This Data Processing Agreement ("DPA") forms part of the Terms of Service between EuroDesk OS ("Processor") and the agency customer ("Controller"). It governs the processing of personal data under the EU General Data Protection Regulation (GDPR) and UK GDPR.
1. Definitions
- "GDPR" means Regulation (EU) 2016/679 General Data Protection Regulation.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Data Subject" means the identified or identifiable natural person whose Personal Data is processed.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data.
2. Scope and Roles
The Controller is the agency that uploads student data to the EuroDesk OS platform. The Processor is EuroDesk OS, which processes Personal Data on behalf of the Controller to provide transcript parsing, university matching, visa monitoring, and CRM services.
The nature and purpose of processing is the automation of European university matching, visa compliance tracking, and student application management for study-abroad agencies.
3. Categories of Data Subjects and Personal Data
3.1 Data Subjects
- Agency personnel (counselors, administrators)
- Students whose data is uploaded by agencies
3.2 Categories of Personal Data
- Names, email addresses, phone numbers
- Nationality and target country information
- Academic transcripts and grades
- Visa application documents
- University match results and application status
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are committed to confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject rights requests
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach
- Delete or return all Personal Data upon termination of services
- Maintain records of processing activities and make them available to supervisory authorities upon request
5. Security Measures
The Processor implements the following security measures:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Row Level Security (RLS) for multi-tenant data isolation
- Private storage buckets with agency-scoped access
- Service role keys used only server-side, never exposed to frontend
- Rate limiting on API endpoints
- CORS restrictions to authorized domains only
- File type validation and size limits
- Regular security audits and penetration testing
6. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|
| Supabase, Inc. | Database, Authentication, Storage | European Union (Germany) |
| Vercel Inc. | Frontend Hosting & Server Functions | European Union (Germany) |
| Google Cloud Platform | Backend Hosting & AI Services | European Union (Germany) / United States |
| Cloudflare, Inc. | Object Storage & Security Services | European Union |
| Resend Inc. | Email Service (Transactional & Marketing) | European Union (Ireland) |
| PostHog, Inc. | Product Analytics | European Union |
| Functional Software, Inc. (Sentry) | Error Tracking & Monitoring | European Union |
| Eleven Labs Inc. | AI Voice Generation | United States |
| Fal Labs (fal.ai) | AI Video Generation | United States |
| PayPal, Inc. | Payment Processing | United States |
| LinkedIn Corporation | Social Media Integrations | United States |
| Jina AI GmbH | Search & Enrichment Services | European Union (Germany) |
| Serper.dev | Search API Services | United States |
The Processor shall notify the Controller of any intended changes to Sub-processors. The Controller may object to new Sub-processors within 14 days of notification.
7. International Data Transfers
The majority of your data is processed and stored within the European Economic Area (EEA). Specifically:
- Database, Authentication & Storage: Supabase (Frankfurt, Germany)
- Frontend Hosting: Vercel (Frankfurt, Germany)
- Backend API: Google Cloud Run (Frankfurt, Germany)
- Object Storage & Security: Cloudflare (European Union)
- Email: Resend (Ireland)
- Analytics & Monitoring: PostHog & Sentry (European Union)
- Search & Enrichment: Jina AI (Germany)
Limited data transfers outside the EEA occur only for:
- AI Infrastructure: Data may be processed by AI infrastructure providers (Google Cloud, ElevenLabs, fal.ai) in the United States. Transcripts are used solely for processing and are typically not stored long-term by these providers.
- Payments: Transactional data is processed by our payment partner in the United States (PayPal).
- Integrations & Search: Data for social media integrations (LinkedIn) and public search queries (Serper.dev) is processed in the United States.
For all transfers outside the EEA, the Processor ensures appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission
- Adequacy decisions where applicable
- Supplementary technical measures (encryption, access controls)
Sub-processor compliance frameworks:
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure ("right to be forgotten") (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
The Controller may exercise these rights through the platform's self-service tools or by contacting support@eurodesk.io. The Processor will respond within 30 days.
9. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide details including the nature of the breach, categories of data affected, likely consequences, and measures taken
- Assist the Controller in notifying the relevant supervisory authority and affected Data Subjects
- Take immediate steps to mitigate the breach and prevent further unauthorized access
10. Data Retention and Deletion
The Processor shall retain Personal Data for as long as the Controller's account is active. Upon termination:
- The Processor shall delete all Personal Data within 30 days unless a longer retention period is required by law
- The Controller may request a copy of their data before deletion
- Backup copies shall be deleted within 90 days
11. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits of the Processor's compliance, subject to:
- Reasonable prior written notice
- No more than once per year unless a breach has occurred
- Confidentiality obligations
- The Processor's right to redact commercially sensitive information
12. Contact
For questions regarding this DPA or to exercise Data Subject rights, contact:
- Email: support@eurodesk.io
- Website: https://www.eurodesk.io