Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of our Terms of Service and governs the processing of personal data by Lesson Console on your behalf.
1. Definitions
- "Controller": You, the customer who determines the purposes and means of processing personal data using the Service.
- "Processor": Lesson Console ([COMPANY_NAME]), which processes personal data on behalf of the Controller.
- "Personal Data": Any information relating to an identified or identifiable natural person that is processed through the Service.
- "Processing": Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Sub-processor": Any third party engaged by the Processor to process personal data on behalf of the Controller.
- "Data Protection Laws": All applicable laws relating to data protection and privacy, including GDPR, CCPA, PIPEDA, and similar regulations.
2. Scope and Purpose
Subject Matter
This DPA applies to the processing of personal data that you submit to Lesson Console through your use of our studio management platform.
Duration
This DPA remains in effect for as long as we process personal data on your behalf, including any period after termination required for data deletion.
Nature and Purpose of Processing
We process personal data to provide you with studio management services, including:
- Storing and managing student contact information and records
- Scheduling lessons and sending reminders
- Processing payments and managing invoices
- Facilitating communications between you and your students/parents
- Generating reports and analytics about your studio
Categories of Personal Data
- Student Information: Names, contact details, age, skill level, lesson history, progress notes
- Parent/Guardian Information: Names, contact details, payment information
- Communication Data: Messages, notes, and attachments sent through the platform
- Financial Data: Invoices, payment records, billing addresses
Categories of Data Subjects
- Your students (including minors)
- Parents and guardians of your students
- Other contacts you add to your studio account
3. Processor Obligations
As your data processor, we agree to:
Lawful Processing
- Process personal data only on your documented instructions
- Not process data for our own purposes except as necessary to provide the Service
- Inform you if we believe an instruction violates data protection laws
Confidentiality
- Ensure all personnel processing personal data are bound by confidentiality obligations
- Limit access to personal data to authorized personnel only
- Provide security awareness training to all staff
Assistance
- Assist you in responding to data subject requests (access, correction, deletion, etc.)
- Assist with data protection impact assessments when required
- Assist with prior consultations with supervisory authorities
4. Data Subject Rights
We will assist you in fulfilling your obligations to respond to data subject requests. You acknowledge that as the Controller, you are responsible for:
- Responding to data subject access requests within required timeframes
- Verifying the identity of data subjects making requests
- Determining whether to comply with requests for correction, deletion, or restriction
We provide tools to help you:
- Export all data relating to a specific student or contact
- Delete or anonymize records upon request
- Correct inaccurate information
- Restrict processing of specific data
5. Security Measures
We implement and maintain appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Secure software development practices
- Employee security training and background checks
- Physical security of data centers
- Business continuity and disaster recovery procedures
See our Security page for detailed information about our security practices.
6. Data Breach Notification
In the event of a personal data breach, we will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide you with sufficient information to meet your obligations to report the breach to supervisory authorities and affected data subjects
- Cooperate with you in investigating and mitigating the breach
- Document the breach and our response
The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
7. Sub-processors
We use third-party sub-processors to help provide our Service. You hereby authorize our use of the sub-processors listed on our Sub-processors page.
Sub-processor Requirements
We require all sub-processors to:
- Enter into written agreements imposing data protection obligations equivalent to those in this DPA
- Implement appropriate security measures
- Process data only as instructed
Changes to Sub-processors
We will notify you at least 30 days before engaging a new sub-processor by:
- Updating our Sub-processors page
- Sending notification to your registered email address
If you object to a new sub-processor, you may terminate your account within 30 days of our notification. If you do not object within this period, you are deemed to have accepted the new sub-processor.
8. International Transfers
Lesson Console is based in Canada and stores data in the United States. We ensure lawful transfers through:
- Standard Contractual Clauses (SCCs): We incorporate the EU Commission's Standard Contractual Clauses into our agreements with sub-processors located outside the EEA
- Transfer Impact Assessments: We assess the data protection laws of destination countries
- Supplementary Measures: We implement technical and organizational measures to protect transferred data
You acknowledge and agree that personal data may be transferred to and processed in Canada and the United States as necessary to provide the Service.
9. Audit Rights
You have the right to audit our compliance with this DPA. We will:
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits and inspections
- Provide access to relevant certifications, attestations, and third-party audit reports
Audit Procedures
- Audits must be requested with at least 30 days' written notice
- Audits will be conducted during normal business hours
- Auditors must agree to confidentiality obligations
- Costs of audits are borne by the requesting party
As an alternative to on-site audits, we can provide copies of our security certifications, third-party audit reports, and responses to security questionnaires.
10. Termination and Data Return
Upon termination of the Service:
Data Export
You may export your data at any time through your account settings. We provide data in standard formats (CSV, JSON).
Data Deletion
Within 30 days of account termination:
- We will delete or anonymize all personal data from our active systems
- We will instruct sub-processors to delete personal data from their systems
Retention Exceptions
We may retain personal data longer if:
- Required by applicable law (e.g., tax records)
- Necessary for legal claims or disputes
- Contained in backup systems (deleted on backup rotation, typically within 90 days)
We will provide written certification of deletion upon request.
Contact Information
For questions about this DPA or to exercise your rights:
Data Protection Contact
Email: [PRIVACY_EMAIL]
Mailing Address
[COMPANY_NAME]
[COMPANY_ADDRESS]