This Data Processing Addendum ("DPA") supplements the ClassKeep Terms of Service and applies whenever ClassKeep processes Personal Data on behalf of a Studio (Customer). It reflects the requirements of the EU General Data Protection Regulation (GDPR) and the Brazilian Lei Geral de Proteção de Dados (LGPD).
1. Roles
For the booking flow on `/s/[slug]` and any data the Studio enters about its students, the Studio is the Controller and ClassKeep is the Processor. For account data of the Studio admin and instructors, ClassKeep is the Controller.
2. Subject matter and duration
Subject matter: provision of the ClassKeep platform. Duration: as long as the Customer's account is active. Nature and purpose: hosting, processing, and displaying class schedules, bookings, payments, and notifications. Categories of data subjects: Customer's admins, instructors, and students.
3. Subprocessors
Customer authorizes ClassKeep to engage the subprocessors listed in our Privacy Policy. We will give Customer at least 30 days' notice (via in-app banner or email) before adding or replacing a subprocessor, during which Customer may object on reasonable grounds. If the parties cannot agree on an alternative, Customer may terminate the affected service.
4. Security
ClassKeep maintains technical and organizational measures including: encryption of data in transit (TLS 1.2+), encryption of secrets at rest (AES-256), isolated production environment, role-based access control, principle-of-least-privilege for staff access, weekly dependency security scans, and continuous monitoring with Sentry. Backups are taken daily and retained for 30 days.
5. Personal data breach
ClassKeep will notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach affecting Customer Data, with information needed for Customer to meet its own notification obligations.
6. Data subject requests
ClassKeep provides self-serve tooling for Customers and their students to access, export, and delete Personal Data. ClassKeep will assist Customer with additional requests at no extra charge for reasonable volumes.
7. International transfers
Personal Data may be transferred to and processed in the European Union and the United States. Transfers outside the EEA / UK / Brazil rely on the EU Standard Contractual Clauses (SCCs) and ANPD-equivalent safeguards, which the parties incorporate by reference into this DPA.
8. Audit
ClassKeep makes available all information necessary to demonstrate compliance and allows for audits by Customer or its mandated auditor, no more than once per year and on 30 days' notice, at Customer's expense.
9. Return and deletion
On termination of the Customer's account, ClassKeep will delete or return all Personal Data within 90 days, except where retention is required by law (e.g. tax records).
Signing
For early-access studios, this DPA is incorporated by reference when you accept the Terms of Service. If your jurisdiction requires a counter-signed copy, email legal@classkeep.app and we will return a signed PDF within 5 business days.