Trust Center for Schools & Procurement

Evaluating and adopting digital tools requires strict adherence to privacy, security, and pedagogical standards. This portal is designed to help IT administrators, procurement officers, and DPOs quickly find the documentation they need.

Recent Updates

We continuously review and update our security protocols, certifications, and compliance disclosures. See our latest announcements below:

May 28, 2026

Cookie Policy & AI Policy Published

Published our explicit Cookie Policy verifying the strict boundary between our B2B public site and our zero-tracking educational application. Also updated our AI Transparency Statement to reflect new EU AI Act compliance standards.

May 19, 2026

Accessibility Statement

Published our WCAG 2.1 Level AA compliance status and our binding 2026 Remediation Roadmap, committing to universal access standards.

January 15, 2026

Security Whitepaper Release

Released the 2026 Security Whitepaper detailing our encryption-at-rest protocols, multi-tenant database isolation, and security incident response plan.

How does Edudata.io ensure digital trust and regulatory compliance?

Edudata.io centralizes AI, data protection, and security risk management to ensure school privacy and GDPR compliance. By utilizing a deterministic Cache-Augmented Generation (CAG) architecture, secure EU data hosting, and strict WCAG accessibility guidelines, the platform simplifies regulatory compliance, streamlines app vetting, and protects educational institutions against emerging digital risks.

EDUDATA.IO CORE COMMITMENTS

Active

We hold ourselves to the highest standards regarding data protection, transparency, and product security. Here are our core commitments to educational institutions, schools, and districts:

No Selling Data

We never sell or rent student, teacher, or school data to third parties for marketing or any other purposes.

No Targeted Ads

Marketing trackers are restricted strictly to our public marketing site. Zero tracking or advertising exists inside our student educational application.

EU Data Hosting

All customer personal data is securely hosted and processed within the European Economic Area (EEA), ensuring full compliance with GDPR.

Safe AI Practices

We do not use customer personal data, student essays, or classroom work to train public foundational AI models.

Active Platform Compliance Checklist

To fulfill the rigorous governance, privacy, and security standards of Sweden, Finland, and European municipalities, Edudata.io maintains active compliance across the following areas:

Compliance Area | Operational Standard | Legal Framework | Status
System Overview | Cache-Augmented Generation (CAG) Architecture | Proprietary Legally-Anchored Engine | Active
Terms of Service | Binding service levels, zero competitor access | Malminkaari 17-19B, Cloudpoint Oy | Version 3.1
Cookie Policy | Strict environment segregation, zero tracking in app | Active Transparency Framework | Active
Privacy Policy | GDPR data minimization and user access rights | EU GDPR (Finland / Sweden) | Active
Data Processor Obligations | Full logical isolation, zero third-party leakage | EU GDPR (Finland / Sweden) | GDPR Compliant
Artificial Intelligence | No student profiling, no classroom steering | EU AI Act Compliance | Active
Security & Encryption | AES-256 at rest, TLS 1.3 in transit, Vanta monitoring | ISO/IEC 27001:2022 Alignment | Active
WCAG Accessibility | UI contrast, modal focus traps, screen reader toggles | WCAG 2.1 Level AA / EN 301 549 | Roadmap 2026

System Description

Comprehensive architectural and operational overview of the Edudata.io GRC platform.

SYSTEM DESCRIPTION: EDUDATA.IO

Status: Active | Version: 1.0

1. Executive Summary

Edudata.io is an enterprise-grade Governance, Risk, and Compliance (GRC) SaaS platform engineered exclusively for the educational sector, currently serving municipalities, school boards, and learning institutions across Finland and Sweden. The platform centralizes data protection, cybersecurity, accessibility, and artificial intelligence compliance into a unified operational hub.

Rather than building rigid localized data borders, Edudata.io acts as a compliance enabler, helping cross-border educational ecosystems seamlessly navigate complex European regulations—including the GDPR, the NIS2 Directive, the EU AI Act, and European accessibility mandates.

2. Core Functional Modules

  • Edudata Compliance & Library: Centralizes a global database of thousands of pre-assessed educational applications. It tracks vendor Data Processing Agreements (DPAs) and privacy policies, dynamically updating compliance status when vendors alter their legal terms.
  • Automated RoPA & Mapping: Programmatically generates and maintains an institution's Record of Processing Activities (RoPA). When an app is cleared or blocked by administration, the system instantly logs data flows and specific student data points.
  • Edudata Transparency: A public-facing interface (transparency.edudata.io) giving students, parents, and guardians real-time visibility into the exact apps approved for classroom use and their corresponding data retention rules.

3. Advanced Technical Architecture: The CAG AI Engine

The core analytical heartbeat of Edudata.io is its deterministic, legally anchored AI Engine. The system utilizes a specialized Cache-Augmented Generation (CAG) paradigm, entirely abandoning legacy RAG infrastructures that relied on vector databases, indexing, and text splitters.

Legacy RAG Workflow: User Query → Vector Search → Text Chunks → LLM (High Latency / Context Fragmentation)

Modern CAG Workflow: User Query → Pre-Cached Legal & Grading Framework in GPU RAM → Deterministic LLM Inference (Sub-Second Latency)

Infrastructure & Hydration
  • Model Layer: Built on Gemini 3.1 Pro, utilizing its expansive native context window to ingest entire regulatory libraries without structural compression.
  • Vertex AI Context Caching: The entire un-fragmented European legal framework, National Curriculums (including Finnish and Swedish standards), and proprietary Edudata grading rules are kept permanently hydrated in high-speed GPU RAM.
  • Retrieval-Free Processing: Because the engine does not perform real-time external database lookups or semantic chunk extraction, it operates without the typical context degradation or informational blindspots inherent to classic search pipelines.

Core Architectural Guarantees
  • Zero-Hallucination Legal Reasoning: By evaluating user queries against complete, unbroken source regulations and school policies rather than fragmented text snippets, the system guarantees legally sound, hallucination-free reasoning.
  • Millisecond Latency: Bypassing the multi-step database retrieval bottleneck minimizes Time-To-First-Token (TTFT), delivering near-instant safety assessments.
  • 100% Deterministic Mathematical Grading: The model acts as a reliable logical interpreter over locked grading rules, ensuring that risk metrics are mathematically predictable, reproducible, and precise.

4. Pan-European Data Governance & Cloud Security

  • EU Data Sovereignty: To fulfill the rigorous data protection demands of the public education sector while facilitating cross-border operational scaling, all context caching, inference, and telemetry storage are hosted strictly within secure, sovereign EU-based cloud regions (leveraging Google Cloud's European infrastructure).
  • Cross-Border Regulatory Harmonization: The platform is natively designed to map compliance assessments simultaneously against overarching EU directives and country-specific educational nuances unique to Finland and Sweden.
  • Human-in-the-Loop Validation: The CAG engine works as an expert legal assistant. While it parses policies and calculates risk scores with total mathematical precision, final institutional approval requires human confirmation from a certified privacy professional or DPO.
  • Tenant Isolation: Client configuration data, school profiles, and audit logging metrics are securely siloed in independent database layers, ensuring zero cross-contamination between municipalities using the shared application.

Terms & Policies

Learn about the terms and policies governing the use of the Edudata.io platform and the services operated by Cloudpoint Oy.

EDUDATA.IO TERMS OF SERVICE

Version 3.1

Effective Date: March 11, 2026

These Terms of Service ("Terms") describe your rights and obligations when using the Edudata.io service ("Service"), operated by Cloudpoint Oy ("us," "we," "our," or "Company"). Please read these Terms carefully before using any version of the Edudata.io Service.

The Service is provided by Cloudpoint Oy, Malminkaari 17-19B 00700 Helsinki, Finland, Business ID 2325703-6.

⚠️ IMPORTANT DISCLOSURE

The Edudata.io Service provides curated information and a proprietary framework to assist your organization in conducting risk assessments. It is crucial to understand that Edudata.io does not assume responsibility for decisions made using any of its Service versions. The responsibility for making decisions about their use, and ensuring compliance with all applicable laws (including GDPR) rests solely with your organization and its designated decision-makers. Edudata.io is not liable for any errors, omissions, or consequences arising from decisions made using the Service. Customers are responsible for exercising their own due diligence.

Furthermore, access to and use of this Service, including the structure, organization, presentation of its data, and the insights it reveals into Edudata.io's proprietary methodology and know-how, is strictly limited to eligible education providers and bound by these Terms. Any use by competitors, for competitive analysis, reverse engineering, or to gain unauthorized insights into Edudata.io's processes, data curation, or business model, is expressly prohibited and subject to significant financial consequences and predetermined damages as detailed in these Terms.

Table of Contents

  • 1. General Service Overview & Versions
  • 2. Acceptance of Terms & Authority
  • 3. Privacy and Contact Info
  • 4. User Access and Security
  • 5. Eligibility and Account Registration
  • 6. Permitted Use and Restrictions
  • 7. Prohibited Competitive Misuse
  • 8. Confidentiality & Proprietary Info
  • 9. Intellectual Property Rights
  • 10. Changes and Updates to Service
  • 11. Responsibility for Loss or Damages
  • 12. Indemnification
  • 13. Term and Termination
  • 14. Miscellaneous Provisions
  • 15. Changes to these Terms

1. General Service Overview and Version Descriptions

Edudata.io is used to assess data protection, AI and security compliance as well as overall suitability of digital services used in education. The Service is intended for Customers (e.g., cities, municipalities, education providers, educational institutions), hereinafter either “Customer” or “Education provider”.

Edudata.io supports the provider of the education in maintaining up-to-date documentation of the processing of student personal data in various digital services used in education.

Edudata.io Service Components:
  • EDUDATA Compliance: Consists of the Edudata.io platform itself and a curated list of digital services used in education, along with detailed information about them.
  • EDUDATA Compliance Service: A professional service where the Company or a Partner evaluates digital educational services, allowing the Customer to map and manage related risks and submit services for evaluation.
  • EDUDATA Privacy: A transparency tool that allows a student to see the digital services in use, the data processed in those services, the data retention period, and when the user has logged in with their EDU credentials.
  • EDUDATA Security: A component that collects first- and second-level login data from separately defined learning environments; after pseudonymization, the data is stored and managed by the Customer (Data Controller). This component also offers analytics tools for the collected data.

Edudata.io Service Versions:
  • a. Edudata Starter: Provides basic access to the Edudata.io Compliance platform and the list of services. Users conduct their own risk assessments. This version does not provide specific recommendations or AI-assisted features, nor does it include access to the EDUDATA Privacy App. Features and functionalities of the Free Version are subject to change or limitation at Company's sole discretion. Please note that the Free Version does not include any technical support, service level agreements (SLAs), or guarantees of uptime. Offered "as is" and without guarantee of continuous provision, support, or maintenance.
  • b. Edudata Advanced: A paid service tier where risk assessments are augmented by Artificial Intelligence capabilities integrated into the Edudata.io Compliance platform. The Edudata AI has been trained with assessments and evaluations made by legal advisors. The AI provides assistance and insights, but the ultimate responsibility for validating and acting upon the assessments remains with the Customer. This version includes access to the EDUDATA Privacy App.
  • c. Edudata Premium: A paid service tier that includes the Edudata.io Compliance platform and where risk assessments are conducted by Edudata.io's legal advisors (as part of Edudata.io Compliance Service). These assessments and recommendations are provided as professional guidance and the responsibility for the final decision and compliance remains solely with the Customer. This version also includes access to the Edudata.io Privacy App.

2. Acceptance of Terms & Authority to Bind Organization

  • a. Binding Agreement: These Terms form a legally binding agreement between your organization and Edudata.io.
  • b. Authority: By creating an account, accessing, or using any version of the Edudata.io Service, the individual doing so ("Authorized Individual") personally warrants and represents that:
    • i. They are accepting these Terms on behalf of a legally recognized organization (e.g., an educational institution).
    • ii. They possess the full legal authority to enter into and bind that organization to these Terms.
    • iii. The organization they represent agrees to be, and shall be, fully bound by all terms and conditions herein.
  • c. Reliance on Representation: Edudata.io relies on this representation of authority. If the Authorized Individual does not have such authority, they will be held individually liable for any breaches of these Terms and any resulting damages or losses incurred by Edudata.io, in addition to any liability of the organization.
  • d. Acceptance: By proceeding with account creation, access, or use of the Service, the Authorized Individual, on behalf of their organization, signifies that their organization has read, understood, and agrees to be bound by these Terms. If your organization does not agree with these Terms, or if the Authorized Individual lacks the authority to bind the organization, neither the Authorized Individual nor the organization may access or use the Service.

3. Privacy and Contact Information

We process personal data in accordance with the Edudata.io data processing agreement between us and the Customer organization.

You can contact us by emailing us at info@edudata.io. In case we need to contact the customer, we will do so by writing to the email address provided by the Customer. "By writing" shall mean emails for all formal communications under these Terms.

4. User Access and Security

The use of the Service must be in compliance with these Terms. The user shall access the Service by signing in with a third-party single sign-on such as Google or Microsoft, and using a password only known by them.

The Customer accepts the personal data processing practices as stated in the data processing agreement, privacy policy and these Terms. We may terminate the account at any time due to failure to adhere to these and other agreements in force between Customer and us.

The Customer shall maintain appropriate security measures, including but not limited to, the use of updated virus protection and frequent password changes in order to prevent the Customer's system from contaminating the Service with malicious content of any kind.

5. Eligibility and Account Registration

  • a. Recognized Education Provider: Access to and use of any version of the Edudata.io Service is strictly limited to institutions or entities that are formally recognized as education providers under the national law of their country of operation (e.g., schools, colleges, universities, accredited vocational training institutions and cities and municipalities (limited to their education sector)).
  • b. Organizational Warranty: By registering for or using the Service, your organization, through its Authorized Individual, warrants and represents that it meets this eligibility criterion and is not, and is not affiliated with, a competitor of Edudata.io or any entity engaged in providing similar risk assessment, data privacy, or app evaluation services to educational institutions or other entities.
  • c. Verification: Edudata.io reserves the right to request documentation or otherwise verify your organization's status as a recognized education provider, or its competitive status, at any time. Failure to provide satisfactory proof of eligibility upon request will result in immediate termination of your organization's access to the Service.
  • d. Account Responsibility: Your organization is responsible for maintaining the confidentiality of account credentials and for all activities that occur under its account. Your organization agrees to notify Edudata.io immediately of any unauthorized use of its account.

6. Permitted Use and Restrictions

  • a. License: Subject to your organization's compliance with these Terms and any applicable Subscription Agreement, Edudata.io grants your organization a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to use the Service solely for its internal, non-commercial educational purposes, consistent with the specific version subscribed to.
  • b. Prohibited Uses: All users must comply with the following rules regarding the acceptable use of the Service. Therefore, the user of the service must not:
    • i. Use the Service in any unlawful manner, for any unlawful purpose, or in any manner inconsistent with these Terms, or act fraudulently or maliciously;
    • ii. Transmit or otherwise use any material that is defamatory, offensive or otherwise objectionable in relation to the use of the Service;
    • iii. Use the Service in a way that could damage, disable, overburden, impair or compromise our systems' security, or interfere with other users;
    • iv. Infringe our intellectual property rights;
    • v. Use the Service, or any data, information, insights, methodologies, or any derivative thereof gained from the Service, for competitive analysis, benchmarking, product development, reverse engineering, or any other purpose that would compete with, provide intelligence to, or otherwise undermine Edudata.io's current or future services or business interests.
    • vi. Rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Service or its outputs, except as part of the normal use of the Service permitted herein.
    • vii. Collect or harvest any information or data from the Service or our systems in order to attempt to decipher any transmissions to or from the servers running the Service;
    • viii. Copy the Service or the content within it, except as part of the normal use of the Service as permitted by these Terms;
    • ix. Translate, merge, adapt, vary, alter or modify the Service nor permit the Service to be combined with, or become incorporated in any other programs, except as necessary to use the Service as permitted by these Terms;
    • x. Disassemble, de-compile, reverse engineer, or create applications or services based on the whole or any part of the Service.

In addition to any other remedies that may be available to us, we reserve the right to take remedial action we deem necessary, including immediate suspension or termination of a user, upon notice without liability, should there be any failure to abide by these acceptable use provisions or, if at the Company’s sole discretion, such action is deemed necessary to prevent disruption to the Services or harm to others.

For clarity on Permitted Use of Assessments and Recommendations: Acceptable use includes the use of the risk assessment service and related data to request assessment of digital teaching services, to make recommendations about them, and to share the decisions made on the basis of these recommendations with persons belonging to the Customer’s organization. Recommendations or assessments made by the Company (specifically in AI-Assisted or Premium versions) are shared with the Customer's personnel, representatives, or Authorized Users whose access is necessary for performing their tasks. These recommendations or assessments cannot be shared with other organizations or persons outside the Customer’s own organization without prior written consent from Edudata.io. The Customer can publish without restrictions the decisions they have made themselves, which do not contain the specific recommendation or assessment information provided by the Company.

7. Unauthorized Use by Non-Education Providers and Competitive Misuse

The Edudata.io Service is exclusively intended for and strictly limited to recognized education providers as defined in Section 5(a). Any access or use of the Service by an organization that does not meet this eligibility criterion, or any use for competitive purposes as prohibited in Section 6.b.v, without a separate, explicit written agreement with Edudata.io for such use, constitutes a material breach of these Terms and will result in severe consequences.

In the event Edudata.io determines that your organization is using the Service without meeting the eligibility requirements or for any prohibited competitive purpose:

  • a. Banned: Your organization will be immediately and permanently banned from using any Edudata.io services. This includes both our free and any paid offerings.
  • b. Liquidated Damages: Your organization agrees to pay Edudata.io a sum of Two Hundred Fifty Thousand Euros (€250,000) as liquidated damages. This amount represents a reasonable pre-estimate of the significant and difficult-to-quantify damages incurred by Edudata.io due to such unauthorized competitive access, breach of these Terms, and the unauthorized acquisition, use, or leakage of Edudata.io's Proprietary Information, intellectual property, and competitive know-how. You acknowledge that this liquidated damages amount is not a penalty but a reasonable compensation for the foreseeable harm caused by your unauthorized access and competitive misuse.
  • c. Legal Remedies: Edudata.io reserves the right to pursue any and all other legal remedies available, including but not limited to injunctive relief and additional damages, against the unauthorized organization and any individuals responsible for the misuse.

8. Confidentiality and Proprietary Information

  • a. Definition: You acknowledge that the compilation, selection, arrangement, structure, organization, categorization, and presentation of the app details and related information within the Service, as well as any non-public features, functionalities, underlying methodologies, processes, business strategies, and know-how of the Edudata.io platform (collectively, "Proprietary Information"), constitute valuable trade secrets and confidential information of Edudata.io. This Proprietary Information derives economic value from not being generally known to, or readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and Edudata.io has taken reasonable measures to keep it secret.
  • b. Obligation: Your organization agrees to maintain the strict confidentiality of all Proprietary Information accessed through the Service. You shall not disclose, copy, reproduce, distribute, or otherwise use Proprietary Information for any purpose other than your internal, non-commercial educational use as permitted by these Terms. The Customer shall protect all Confidential Information of the Company as well as it protects its own Confidential Information, and not less than a reasonable standard of care. The Customer will not disclose any Confidential Information of the Company to any person other than its personnel, representatives or Authorized Users whose access is necessary to enable them to exercise their rights or perform their obligations under the Agreement, provided that these persons in question have undertaken to keep the information confidential.
  • c. Prohibited Use by Competitors: Specifically, you shall not use Proprietary Information to develop, enhance, or offer any competing product or service, or to advise or assist any third party in doing so, nor shall you disclose it to any competitor or any third party for competitive purposes. The Customer shall not disclose any information regarding the risk assessments or recommendations to any third party outside the Customer organization.
  • d. Survival: This Section 8 shall survive the termination or expiration of these Terms.

9. Intellectual Property Rights

The Company owns and retains ownership of the Service, including all intellectual property rights related to the Service. The rights related to the Service are licensed to Customers for the duration of the contract. For this reason, the Customer does not receive any intellectual property rights, but only the right to use the Service in accordance with these Terms for the duration of the contract.

The Company has the right to use the information added to the Service by the Customer by the Customer’s users, which is not classified as personal data, without limitation and free of charge. Such information may include descriptions of third-party applications or websites as well as risk assessments made by the Customer organization. This information is used to develop and improve the Service.

The Company reserves all rights to the risk assessments and recommendations made by the Company. The Customer has access to these Customer-specific assessments and recommendations for the duration of the contract depending on the service version.

10. Changes and Updates to the Service

The Company may change the Service to comply with the relevant laws and regulations, add new features and/or to implement technical improvements, such as improving the security against cyber threats. These changes do not significantly affect the use of the Service. We will notify the Customer when we make larger changes.

The Company may update the Service or oblige the Customer to update the Service. It is the Customer’s responsibility to ensure that the updates are installed without delay.

11. Responsibility for Loss or Damages (Limitation of Liability)

Our liability for any loss or damage suffered by the Customer, whether foreseeable or not, is strictly limited to the maximum amounts specified below for each Service Version. We are responsible for foreseeable damages caused by our activities. If we fail to comply with these Terms, we carry responsibility for the loss or damage suffered by the Customer, subject to the limitations stated herein. However, reasonable measures may be taken only in the case where the loss or damage is a foreseeable result of us breaking our contractual obligations with you or our failing to use reasonable care and skill. Consequently, we are not liable for any loss or damage that cannot be reasonably considered as foreseeable.

Loss or damage is foreseeable if either it is obvious that it will happen or if, at the time the contract was made, both parties knew it might happen, for example, if you discussed it with us before purchasing the Service.

We do not exclude or limit our liability in any way to the Customer where it would be unlawful. We are not liable for consequential or indirect damages.

Specific Liability Limitations per Service Version:
  • For the Free Version: The maximum amount of damages that the Company can be liable for is One Hundred Euros (€100).
  • For the Advanced & Premium Versions: The maximum amount of damages that the Company can be liable for is the amount paid by the Customer for the use of the Service during the last 12 months.

Edudata.io commits to exercising due professional diligence in generating AI-assisted recommendations for assessments and in providing legal advisor recommendations in the Premium Version. The purpose of the assessments and recommendations provided by the Service is to support and enhance the customer's own risk management and decision-making.

Edudata.io continuously develops its AI models and ensures the quality of legal advisor assessments through reviews and validations. Notwithstanding these efforts, the customer understands and accepts that these assessments are recommendations in nature and based on available information and communication with the service provider as well as with the customer. They do not supersede the customer’s own independent judgment, due diligence obligation, decision-making, or compliance with statutory requirements.

Edudata.io shall not be liable for any damages, errors, or omissions, that result from (a) incorrect or incomplete input provided by the customer, (b) decisions made by the customer based on the assessments or recommendations provided by the Service, or (c) the use of assessments or recommendations other than those expressly provided by the Service.

12. Indemnification

Your organization agrees to defend, indemnify, and hold harmless Edudata.io, its affiliates, directors, officers, employees, and agents from and against any and all claims, damages, obligations, losses, liabilities, costs, or debt, and expenses (including but not limited to attorney's fees) arising from:

  • (a) your organization's use of and access to the Service, including any data or content transmitted or received by your organization;
  • (b) your organization's violation of any term of these Terms, including without limitation your breach of any of the representations and warranties above;
  • (c) your organization's violation of any third-party right, including without limitation any right of privacy or intellectual property rights;
  • (d) your organization's violation of any applicable law, rule, or regulation;
  • (e) any claim or damages that arise as a result of any of your organization's content or any content that is submitted via your organization's account; or
  • (f) any other party's access and use of the Service with your organization's unique username, password, or other appropriate security code.

13. Term and Termination

These Terms shall remain in force until the Service contract expires or the Service is terminated in accordance with the specific terms applicable to your Service version (e.g., Subscription Agreement for paid versions).

Upon expiration, termination or cancellation of the Service, the Company may immediately deactivate the Customer’s account.

Personal data is deleted or returned in accordance with the Data Processing Agreement between Edudata.io and the Customer.

14. Miscellaneous Provisions

  • a. Transfer of Rights and Obligations: We may transfer our rights and obligations under these Terms and this Agreement to another organization. In this case, we will be in contact with Customers well in advance before starting such actions. If the Customer does not accept the transfer, the Customer can contact us and terminate the contract with a 30-day notice period.
  • b. Transfer of Customer User Rights: Company’s written consent is required to transfer user rights to another person. This means that rights and/or obligations can only be transferred with a written consent. However, the Company has the right to reject the transfer request if a violation of Terms or other illegality appears during the evaluation of the transfer.
  • c. Third-Party Rights: The rights under these Terms can only be exercised by the original user or a person to whom the right has been properly and legally transferred. Other persons do not have the right to demand the enforcement of any Terms.
  • d. Severability: If a court finds any part of this contract illegal, the other parts of the contract will remain in force. Therefore, each point of these Terms must be evaluated separately. If any provision of these Terms is held to be invalid, illegal, or unenforceable, such provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving to the maximum extent possible the original intent and economic effect of such provision. If such modification is not possible, the provision shall be severed from these Terms, and the remaining provisions shall continue in full force and effect. The parties agree to negotiate in good faith to replace any invalid, illegal, or unenforceable provision with a valid, legal, and enforceable provision that achieves, to the greatest extent possible, the objectives of the original provision.
  • e. No Waiver: If we do not invoke the agreement or Terms immediately when a violation of the Terms comes to our attention, we retain the right to invoke it at a later time. We can take legal action if the Customer intentionally violates the Terms of Service or otherwise acts unlawfully. We reserve the right to do this despite the fact that the Customer’s breach may lead to the immediate termination of the contract.
  • f. Governing Law and Dispute Resolution: All disputes and claims related to these Terms or their interpretation, validity or termination shall be resolved in the District Court of Helsinki. Finnish law and the General Data Protection Regulation apply to these Terms.
  • g. Data Storage and Technical Infrastructure (Specific to Edudata.io Security Component): For Customers utilizing the EDUDATA Security component, Edudata’s data is stored in a Google Cloud Project owned and managed by the Customer organization. The data is stored in a separate Firestore database. The Customer is required to pay for the expenses (Cloud costs) resulting from the use of the Cloud.

15. Changes to these Terms

We reserve the right to change these Terms if necessary, so that they correspond to: (a) Changes in applicable legislation; (b) New regulations and guidelines; and (c) Improvements and additions to our Service.

We will notify you in advance when changes are made to these Terms. If the changes are significant, we will provide a more prominent notice within the Service. The Customer can contact us if the Customer is dissatisfied with the changes to the Terms.

16. Change History

11.3.2026: Version 3.1. Service tiers updated to Starter, Advanced and Premium.

Privacy Policy

We take data protection extremely seriously, complying fully with the General Data Protection Regulation (GDPR) and local educational privacy standards.

Plain-Language Summary for Students & DPOs

We process only standard administrative fields (first name, last name, educational email) for SSO login, browser data, and device data. We never collect sensitive personal history, and you have the absolute right under GDPR to access, edit, or request portability of your data.

EDUDATA.IO PRIVACY POLICY

Active

Last updated: 15.12.2025

This is Edudata.io’s Privacy Policy in accordance with the EU General Data Protection Regulation (GDPR), describing the principles under which Edudata.io (hereinafter also "Edudata" or "Data Controller") processes personal data when acting as a Data Controller in connection with the Edudata.io service ('Service'). Edudata complies with Finnish law and the EU General Data Protection Regulation in all its operations.

1. Data Controller and Contact Information

Data Controller: Edudata.io
Business ID: 3460068-8
Address: Malminkaari 17-19B, 00700 Helsinki, Finland
Phone: +358 9 4257 9280
Website: www.edudata.io
Data Protection Officer: Lauri Kaski, email: lauri.kaski@edudata.io

2. Name of the Register

Edudata Customer, Contract, and Marketing Register.

3. Edudata’s Roles and Purpose of Processing

Edudata’s role in processing personal data within the Edudata.io Service is twofold:

A. Edudata as a Data Processor

In the core operation of the Service (Edudata.io), the Customer (education provider) is the Data Controller and Edudata is the Data Processor. In this case, the Customer determines the purposes and means of processing. This processing takes place in accordance with a separate Data Processing Agreement (DPA).

B. Edudata as a Data Controller

Edudata processes personal data as its own Data Controller for the following purposes:

  • Customer Relationship Management: We process data to manage the customer relationship and to fulfill contractual obligations. This may include setting up the customer relationship, support, billing, and reporting.
    Legal basis: Legitimate interest and performance of a contract.
  • Sales and Marketing: We process data for the sales and marketing of our services, direct marketing, and sending newsletters.
    Legal basis: Legitimate interest and consent.
  • Customer Communication: We process personal data to handle customer feedback and support requests, as well as to send notifications regarding the services.
    Legal basis: Legitimate interest and performance of a contract.
  • Fulfillment of Legal Obligations and Compliance with Laws: We may process personal data to fulfill statutory obligations, such as those related to accounting and taxation.
    Legal basis: Legal obligation.
  • Service Development: The company has the right to use data added to the Service by the Customer, which is not classified as personal data, for the development and improvement of the Service.

We do not perform automatic decision-making or profiling based on personal data that would have legal effects on the data subject.

4. What Personal Data Do We Process and Collect as a Controller?

We collect personal data related to our customers mainly from the individuals themselves or from public sources. The data we process may include:

  • Contact Information: First name, last name, email address, phone number, other contact details (address).
  • Organization Information: Job title, name of the organization.
  • Customer Relationship Information: Information on ordered services and changes to them, billing information, other information related to the customer relationship and ordered services.
  • Marketing Information: Marketing consents/bans.
  • Website and Contact Information: Technical data (usage data, device data), cookies, content of the contact.

5. Sources of Personal Data

We process and collect personal data that the user has provided or submitted to us (e.g., contacts, contracts). In addition, we collect data from public sources such as public registers and documents, websites, and social media services.

6. Sharing and Disclosing Personal Data

We use external service providers and subcontractors who process personal data on behalf of Edudata. These include, for example:

  • Google Ireland
  • Hubspot Ireland
  • Visma AB
  • Cloudpoint Oy
  • Online Partner AB

Subcontractors process personal data on our behalf and may not use personal data for their own purposes. All our service providers are committed to complying with the EU General Data Protection Regulation.

7. Transfer of Personal Data Outside the EU and EEA

Personal data may be transferred outside the EU or EEA, as some of the service providers we use are located outside the area (e.g., cloud services).

If personal data is transferred to a country for which the EU Commission has not issued an adequacy decision regarding data protection (and the recipient is not certified under the EU-US Data Privacy Framework), the transfer will take place in accordance with the Standard Contractual Clauses approved by the EU Commission and other necessary safeguards.

8. Retention and Deletion of Personal Data

Your personal data will not be retained longer than is necessary for the fulfillment of its purpose of use, the customer relationship, or the contract. Data will also be deleted if you withdraw your consent or request the deletion of your data, provided there is no lawful basis for the processing. Billing and accounting material is retained for the period required by the Accounting Act.

9. How We Protect Your Personal Data

We implement appropriate physical, technical, and organizational measures to protect your personal data from unauthorized access or damage.

  • Employees with access to personal data have a separate non-disclosure agreement and a statutory duty of confidentiality.
  • Access is restricted only to employees who have a need and grounds to process personal data based on their job description.
  • Employees use two-factor authentication.
  • Our office access control is electronically monitored, and the property has 24/7 camera surveillance and guarding.

10. What Rights Do You Have?

You have the following rights under the GDPR regarding your personal data:

  • Right of access: The right to know what personal data we process about you and to obtain a copy of it.
  • Right to rectification: The right to request the correction or completion of incorrect, outdated, or incomplete personal data.
  • Right to erasure: The right to request the deletion of your personal data if there is no longer a basis for its processing.
  • Right to restriction of processing: The right to request the restriction of the processing of your personal data in certain situations.
  • Right to object: The right to object to processing if it is based on legitimate interest and there is no compelling legitimate ground to continue processing.
  • Right to data portability: The right to receive the data concerning you that has been provided to us based on a contract or consent.
  • Right to withdraw consent: The right to withdraw your consent at any time if the processing is based on consent.
  • Right to prohibit direct marketing: The right to prohibit the processing of your personal data for direct marketing purposes at any time.

You can exercise your rights by contacting us at: info@edudata.io.

11. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority (in Finland, the Office of the Data Protection Ombudsman).

12. Procedure in Data Breach Situations

In the event of a potential data breach, we follow the measures and timeframes defined in the General Data Protection Regulation. If necessary, we will notify the supervisory authority and the data subjects of the data breach without delay.

13. Cookies

We use cookies on our website to provide the best possible user experience. Cookies are small text files stored on your terminal device. The user can give their consent or refuse cookies via a separate cookie banner.

14. Changes

We reserve the right to make changes to this privacy policy. If we make material changes, we will notify you in advance.

Data Processing Agreement (DPA)

The legally binding DPA governing personal data processing for the Edudata.io platform between the Data Processor and the Data Controller.

EDUDATA.IO DATA PROCESSING AGREEMENT

Active

Effective: 23.7.2025

This Data Processing Agreement (DPA) is for EDUDATA (‘Service’), which is run and provided by Cloudpoint Oy. It is supplemental to, and forms an integral part of, the main agreement, including the Terms of Service (‘ToS’), and is effective upon its acceptance. In case of any conflict or inconsistency with the terms of the entirety of the Agreements, this DPA will take precedence to the extent of such conflict or inconsistency.

Contracting Parties:

Data Processor: Cloudpoint Oy (2325703-6), Malminkaari 17-19B, 00700 Helsinki, Finland

Data Controller: Customer

1. Definitions

  • Data Controller: Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; (“Controller”).
  • Data Processor: Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (“Processor”).
  • GDPR: General Data Protection Regulation EU 2016/679.
  • Personal Data: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Any other terms not defined in this DPA shall have the same meaning as in the GDPR.

2. Background and Purpose

The Controller has selected the service provider (Cloudpoint Oy) to act as a Processor in accordance with Article 28(3) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”).

This DPA forms an integral part of the Main Agreement concluded between the Parties under which the Processor shall provide the Controller with the Edudata service, which consists of Edudata Compliance, Edudata Compliance Service, Edudata Privacy and Edudata Security, unless otherwise agreed in the Main Agreement.

The Processor will process information relating to an identified or identifiable natural person on behalf of the Controller. The detailed data processing practices are described in the Annex 1 of this DPA.

The purpose of this DPA is to agree on the rights and obligations of the Parties involved in the processing activities as required by the GDPR and to safeguard the freedoms and rights of the data subject during processing.

3. Roles and Responsibilities

The Processor shall process personal data in accordance with this DPA and the documented instructions of the Controller. The Processor shall not use personal data for any purpose other than agreed in this DPA and in the instruction of the Controller. The instructions of the Controller must be compliant with the applicable data protection laws and consistent with this DPA.

If the Processor notices that any instruction given by the Controller is not compliant with the applicable laws or if they are insufficient, the Processor shall inform the Controller of such non-compliance.

The Controller is responsible for having a legal basis for the processing of personal data, for informing the data subjects of the processing of their personal data and for other data controller obligations set out in the GDPR.

The Controller is responsible for informing the Processor of the contact details of their Data Protection Officer and for ensuring the contact details are up to date. Contact details are required in order for the Processor to comply with the notification obligations in case of a data breach incident.

4. Technical and Organizational Measures

The Processor shall maintain appropriate technical and organizational security measures to protect against unauthorized or unlawful processing or access and against accidental loss, destruction or damage. When choosing the security measures, the Processor must take into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.

A detailed description of the employed measures is stipulated in Annex 2 of this DPA.

5. Obligation to Assist

The Processor processes personal data in accordance with this DPA and the instructions from the Data Controller and in compliance with the data protection legislation. The Processor must take the necessary measures to protect personal data from processing practices that are not in line with the terms of this DPA, the instructions or data protection legislation.

The Processor undertakes to ensure that those working for the Processor comply with the terms of this DPA and are informed of the relevant legislation. The Processor supports the Controller in ensuring the fulfillment of the obligations laid down in Articles 32-36 of the GDPR, when requested by the Controller.

The Processor undertakes, without undue delay, to inform the Controller of all requests of the data subjects concerning the exercise of the data subject’s rights under the GDPR. The Processor undertakes to support the Controller with appropriate technical and organizational measures so that the Controller is able to respond to requests regarding the exercise of the data subject’s rights.

If the support requested from the Processor requires measures that are likely to cause additional costs for the Processor, the Controller will pay the processor a reasonable compensation for providing the support.

6. International Transfers

We process personal data on servers located in the European Economic Area (EEA). As a rule, there are no regular transfers of personal data beyond the EEA.

The Controller accepts that in order to provide the Service, the Processor may have Personal Data processed by, and accessible to, its subprocessors outside the Controller’s country of domicile.

In case Personal Data is transferred to a subprocessor in a country outside the EEA, or otherwise transferred to any country outside the EEA, that is not recognised by the European Commission as providing an adequate level of protection for personal data, the Processor provides for appropriate safeguards (GDPR Chapter V), for example by standard contractual clauses adopted or approved by the European Commission and applicable to the processing by the non-EEA subprocessor, or by any other appropriate safeguard as foreseen in the Regulation.

The storage location and international transfers outside of the EEA are specified in Annex 1.

7. Duty of Confidentiality

The Processor and all natural persons working for the Processor shall observe both confidentiality and professional secrecy during the Processing. The Processor ensures that all natural persons working for the Processor are bound by a confidentiality agreement.

The Processor ensures that there is a non-disclosure agreement with the subprocessors and confidentiality agreement in place between the subprocessor and all natural persons working for the subprocessor participating in the processing.

8. Right to Audit

The Controller shall have the right to reasonably audit the facilities and processing activities of the Processor to examine the level of protection and security provided for under this DPA, and to assess the Processor’s compliance with the provisions of this DPA.

The Controller shall bear all costs for undertaking an audit. The Controller shall inform the Processor at least 30 working days in advance before conducting the audit.

The Controller's right to audit shall be exercisable no more than once every twelve (12) months, unless a specific data breach or substantiated concern necessitates an earlier audit.

Where an audit may lead to the disclosure of business or trade secrets of the Processor, or threaten the intellectual property rights of the Processor, an independent expert must be employed to carry out the audit, and such expert shall agree to be bound by a confidentiality agreement.

9. Subprocessors

The Processor shall have the right to involve subprocessors to process personal data in connection with the provision of the Service, to the extent such appointment does not lead to non-compliance with the Processor’s obligations under this DPA.

The Processor ensures that the involved subprocessors will operate under a data processing agreement with the Processor and comply with data processing obligations substantially similar to the ones contained herein.

The Processor has the right to change its subprocessors. The Processor shall provide the Controller with a prior notice concerning subprocessor changes. In case the Controller objects to the change or to the addition of subprocessors, the Controller shall have the right to terminate the Service.

10. Breaches

The Processor shall, without undue delay after having become aware of it, inform the Controller in writing about any data breaches relating to the personal data, and any other events where the security of personal data processed on behalf of the Controller has been compromised. The Processor’s notification about the breach to the Controller shall include at least the following:

  • Description of the nature of the breach;
  • Name and contact details of the Processor’s contact point;
  • Description of the measures taken by the Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

11. Deletion of Personal Data

Within a reasonable time, but no more than 180 days, after the termination or expiry of this DPA, and after the Controller has permanently ceased to use the Service, the Processor shall return or permanently delete all personal data from the Processor’s storage, unless specifically instructed otherwise, or unless the Processor is required by law to retain such personal data.

User data is deleted from the user database automatically when 366 days have passed since the system’s last processing of login information.

12. Limitation of Liability

The Processor shall not be liable for any indirect or consequential damages under this DPA.

The aggregate maximum liability of the Processor to the Controller under this DPA shall be limited to a sum corresponding to 100% of the payments made by the Controller to the Processor for the Service during the previous 12 months.

The Processor does not limit its liability where such limitation would be unlawful.

13. Term

This DPA enters into force on the date written below and shall continue to be in force until the Processor has ceased to process the Controller’s personal data, or until replaced by another agreement between the Parties with regard to the data processing.

14. Dispute Resolution and Jurisdiction

This DPA shall be subject to the provisions regarding dispute resolution and jurisdiction set out in the Main Agreement.

15. Amendments

We reserve the right to make amendments to this DPA. The amended version will enter into force only after the acceptance by both parties.

Signatures

The Parties below have executed this DPA on the date written below. Electronic delivery of an executed counterpart of a signature page to this DPA by email shall be effective as delivery of a manually executed counterpart of this DPA.

Lauri Kaski

CEO, Cloudpoint Oy (Processor)

Date: 23.7.2025

[Customer Representative Signature]

Authorized Signatory (Controller)

Date: [Date of Acceptance]


ANNEX 1: Description of the Data Processing

1. Purpose of the processing of Personal Data

The Processor shall process personal data on behalf of the Controller for the purposes of providing the Service, to the extent such provision of the Service requires processing of personal data by the Processor. The processing shall be carried out in accordance with the Main Agreement, this DPA, and the instructions given by the Controller.

2. Categories of Data Subjects

The processing of personal data concerns the following categories of data subjects:

  • Students
  • Teachers and other personnel of the Customer that use the Service

3. Types of Personal Data

The Processor may process the following types of personal data under this DPA (processed in Edudata Compliance, Edudata Compliance Service, Edudata Privacy, and Edudata Security across roles: Student, Teacher, Teacher+, Draftsman, Decision Maker, Customer Admin):

  • First name
  • Last name
  • Email address
  • IP address
  • Login data
  • Browser details
  • Device Data
  • 3rd party service login information
  • Edudata ID
  • Language
  • User creation date
  • User last login
  • Profile picture
  • Role of the user
  • Organization (Customer name) name and domain

4. Duration of the processing of Personal Data

Personal data shall be processed under this DPA for the duration of the Term of the Main Agreement. After the Main Agreement has been terminated or expired, and the Processor has ceased to provide the Service, and has conducted all the actions set out in this Agreement relating to the return and deletion process of personal data. Following this, for a maximum period of 180 days, the Processor shall no longer process or store any Customer personal data, except to the extent the Processor is under a statutory obligation to retain the personal data after the termination of the Main Agreement.

The Controller determines the duration of the processing activities and is responsible for ensuring that personal data is deleted accordingly.

Edudata's data is stored in a Google Cloud Project owned and managed by the Customer's organization. In the project, the data is stored in a separate Firestore database. From the processing, only system log data is stored in the Edudata.io system, and it is automatically deleted within 30 days.

In case the Customer terminates the use of the Edudata Service, the databases remain under the control and responsibility of the Customer. The Processor will process data only in accordance with this Agreement and only for the duration of the Agreement.

  • Edudata log data stored: 30 days
  • User data deletion: Automatically deleted from the user database when 366 days have passed since the last login information was updated.
  • Third party services log data: 18 months
  • Assessments, decisions and requests: Stored for 3 years
  • Role request timeout: Denied or unresponded requests within 30 days are automatically deleted from the user database. Approved requests transition to the standard 366-day rule.
  • System logs upon deletion: Deleted in 180 days after deletion process starts.

5. Subprocessors

The Processor shall have the right to involve subprocessors to process personal data in connection with the provision of the Service:

Subprocessor name and scope of processing:

  • Google Ireland Ltd: Applies to all users of EDUDATA Service(s)
  • HubSpot: Applies to contact and technical support persons only
  • Online Partner: Applies to the customers in the partner's market area
  • Delling Cloud: Applies to the customers in the partner's market area

6. International transfers

Personal data is stored on servers located in the European Economic Area. As a rule, there are no regular transfers of personal data beyond the EEA.

In case personal data is being transferred outside the EEA by subprocessors to a country that the EU Commission has not determined to have an adequate level of data protection, the basis for transfer shall be in accordance with Chapter V of the GDPR, such as the Standard Contractual Clauses approved by the EU Commission.


ANNEX 2: Security measures

The Processor shall implement and maintain appropriate technical and organizational security measures designed to protect and preserve the security of personal data.

The Processor shall ensure that any person authorized by the Processor to process personal data (including its staff, agents, subcontractors) shall be under appropriate obligations of confidentiality.

Our security measures are documented and reviewed twice a year. Our staff regularly participate in data privacy and data security training.

  • Our office is access controlled, guarded and has 24/7 camera surveillance.
  • All access to the data environments is controlled by IAM and logged.
  • All user logins use enforced 2FA and strong authentication keys (Yubico).

Software Development Security Controls:

  • Security aspects highlighted in orientation of new employees.
  • Security-related training provided to developers via Google Cloud certifications.
  • Access to code repositories only by approval of a senior developer.
  • Local development only on laptops with encrypted disks.
  • Peer review of the code.
  • Regular vulnerability checks and updates of software libraries.
  • Regular monitoring of news channels about cyber-threats and vulnerabilities.

Customer Responsibility:

Ownership and management of data warehouses implemented in Google's Cloud Services is the Customer's responsibility. The Customer, as the data controller, is responsible for taking the appropriate security measures.

The service is hosted in Google’s Cloud Service. Google employs various security measures in respect of its Cloud Services. More information can be found in the Google Cloud Security Whitepapers.

Artificial Intelligence Policy

Our commitment to the ethical, responsible, and transparent integration of AI in education, fully compliant with the EU AI Act.

EDUDATA.IO AI POLICY

Active

Version 1.0 | Effective: 10.7.2025

This AI Policy outlines Edudata.io's commitment to the responsible and ethical use of Artificial Intelligence (AI) in fulfilling its mission to safeguard student privacy and ensure GDPR compliance for European Union schools. Edudata.io leverages AI to enhance the efficiency, accuracy, and comprehensiveness of its risk assessment processes for third-party digital services used in educational settings. It is crucial to understand that these AI-powered assessments provide recommendations and are not binding decisions. Edudata.io commits to continuously monitor and improve the AI's performance and accuracy based on feedback and evolving data. Nevertheless, the responsibility for adopting or rejecting these recommendations, and for ensuring compliance with all applicable laws, rests solely with the customer and their designated decision-makers. Edudata.io is not liable for any decisions made based on these recommendations or for any errors or omissions in the AI-assisted assessment.

1. Our Commitment to Responsible AI

At Edudata.io, we're dedicated to developing and deploying AI technologies that align with our core values of privacy, security, transparency, and accountability. We understand the profound impact of digital services and AI on children's privacy. We strive to ensure AI is used as a tool to further, not compromise, the fundamental rights of students in the evolving digital environment. Our approach is guided by relevant regulations, including GDPR, the EU AI Act, and best practices in ethical AI development.

2. Purpose of AI at Edudata.io

AI is integral to Edudata.io's process for creating comprehensive risk assessments of third-party digital services. Specifically, our AI systems are designed to:

  • Analyze Documentation: Process and extract relevant information from various service documentation, including Privacy Policies, Terms of Service, Data Processing Agreements (DPAs), AI Policies, and Security Policies.
  • Incorporate Expert Knowledge: Leverage insights from previous human-made (legal advisor) risk assessments for the same service to inform and enhance the AI's analysis, providing a feedback loop for continuous improvement and contextual understanding.
  • Support Risk Assessment for Privacy (GDPR Compliance): The AI's analytical capabilities are tailored to identify and evaluate critical aspects of personal data processing in accordance with the General Data Protection Regulation (GDPR).
  • Support Risk Assessment for Security: The AI helps identify and evaluate the security posture of the third-party service by extracting and analyzing information on:
    • Implemented technical and organizational security measures (TOMs).
    • Specific controls against fraudulent use of personal data by staff or unauthorized persons.
  • Support Suitability for Education & Marketing Assessment: The AI contributes to evaluating the pedagogical appropriateness and commercial impact by assessing:
    • Whether the service supports the organization of teaching in various educational levels (preschool, primary, secondary).
    • The target group of the service and the suitability of its content for users, particularly minors.
    • Any presence of marketing or advertising directed at the user within the service, especially for students.
  • Support Assessment of AI Use within the Third-Party Service: Recognizing the critical importance of AI in third-party services, Edudata.io's AI analyzes documentation to assess the service provider's use of AI:
    • Identifying if AI is used in the service's provision or operations, its specific role, and its type (reactive, predictive, or generative).
    • Determining if AI is involved in personal data processing and the measures for transparency and explainability, including clear indication of AI functionalities.
    • Evaluating if the AI's use falls into categories of high risk or prohibited use as per the EU AI Act (e.g., for determining access/admission to educational institutions, evaluating learning outcomes, or monitoring student behavior).
    • Reviewing documented measures taken to minimize risks and negative impacts of the AI system, including specific safeguards for vulnerable groups and mechanisms for human oversight and accountability.

Note: We do not use AI to process any customer personal data.

3. Principles for AI Use

Our AI operations are governed by the following key principles:

  • Privacy by Design: AI systems are developed with data protection and privacy considerations embedded from the outset.
  • Security: Robust security measures are implemented to protect all data processed by AI models.
  • Transparency: While the complexity of AI models can be high, we aim for transparency regarding the role of AI in our risk assessment methodology and the criteria it evaluates.
  • Human Oversight: AI serves as a powerful tool, but Customers and their users, legal experts, and advisors retain oversight. The Customer has the decision-making authority over all risk assessments.
  • Fairness and Non-discrimination: Our AI systems are designed to assess services objectively, without bias, to ensure equitable and fair evaluations.
  • Compliance: All AI activities strictly adhere to GDPR, national data privacy laws, and other applicable legal frameworks.

4. Data Handling and Privacy

Edudata.io handles data used by its AI systems with the utmost care, in accordance with our commitment to privacy:

  • Input Data: The AI processes publicly available documentation and internal, previous human-made risk assessments. We don't knowingly provide any personal data of students or other sensitive user information as direct input to the AI models for generating assessments.
  • Data Processing: Data submitted to AI features for processing (e.g., text from privacy policies) is handled securely. We partner with reputable and secure AI service providers that offer robust data protection assurances and don't use our data to train their models.
  • Confidentiality: Customers (schools, education providers) are advised against including confidential or sensitive information in any documentation provided if it's not necessary for the risk assessment.
  • Data Minimization: We adhere to the principle of data minimization, ensuring that only necessary and relevant data is processed by the AI for its intended purpose.

5. Human Oversight and Accountability

AI at Edudata.io functions as an assistive technology, augmenting the capabilities of our human experts:

  • Expert Validation: Every AI-generated risk assessment or recommendation undergoes thorough review and validation by the Customer and/or Edudata.io's team.
  • Decision-Making: The final decision regarding the suitability of a digital service and its associated risks rests with the Customer and its decision-makers.
  • Accountability: While Edudata.io strives to provide the most accurate and legally compliant AI-assisted risk assessments, the nature of AI models means they may contain errors or require contextual interpretation. Therefore, the accountability and responsibility for the decision to implement or continue using any digital service, and for ensuring its full compliance with all applicable laws and regulations (including GDPR), lies with the Customer. We emphasize that customers must exercise their own due diligence in reviewing Edudata.io recommendations and making their final informed choices.

6. Accuracy and Reliability

We're committed to the accuracy and reliability of AI-assisted risk assessments:

  • Continuous Evaluation: Our AI models and their outputs are evaluated for accuracy, relevance, and consistency. This includes regular testing against new and challenging data sets to identify potential biases or inaccuracies.
  • Quality Assurance: We implement rigorous quality assurance processes to identify and correct any inaccuracies or biases that may arise from AI analysis.
  • User Review: We emphasize to our Customers the importance of reviewing and understanding the AI-generated components of the risk assessments, encouraging them to engage with our experts for clarification and further customization.

7. Compliance and Ethical Considerations

Edudata.io ensures that its AI policy and practices are fully compliant with all relevant regulations:

  • GDPR: Our AI use fully supports GDPR compliance, particularly concerning third-party digital service risk assessments.
  • Legislation for Education: We ensure that AI aids in assessing compliance with specific legislation pertinent to digital services in education, including aspects like ad-free environments.
  • Ethical AI: We adhere to ethical guidelines for AI development, focusing on beneficial use, preventing harm, and promoting trust in AI systems.

8. Continuous Improvement and Monitoring

AI, digital threats, and legislation are all evolving. Edudata.io is committed to:

  • Updates: Updating our AI models, methodologies, and policies to reflect the latest advancements in AI technology, changes in legislation, and emerging risks.
  • Performance Monitoring: Monitoring the performance of our AI systems to ensure they consistently deliver high-quality and reliable risk assessments.
  • Feedback Integration: Incorporating feedback from our legal team, customers, and the broader privacy community to refine our AI applications and policies.

9. User Responsibilities (for Edudata.io Customers)

While Edudata.io strives to provide robust AI-powered risk assessments, the Customer also has responsibilities:

  • Review and Verification: Customers should carefully review and verify the content of the risk assessments provided, especially the sections informed by AI, to ensure they align with their specific context and requirements.
  • Accurate Input: Provide accurate and complete documentation of the third-party digital services to enable the AI to perform the most effective assessment.
  • Policy Adherence: Ensure internal policies and practices align with the recommendations and findings of the risk assessments.

10. Contact Information

For any questions or concerns regarding Edudata.io's AI Policy or practices, please contact us at: info@edudata.io

Security & Architecture Whitepaper

Detailed disclosure of edudata.io's technical infrastructure, access controls, network security, and compliance alignment with ISO 27001.

EDUDATA.IO SECURITY & ARCHITECTURE WHITEPAPER

Application: edudata.io | Version: 1.0 | Status: Active

1. Executive Summary

At edudata.io, we recognize that our platform handles highly sensitive educational, administrative, and student data. Securing this information is not just a regulatory obligation; it is our foundational commitment to the schools, districts, and municipalities we serve.

This Security & Architecture Whitepaper provides a comprehensive overview of how edudata.io protects customer data. By embedding "Privacy by Design" into our engineering lifecycle and enforcing stringent, continuous monitoring, we ensure the absolute confidentiality, integrity, and availability of our information systems.

2. ISO 27001:2022 Framework Alignment

Our Information Security Management System (ISMS) is built to align with the rigorous, globally recognized standards of ISO/IEC 27001:2022. We are actively progressing toward formal certification.

To achieve and maintain this posture, our ISMS relies on the following pillars:

  • Comprehensive Policy Framework: Our security posture is governed by a strict hierarchy of internal policies, including our Information Security Policy, Access Control Policy, Data Management Policy, Secure Development Policy, and Third-Party Management Policy.
  • Continuous Compliance Monitoring: We utilize Vanta as our automated continuous monitoring platform to actively track compliance against ISO 27001:2013 and ISO 27001:2022 control frameworks in real time.
  • Asset Lifecycle Management: We maintain a strict inventory of all informational and physical assets. All organizational assets undergo enforced tracking from provisioning through termination and return (Controls AST-4 through AST-9).
  • Shared Responsibility: Information security is a collaborative effort. All employees and contractors undergo security training and are bound by strict acceptable use and confidentiality agreements.

3. Infrastructure & Network Security

We leverage enterprise-grade cloud architecture to ensure high availability, resilience, and data protection.

  • Cloud Hosting & Physical Security: The edudata.io platform is hosted on Google Cloud Platform within the European Economic Area (EEA). We rely on our cloud provider's ISO 27001-certified data centers for world-class physical security, including biometric access controls, 24/7 surveillance, and environmental threat protections.
  • Network Security & Hardening: Our supporting infrastructure is routinely patched and hardened against security threats as part of our scheduled maintenance protocols (Control VPM-38). We employ isolated virtual networks, security groups, and tightly configured firewalls to minimize our external attack surface.
  • Data Encryption:
    • In Transit: All data transmitted between client devices and our servers, as well as internally between microservices, is encrypted using TLS 1.2 or higher.
    • At Rest: All persistent storage, databases, and backups are encrypted at rest using AES-256. Furthermore, all company-issued devices utilized by our staff are secured with Full Disk Encryption to negate the risk of data recovery in the event of loss or theft.
  • Ephemeral Storage: Temporary files (e.g., IaaS /tmp storage) are destroyed automatically the moment the associated computing process finishes.

4. Access Control & Identity Management

Protecting access to our systems is handled through a strict, zero-trust approach, ensuring that users and internal staff only have access to the data necessary for their roles.

  • Role-Based Access Control (RBAC): We enforce the Principle of Least Privilege across our entire organization. By default, all system access is prohibited. Access rights are granted exclusively based on legitimate business needs and are continuously reviewed.
  • Identity Verification & MFA: Administrative access to production environments and root accounts requires highly complex, rotated passwords alongside mandatory Multi-Factor Authentication (MFA).
  • Source Code & Intellectual Property: Access to program source code, designs, and validation plans is strictly controlled, logged, and audited. This prevents unauthorized functional changes and protects the integrity of our software development lifecycle.
  • Personnel Onboarding & Offboarding: Access provisioning is tightly controlled by HR and our Security Delegate. Upon termination of employment or contract, all physical assets must be returned, and all system access is immediately revoked.

5. Data Privacy & Governance

To effectively protect customer data, we enforce a strict Data Management Policy that dictates how information is classified, handled, and securely disposed of.

  • Data Classification: We categorize information into three tiers, with Customer Data and Personally Identifiable Information (PII) designated as Confidential. Confidential data requires the highest level of protection, strict access restrictions, and executive or data-owner approval prior to any external sharing.
  • Multi-Tenancy & Logical Separation: Customer environments and databases are strictly segregated to prevent data leakage between distinct school districts. The Firestore databases are logically segregated by Google Cloud project configurations, ensuring isolated security boundaries.
  • Data Retention & Disposal: We adhere to the following retention schedules to comply with GDPR data minimization principles:
    • Customer Data: Securely deleted within 90 days following contract termination.
    • Security & Event Logs: Cloud/Host instance logs are retained for 1 year to assist in forensic auditing, while on-premises security logs are retained indefinitely.
    • Temporary Files: Ephemeral data is purged automatically upon process completion.

6. Vulnerability & Incident Management

We operate under the assumption that the threat landscape is constantly evolving. As such, we have established proactive monitoring and rapid-response mechanisms.

  • Vulnerability & Patch Management: We continuously obtain and evaluate intelligence regarding technical vulnerabilities (Control VPM-3). Our infrastructure is routinely patched, and our vulnerability management tools actively scan our environments. Host vulnerability data is retained until the underlying asset is removed and purged.
  • Penetration Testing: We conduct rigorous, independent security assessments and penetration tests annually with trusted, certified third-party cybersecurity firms.
  • Incident Response Plan: We maintain a formalized Incident Response Plan managed by our Security Delegate.
    • Reporting & Triage: Security events are immediately escalated and categorized by severity.
    • Containment & Remediation: In the event of an Indicator of Compromise (IOC)—such as abnormal account activity or disabled logging—our response team follows strict runbooks. Steps include immediately contacting cloud support, rotating root passwords/keys, and revoking mutating access to stop the threat ("stop the bleeding").
    • Post-Mortem: Every security incident concludes with a thorough root-cause analysis. We document the findings, fix underlying structural issues, and update our runbooks to prevent future recurrences.

WCAG Accessibility Report

Providing equal, universal access to all students and administrators is a core pillar of the Edudata.io platform.

ACCESSIBILITY STATEMENT & REMEDIATION ROADMAP 2026

Partially Compliant

This accessibility report exclusively covers the privacy.edudata.io service (Edudata Privacy Application (PWA)) | Date Updated: 19/05/2026 | Target Compliance: WCAG 2.1 Level AA / EN 301 549

1. Compliance Status

This statement applies exclusively to the public privacy.edudata.io service, which is the only end-user facing interface of the platform. Based on the initial evaluation conducted on 23/12/2025, this application is Partially Compliant with the WCAG 2.1 Level AA standards.

Note: "Partially compliant" means that some parts of the content do not yet fully conform to the accessibility standard. We have acknowledged these non-compliances and have established a binding remediation roadmap (see Section 3) to resolve them within the current calendar year.

2. Non-Accessible Content (Known Issues)

The following features are currently non-accessible but are scheduled for remediation (or have been recently remediated):

  • A. Perceivable (Visuals) - Contrast Issue (WCAG 1.4.3): Placeholder text in form fields (Login, Profile) previously fell below the 4.5:1 contrast ratio against the background. Status: Remediated.
  • B. Operable (Navigation) - Focus Management (WCAG 2.4.3): The Confirmation Dialogs (Modals) do not currently "trap" the keyboard focus. This allows keyboard users to accidentally navigate behind the open dialog. Status: In Progress.
  • C. Understandable (Code & Labels) - Custom Toggles (WCAG 4.1.2): The "Privacy Settings" toggle switches lack the role="switch" and aria-checked attributes. Screen readers currently cannot announce whether a setting is "On" or "Off." Status: Scheduled.

3. Remediation Roadmap (2026 Compliance Plan)

To meet the "Universal Design" requirements of the European Accessibility Act (EAA), we have committed to the following development timeline:

| Issue Category | Specific Action | Target Completion | Status |
|---|---|---|---|
| UI Design | Update CSS variables for form placeholders to meet 4.5:1 contrast ratio. | Q2 2026 (April) | Completed |
| Core Navigation | Implement "Focus Trap" logic on all Confirmation Modals to prevent background navigation. | Q3 2026 (August) | In Progress |
| Screen Readers | Add aria-label, role="switch", and aria-checked states to all Settings toggles. | Q3 2026 (August) | Scheduled |
| Multimedia | Note: This application does not currently utilize video or audio content. If introduced, captions will be mandatory. | Ongoing | Monitored |

4. Verification & Certification Strategy

  • Current State: Self-Assessment (Technical & Expert Review).
  • Future Validation: To align with municipal requirements for independent verification ([ACC-00]), we have scheduled a 3rd Party Accessibility Audit (VPAT/ACR) to be conducted upon completion of the remediation items above.
  • Target Audit Date: Q4 2026 (November).

5. Feedback and Contact Information

If you encounter accessibility barriers or need information in an alternative format to exercise your GDPR rights (such as data portability requests), please contact us:

Email: info@edudata.io
Response Time: We aim to respond within 7 working days.

6. Enforcement Procedure

If you are not satisfied with the response you receive from us regarding your accessibility request, you may contact the relevant supervisory authority in your jurisdiction:

  • Finland: ESAVI
  • Sweden: DIGG
  • Norway: Uu-tilsynet