Data Processing Agreement

Effective Date: March 20, 2026  ·  Agreement Version: 1.0  ·  Governing Law: GDPR Art. 28 (EU 2016/679)

GDPR Art. 28 — Data Processing Agreement

Preamble

This Data Processing Agreement ("DPA") supplements the Syllabi Terms of Service between Syllabi, Inc. ("Syllabi" or "Processor") and the organization executing this agreement ("Controller" or "Customer"), and forms part of the overall agreement between the parties. This DPA governs the processing of personal data that Syllabi performs on behalf of the Controller in connection with Syllabi's learning management services.

This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR") and any equivalent national implementing laws.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the GDPR. In addition:

1.1 Processor (Syllabi)

"Processor" means Syllabi, Inc., which processes personal data on behalf of the Controller in connection with providing the Syllabi platform and related services.

1.2 Controller (Customer)

"Controller" means the organization (identified during the signature process) that determines the purposes and means of the processing of personal data and that has engaged Syllabi to provide learning management services.

1.3 Data Subjects

"Data Subjects" means the Controller's employees, contractors, learners, or other individuals whose personal data is processed through the Syllabi platform on behalf of the Controller.

1.4 Personal Data

"Personal Data" has the meaning given in GDPR Art. 4(1): any information relating to an identified or identifiable natural person.

1.5 Processing

"Processing" has the meaning given in GDPR Art. 4(2) and includes collection, storage, retrieval, use, disclosure, and erasure of personal data.

2. Subject Matter and Nature of Processing

Syllabi processes personal data on behalf of the Controller for the purpose of providing its AI-powered learning management platform, including:

  • Creating and managing user accounts for the Controller's employees/learners
  • Generating AI-powered training courses and compliance content
  • Tracking learner progress, assessment scores, and completion records
  • Issuing certificates of completion and maintaining training records
  • Providing analytics and reporting on training outcomes
  • Maintaining audit logs for compliance purposes

2.1 Duration

This DPA applies for the duration of the services agreement between the Controller and Syllabi. Upon termination, Section 10 (Data Deletion and Return) governs the disposition of personal data.

2.2 Categories of Data Subjects

  • The Controller's employees, contractors, and authorized users
  • Learners enrolled in courses administered through Syllabi
  • Organization administrators and compliance officers

2.3 Categories of Personal Data

  • Identity data: Name, email address, organizational role
  • Training data: Course completion status, assessment scores, certificates, time-on-task
  • Authentication data: Session tokens, login timestamps, IP addresses (in audit logs)
  • Compliance data: Signed agreement records, audit log events
  • Content: Text extracted from documents uploaded for course generation (processed in-memory, not persisted)

2.4 Special Categories

Syllabi does not intentionally process special categories of personal data (GDPR Art. 9) such as health data, racial or ethnic origin, or political opinions. The Controller is responsible for ensuring that no special category data is uploaded to Syllabi unless appropriate safeguards are in place and an appropriate legal basis exists. Controllers using Syllabi for HIPAA-covered healthcare training should also execute a Business Associate Agreement (available here).

3. Processor Obligations

3.1 Instructions

Syllabi shall process personal data only on documented instructions from the Controller, including the instructions set out in the services agreement and this DPA, unless processing is required by applicable law. If Syllabi becomes aware that a processing instruction infringes the GDPR, Syllabi will inform the Controller.

3.2 Confidentiality

Syllabi ensures that persons authorized to process personal data are bound by appropriate confidentiality obligations. Syllabi's staff who access personal data are subject to employment agreements with confidentiality obligations. Syllabi does not disclose personal data to third parties except as authorized under this DPA or required by law.

3.3 Purpose Limitation

Syllabi processes personal data solely for the purposes set out in Section 2 and does not process personal data for its own commercial purposes unrelated to the service. In particular:

  • Content submitted for course generation is not used to train Syllabi's or its AI providers' models
  • Learner data is not sold or shared with advertising platforms
  • No behavioral profiling is performed for commercial purposes

4. Technical and Organizational Security Measures

Pursuant to GDPR Art. 28(3)(c) and Art. 32, Syllabi implements and maintains the following technical and organizational measures:

4.1 Access Controls

  • Least privilege: Role-based access control (RBAC) with six distinct roles. Access is limited to data necessary for each role's function.
  • Multi-tenant isolation: All data is scoped to organization IDs. No cross-organization data access is possible through normal application flows.
  • Authentication: Passwordless magic link authentication eliminates password breach risk. Configurable session timeouts enforce automatic sign-out.
  • Account lockout: Configurable lockout after repeated failed login attempts (default: 5 attempts, 15-minute lockout).
  • Internal access: Syllabi engineering staff cannot access Controller's data through normal application flows. Production data access requires explicit escalation and is audited.

4.2 Encryption

  • In transit: TLS 1.2+ enforced for all connections. HSTS headers prevent downgrade attacks. HTTP connections are automatically upgraded.
  • At rest: Database storage (Neon PostgreSQL) uses AES-256 encryption at rest. All backups are encrypted.
  • Authentication tokens: JWT tokens are signed with a secure secret and expire after 7 days.

4.3 Audit Logging

Syllabi maintains append-only audit logs of security-relevant events including: user logins and failures, member additions/removals, role changes, data exports, and course/content operations. Audit logs are retained for a minimum of 2 years (standard) or 6 years for organizations using HIPAA Mode.

4.4 Availability and Resilience

  • Application hosted on Render, Inc. (SOC 2 Type II certified)
  • Database hosted on Neon, Inc. (SOC 2 Type II certified) with automatic backups
  • DDoS protection provided by Cloudflare, Inc.
  • Automated health monitoring and alerting

4.5 Personnel Measures

  • Workforce training on data protection responsibilities
  • Confidentiality agreements for all personnel with data access
  • Regular security reviews of application code and infrastructure
  • Principle of minimum necessary access applied to all internal access

5. Sub-Processors

The Controller provides general authorization for Syllabi to engage the following sub-processors. Syllabi is responsible for ensuring each sub-processor provides at least equivalent data protection guarantees.

Sub-Processor              Purpose                         Data Processed                                Location
Render, Inc.               Cloud hosting and compute       All application data (in-memory processing)   United States
Neon, Inc.                 Managed PostgreSQL database     All persisted personal data                   United States
Anthropic, PBC             AI course generation (Claude)   Document text, generation prompts             United States
OpenAI, LLC                AI course generation (GPT)      Document text, generation prompts             United States
Stripe, Inc.               Payment processing              Email, billing name, payment tokens           United States
Postmark (ActiveCampaign)  Transactional email delivery    Email address, email content                  United States
Cloudflare, Inc.           CDN, DDoS protection, DNS       IP addresses, request metadata                US / Global

5.1 Changes to Sub-Processors

Syllabi will provide the Controller with at least 30 days' advance notice before adding or replacing a sub-processor. This notice will be provided via email to the organization's primary administrator. The Controller may object to such changes on reasonable data protection grounds within the 30-day notice period. If Syllabi and the Controller cannot resolve the objection, either party may terminate the services agreement on written notice.

6. Breach Notification

6.1 Notification Obligation

In the event of a personal data breach as defined in GDPR Art. 4(12), Syllabi will notify the Controller without undue delay and within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33. This timeline is consistent with the Controller's notification obligations to supervisory authorities.

6.2 Notification Content

Syllabi's breach notification will include, to the extent available at the time of notification:

  • A description of the nature of the breach including, where possible, the categories and approximate number of Data Subjects and records affected
  • The name and contact details of Syllabi's data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

Where not all information is available at the time of initial notification, Syllabi will provide additional information as it becomes available.

6.3 Notification Channel

Breach notifications will be sent to the primary administrator email address registered to the Controller's organization. The Controller is responsible for maintaining current contact information in organization settings.

6.4 Cooperation

Syllabi will cooperate with the Controller and provide all information reasonably necessary to enable the Controller to fulfill its own breach notification obligations under GDPR Art. 33 and Art. 34.

7. Data Subject Rights

Syllabi will assist the Controller in fulfilling its obligations to respond to Data Subject requests under GDPR Chapter III (Arts. 15–22). Specifically:

  • Access (Art. 15): Syllabi will provide data exports to enable the Controller to respond to access requests
  • Erasure (Art. 17): Syllabi will delete specified Data Subjects' data upon Controller's written instruction, subject to retention obligations
  • Portability (Art. 20): Syllabi provides CSV/machine-readable data exports for completion records and user data
  • Rectification (Art. 16): Controllers can update user data directly; Syllabi will assist for data not directly editable

The Controller is responsible for managing Data Subject requests. Syllabi will not respond directly to Data Subjects without the Controller's authorization unless required by applicable law.

If Syllabi receives a request directly from a Data Subject relating to the Controller's data, Syllabi will notify the Controller promptly and direct the Data Subject to the Controller, unless prohibited by law.

8. Controller Obligations

The Controller agrees to:

  • Process personal data in compliance with applicable data protection law, including providing appropriate legal bases for all processing
  • Provide Data Subjects with appropriate privacy notices, including the information required by GDPR Art. 13/14, before enrolling them on Syllabi
  • Ensure that any special categories of personal data (Art. 9) or data relating to criminal convictions (Art. 10) are not processed through Syllabi without appropriate safeguards
  • Not instruct Syllabi to process personal data in a manner that violates the GDPR or other applicable law
  • Maintain up-to-date contact information for the organization's primary administrator, to receive breach notifications and sub-processor change notices
  • Ensure appropriate access controls within their organization (managing roles, removing access for departed employees)

9. International Transfers

All personal data processed under this DPA is transferred to and processed in the United States. Syllabi relies on the following legal mechanisms for such transfers from the EEA, UK, and Switzerland:

9.1 Standard Contractual Clauses (SCCs)

For transfers from the EEA, Syllabi relies on the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller to Processor), which are incorporated by reference into this DPA and available upon request.

9.2 UK Transfers

For transfers from the United Kingdom, Syllabi relies on the International Data Transfer Addendum (IDTA) issued by the UK ICO, or UK addenda to EU SCCs as applicable.

9.3 Switzerland

For transfers from Switzerland, Syllabi relies on the standard data protection clauses issued by the Federal Data Protection and Information Commissioner (FDPIC).

9.4 Sub-Processor Transfers

Each sub-processor listed in Section 5 processes data in the United States under its own transfer mechanism (SCCs, adequacy decision, or equivalent). Details are available in each sub-processor's DPA documentation. Syllabi will provide this information upon request.

10. Data Deletion and Return

10.1 On Termination

Upon termination or expiration of the services agreement for any reason, Syllabi will, at the Controller's election made within 30 days of termination:

  • Return: Provide a complete export of the Controller's data (user records, course content, learner completion data, audit logs) in a machine-readable format (CSV/JSON) within 30 days; or
  • Delete: Securely delete all personal data from Syllabi's production systems within 30 days, and provide written confirmation of deletion.

10.2 Backup Retention

Encrypted backup data may persist for up to 60 days beyond the deletion confirmation date due to backup rotation schedules. Syllabi will not restore this data for any purpose after the deletion instruction is received.

10.3 Legal Retention

Notwithstanding the above, Syllabi may retain data where required by applicable law (e.g., financial transaction records required by law for 7 years), provided such retained data is minimized and isolated from active processing.

10.4 Retention During Services

During the term of the services agreement, Syllabi retains personal data in accordance with the retention periods in Syllabi's Privacy Policy (Section 6), unless the Controller specifies shorter retention in writing.

11. Audit Rights

11.1 Audit and Inspection

The Controller may audit Syllabi's data processing activities to verify compliance with this DPA. Syllabi will:

  • Respond to Controller's reasonable written questionnaires regarding security controls and data processing practices within 30 days
  • Upon reasonable written notice (minimum 30 days), make available information necessary to demonstrate compliance with this DPA
  • Provide access to relevant audit logs and security documentation upon request

11.2 Frequency and Cost

The Controller may conduct audits no more than once per calendar year, except where a data breach or regulatory requirement necessitates more frequent review. The Controller is responsible for the costs of any audit (including any third-party auditor engaged by the Controller), except where the audit reveals a material breach by Syllabi.

11.3 Certification as Substitute

In lieu of an on-site audit, Syllabi may provide relevant third-party audit reports, certifications (SOC 2, ISO 27001), or security assessments to satisfy audit obligations, to the extent these address the Controller's audit scope.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the liability limitations set out in the applicable services agreement. Nothing in this DPA limits either party's liability to Data Subjects or to supervisory authorities under applicable data protection law. Each party will indemnify the other for regulatory fines, damages, and costs arising from that party's breach of GDPR obligations that are solely attributable to the breaching party.

13. Miscellaneous

13.1 Order of Precedence

In the event of a conflict between this DPA and the services agreement, this DPA shall prevail with respect to data protection matters. In the event of a conflict between this DPA and the Standard Contractual Clauses, the SCCs shall prevail.

13.2 Amendment

Syllabi may update this DPA by providing 30 days' written notice to the Controller's primary administrator. The Controller may reject updates that materially reduce data protection standards within the notice period. Continued use of the service after the notice period constitutes acceptance.

13.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions remain in full force and effect.

13.4 Governing Law

This DPA is governed by the laws of the State of Delaware, except where the GDPR, UK GDPR, or Standard Contractual Clauses require the application of EU or UK law.

14. Contact

For GDPR-related inquiries, data subject requests, or questions about this DPA:

Data Protection Contact, Syllabi, Inc.
Email: privacy@syllabi-hsek.polsia.app
Subject line: DPA Inquiry — [Organization Name]

By signing, you confirm that you are authorized to enter into this agreement on behalf of your organization as the Data Controller.