1. Definitions
This Data Processing Addendum (DPA) forms part of the agreement between you (Customer, also referred to as Controller where you determine the purposes and means of processing Personal Data) and Oholingo (Oholingo, we, us, or Processor) governing use of the Oholingo services (the Service), including where Customer is a school, university, employer, or other institution that deploys Oholingo for its end users. If you are an individual consumer, the primary relationship is typically governed by our consumer-facing terms and privacy notice; this DPA applies where Customer acts as a Controller for Personal Data processed in connection with an enterprise, education, or similar subscription.
This DPA reflects the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the UK GDPR as defined in the Data Protection Act 2018 (together, UK GDPR). Capitalised terms not defined here have the meanings given in the Main Agreement (as defined below) or, where applicable, in Article 4 GDPR / UK GDPR.
Ordering document priority: Where Customer signs an order form, data protection schedule, or institution agreement (Main Agreement), those terms control to the extent they explicitly conflict with this online DPA. Otherwise, this DPA supplements any Oholingo terms of service, privacy policy, or similar terms located at https://www.oholingo.com/terms (incorporated by reference). This document is not a substitute for legal advice. Organisations should have qualified counsel review it alongside their procurement and privacy requirements.
Applicable Data Protection Laws means all laws relating to privacy, security, and processing of Personal Data that apply to the respective party in its role, including the GDPR, UK GDPR, Swiss FADP where applicable, and any implementing or replacement legislation.
Controller, Processor, Processing, Data Subject, Personal Data, Personal Data Breach have the meanings in Article 4 GDPR / UK GDPR (as context requires).
EEA means the European Economic Area, EU means the European Union, and UK means the United Kingdom.
Restricted Transfer means a transfer of Personal Data that is subject to Chapter V GDPR / UK GDPR (or equivalent) to a country not recognised as ensuring an adequate level of protection.
Security Incident means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed by Oholingo for Customer, whether or not it constitutes a Personal Data Breach under Applicable Data Protection Laws.
Subprocessor means any third party engaged by Oholingo to process Personal Data on behalf of Customer in connection with the Service.
2. Scope of processing
This DPA applies where Oholingo processes Personal Data on behalf of Customer in delivering the Service.
- In-scope activities include hosting, storage, authentication, learning progress features, analytics strictly necessary to operate the Service, customer support, security monitoring, and activities described in Annex A.
- Out of scope includes processing where Customer, and not Oholingo, hosts data outside the Service, or where Customer acts as an independent controller for unrelated purposes. Public content Customer chooses to publish outside the Service remains Customer’s responsibility.
The details of Processing—including subject matter, duration, nature and purpose, categories of Data Subjects and Personal Data, and processing obligations—are set out in Annex A and may be updated when the Service materially changes, with notice as described in the Main Agreement and Section 7.
3. Roles of the parties
For the processing described in this DPA, Customer is the Controller and Oholingo is the Processor, unless the parties have agreed in writing that Customer is a Processor on behalf of a third-party Controller (in which case Customer warrants it has authority to bind that Controller and remains responsible for instructions).
Customer shall:
- Determine the lawful bases and essential transparency for its end users and administrators;
- Issue Processing instructions consistent with the Main Agreement and documented product functionality;
- Be responsible for the accuracy, quality, and lawfulness of Personal Data it or its users submit; and
- Ensure that where minors or students are concerned, required authorisations, parental consent, or school obligations (including under sector rules such as FERPA where applicable) are addressed.
Oholingo shall process Personal Data only on documented instructions from Customer—including this DPA, the Main Agreement, product configuration choices Customer controls, and documented support tickets for corrective actions—unless EU or UK law requires otherwise, in which case Oholingo will inform Customer unless prohibited on important grounds of public interest.
4. Data processing terms (Article 28)
4.1 Confidentiality
Oholingo ensures that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
4.2 Security
Oholingo implements appropriate technical and organisational measures as described in Annex C and the Main Agreement, taking into account the state of the art, implementation costs, and risks to Data Subjects.
4.3 Subprocessing
Customer generally authorises Oholingo to engage Subprocessors as set out in Section 7. Oholingo imposes data protection terms on Subprocessors that are materially consistent with this DPA.
4.4 Data Subject rights
Oholingo assists Customer in responding to requests from Data Subjects to exercise rights under Applicable Data Protection Laws, as set out in Section 9.
4.5 Breach notification
Oholingo assists with notifications described in Section 10.
4.6 Deletion and return
At Customer’s election, Oholingo deletes or returns Personal Data after the end of provision of the Services, subject to Section 12.
4.7 Audit and information
Oholingo makes available information reasonably necessary to demonstrate compliance and supports audits as described in Section 11.
4.8 International transfers
Where Restricted Transfers occur, Oholingo provides appropriate safeguards described in Section 8.
4.9 Records
Oholingo maintains records of Processing categories and activities as required under Applicable Data Protection Laws.
5. Confidentiality
Personal Data is treated as confidential information. Oholingo limits access to personnel and third parties who need access to provide the Service and who are subject to confidentiality and security duties. Customer will not disclose security credentials or administrative access except to authorised personnel and will use role-based access controls where offered.
6. Security measures
Oholingo implements the measures summarised in Annex C, which may evolve as standards and threats change. Customer is responsible for configuring authentication policies, managing seats and roles, and using Oholingo consistent with its own security policies.
7. Subprocessors
Customer generally authorises Oholingo to use Subprocessors to support the Service. Oholingo maintains a current list in Annex B of this page. Oholingo will inform Customer of changes to Subprocessors (for example via email to organisation administrators, in-product notice, or updates to this page) and allow a reasonable objection period where the Main Agreement provides for it; if objection rights exist and cannot be resolved, the parties will discuss commercially reasonable alternatives, which may include termination of affected components or the Agreement on terms stated in the Main Agreement.
Oholingo remains liable for the performance of its Subprocessors to the extent required by Article 28 GDPR / UK GDPR.
8. International transfers
Personal Data may be processed in the EEA, UK, United States, and other countries where Oholingo or its Subprocessors operate. Where a Restricted Transfer occurs and no adequacy decision applies, the parties will implement appropriate safeguards, which may include:
- EU Standard Contractual Clauses (SCCs) Module Two (Controller to Processor) or Module Three as applicable;
- For UK transfers, the UK International Data Transfer Agreement (IDTA), Addendum, or equivalent approved transfer tools;
- Binding Corporate Rules or other lawful mechanisms where available.
On request, Oholingo will provide information about the safeguards applicable to Customer’s deployment. For SCCs, Customer may complete annexes using the particulars in Annex A and the identity details below. Processor: Oholingo; full identity details are available on request to enterprise customers via privacy@oholingo.com (please reference your organisation and order form). Contact: privacy@oholingo.com (privacy and data protection queries).
Where US law enforcement requests apply, Oholingo will challenge unlawful or overbroad requests where reasonable and will provide Customer notice unless legally prohibited.
9. Data Subject rights assistance
Oholingo assists Customer by providing tools for access, correction, export, and deletion where available in the Service, and by responding to Customer’s written requests within commercially reasonable timeframes, taking into account complexity and volume. Where a Data Subject contacts Oholingo directly, Oholingo may redirect the individual to Customer when Customer is best placed to respond, unless Oholingo is legally required to respond directly.
10. Security incident and breach notification
Oholingo will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer’s Personal Data, and will provide information reasonably available to assist Customer in meeting its obligations, including a description of the nature of the breach, likely consequences, and measures taken or proposed. Notification may be delayed only where law enforcement requires secrecy during an investigation.
Customer is responsible for filings with supervisory authorities and communications to Data Subjects where Customer is the Controller, using Oholingo’s information as appropriate.
11. Audit rights
Oholingo makes available documentation on its practices (including security summaries and, where applicable, independent audit reports such as SOC 2) in lieu of repetitive audits to the extent permitted by Applicable Data Protection Laws.
Where mandatory law or the Main Agreement requires a deeper audit, Customer may request an audit at Customer’s expense on at least 45 days’ notice, during business hours, subject to reasonable confidentiality and security restrictions, not more than once every 12 months unless a material Security Incident or regulator investigation requires otherwise. Customer may use an independent third-party auditor bound by confidentiality. Findings that impact Oholingo’s general platform are shared in anonymised or aggregate form where feasible.
12. Return and deletion of data
On termination or expiry of the Main Agreement, Oholingo will delete or return Personal Data in accordance with the Agreement and product capabilities. Where automated export is offered, Customer should retrieve data before the account closure window. Residual backup copies may persist for a limited period in encrypted backups, after which they are overwritten in the ordinary course.
Oholingo may retain minimal records where required by law (for example financial records), or securely isolated security logs with Personal Data minimised.
13. Liability
Liability for breach of this DPA is subject to the limitations, exclusions, and caps in the Main Agreement. If the Agreement does not specify a cap, aggregate liability for each party arising out of or relating to Personal Data processing under this DPA will not exceed the fees paid by Customer to Oholingo for the Service in the twelve (12) months preceding the event giving rise to the claim (excluding VAT/taxes). Nothing in this DPA limits liability that cannot be limited under applicable law.
14. Governing law and jurisdiction
Where the Main Agreement specifies governing law and courts, those provisions apply to this DPA. If silent, this DPA is governed by the laws of England and Wales, excluding conflict-of-law rules, and the courts of England and Wales have exclusive jurisdiction, unless Applicable Data Protection Laws require Data Subjects to bring claims in their home jurisdiction.
15. Annexes
The annexes below form part of this DPA. Annex B may be updated to reflect new or replaced Subprocessors; material changes will follow the notice mechanism in Section 7.
Annex A — Description of processing
- Subject matter: Provision of the Oholingo language learning platform and related support.
- Duration: For the term of the Main Agreement, plus migration/deletion periods stated therein.
- Nature and purpose: Hosting; account and profile management; delivery of lessons, progress, gamification, and institution reporting features; customer support; error and performance diagnostics; abuse prevention and security; product improvement using aggregated or de-identified analytics where permitted.
- Categories of Data Subjects: Learners; institution administrators, teachers, or managers Customer designates; Customer billing contacts; support contacts.
- Categories of Personal Data: Identity and account details (name, email, user ID), role and seat information, authentication metadata, learning activity (e.g., lessons completed, scores, streaks, CEFR estimates), device/browser technical data, support communications content, and payment transaction metadata (payments handled by Stripe where billing applies).
- Special categories: Generally not intended. If Customer uploads optional profile fields or communications containing health or other sensitive information, Customer must ensure a lawful basis and instructions to Oholingo consistent with that processing.
- Processing location: As offered for Customer’s workspace (EU/US/UK regions where selectable) and as needed for global Subprocessors subject to Section 8.
Annex B — Subprocessors
| Subprocessor | Function | Location (typical) | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Managed database, authentication, and object storage. | Regions offered by Supabase (Customer may select EU regions where available). | Processor terms, SCCs/UK IDTA as applicable, encryption in transit/at rest. |
| Vercel Inc. | Application hosting, CDN, and edge routing. | United States and global edge; EU deployment options. | Processor DPA, SCCs/UK IDTA as applicable. |
| Stripe, Inc. | Payment processing (where billing features are used). | United States / global (per Stripe configuration). | PCI-DSS; Stripe DPA; SCCs/UK IDTA as applicable. |
| Resend, Inc. | Transactional email delivery (e.g., account and support messages). | United States. | Processor DPA; SCCs/UK IDTA as applicable. |
| Google LLC (Firebase) | Optional client distribution or asset hosting where enabled in product configuration. | United States / global (per Google regions). | Google Cloud/data processing terms; SCCs/UK IDTA as applicable. |
Additional specialist subprocessors may support discrete features; Oholingo will update this Annex and notices as they are onboarded. Contact privacy@oholingo.com for the current list for procurement packets.
Annex C — Technical and organisational security measures (summary)
- Access control: Role-based access, least privilege, MFA options for administrators where supported, credential hashing, session controls.
- Transmission security: TLS for data in transit between clients and the Service.
- Encryption: Industry-standard encryption for data at rest within Subprocessor platforms where supported and configured.
- Logging and monitoring: Security logging, alerting, and incident response procedures.
- Availability and resilience: Hosting practices designed for business continuity consistent with provider capabilities.
- Organisational: Personnel training, vendor due diligence, change management, and secure development practices.
- Backups: Regular backups as configured by the platform and Subprocessors.
Full security questionnaires or customised DPA schedules for regulated institutions are supported where contractually agreed. Contact support@oholingo.com for enterprise assurance and for legal notices.
