Applies when using the Tutlio platform.
Note: This Data Processing Agreement (DPA) forms an integral part of the Service Agreement, if one has been signed, the Tutlio Platform Terms of Use and the Privacy Policy. It applies to all Tutors and Organizations that use the Tutlio platform and process students' personal data.
1. Parties and definitions
1.1. Parties and roles
This Data Processing Agreement (the DPA) is entered into between MB Tutlio (the Service Provider or Platform), which provides the Tutlio platform services, and the Tutor/Organization (the Client), which uses the Platform to manage students' data and organize lessons. The parties expressly agree that, under the General Data Protection Regulation (GDPR), when personal data is processed in the Platform, the Client acts exclusively as the Data Controller and MB Tutlio acts exclusively as the Data Processor under Article 28 GDPR.
1.2. Definitions
GDPR means the General Data Protection Regulation (EU 2016/679). Personal data means any information about a natural person, such as a student or parent/guardian, whose identity is known or can be identified. Data Controller means the natural or legal person, the Client, that determines the purposes and means of data processing. Data Processor means the natural or legal person, MB Tutlio, that processes personal data exclusively on behalf of and on instructions from the Data Controller. Data Subject means the natural person, such as a student or parent/guardian, whose personal data is processed. Sub-processor means a third party used by the Service Provider for data processing operations, such as Supabase, Stripe or Perlas Finance.
2. Scope and purposes of data processing
2.1. Data processed
In the Platform, on the Client's instructions, the following personal data of students and parents/guardians may be processed: first name and surname; email address; phone number; age and grade/class, optionally; invitation codes; lesson history, including dates, times, topics and notes; payment information, including amount, status and payment deadlines; parent/guardian data if the payer is not the student: name and email address.
2.2. Purposes of processing
Data is processed for the following purposes: provision of Platform services, including lesson scheduling, calendar management and sending reminders; payment administration, including processing lesson payments and generating and sending invoices; communication, including sending automatic notifications; accounting, including maintaining financial records as required by law; platform improvement, using anonymous statistics to improve platform services.
2.3. Duration of processing
Data is stored for as long as the service agreement or account use between the Client and the Platform remains in effect; financial records, including payments and invoices, are stored for 10 years as required by accounting laws; after termination of the agreement or deletion of the account, data is stored for up to 30 days unless the Client requests earlier deletion or data export.
3. Obligations and responsibilities of the parties
3.1. Obligations of the Service Provider as Data Processor
The Service Provider undertakes to: process data only on the Client's instructions; implement appropriate technical and organizational security measures; notify the Client of personal data breaches within 72 hours after becoming aware of them; assist the Client in exercising data subject rights; use only approved sub-processors; return or delete data after the end of the agreement according to the Client's choice; allow audits; and not transfer data outside the EU/EEA without appropriate safeguards.
3.2. Obligations of the Client as Data Controller
The Client undertakes to: have a legal basis for processing all data entered into the Platform; inform data subjects; obtain appropriate consents; ensure data accuracy and comply with the data minimization principle; independently respond to data subject requests; use the Platform responsibly, not transfer access to third parties, and protect login credentials.
4. Sub-processors
4.1. Approved sub-processors
The Client grants the Service Provider general authorization to use the following sub-processors: Supabase Inc. for database hosting and management, EU AWS eu-central-1, GDPR compliant, ISO 27001; Stripe, Inc. for payment processing, US/EU using SCC, PCI DSS Level 1; UAB Perlas Finance for open banking and payment processing services, Lithuania, a payment institution licensed by the Bank of Lithuania; Resend (Zernonia, Inc.) for email sending, US AWS using SCC.
4.2. Changes to sub-processors
If the Service Provider plans to add a new sub-processor or replace an existing one, it will inform the Client by email no later than 30 days before the change. The Client has the right to object to a new sub-processor if there are justified reasons related to data protection; in that case, the Client has the right to terminate the service agreement.
5. Data subject rights
5.1. Exercise of rights
Data subjects, meaning students and parents, have the following rights under GDPR: right of access, right to rectification, right to erasure, also called the right to be forgotten, right to restriction, right to data portability, right to object, and the right to lodge a complaint with the State Data Protection Inspectorate (VDAI).
5.2. Response deadlines and procedures
Data subject requests must first be handled by the Client as Data Controller. If the Client needs technical assistance extracting or deleting data, the Client may contact the Service Provider by email at info@tutlio.lt. The Service Provider responds to such requests within 30 days.
6. Data security measures
6.1. Technical measures
Encryption: TLS 1.3 in transit and AES-256 at rest. Authentication: passwords stored as bcrypt hashes. Access control: segregated access to data using Row-Level Security (RLS). Backups: automatic daily backups retained for 30 days. Monitoring: security events and server metrics are monitored.
6.2. Organizational measures
Employee training and confidentiality obligations, with all employees signing an NDA. Access limitation: only authorized employees have technical access to the infrastructure. Incident management: documented procedures for handling security breaches.
7. Personal data breaches
If a personal data breach occurs, the Service Provider promptly, and within 72 hours, notifies the Client by email, describes the nature of the breach, states the measures taken and provides recommendations. The Client, as Data Controller, is responsible for any further notification of data subjects or VDAI according to GDPR requirements.
8. International data transfers
Personal data is primarily stored in the European Union (AWS eu-central-1). When sub-processors registered in the United States, such as Stripe and Resend, are used, data is transferred on the basis of the European Commission's approved Standard Contractual Clauses (SCC), ensuring the level of protection required by the EU.
9. Audit and compliance verification
The Client has the right to request information about the GDPR compliance measures applied by the Service Provider. The Service Provider undertakes to provide supporting documents. Physical infrastructure audits may be carried out only by prior agreement, with coverage of the Service Provider's audit support costs and without compromising the confidentiality of other clients.
10. End of agreement and data return
After termination of the service agreement or deletion of the Client's account, the Service Provider returns data by allowing export in JSON or CSV format. After the 30-day transition period ends, all Client personal data is irreversibly deleted from systems and backups, except data that must be retained by law, such as financial transactions for accounting purposes.
11. Liability and compensation
Each party is liable for damage arising from its own breach of this DPA and GDPR. The Service Provider's maximum financial liability as Data Processor for breaches of this DPA is limited to the amounts and conditions set out in the main Service Agreement or in the Platform Terms of Use (the limitation of liability, or Liability Cap, clause).
12. Contacts
MB Tutlio contacts for GDPR and privacy matters: Email: info@tutlio.lt; Subject: BDAR / Data Protection; Response time: within 5 business days.
13. Final provisions
This DPA enters into force when the Client agrees to the Platform Rules or signs the Service Agreement and remains valid throughout the service period. The Service Provider may update this DPA by informing the Client by email no later than 30 days before the changes take effect. This agreement is governed by the law of the Republic of Lithuania and EU GDPR requirements.