# Data Processing Agreement (Processor)

**Coursfy AB / Lumeena.io — GDPR Article 28**

| Field | Value |
|-------|-------|
| **Document ID** | COURSFY-DPA-2026-1 |
| **Version** | 2026.1 |
| **Effective date** | 21 June 2026 |
| **Status** | **Electronically signed and published** |

---

## Electronic signature

This Data Processing Agreement is **signed on behalf of Coursfy AB / Lumeena.io** and published for academy owners and business customers who act as data controllers on the Coursfy platform.

| | |
|---|---|
| **Processor** | Coursfy AB / Lumeena.io |
| **Signed by** | Data Protection Officer |
| **Date** | 21 June 2026 |
| **Contact** | privacy@coursfy.com |

Countersigned customer-specific appendices (organization name, billing entity, EU residency appendix) are provided on request. This published version constitutes the standard processor terms incorporated by reference into customer contracts.

---

## 1. Parties

- **Controller:** The academy owner or organization using Coursfy to offer courses to members.
- **Processor:** Coursfy AB / Lumeena.io.

## 2. Subject matter and duration

Processing of personal data necessary to provide the Coursfy learning platform for the duration of the subscription and as required by law thereafter (including statutory retention where erasure is not permitted).

## 3. Nature and purpose

Hosting, authentication (including optional WorkOS SSO), course delivery, community features, payments (via Stripe), analytics (with consent), AI-assisted features (when enabled), and customer support.

## 4. Categories of data subjects

Academy owners, instructors, learners/members, and invited administrators.

## 5. Categories of personal data

Identity and contact data, account credentials (hashed), usage and progress data, community content, billing metadata (no full payment card numbers on Coursfy servers), SSO federation identifiers when WorkOS is enabled.

## 6. Processor obligations

- Process only on documented instructions from the Controller.
- Ensure personnel confidentiality.
- Implement appropriate technical and organisational measures (GDPR Art. 32).
- Subprocessor rules — see published list at `/legal/subprocessors` (incorporated by reference).
- Assist with data subject requests (access, rectification, erasure, portability).
- Delete or return personal data at termination, subject to legal retention.
- Notify Controller of personal data breaches without undue delay.

## 7. Data location

Primary processing in **EU/EEA** when deployed per the customer appendix (see `/legal/data-residency`). International transfers rely on Standard Contractual Clauses and vendor DPAs where subprocessors process outside the EEA.

## 8. Subprocessors

Annex: current subprocessor list with **hosting regions** is published at:

**https://coursfy.com/en/legal/subprocessors**

Material changes are notified per Section 9 below.

## 9. Subprocessor changes

Processor provides at least **30 days' advance notice** of new subprocessors that process personal data, unless required by law. Controller may object on reasonable GDPR grounds.

## 10. Data subject rights

Processor assists Controller in fulfilling data subject requests. End users may exercise rights via Settings → Privacy or privacy@coursfy.com. Account deletion triggers permanent erasure per the `/legal/data-processing` retention schedule.

## 11. Security measures

Summary published at `/legal/security`: RBAC, httpOnly session cookies, BFF session validation, audit logging, dependency scanning, and security headers.

## 12. Audits

Processor provides reasonable information and allows audits subject to confidentiality, minimal disruption, and at most once per year unless required by a supervisory authority.

## 13. Liability and governing law

As agreed in the main service agreement between the parties. For EU controllers, GDPR and applicable member-state law apply to processing of personal data.

## 14. Contact

**privacy@coursfy.com** — DPA requests, subprocessor questions, and data protection enquiries.

---

*Template for customer-specific countersignature: `/legal/dpa-processor-template.md`*
