
Data Processing Agreement

Template v1.0 · Last updated: May 2026

Enterprise customers: request a signed DPA

This page shows our standard DPA terms. To receive a countersigned DPA for your organisation, contact enterprise@coursefoundry.com. EU customers can request EU SCCs (Standard Contractual Clauses, 2021/914/EU) and UK customers can request a UK IDTA addendum.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller ("Customer"): the organisation or individual subscribing to CourseFoundry services.
  • Data Processor ("CourseFoundry"): CourseFoundry, operated by John Jennings, Ireland. Contact: privacy@coursefoundry.com.

2. Subject Matter & Duration

CourseFoundry processes personal data on behalf of the Customer solely to provide the CourseFoundry platform services described in the applicable subscription agreement. Processing continues for the duration of the subscription and ceases upon account deletion, with data permanently purged within 30 days of deletion.

3. Nature & Purpose of Processing

  • Storing and serving course content created by the Customer.
  • Authenticating users and managing access to Customer content.
  • Processing prompts and content via AI APIs to provide AI-assisted authoring features.
  • Sending transactional emails (account notifications, invitations).
  • Processing subscription payments via Stripe.

4. Categories of Personal Data

  • Identity data: name, email address, username.
  • Account data: plan, usage history, progression data (XP, badges).
  • Content data: course files and materials uploaded or created by the Customer.
  • Technical data: IP addresses, user-agent strings, access logs.
  • Payment data: handled exclusively by Stripe; CourseFoundry does not store card details.

5. Data Subject Categories

The Customer's employees, contractors, and students who access CourseFoundry under the Customer's subscription.

6. Obligations of CourseFoundry

  • Process personal data only on documented instructions from the Customer.
  • Ensure personnel authorised to process data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (Article 32 GDPR).
  • Assist the Customer in responding to data subject rights requests.
  • Notify the Customer within 48 hours of becoming aware of a personal data breach.
  • Delete or return all personal data upon termination of the agreement.
  • Provide all information necessary to demonstrate compliance with this DPA.

7. Sub-processors

CourseFoundry uses the sub-processors listed on our Trust page. The Customer provides general authorisation for these sub-processors. CourseFoundry will give 30 days' prior written notice of any new sub-processor. The Customer may object in writing within that period.

8. International Data Transfers & Data Residency

EU Data Residency (Enterprise): Enterprise Customers may elect to pin their workspace and course data to the European Union (Frankfurt, Germany) via Settings → Data Residency. When EU residency is enabled, course content, lesson files, and workspace metadata are stored in a Supabase PostgreSQL instance hosted in Frankfurt and do not leave the EEA at rest. User authentication data (email addresses, JWT sessions) is handled by Supabase Auth and is subject to the transfer mechanisms below.

Where personal data is transferred outside the EEA or UK (including authentication data and AI processing), CourseFoundry ensures an appropriate transfer mechanism is in place:

  • EU Standard Contractual Clauses (Commission Decision 2021/914/EU) for EU personal data transferred to the USA.
  • UK International Data Transfer Agreement (IDTA) for UK personal data.
  • EU-US Data Privacy Framework self-certification (in progress).

Customers who require a transfer impact assessment (TIA) or supplementary measures documentation may request these from enterprise@coursefoundry.com.

9. Security Measures

CourseFoundry implements and maintains the technical and organisational measures described on our Trust page, including TLS encryption in transit, AES-256 encryption at rest, row-level security, access controls, and annual penetration testing.

10. Audit Rights

CourseFoundry will provide, on reasonable notice, information necessary to demonstrate compliance with this DPA, including making available relevant audit reports (SOC 2, pen test executive summary) under NDA. On-site audits may be agreed on a case-by-case basis at the Customer's cost.

11. Data Subject Rights

Customers can export all personal data at any time via Settings → Export My Data (GDPR Article 20). Account deletion permanently erases all data within 30 days (Article 17). CourseFoundry will assist Customers in fulfilling data subject access, rectification, and erasure requests within statutory timeframes.

12. Contact

To request a countersigned DPA, EU SCCs, or UK IDTA addendum, contact enterprise@coursefoundry.com. For privacy queries: privacy@coursefoundry.com.