# Data Processing Agreement (Processor Template)

**Coursfy / Lumeena.io — GDPR Article 28**

> This is a **template** for business customers (academy owners, organisations).  
> Request a countersigned PDF: privacy@coursfy.com

## 1. Parties

- **Controller:** [Customer legal name]  
- **Processor:** Coursfy / Lumeena.io  

## 2. Subject matter and duration

Processing of personal data necessary to provide the Coursfy learning platform for the duration of the subscription and as required by law thereafter.

## 3. Nature and purpose

Hosting, authentication, course delivery, payments (via Stripe), analytics (with consent), and support.

## 4. Categories of data subjects

Academy owners, instructors, learners/members.

## 5. Categories of personal data

Identity, contact, usage, progress, billing metadata (no full card numbers on Coursfy).

## 6. Processor obligations

- Process only on documented instructions  
- Confidentiality of personnel  
- Security measures (Art. 32 GDPR)  
- Subprocessor rules — see published list at `/legal/subprocessors`  
- Assist with data subject requests  
- Delete or return data at termination  
- Breach notification without undue delay  

## 7. Data location

Primary processing in **EU/EES** when deployed per customer appendix (see `/legal/data-residency`).

## 8. Subprocessors

Annex: current subprocessor list incorporated by reference from the Coursfy website.

## 9. Audits

Processor provides reasonable information and allows audits subject to confidentiality and minimal disruption.

## 10. Contact

privacy@coursfy.com