlying agreement, except where applicable law provides otherwise.
8. Order of precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.
Signing this DPA
Institutional customers can request a counter-signed PDF copy of this DPA at dpo@classx.eu.
This document is provided as a starting template adapted for European education providers. It does not constitute legal advice. Have qualified counsel review and tailor it to your jurisdiction and processing activities before relying on it.