ClassPods

Data Processing Addendum

Last updated: 2026-05-17

This Data Processing Addendum (DPA) forms part of the agreement between the school (the "Controller") and ClassPods (the "Processor") for the processing of personal data when teachers and students use the ClassPods service. A signable PDF version is available on request — email hello@classpods.org.

1. Roles

The school is the Controller of educational personal data processed through the service (teacher accounts created under the school's organization, student responses, classroom records). ClassPods is the Processor and processes such data on the school's documented instructions and as necessary to provide the service.

2. Scope of processing

Processing includes:

  • Account creation and authentication for teachers, admins, and (optionally) students.
  • Classroom records: classes, rosters, assignments, submissions, live-game responses.
  • Generated content: lesson packs, quizzes, worksheets drafted via AI tools.
  • Reporting and analytics derived from the above.
  • Operational logs required for security, reliability, and abuse prevention.
  • Billing metadata for the school-level invoice (no card data is stored by ClassPods).

3. Duration

Processing continues for the term of the underlying agreement and any agreed wind-down period (typically 30 days post-termination) during which the Controller may export data. After that period, ClassPods will delete or anonymize the data unless retention is required by law.

4. Subprocessors

ClassPods uses the following subprocessors to operate the service. Material changes are notified to schools with reasonable notice and a right to object:

  • Supabase — primary database, authentication, file storage.
  • Vercel — application hosting and edge delivery.
  • Stripe — payment processing and subscription management (school-billed only).
  • Resend — transactional and lifecycle email delivery.
  • OpenAI and Anthropic — generative model providers used for AI drafting. Teacher prompts are sent to the provider; ClassPods does not opt usage into model training.

5. Data residency

Production data is hosted in a single managed region selected for low GCC latency. Schools requiring a specific residency region (EU, Middle East, or other) can request it during procurement; the chosen region will be recorded in this DPA before signature.

6. Security measures

  • TLS encryption in transit; encryption at rest via Supabase managed storage.
  • Role-based access controls (school admin / teacher / student / platform admin).
  • Authentication via managed Supabase Auth, MFA available on request.
  • Principle of least privilege for the ClassPods team; production access is logged.
  • Secrets handling via environment variables; no production credentials in source control.
  • Automated bounce/complaint suppression on transactional email.

7. Sub-processor instructions

ClassPods processes personal data only on the Controller's documented instructions, on the Controller's behalf, and as necessary to provide the service. Use of personal data for marketing, advertising, or third-party model training is prohibited.

8. International transfers

Where personal data is transferred outside the school's jurisdiction (for example, through a subprocessor with operations in a different region), the transfer is performed under appropriate safeguards (Standard Contractual Clauses or an adequacy decision, where applicable).

9. Data subject requests

ClassPods will assist the Controller in responding to data-subject requests (access, correction, export, deletion) within a reasonable timeframe and at no additional cost during the term of the agreement.

10. Incident response

ClassPods will notify the Controller without undue delay (and within 72 hours where feasible) of any confirmed personal-data breach affecting the Controller's data, with the information then known and ongoing updates as investigation progresses.

11. Audit

On reasonable written notice, ClassPods will respond to written audit questionnaires covering the measures described in this DPA, no more than once per twelve-month period unless a confirmed breach requires earlier review.

12. Deletion and return

On termination, ClassPods will, at the Controller's choice, return or delete personal data within the agreed wind-down period, except where retention is required by law.

13. Contact

DPA questions, signing requests, and incident notifications: hello@classpods.org.