
Data Processing Agreement

Effective 2026-04-30 · Version 1.0

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • The Customer (the "Controller") — the educational institution, school district, or organisation that signs up for aukimi for Education and accepts these terms; and
  • aukimi, operated by Sébastien Leroux ("Processor"), with registered correspondence at contact@aukimi.com.

This DPA forms part of, and is incorporated into, the Customer's use of the aukimi for Education programme.

2. Subject matter and duration

The Processor processes Personal Data on behalf of the Controller solely to provide the aukimi creative suite and the related Education-tier features (account management, class sessions, project storage, exports). Processing continues for as long as the Controller uses the service, ending with the termination of the relationship and the deletion procedure described in Section 9.

3. Nature and purpose of processing

  • Authentication and access control for teachers and students.
  • Storage of creative work produced by users (projects, exports, assets).
  • Provisioning of class sessions, rosters, and teacher dashboards.
  • Delivery of transactional emails to teachers (Customer staff) only.
  • Aggregate, non-identifying analytics for service operation.

No Personal Data is used for marketing, behavioural advertising, profiling, or training third-party AI models.

4. Categories of data subjects and personal data

Data subjects:

  • Teachers and other Customer staff who hold an aukimi Education-tier account.
  • Students enrolled in classes managed by the Customer.

Personal data — teachers / staff: name, institutional email address, country, login credentials, language preference, last-login timestamp, content of works they create.

Personal data — students: a display name (typically a first name or alias chosen by the teacher), an internal identifier, hashed personal PIN, last-active timestamp, content of works they create. No email, password, date of birth, or other PII is collected for student accounts.

5. Obligations of the Processor

  1. Process Personal Data only on the documented instructions of the Controller, except where required by Union or Member State law.
  2. Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
  3. Implement the technical and organisational measures described in Annex A.
  4. Not engage another processor (sub-processor) without prior specific or general written authorisation. The current list of sub-processors is in Annex B; the Processor will give the Controller at least 30 days' notice of any addition or replacement.
  5. Assist the Controller, taking the nature of processing into account, in fulfilling its obligation to respond to requests by data subjects exercising their rights under the GDPR.
  6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR, including notifying the Controller without undue delay (no later than 72 hours) after becoming aware of a Personal Data breach.
  7. Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, on reasonable notice.

6. Obligations of the Controller

The Controller warrants that it has, and will maintain throughout the term of this DPA, a lawful basis to instruct the Processor to process Personal Data, including (where applicable) parental consent for under-16 students, or reliance on the school as a parental agent under the COPPA "School as Agent" doctrine for U.S. schools with under-13 students.

7. International transfers

Personal Data is hosted on servers located in Switzerland operated by Infomaniak SA. Switzerland benefits from a European Commission adequacy decision (Decision 2000/518/EC, as renewed). No Personal Data is transferred outside Switzerland or the European Economic Area without the Controller's prior written authorisation and the implementation of appropriate safeguards under Chapter V GDPR.

8. Sub-processors

See Annex B. The Processor uses a small number of sub-processors strictly necessary for service delivery (transactional email provider, infrastructure host).

9. Return and deletion of data

At the choice of the Controller, the Processor will delete or return all Personal Data after the end of the provision of services, and delete existing copies, unless Union or Member State law requires storage. By default, archived classes are permanently deleted 12 months after archival; the Controller may request earlier deletion at any time by emailing contact@aukimi.com.

10. Liability and term

This DPA enters into effect on the date the Controller accepts it (electronically or in writing) and remains in force for as long as the Processor processes Personal Data on behalf of the Controller. Liability is governed by the underlying terms of service. To the extent of any conflict between this DPA and the terms of service in respect of Personal Data, this DPA prevails.

11. Governing law

This DPA is governed by the substantive laws of Switzerland, without prejudice to mandatory provisions of Union law applicable to the Controller.


Annex A. Technical and organisational measures

  • Encryption in transit: TLS 1.2+ for all client–server traffic (HTTPS).
  • Encryption at rest: infrastructure-level disk encryption at the hosting provider.
  • Authentication: passwords stored using bcrypt (cost factor 12). Student PINs stored using bcrypt with rate-limited verification (5 wrong attempts → 15-minute lock-out).
  • Access control: least-privilege role-based access internally; admin actions are audited.
  • Session control for students: student logins are only possible during a class session explicitly opened by the teacher, and revoked immediately when the teacher ends the session.
  • No third-party trackers on minor accounts. No advertising IDs. No data sale.
  • Backups: daily encrypted backups, retained 30 days.
  • Pseudonymisation: student accounts collect no email, password, or other directly-identifying information.
  • Vulnerability management: dependency updates, regular security patching, security review on every major release.
  • Incident response: documented procedure, 72-hour breach notification commitment.

Annex B. Approved sub-processors

Sub-processor | Purpose | Location
Infomaniak SA | Hosting (compute, database, object storage) | Switzerland
Postmark (Wildbit) | Transactional email delivery to teachers/staff only | United States (DPF-certified)
Stripe Payments Europe Ltd. | Payments — N/A for the free Education tier | Ireland / United States

Updates to this list are notified to the Controller at least 30 days in advance via the email address on file. The Controller may object to a new sub-processor; if no acceptable solution can be agreed, either party may terminate the affected service.


Counter-signed copies are available on request. Email contact@aukimi.com with your institution name and we'll send a counter-signed PDF within 2 business days.