Data Processing Agreement

DATA PROCESSING AGREEMENT (DPA)

Qoolli Academy

1. DATA CONTROLLER

Qoolli Academy, represented by the owner: Olha Arkusha

(“Controller”)

The Controller determines the purposes and means of processing personal data.

2. DATA PROCESSORS AND THIRD PARTIES

2.1 Data Processors (acting on behalf of the Controller)

• Bluehost (website hosting provider)

• Brevo (email communication and marketing platform)

• Kwiga LMS (learning management system provider)

• WPForms (if used as SaaS form processing service)

These entities process personal data solely on behalf of the Controller and according to documented instructions.

2.2 Independent Data Controllers / Third Parties

• Google Analytics (provided by Google LLC)

Google Analytics processes data as an independent controller under its own privacy terms.

3. PURPOSE OF DATA PROCESSING

Personal data is processed exclusively for the following purposes:

• User registration and account creation

• Provision of access to online courses and LMS platform

• Communication and student support

• Sending service-related notifications and updates

• Issuance of certificates of completion

4. TYPES OF PERSONAL DATA

• Full name

• Email address

No payment data is collected, stored, or processed by the Controller.

5. DATA SUBJECTS

• Students and users of Qoolli Academy

• Individuals registering for online courses

• Users accessing learning and communication systems

Data subjects may be located in the European Union and outside the EU.

6. LEGAL BASIS FOR PROCESSING

• performance of a contract (course access and educational services)

• consent of the data subject (marketing communications, where applicable)

• legitimate interest (platform functionality, communication, and service improvement)

7. PROCESSING INSTRUCTIONS

Processors shall process personal data only on documented instructions from the Controller.

Processors shall not:

• use personal data for their own purposes

• sell or disclose personal data to third parties

• process personal data beyond the agreed purposes

8. DURATION OF PROCESSING

Personal data will be retained for a minimum period of 12 months after the user’s last activity or course completion, and up to 24 months where necessary to provide services such as access to learning materials, communication, and certificate issuance, unless the data subject requests earlier deletion or longer retention is required by law.

9. RIGHTS OF DATA SUBJECTS

• access their personal data

• request correction of inaccurate or incomplete data

• request deletion of personal data

• request restriction of processing

Requests will be handled without undue delay and in any case within one month in accordance with GDPR.

10. SUB-PROCESSORS

The Controller authorizes the use of the sub-processors listed in Section 2.

Sub-processors may process personal data in the European Union and outside the EU, depending on their infrastructure and service location.

11. INTERNATIONAL DATA TRANSFERS

Personal data may be transferred outside the European Union.

Such transfers are safeguarded by appropriate mechanisms, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission

• Adequacy decisions where applicable

Examples include:

• Google LLC (USA) – SCCs

• Brevo (EU/US infrastructure) – SCCs

• Bluehost (depending on infrastructure) – SCCs

12. DATA SECURITY

• SSL/HTTPS encryption

• Password-protected systems and accounts

• Access restriction to authorized persons only

• Regular system and plugin updates

• Security measures provided by hosting and platform providers

13. PERSONAL DATA BREACH

In the event of a personal data breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach.

The Controller is responsible for fulfilling legal obligations regarding notification to supervisory authorities and data subjects where required.

14. ASSISTANCE TO CONTROLLER

Processors shall assist the Controller in fulfilling obligations under GDPR, including:

• handling data subject requests

• supporting deletion or correction of data

• assisting in security incident response

15. CONFIDENTIALITY

All persons authorized to process personal data are bound by confidentiality obligations.

16. DATA DELETION OR RETURN

Upon termination of services or upon request of the Controller, personal data shall be securely deleted or returned, unless retention is required by applicable law.

17. LIABILITY

Each party is responsible for compliance with applicable data protection laws within its own role as Controller or Processor.

18. FINAL PROVISIONS

This Agreement remains in force as long as personal data is processed within Qoolli Academy services and shall be reviewed when processing activities or services materially change.

CONTROLLER

Qoolli Academy

Represented by: Olha Arkusha

Date: 13-04-2026