Data Processing Agreement (DPA)

The school or teacher using Qyoza with their students is the data controller. 3108 SRLS ("Qyoza") is the data processor under Art. 28 GDPR. Qyoza processes personal data solely on the controller's documented instructions.

The subject matter of the processing is the provision of the Qyoza formative-assessment service. The duration matches the duration of the contractual relationship between the controller and Qyoza, subject to retention obligations required by law.

The processing serves to enable quiz creation, run sessions, and aggregate answers to provide teachers with comprehension signals. Operations include collection, recording, organization, storage, retrieval, and erasure of data.

The processing concerns the following categories of data subjects and personal data:

• Students (often minors): pseudonymous nickname chosen by the student, quiz answers, technical and security data (e.g. IP address, session identifier)
• Teachers/users: name, email address, school name, content of the quizzes created

As processor, Qyoza undertakes to:

• Process data only on the controller's documented instructions
• Ensure that persons authorized to process the data are bound by a duty of confidentiality
• Implement appropriate technical and organizational measures under Art. 32 GDPR (encryption in transit, access control, security logs)
• Engage sub-processors only with prior authorization and equivalent contractual safeguards (see list below)
• Assist the controller in responding to data subject requests and in security, breach-notification, and impact-assessment obligations
• At the controller's choice, delete or return personal data at the end of the service, subject to legal retention obligations
• Make available to the controller the information needed to demonstrate compliance and allow for reasonable audits

The controller authorizes Qyoza to use the following sub-processors. Qyoza will inform the controller of any changes, giving the opportunity to object.

Stripe (payments, USA/Ireland), PostHog (product analytics, USA), Anthropic (AI content generation, USA), Sentry (error monitoring, USA), Resend (transactional email, EU), Hetzner (hosting, EU - Germany).

For sub-processors located in the United States (Stripe, PostHog, Anthropic, Sentry), transfers of data outside the European Economic Area rely on the Standard Contractual Clauses (SCCs) approved by the European Commission in Decision 2021/914/EU, supplemented by additional measures where necessary.

Many of the data subjects are minor students. The controller (school/teacher) is responsible for determining the lawful basis and obtaining any required consent. The controller undertakes not to ask students to enter their real first and last name or other identifying data as the nickname. In Italy, the age for a minor's own consent is 14.

This DPA is governed by Italian law and is to be interpreted consistently with the GDPR (Reg. EU 2016/679). In case of conflict between this DPA and the Terms of Service on data protection matters, this DPA prevails.

For requests relating to data processing or to obtain a copy of the SCCs, contact [email protected]. Data processor: 3108 SRLS, Milan, Italy.