Data Processing Addendum

Last updated: April 29, 2026

Controller and processor roles

The client institution is the Data Controller for student, staff, applicant, and institutional records uploaded into didaflow. Didaflow Srl acts as Data Processor and processes personal data only on documented instructions from the Controller.

Processing scope

Purpose

Analytics, prediction, reporting, and decision-support workflows requested by the institution.

Data categories

Identifiers, academic events, enrolment status, exam records, support interactions, and derived risk indicators.

Data subjects

Students, applicants, graduates, academic staff, administrative users, and authorized institutional contacts.

Duration

For the contract term, plus deletion or return windows agreed with the Controller.

Technical and organizational measures

  • Role-based access control, least-privilege administration, and audit logging
  • TLS encryption in transit and encryption at rest for managed storage
  • EU-hosted infrastructure, backup procedures, and environment separation
  • Incident monitoring and data protection training for authorized personnel

Processor commitments

Confidentiality

Personnel with access to personal data are bound by confidentiality obligations.

Assistance

didaflow assists the Controller with data subject requests, DPIAs, security assessments, and regulator inquiries where reasonably required.

Breach notice

didaflow will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data.

Subprocessors

didaflow may use vetted subprocessors for hosting, infrastructure, authentication, email delivery, monitoring, and model execution. Subprocessors are bound by written data protection terms that preserve the same level of protection required by this DPA.

Notice of material subprocessor changes will be given through contractual channels or the service changelog where applicable.

International transfers

Data is processed primarily in the European Union. Where a transfer outside the EEA is necessary, didaflow uses an adequacy decision, Standard Contractual Clauses, or another valid GDPR transfer mechanism.

Return and deletion

At contract termination, didaflow will return or delete Controller personal data according to documented instructions, unless retention is required by law. Aggregated, anonymous statistics may be retained when they no longer identify data subjects.