Data Processing Agreement

This Data Processing Agreement (the "DPA") governs the Processor's processing of personal data on behalf of the Controller. The DPA forms part of, and applies together with, the main agreement on the use of the Schackappen service (the "Main Agreement"). In the event of a conflict regarding the processing of personal data, the DPA prevails over the Main Agreement.

1. Parties

The parties are referred to below individually as a "Party" and jointly as the "Parties".

2. Background and purpose

The Processor provides the web-based chess education service Schackappen, including a student app and a teacher portal. For the service to work, the Processor processes certain personal data about students, teachers and principals on behalf of the Controller. The purpose of the DPA is to meet the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and to protect the rights of the data subjects.

3. Definitions

Terms such as "personal data", "processing", "controller", "processor", "sub-processor", "data subject" and "personal data breach" have the same meaning as in the GDPR (Regulation (EU) 2016/679).

4. Subject matter, duration, nature and purpose

• Subject matter: processing of personal data required to deliver and operate the Schackappen service for the Controller.
• Duration: the processing continues for as long as the Main Agreement is in force and the Controller's account, classes or school are active, and for the short period thereafter required for deletion or return.
• Nature of the processing: collection, storage, structuring, display, updating, backup and deletion, and the sending of necessary account and invitation emails.
• Purpose: to provide chess teaching, student login, and teachers' and principals' monitoring of students' progress.

5. Types of personal data

About the student (child):

• First name (chosen by the teacher or the student)
• Chosen avatar/figure
• Gameplay statistics: playing strength, number of games, wins, completed sagas and lessons, stars and last activity
• Class code and a personal PIN for login (no email, surname or personal identity number)

About the teacher or principal (adult):

• Name and email address
• Role (teacher or principal) and associated school and classes
• Passwords are never stored in plain text (handled hashed by the authentication provider)

About the school: the school's name, contact email, subscription and trial status, and email addresses of invited teachers.

6. Categories of data subjects

• Students (children) of the Controller
• Teachers
• Principals and other administrative users of the Controller

7. The Processor's obligations

1. Documented instructions. The Processor processes personal data only in accordance with the Controller's documented instructions, which consist of the Main Agreement, this DPA and the normal use of the service, unless otherwise required by EU or Swedish law. If the Processor considers that an instruction infringes data protection rules, the Controller shall be informed.
2. Confidentiality. Persons who process personal data at the Processor are bound by confidentiality.
3. Security. The Processor implements appropriate technical and organisational security measures under Article 32 (see section 11).
4. Sub-processors. The Processor may engage sub-processors in accordance with section 9.
5. Data subjects' rights. The Processor assists the Controller, as far as possible, in responding to requests from data subjects (access, rectification, erasure, portability, objection, etc.).
6. Assistance. The Processor assists the Controller in fulfilling obligations regarding security, notification of personal data breaches and, where necessary, data protection impact assessments (DPIAs), taking into account the nature of the processing and the information available.
7. Deletion or return. Upon the end of the processing, the Processor deletes or returns, at the Controller's choice, all personal data and deletes existing copies, unless storage is required by law.
8. Audit. The Processor makes available to the Controller the information necessary to demonstrate compliance with the obligations in Article 28 and allows for and contributes to audits and inspections.

8. Personal data breaches

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach and assists with information reasonably needed for the Controller's possible notification to the supervisory authority and the data subjects.

9. Sub-processors

The Controller gives the Processor a general written authorisation to engage sub-processors in order to deliver the service. The Processor ensures that each sub-processor is bound by data protection obligations equivalent to those in this DPA. The Controller is informed in advance of any planned changes to sub-processors so that objections can be made. At the time of signing, the following sub-processors are engaged:

10. Transfers to third countries

Personal data is stored primarily within the EU/EEA (Supabase). Some sub-processors (Netlify and Resend) are US-based. Such transfers are made on the basis of valid transfer mechanisms under GDPR Chapter V, primarily the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses (SCCs). No other transfers to third countries take place without such a mechanism in place.

11. Security measures (Article 32)

• Row-level access control in the database, so that a teacher only sees their own classes and students
• Encryption of data in transit (TLS/HTTPS)
• Passwords stored hashed, never in plain text
• Rate-limiting and logging of login attempts as protection against misuse
• Data minimisation as a principle: no unnecessary data is collected about children
• Backups held with the database provider within the EU
• Logging of administrative actions for traceability

12. The Controller's obligations

The Controller is responsible for ensuring that there is a legal basis for the processing, that the data subjects (or their guardians) have been informed to the extent required, and that the instructions given to the Processor are lawful.

13. Liability

The Parties' liability for damages is governed by Article 82 of the GDPR and by the liability provisions of the Main Agreement. Limitations of liability in the Main Agreement also apply to this DPA to the extent compatible with mandatory law.

14. Term and termination

The DPA applies for as long as the Processor processes personal data on behalf of the Controller. Upon termination, the personal data is deleted or returned in accordance with section 7.7. When a student, class or school is removed in the service, the associated personal data is deleted.

15. Amendments

Amendments to this DPA must be in writing. The version in force from time to time is published on this page with an updated date. Material changes to sub-processors are notified in accordance with section 9.

16. Governing law and disputes

This DPA is governed by Swedish law. Disputes shall be settled by the Swedish general courts, with Stockholm District Court as the court of first instance, unless otherwise required by mandatory law.

17. Signatures

This DPA is signed in two copies, one for each Party.