Data Processing Agreement
Effective: March 29, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the entity identified as the customer ("Controller") and Origo Oy ("Processor") for the provision of the Origo math learning platform ("Service").
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and reflects the parties' agreement on the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
- "Controller" — The school, educational institution, or other entity that determines the purposes and means of processing personal data and has entered into a service agreement with Origo Oy.
- "Processor" — Origo Oy (business ID: 3573617-3), a Finnish limited liability company based in Tampere, Finland.
- "Personal Data" — Any information relating to an identified or identifiable natural person processed under this DPA.
- "Data Subject" — Students, teachers, or school administrators whose personal data is processed through the Service.
- "Sub-processor" — A third party engaged by the Processor to process personal data on behalf of the Controller.
- "Applicable Data Protection Law" — The GDPR, the Finnish Data Protection Act (Tietosuojalaki 1050/2018), and any other applicable EU or national data protection legislation.
2. Scope and Roles
The Controller determines the purposes and means of processing personal data. The Processor processes personal data only on documented instructions from the Controller, unless required to do so by EU or member state law — in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
The Processor shall not process personal data for any purpose other than providing the Service as described in this DPA and the underlying service agreement.
3. Details of Processing
Nature and purpose
Duration
Categories of Data Subjects
- Students (aged 13 and above, per Finnish law)
- Teachers and school administrators
Categories of Personal Data
- Identity data: name, email address, authentication provider identifiers, role, school affiliation
- Learning data: task submissions, written answers, editor content, AI chat messages, hint usage, progress and completion records
- Payment data: subscription status and billing identifiers (card details are handled exclusively by Stripe and never stored by the Processor)
- Technical data: IP address, session tokens, device information, error logs
4. Authorized Sub-processors
The Controller grants general authorization for the Processor to engage the sub-processors listed below. The Processor shall notify the Controller at least 15 days in advance of any intended addition or replacement of a sub-processor by email to the Controller's designated contact.
If the Controller objects to a new sub-processor within the 15-day notice period, the parties shall work in good faith to find a resolution. If no resolution is reached, the Controller may terminate the affected portion of the Service.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google Cloud / Firebase | Core infrastructure — database (Firestore), authentication, file storage | EU (europe-west1) | Google Cloud DPA + EU SCCs |
| Stripe | Payment processing and subscription management | US | Stripe DPA + EU SCCs |
| OpenRouter | AI/LLM provider for math tutoring hints (no user identifiers transmitted — mathematical content only) | US | OpenRouter DPA |
| PostHog | Product analytics | EU (eu.posthog.com) | EU hosting — no international transfer |
| Langfuse | AI quality monitoring and observability | EU | EU hosting — no international transfer |
| Upstash | Rate limiting and short-lived response caching (Redis) | EU | EU hosting — no international transfer |
| Resend | Transactional email delivery | US | Resend DPA + EU SCCs |
| Sentry | Error monitoring and application performance | US | Sentry DPA + EU SCCs |
Each sub-processor is bound by data processing terms providing at least the same level of protection as this DPA.
5. Security Measures
The Processor implements and maintains appropriate technical and organizational measures to protect personal data, including:
- Authentication: Firebase Authentication with Google and Microsoft OAuth; HTTP-only, Secure, SameSite session cookies
- Encryption in transit: all data transmitted over HTTPS/TLS
- Encryption at rest: Google-managed encryption for all data stored in Firebase/Google Cloud
- Access control: server-side session validation on every protected route; teacher data access scoped to owned classrooms only
- Rate limiting: per-user and per-IP rate limits on AI endpoints to prevent abuse
- Input validation: schema-based validation on all user inputs
- Payment security: PCI DSS compliance through Stripe — card data never stored on Processor's systems
- Data minimization in AI processing: no user identifiers (names, emails, IDs) are transmitted to LLM providers — only mathematical content
- Error monitoring: application errors tracked via Sentry with automated PII scrubbing
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Articles 15–22, including requests for access, rectification, erasure, restriction of processing, data portability, and objection.
Upon receiving a data subject request directly, the Processor shall promptly redirect the request to the Controller unless otherwise instructed. The Processor shall not independently respond to data subject requests except to confirm receipt and redirect.
7. International Data Transfers
The Processor stores the primary database and core infrastructure within the European Union (Google Cloud, europe-west1). Certain sub-processors operate in the United States (see Section 4). For each US-based sub-processor, the Processor ensures that an appropriate transfer mechanism is in place — specifically the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
The Processor shall not transfer personal data to any country outside the EEA without ensuring that adequate safeguards are in place in accordance with GDPR Chapter V.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay — and in any event within 48 hours — after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- Measures taken or proposed to mitigate its effects
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9. Term, Termination, and Data Deletion
This DPA remains in effect for the duration of the service agreement. Upon termination of the service agreement, the Processor shall:
- At the Controller's election, return or delete all personal data processed on behalf of the Controller within 30 days, unless EU or member state law requires further storage
- Provide written confirmation of deletion upon the Controller's request
- Ensure that sub-processors delete their copies of the data within the same timeframe
The Controller may request a machine-readable export of all personal data prior to termination.
10. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR. The Controller (or an independent auditor appointed by the Controller) may conduct audits, including inspections, upon reasonable written notice of at least 30 days.
The Processor shall contribute to such audits and immediately inform the Controller if, in its opinion, an instruction from the Controller infringes applicable data protection law.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying service agreement. Nothing in this DPA limits either party's liability to data subjects or data protection authorities under applicable data protection law.
12. Contact
For questions about this DPA or to exercise any rights under it, contact:
Origo Oy
Business ID: 3573617-3
Email: [email protected]