1. Scope
This Data Processing Agreement (DPA) applies whenever Edulexa processes personal data on behalf of a customer in connection with the Edulexa platform.
2. Roles
Customer is the data controller. Edulexa is the data processor. Each subprocessor listed at /legal/dpa is the sub-processor of Edulexa.
3. Subprocessors
AWS (us-east-1, eu-west-1, ap-south-1), Cloudflare (edge), Twilio (voice), Vapi (LLM orchestration), Stripe (billing). 30 days notice for any addition or replacement.
4. Security measures
AES-256 encryption at rest, TLS 1.3 in transit, SOC 2 Type II audited controls, quarterly third-party pen tests, immutable audit logs retained 7 years.
5. International transfers
EU SCCs (2021 controller-to-processor module) and UK IDTA executed as part of this DPA. No transfers to jurisdictions without an adequacy decision unless customer explicitly opts in.
6. Breach notification
Edulexa will notify the customer within 48 hours of confirming a personal data breach, with full incident report within 7 days.
7. Audit rights
Customer may audit Edulexa's compliance once per year on 30 days notice, or more frequently if required by law. SOC 2 reports satisfy the audit obligation by default.
8. Term and termination
This DPA terminates with the underlying MSA. On termination, Edulexa returns or deletes all personal data within 90 days.