Data Processing Agreement (DPA)

The Processor undertakes to process personal data entrusted by the Controller solely for the purpose of providing the EvalProf platform and in accordance with the Controller's documented instructions. This DPA takes effect on the date of the main contract and terminates automatically upon its termination.

• Student identity data: first name, last name only.
• Academic data: grades, results, teacher comments.
• Content data: digital exam papers and files submitted by students (stored on AWS S3, Paris eu-west-3).
• Teacher account data: email, first name, last name.

Expressly excluded data: photographs, biometric data, date of birth or age, health data, any sensitive data under Art. 9 GDPR.

Data subjects: students (potentially minors) and teachers of the Institution. The Controller is solely responsible for assessing lawfulness of processing minors' data (Art. 8 GDPR).

• Process data only on the Controller's documented instructions, except where required by law.
• Ensure confidentiality through contractual commitments with staff.
• Implement the technical and organisational security measures (TOMs) listed in Article 8.
• Notify the Controller of any personal data breach within 72 hours.
• Assist with data subject rights requests.
• Assist with Data Protection Impact Assessments (DPIAs) where required.
• On contract termination, delete all personal data within 30 days and provide written confirmation (unless legal retention obligations apply).
• Make available all information necessary to demonstrate GDPR compliance; allow audits on reasonable request (or provide access to relevant sub-processor SOC 2 reports / trust centres).

EvalProf uses the Anthropic Claude API (professional B2B service — distinct from the claude.ai consumer product) to assist with grading. The following rules apply:

• Data minimisation: only data strictly necessary for the grading task is sent to the API (submission content, marking scheme, instructions). Student names are only transmitted if the Controller has explicitly configured this and it is necessary for grading.
• Data excluded from AI: no photographs, biometric data, age, health data, or sensitive data (Art. 9 GDPR) is sent to the API.
• No training: by default, inputs and outputs sent via the Claude API are not used to train Anthropic's models, unless the Development Partner Programme is opted into or data is submitted as feedback/bugs. EvalProf has not enrolled in these programmes. This policy is documented and archived (anthropic.com/legal/aup).
• Anthropic retention: data sent via the standard API is not retained beyond the immediate processing of the request. Some Anthropic features have specific retention policies; EvalProf uses only the standard API without extended retention features.
• Human-in-the-loop: all AI suggestions are reviewed and validated by the teacher before being recorded or communicated to the student. No automated decision with legal effects on the student (Art. 22 GDPR) is made without human intervention.
• Shared responsibility: the Controller undertakes not to enter student data beyond what is necessary. EvalProf undertakes not to enrich AI prompts with unnecessary personal data.

Contractual safeguard: archived Anthropic DPA (anthropic.com/legal/data-processing-addendum) + SCCs for the transfer outside the EU.

The Controller authorises EvalProf to engage the sub-processors listed in Annex A. EvalProf will give 30 days' written notice of any intended addition or replacement, during which the Controller may object in writing.

EvalProf's primary computing and storage infrastructure is in the EU: Vercel (Paris cdg1), Railway (Amsterdam EU West), MongoDB Atlas (AWS Paris eu-west-3), AWS S3 (Paris eu-west-3), Brevo (France). Cloudflare is used in DNS-only mode (no HTTP proxy): application data does not transit through Cloudflare.

Governed transfers outside the EU may occur for secondary operations (provider technical support, monitoring, AI processing). Details and safeguards are listed in Annex A.

All transfers outside the EU are governed by SCCs (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework for certified providers.

• Encryption in transit: HTTPS/TLS.
• Encryption at rest: SSE-S3 for files (AWS S3), Atlas encryption for the database.
• Password hashing: bcrypt.
• Authentication: httpOnly JWT tokens.
• Access control: production data access restricted to authorised personnel.
• S3 versioning enabled; old versions auto-deleted after 30 days (Lifecycle policy).
• S3 Block Public Access enabled. ACLs disabled (Bucket owner enforced).
• Security logs retained 12 months.
• MongoDB Atlas backups: to be activated before the first school client (not available on current free plan).

This DPA is governed by French law. The courts of Paris have exclusive jurisdiction. For a signed copy or any questions, contact us via the contact form at evalprof.com.

Student data (names, grades, exam papers) only transits through Vercel, Railway, MongoDB Atlas, AWS S3 and Anthropic. Stripe, Meta, LinkedIn, Plausible and ipapi.co never process student data.