Data processing agreement (DPA)

Last updated: 2026-04-22

1. Provider details

This DPA forms part of the agreement between the customer using TeachersFlow (the "Controller") and TeachersFlow (the "Processor") where TeachersFlow processes personal data on behalf of the Controller.

  • Provider: Jan Maxa
  • IČO (Business ID): 24495689
  • Address: Renoirova 652/16, 152 00 Prague 5, Czech Republic
  • Email: info@teachersflow.com

For this DPA, the provider acts as the Processor. This DPA is intended to meet Article 28 GDPR requirements. If you need a signed copy, contact us.

2. Roles

The Controller decides what personal data is entered into TeachersFlow and why it is processed. TeachersFlow processes that personal data only to provide, secure, support, and improve the Service, or as otherwise instructed by the Controller and allowed by law.

3. Controller obligations

  • Use TeachersFlow only with a valid legal basis and required notices, permissions, and consents.
  • Ensure instructions to TeachersFlow are lawful.
  • Keep account access secure and manage organization, teacher, student, activity, and portal-link access responsibly.
  • Review AI-generated output before using it with students or for educational decisions.
  • Respond to data-subject requests where the Controller is responsible for the underlying data.

4. Processor obligations

TeachersFlow will:

  • Process personal data only on documented instructions from the Controller, including these terms and product settings.
  • Ensure persons authorized to process personal data are bound by confidentiality.
  • Use appropriate technical and organizational measures described in Annex 2.
  • Assist the Controller with data-subject requests and GDPR obligations where reasonably possible.
  • Notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data.
  • Delete or return personal data at the end of the Service, subject to law, backups, billing records, security records, support records, and the product deletion flow.

5. Subprocessors

The Controller authorizes TeachersFlow to use the subprocessors listed in Annex 3. TeachersFlow will impose data protection obligations on subprocessors that are appropriate for the services they provide.

We will provide notice of material subprocessor changes by email, in-product notice, or an updated legal page. The Controller may object on reasonable data protection grounds by contacting info@teachersflow.com. If the parties cannot resolve the objection, the Controller may stop using the affected Service.

6. International transfers

Some subprocessors may process personal data outside the EEA, including in the United States. Where required, TeachersFlow will rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, and subprocessor transfer terms.

7. Audits and information

TeachersFlow will provide reasonable information needed to demonstrate compliance with this DPA. Audits must be reasonable and limited to data protection matters, must avoid disruption to the Service and protect confidential information, and must be requested with reasonable notice.

8. Annex 1 - Processing details

  • Subject matter: operation of TeachersFlow for teachers, schools, organizations, and authorized student access.
  • Duration: while the Controller uses the Service, plus any deletion grace period, backup period, and legally required or permitted retention period.
  • Nature of processing: collection, storage, organization, retrieval, hosting, display, sharing, editing, AI processing, file processing, billing support, security, deletion, and export.
  • Purpose: educational productivity workflows, AI-assisted teaching tools, grading assistance, lesson and assessment generation, student progress tracking, activities, teaching materials, organization management, billing, support, feedback handling, security, and compliance.
  • Data subjects: teachers, organization admins, organization teachers, students, parents or guardians receiving student links, activity participants, and other people whose data is entered by the Controller.
  • Personal data: names, emails, account identifiers, organization data, student names, classes, subjects, grades, assessments, notes, activity answers, submissions, files, photos, teaching materials, Google Docs text and metadata, prompts, AI outputs, Flowee messages and memory, support and feedback messages, usage counters, access tokens, billing identifiers, and technical data.
  • Special categories: TeachersFlow is not intended for special-category data unless the Controller chooses to enter it and has a lawful basis. The Controller should avoid entering unnecessary sensitive data.

9. Annex 2 - Security measures

  • Access control: account authentication, httpOnly session cookies, role-based product access, organization linking, and least-privilege practices where applicable.
  • Credential protection: password hashing and token invalidation after password reset.
  • Token protection: Google OAuth tokens are encrypted before storage.
  • Transport security: HTTPS/TLS for production web traffic where deployed behind HTTPS.
  • Application security: rate limiting, request-size limits, CORS configuration, security headers, input limits, and server-side authorization checks.
  • Data separation: user, organization, class, student, and material access is checked at the application level.
  • Deletion: account deletion scheduling, grace period reminders, primary-system deletion where reasonably possible, and file deletion for supported stored files, subject to backups, logs, and legally required retention.
  • Vendor management: use of established infrastructure, database, payment, email, analytics, storage, and AI providers.

10. Annex 3 - Subprocessors

  • Google Cloud and Google Cloud Storage: hosting, infrastructure, file storage, and security.
  • Google Gemini / Google AI: AI text, image, and embedding processing for AI-assisted features.
  • Google: Google sign-in, Google Docs/Drive access, Google Analytics, Google Tag, Google Fonts, and related browser-delivered services.
  • MongoDB Atlas: database hosting, storage, and vector search.
  • Stripe: payments, subscriptions, invoices, billing portal, and related fraud prevention.
  • Mailgun: transactional email delivery.
  • Content delivery providers: delivery of browser-loaded libraries such as MathJax, where used.

11. Governing law

This DPA is governed by the laws of the Czech Republic.

12. Contact

Questions about this DPA can be sent to info@teachersflow.com.