Data processing agreement (DPA)
Last updated: 2026-03-08
1. Introduction
This Data Processing Agreement (the "DPA") forms part of the contract between the customer (the "Controller") and TeachersFlow (the "Processor") and applies where the Processor processes personal data on behalf of the Controller in connection with the Service.
Processor identification: Jan Maxa, Business ID (IČ): 24495689, Renoirova 652/16, 152 00 Prague 5, Czech Republic.
This DPA is intended to address Article 28 GDPR requirements. If you need a signed copy, contact info@teachersflow.com.
2. Definitions
- Controller and Processor have the meanings given in the GDPR.
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on Personal Data.
- Subprocessor means any third-party processor engaged by the Processor.
3. Processing details
The subject matter, duration, nature, and purpose of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1.
4. Controller obligations
- Ensure the Controller has a valid legal basis for Processing and provides required notices to Data Subjects.
- Ensure the Controller’s instructions are lawful and do not violate applicable law.
- Be responsible for the accuracy, quality, and legality of Personal Data provided to the Service.
5. Processor obligations
The Processor will:
- Process Personal Data only on documented instructions from the Controller (including as needed to provide the Service).
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures as described in Annex 2.
- Assist the Controller, where applicable, with Data Subject requests and GDPR compliance obligations.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting the Controller's data.
- Delete or return Personal Data at the end of the provision of services, subject to applicable law and Annex 1.
6. Subprocessors
The Controller authorizes the use of Subprocessors listed in Annex 3. The Processor will impose data protection obligations on Subprocessors that are no less protective than those in this DPA.
The Processor will notify the Controller (e.g., via email or service update) at least 30 days before adding or replacing a Subprocessor. The Controller may object to such changes on reasonable grounds related to data protection by contacting info@teachersflow.com.
If the parties cannot resolve the objection, the Controller may terminate the Service for convenience as its sole remedy.
7. International transfers
The Service may involve transfers of Personal Data outside the EEA (for example, to the United States) depending on the Subprocessors used. Where required, the Processor will implement appropriate safeguards (such as contractual protections) for such transfers.
8. Security measures (summary)
The Service uses a combination of application-level and infrastructure-level measures. A non-exhaustive list is provided in Annex 2.
9. Return and deletion
At the end of the provision of services, the Processor will delete or return Personal Data in accordance with Annex 1 and the Service’s deletion functionality, unless retention is required by applicable law.
10. Annexes
Annex 1 — Processing details
- Subject matter: Provision of the TeachersFlow Service to the Controller.
- Duration: For the term of the Controller's use of the Service; until deletion/termination and completion of deletion workflows.
- Nature of processing: Collection, storage, organization, retrieval, use, and deletion of Personal Data as required to provide Service features.
- Purpose: Provide educational workflows (class management, assessments, activities, and other features) and related support, billing, and security.
- Categories of Data Subjects: (a) Individual teachers — standalone users on a personal plan; (b) Organization administrators (org admins) — users who create and manage an organization, its teachers, and its subscription; (c) Organization teachers (org teachers) — teachers linked to an organization by an org admin, whose access and AI usage quota are managed at the organization level; (d) Students — as entered by teachers or org admins; (e) Activity participants — end users (students) who access and submit activities via a shared link.
- Types of Personal Data: account identifiers (name, email); for org admins: organization name, website, and list of linked teacher email addresses; for org teachers: organization name and org linkage status; usage and plan counters (individual or shared org pool); names and educational records and notes (as entered); uploaded documents and submissions; and (if used) images uploaded for image-based features and saved images.
Annex 2 — Technical and organizational measures (TOMs)
- Access controls: logical access restrictions to production systems; least-privilege practices where applicable.
- Transport security: TLS for web traffic (where deployed behind HTTPS).
- Password security: passwords are hashed before storage (email/password accounts).
- Rate limiting: application and API rate limiting to reduce abuse.
- Data deletion: account deletion removes data from primary databases and deletes uploaded files associated with the account, where applicable.
- Vendor management: use of third-party providers for payments, AI processing, and storage.
Annex 3 — Subprocessors
- Google Cloud — cloud hosting/infrastructure for running the Service
- OpenAI — AI model provider (including vision models for image-based features)
- Google — authentication/document access (where enabled), analytics/ads tags (Google Tag/Google Analytics), and email delivery via Gmail SMTP
- Stripe — payments and subscription management
- MongoDB Atlas — database hosting/storage and vector search for personalization features
- Third-party content delivery (e.g., Google Fonts, jsDelivr) — delivery of client-side fonts/libraries such as MathJax
11. Governing law
This DPA is governed by the laws of the Czech Republic.
12. Contact
For questions about this DPA, contact info@teachersflow.com.