Data Processing Addendum

Last update: September 11, 2025

This Data Processing Addendum (“DPA”) forms an integral part of, and is incorporated into, the agreement or other written or electronic contract (the “Agreement”) between TechClass (“Processor”) and the customer entity that has entered into the Agreement (“Controller”). This DPA governs the Processing of Personal Data in connection with the provision of TechClass services, including without limitation the Onboarding Training Platform, TechClass Training Library™, and TechClass AI (collectively, the “Services”).

This DPA reflects the Parties’ agreement regarding the Processing of Personal Data under applicable data protection and privacy laws, including, as applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the Swiss Federal Act on Data Protection (“FADP”) (collectively, the “Data Protection Laws”).

1. Definitions

For the purposes of this DPA, the following definitions shall apply:

“Controller” means the entity that determines the purposes and means of Processing Personal Data.

“Processor” means TechClass, which Processes Personal Data on behalf of the Controller.

“Data Protection Laws” means all applicable laws and regulations relating to the protection of Personal Data, including GDPR, UK GDPR, and FADP.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Sub-processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

“Processing” (and its cognates) shall have the meaning given in the Data Protection Laws.

2. Scope and Application

2.1. This DPA shall apply where and to the extent the Controller submits Personal Data to TechClass for Processing in connection with the Services.

2.2. With respect to such Processing, the Controller shall be deemed the Controller and TechClass shall be deemed the Processor within the meaning of the Data Protection Laws.

2.3. TechClass shall Process Personal Data strictly in accordance with this DPA, the Agreement, and the documented lawful instructions of the Controller, except where required otherwise by applicable law.

3. Roles and Responsibilities

3.1. Controller Obligations

The Controller shall:

  1. ensure that it has established a lawful basis for the Processing of Personal Data;
  2. provide the Processor with documented instructions regarding such Processing; and
  3. ensure that data subjects are properly informed of the Processing as required under Data Protection Laws.

3.2. Processor Obligations

The Processor shall:

  1. Process Personal Data solely on the documented instructions of the Controller, unless otherwise required by applicable law;
  2. implement and maintain appropriate technical and organizational measures to safeguard Personal Data; and
  3. ensure that any personnel authorized to Process Personal Data are bound by confidentiality obligations.

3.3. Confidentiality

TechClass must treat all Customer Personal Data as the Controller’s Confidential Information under the Agreement. TechClass shall ensure that all personnel authorized to process Customer Personal Data are bound by written or statutory obligations of confidentiality.

4. Sub-Processing

4.1 The Controller authorizes the Processor to engage Sub-processors as necessary for the performance of the Services.

4.2 A current list of Sub-processors engaged by TechClass is made available at: [link to Subprocessors page].

4.3 The Processor shall provide the Controller with reasonable notice of the addition or replacement of Sub-processors, thereby granting the Controller the opportunity to object to such changes, to the extent permitted by Data Protection Laws.

5. International Data Transfers

5.1 Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, the Processor shall ensure that such transfers are safeguarded in accordance with applicable Data Protection Laws, including, without limitation, through the implementation of:

  1. Standard Contractual Clauses (SCCs) approved by the European Commission;
  2. the UK International Data Transfer Addendum; and/or
  3. the Swiss Addendum, as applicable.

6. Security

The Processor shall implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including, without limitation:

  1. encryption of Personal Data in transit and at rest;
  2. access controls and authentication measures;
  3. regular testing, assessment, and evaluation of security measures; and
  4. documented incident response and breach notification procedures.

7. Data Subject Rights

The Processor shall, to the extent reasonably practicable, assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Data Protection Laws, including, without limitation, the rights of access, rectification, erasure, restriction, portability, and objection.

8. Data Breach Notification

In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay upon becoming aware of such breach, providing information sufficient to enable the Controller to comply with its obligations under Data Protection Laws.

9. Data Retention and Deletion

Upon termination or expiration of the Services, the Processor shall, at the written election of the Controller:

  1. securely delete all Personal Data, or
  2. return all Personal Data to the Controller,

unless applicable law requires continued retention.

10. Audits and Compliance

10.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

10.2 Upon reasonable prior notice, the Controller (or an independent auditor appointed by the Controller) may conduct audits, limited to once annually unless otherwise required by law.

11. Miscellaneous

11.1 In the event of conflict or inconsistency between this DPA and any other provisions of the Agreement, the provisions of this DPA shall prevail with respect to the Processing of Personal Data.

11.2 This DPA shall be governed by and construed in accordance with the laws of Finland. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Finland.

12. Order of Precedence

In the event of conflict or inconsistency between this DPA, the Agreement, and any related documentation, the following order of precedence shall apply:

  1. This DPA;
  2. The Agreement;
  3. Any other related documents or policies.

Annex 1 – Details of Processing

  1. Subject Matter: Processing of Personal Data in connection with the provision of the Services.
  2. Duration: For the term of the Agreement between the Parties.
  3. Nature and Purpose of Processing: Hosting, storage, learning management, AI-powered content generation, analytics, and reporting.
  4. Types of Personal Data: Employee information, login credentials, training progress, assessments, certifications.
  5. Categories of Data Subjects: Employees, contractors, students, and other authorized users of the Controller.