Data Processing Agreement
Last updated: July 18, 2026
1. PURPOSE AND NATURE OF THE AGREEMENT
This Data Processing Agreement (the "Agreement") governs the processing of personal data that Edena Software S.L. (Tax ID: B27627462; "Edena") carries out on behalf of the client organization in the context of providing the service, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR). The Agreement forms an integral part of the service's Terms and Conditions.
For the purposes of this Agreement, the client organization (the educational center) is the Data Controller and Edena acts as the Data Processor.
2. NATURE, PURPOSE AND DURATION OF THE PROCESSING
Edena will process the personal data provided or generated by the controller solely to provide the platform's services (management of people and records, billing, communications and associated features), for the duration of the contractual relationship.
3. DATA SUBJECTS AND CATEGORIES OF DATA
- Data subjects: students, families and guardians, center staff and other users managed by the controller in the platform.
- Categories of data: identification and contact data, academic data, billing data and, where applicable, essential health data (allergies or special needs) entered under the center's responsibility.
4. INSTRUCTIONS FROM THE CONTROLLER
Edena will process the data exclusively following the controller's documented instructions, including the configuration and use the controller makes of the platform, unless required otherwise by European Union or Member State law; in that case, Edena will inform the controller before processing, unless that law prohibits it.
5. CONFIDENTIALITY
Edena guarantees that the persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. SECURITY OF PROCESSING
Edena applies appropriate technical and organizational measures in accordance with Article 32 of the GDPR, including encryption of data in transit and at rest, role-based access control (least privilege), data isolation between organizations, periodic backups and activity logging.
7. SUB-PROCESSORS
The controller authorizes Edena to engage the following sub-processors, which offer adequate GDPR compliance guarantees:
- Supabase — database and authentication.
- Cloudflare R2 — file storage.
- Google Cloud — application hosting.
- Resend — transactional email delivery.
Edena will inform the controller of any intended changes to this list, giving the controller the opportunity to object.
8. ASSISTANCE TO THE CONTROLLER
Edena will assist the controller, taking into account the nature of the processing, in responding to requests to exercise data subject rights (access, rectification, erasure, objection, restriction and portability), as well as in complying with security obligations, notification of data breaches and impact assessments.
The platform includes tools to export and anonymize a data subject's data, enabling the controller to fulfil access, portability and erasure rights.
9. DATA OF MINORS
It is the controller's responsibility, as an educational center, to obtain any necessary consents from parents or legal guardians before entering minors' data in the platform. Edena does not use minors' data for any purpose other than providing the service to the controller.
10. NOTIFICATION OF DATA BREACHES
Edena will notify the controller without undue delay after becoming aware of a personal data breach, providing the relevant available information so that the controller can comply with its notification obligations to the supervisory authority and to data subjects.
11. DELETION OR RETURN OF THE DATA
Upon termination of the service, Edena will delete or return to the controller, at the controller's choice, the personal data and existing copies, unless it must retain them under a legal obligation (for example, billing records subject to tax obligations), in which case they will remain blocked for the legally required periods.
12. AUDIT
Edena will make available to the controller the information necessary to demonstrate compliance with the obligations of Article 28 of the GDPR and will allow and contribute to reasonable audits, including inspections, in accordance with a procedure agreed between the parties.
13. INTERNATIONAL TRANSFERS
Where a sub-processor processes data outside the European Economic Area (EEA), Edena will ensure the existence of valid transfer mechanisms under the GDPR, such as the European Commission's Standard Contractual Clauses or adequacy decisions.
14. CONTACT
For any questions related to this Agreement you can write to us at [email protected].
