Data Processing Agreement
Last updated: 18 March 2026
This Data Processing Agreement ("Agreement") forms part of the Terms & Conditions between:
As identified in the subscription agreement or account registration
This Agreement applies where the Processor processes personal data on behalf of the Controller in connection with the OverToo platform ("Service"). By accepting the Terms & Conditions, the Controller agrees to the terms of this Agreement.
1. Subject Matter and Scope
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR). Processing is limited to what is necessary to provide the Service.
2. Roles of the Parties
- The Controller determines the purposes and means of processing personal data.
- The Processor processes personal data solely on behalf of the Controller.
The Processor shall not process personal data for its own purposes.
3. Nature and Purpose of Processing
Processing activities carried out by the Processor on behalf of the Controller include:
- Hosting and storage of data
- User account management
- Scheduling and session management
- Communication and notifications
- Payment processing facilitation
- Technical support and system maintenance
4. Categories of Data and Data Subjects
Data subjects:
- Students
- Teachers
- School staff
- Platform users
Categories of personal data:
- Identity and contact data
- Account and authentication data
- Educational and attendance records
- Communication data
- Technical and usage data
- Limited billing-related data
5. Instructions
The Processor shall process personal data only:
- on documented instructions from the Controller,
- as necessary to provide the Service,
- or as required by applicable law (in which case the Processor shall inform the Controller, unless prohibited by law).
6. Confidentiality
The Processor ensures that all personnel authorised to process personal data are bound by appropriate confidentiality obligations and receive suitable data protection training.
7. Security Measures
The Processor implements appropriate technical and organisational measures including:
- Encryption in transit (TLS/HTTPS)
- Secure password hashing
- Role-based access controls
- Logical separation of tenant data
- Monitoring and logging
- Regular security assessments
8. Sub-processors
The Controller authorises the Processor to engage the following categories of sub-processors:
| Category | Examples |
|---|---|
| Hosting & infrastructure | Server and cloud hosting provider |
| Payment processing | Stripe, PayPal, Przelewy24 |
| Email delivery | School-configured SMTP provider (e.g. Gmail, Outlook 365) |
The Processor ensures sub-processors are bound by equivalent data protection obligations. A current list of sub-processors is available upon request at .
9. International Transfers
Where personal data is transferred outside the EEA, the Processor ensures appropriate safeguards including Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms under GDPR Chapter V.
10. Assistance to Controller
The Processor shall assist the Controller, taking into account the nature of processing, with:
- responding to data subject requests (access, rectification, erasure, portability, objection),
- ensuring compliance with GDPR obligations relating to security and breach notification,
- data protection impact assessments (DPIAs) where applicable.
11. Personal Data Breach
The Processor shall:
- notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data,
- provide all relevant information to support the Controller's compliance with GDPR Articles 33 and 34.
12. Data Retention and Deletion
Upon termination of the Service:
- personal data will be deleted or, at the Controller's written request, returned to the Controller,
- unless retention is required by applicable law.
The Controller is responsible for requesting a data export prior to termination. Export requests should be sent to .
13. Audit Rights
The Processor shall make available information reasonably necessary to demonstrate compliance with this Agreement. Audits shall be reasonable and proportionate, subject to prior written notice, and shall not compromise the security of other customers.
14. Liability
Each party remains responsible for its own compliance with GDPR. The Processor is liable only for damages caused by breaches of its specific obligations under this Agreement or applicable data protection law.
15. Governing Law
This Agreement is governed by the laws of Poland, subject to applicable EU data protection law including the GDPR.
16. Relationship with Terms
This Agreement forms part of and is incorporated into the Terms & Conditions governing use of the Service. In the event of a conflict between this Agreement and the Terms & Conditions, this Agreement prevails with respect to data protection matters.
17. Contact
For data protection queries or to request a signed copy of this Agreement: