Data Processing Agreement
Version: 2026-05-28
Effective Date: 2026-05-28
Authoritative Privacy Policy: /legal/privacy §10 (Processor Obligations)
Sub-processor Inventory: /legal/subprocessors
Cross-border Transfers: the international transfer notice
This Data Processing Agreement ("DPA") governs Koydo's processing of personal data on a Customer's behalf in connection with the Service. The DPA is incorporated into the Master Service Agreement ("MSA") for B2B Customers and into the Educator / Pro terms for Educators who handle personal data of students they are not the parent of, or who enable Koydo Payments. In the event of conflict, this DPA controls for data-processing matters.
TL;DR
- For Customer Personal Data, Customer is the controller (GDPR) or business (CCPA/CPRA); Koydo is the processor (GDPR) or service provider (CCPA/CPRA).
- Koydo processes Customer Personal Data only as Customer instructs and only as necessary to deliver the Service.
- Koydo does not sell Customer Personal Data, does not use it for cross-context behavioral advertising, and does not use it to train any AI model.
- Sub-processors are listed at /legal/subprocessors and bound by equivalent written commitments. Material changes carry a 30-day notice with an objection window.
- Transfers from EEA / UK / Switzerland to the United States are made under EU SCCs, the UK Addendum, and the Swiss FADP supplement (details at the international transfer notice).
- Personal Data Breach notice to Customer is delivered without undue delay and within 72 hours of confirmation.
- On termination, Customer Personal Data is returned or destroyed within 90 days, subject only to legal retention requirements.
1. Definitions
Terms used in this DPA have the meanings set forth in GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA/CPRA, Quebec Law 25, Brazil LGPD, and Saudi PDPL as applicable. The following terms have specific meanings here:
- "Customer Personal Data" — personal data Customer (or its end users and Authorized Users) provides to or generates through the Service, which Koydo processes on Customer's behalf.
- "Data Subject" — an identifiable natural person whose personal data is processed.
- "GDPR" — Regulation (EU) 2016/679 and, where applicable, the UK GDPR.
- "Personal Data Breach" — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- "Sub-processor" — a third party engaged by Koydo to process Customer Personal Data on Koydo's behalf.
- "SCCs" — the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Scope and Roles
2.1 Roles
For Customer Personal Data:
- Customer is the controller (GDPR) or business (CCPA/CPRA).
- Koydo is the processor (GDPR) or service provider (CCPA/CPRA).
For Koydo's own internal data — account information of Customer's administrators, billing records, support correspondence — Koydo acts as controller. That processing is governed by the Privacy Policy, not this DPA.
2.2 Subject Matter and Duration
Koydo processes Customer Personal Data only as necessary to provide the Service per the MSA. This DPA is effective for the duration of the MSA and, for processing tasks that continue post-termination (data export window, legal retention), for the period of those tasks.
2.3 Nature and Purpose
The nature of processing is provision of the Service (hosting, AI inference, payment processing where applicable, support). The purpose is enabling Customer to deliver language-learning to its Authorized Users.
2.4 Categories of Data Subjects
- Customer's Authorized Users (students, parents, teachers, administrators).
- For Educators with Koydo Payments enabled: the Educator's learners and learners' parents.
2.5 Categories of Personal Data
| Category | Examples |
|---|---|
| Identifiers | name, email, account ID, IP address (truncated after geo-resolution) |
| Account credentials | hashed password, multi-factor factors |
| Educational records | lesson progress, scores, AI tutor transcripts, pronunciation audio (transient) |
| Communications | messages between users, support tickets |
| Payment metadata | payment-method type, last-4, billing country (full card data held by Stripe, not Koydo) |
| Diagnostic data | crash reports, performance traces (PII-scrubbed for child accounts) |
3. Processing Instructions
Koydo processes Customer Personal Data only on Customer's documented instructions, which are set forth in the MSA, this DPA, the Service configuration, and any written guidance Customer provides through Koydo's customer portal or by email to a Koydo account contact. Koydo will not process Customer Personal Data for any purpose outside those instructions. If Koydo is required by Union or Member State law to process Customer Personal Data outside Customer's instructions, Koydo will inform Customer of that requirement before processing, unless that law prohibits the notice on important grounds of public interest. If Koydo believes that an instruction infringes applicable data-protection law, Koydo will inform Customer in writing without delay.
5. Security Measures
Koydo has implemented and will maintain the technical and organizational measures set out below to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, that data.
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all network paths; modern cipher suites only |
| Encryption at rest | AES-256 for primary database, file storage, and backups |
| Access controls | Least-privilege RBAC; SAML / OIDC SSO available for B2B Customers; mandatory multi-factor for all Koydo personnel |
| Network controls | Cloudflare bot management; private networking between Koydo services and primary database |
| Application controls | Server-side input validation; CSRF protection; rate-limiting; secrets management via Doppler |
| Detection and response | Centralized logging; alerting on access anomalies; documented incident-response runbook |
| Personnel | Background checks for personnel with production access; annual security training |
| Vulnerability management | Continuous dependency scanning; quarterly third-party penetration testing |
| Resilience | Cross-region backups; documented disaster-recovery procedure with annual exercise |
These measures are reviewed at least annually and updated to maintain the level of security appropriate to the risk.
6. Sub-processors
6.1 Authorization
Customer authorizes Koydo to engage sub-processors to process Customer Personal Data, provided each sub-processor is bound by a written contract that imposes data-protection obligations no less protective than this DPA.
6.2 Current List
The current list of sub-processors is maintained at /legal/subprocessors.
6.3 Changes and Right to Object
Koydo will notify Customer at least 30 days before adding or replacing a sub-processor, through the customer portal and email to the contact on file. Customer may object in writing within the notice window on reasonable data-protection grounds. If the parties cannot resolve the objection, Customer may terminate the affected portion of the Service for the affected portion of the term, with a pro-rata refund of pre-paid unused fees.
6.4 Liability
Koydo remains liable to Customer for sub-processor performance to the same extent Koydo would be liable for its own performance.
7. Cross-Border Transfers
Transfers of Customer Personal Data from the EEA, the United Kingdom, or Switzerland to the United States rely on the mechanisms documented at the international transfer notice, including the EU SCCs (Module 2 controller-to-processor, Module 3 processor-to-processor where applicable), the UK Addendum to the EU SCCs (B1.0, 21 March 2022), and the Swiss FADP supplement. Koydo has performed Transfer Impact Assessments addressing FISA § 702 and EO 12333. Supplementary technical, contractual, and organizational measures are applied per EDPB Recommendations 01/2020.
8. Data Subject Rights
Koydo provides Customer with tooling and assistance reasonably necessary to enable Customer to respond to requests from Data Subjects to exercise rights under GDPR (Articles 15-22), CCPA/CPRA (right to know, delete, correct, opt out of sale/share, limit use of sensitive personal information), Quebec Law 25, Brazil LGPD, Saudi PDPL, and equivalent regimes. Where Koydo receives a Data Subject request directly that relates to Customer Personal Data, Koydo will forward the request to Customer without undue delay and will not respond substantively except on Customer's documented instructions.
9. Personal Data Breach Notification
Koydo will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any case within 72 hours of Koydo's confirmation of the breach. The notice will, to the extent then known:
- describe the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
- describe the likely consequences;
- describe the measures taken or proposed to address the breach and to mitigate adverse effects;
- communicate the name and contact details of Koydo's data-protection contact for further information.
Information not available at the time of notification will be provided in subsequent updates without further undue delay.
10. Data Protection Impact Assessments
Koydo will provide reasonable assistance to Customer with Customer's data-protection impact assessments and any prior consultation with supervisory authorities required by GDPR Articles 35-36, taking into account the nature of the processing and the information available to Koydo.
11. Audit Rights
Customer may, no more than once per twelve-month period and on reasonable prior written notice, conduct an audit (or appoint a qualified independent auditor on commercially reasonable terms) to verify Koydo's compliance with this DPA. Koydo will make available the most recent SOC 2 Type II report (or equivalent) and reasonable documentary evidence in lieu of on-site audit where Customer accepts. Costs are borne by Customer unless the audit reveals material non-compliance, in which case Koydo bears reasonable costs.
12. Return and Deletion
On termination of the MSA — or earlier at Customer's written request — Koydo will return or destroy all Customer Personal Data within 90 days, except where retention is required by law or for the establishment, exercise, or defense of legal claims. A written certificate of destruction is provided on request.
13. CCPA / CPRA — Service-Provider Commitments
To the extent Koydo processes Customer Personal Data subject to the CCPA / CPRA, Koydo is a "service provider" and certifies that it will not:
- sell or share Customer Personal Data;
- retain, use, or disclose Customer Personal Data outside the direct business purpose specified in the MSA;
- combine Customer Personal Data with personal information that Koydo receives from or on behalf of another business, except as permitted by 11 CCR § 7050.
Koydo provides reasonable assistance for Customer to honor Data Subject rights and to fulfill notice obligations under the CCPA / CPRA.
14. Term, Order of Precedence, and Governing Law
This DPA becomes effective when both parties execute the MSA (or, for Educators within scope, when the Educator accepts the applicable terms) and continues for the duration of the MSA. In the event of conflict between this DPA and the MSA, this DPA controls for data-protection matters. The governing law of the MSA applies.
15. Contact
- Data Protection Officer: dpo@koydo.app
- Privacy team: privacy@koydo.app
- Trust and Security: trust@koydo.app
- Vulnerability reports: security@koydo.app
For supervisory-authority complaints, EEA Data Subjects may contact the supervisory authority of their habitual residence (list at edpb.europa.eu); UK Data Subjects may contact the Information Commissioner's Office at ico.org.uk.
16. Updating This DPA
Material updates to this DPA will be notified to Customer at least 30 days before they take effect, through the customer portal and email to the contact on file. Non-material updates (clarifications, typographical fixes, sub-processor list maintenance) take effect on publication and are recorded in Koydo's legal version history.
Data Processing Agreement v2026-05-28 — Effective May 28, 2026 — koydo.app/legal/dpa