Data Processing Agreement

Effective date: 2026-03-10

This Data Processing Agreement (“DPA”) is entered into by and between:

  1. The Controller: The Customer utilizing Scoold Cloud services, hereinafter referred to as the “Controller”;
  2. The Processor: Erudika Ltd., with its principal place of business at 4 Lelinska Chuka Str., 1618 Sofia, Bulgaria, hereinafter referred to as the “Processor”;

Together referred to as “Parties.” This DPA is an addendum to the agreement between the Parties governing the provision of the Scoold Cloud service (“Agreement”).

Article 1 - Roles of the Parties

1.1 The Controller determines the purposes and means of the processing of Personal Data.

1.2 The Processor processes Personal Data on behalf of the Controller strictly in accordance with the terms of this DPA and applicable Data Protection Laws.

Article 2 - Purpose Limitation

2.1 The Processor shall process Personal Data solely for the purpose of providing Scoold Cloud services as outlined in the Agreement.

2.2 The Processor shall not process Personal Data for its own purposes or those of any third party unless required by law.

Article 3 - Categories of Personal Data and Data Subjects

3.1 The Personal Data processed may include:

  • Name and surname
  • Email address
  • Data provided by users via Scoold Cloud services
  • Cookies and tracking data

3.2 The data subjects include:

  • Users of the Controller’s Scoold Cloud services
  • Employees and associates of the Controller

Article 4 - Processor Personnel

4.1 The Processor ensures that its employees and subcontractors authorized to process Personal Data are bound by confidentiality obligations.

Article 5 - Security Measures

5.1 The Processor shall implement appropriate technical and organizational measures to ensure the security of Personal Data in accordance with Article 32 of GDPR.

Article 6 - Audits

6.1 The Controller has the right to conduct audits of the Processor’s data processing activities to verify compliance with GDPR.

6.2 The Processor shall provide necessary documentation to demonstrate compliance.

Article 7 - Data Breach Notification

7.1 The Processor shall notify the Controller of any Personal Data Breach within 24 hours of discovery.

7.2 The Processor shall provide relevant details of the breach and assist in mitigating its effects.

Article 8 - Data Subject Rights

8.1 The Processor shall assist the Controller in responding to requests from data subjects exercising their GDPR rights.

8.2 The Processor shall notify the Controller of any such request within two (2) business days.

Article 9 - Subprocessors

9.1 The Processor may engage third parties for data processing, provided they meet GDPR requirements.

9.2 The current subprocessors include:

  • Amazon Web Services LLC
  • Intuit Inc. (Mailchimp)

9.3 The Processor shall inform the Controller in writing of any intended changes to subprocessors at least 30 days in advance.

Article 10 - Data Transfers

10.1 The Processor shall not transfer Personal Data outside the European Economic Area (EEA) without prior written consent from the Controller and appropriate safeguards.

Article 11 - Retention of Data

11.1 The Processor shall retain Personal Data only as long as necessary for the provision of services or as required by applicable law.

Article 12 - Deletion and Return of Data

12.1 Upon termination of the Agreement, the Processor shall, at the Controller’s choice, delete or return all Personal Data unless legally required to retain it.

Article 13 - Liability

13.1 Each Party shall be liable for its own breaches of this DPA, in accordance with Article 82 of GDPR.

Article 14 - Governing Law & Dispute Resolution

14.1 This DPA shall be governed by the laws of Bulgaria.

14.2 Any disputes shall be settled before the competent courts in the Controller’s jurisdiction.

Article 15 - Contact Person

15.1 The Processor’s designated contact person for data protection matters:

Alexander Bogdanovski, Managing Director, Erudika Ltd. Email: [Insert Contact Email]

Article 16 - AI Transparency & Governance (EU AI Act)

16.1 Scope of AI Use

We implement AI Systems solely as supportive functionality within our services. Such systems do not operate autonomously in a manner that produces legal or similarly significant effects on individuals.

We assess AI use cases against applicable regulatory frameworks, including the forthcoming EU Artificial Intelligence Act (EU AI Act), and classify them according to risk level where applicable.

16.2 Risk Classification and Compliance Approach

We design and operate our AI Systems under the assumption that they fall within limited-risk or minimal-risk categories under the EU AI Act. Where AI features may qualify as higher-risk under evolving regulatory guidance, we commit to:

  • performing documented risk assessments;
  • implementing additional safeguards and controls;
  • updating this policy and associated agreements accordingly.

16.3 Transparency to Users

Where users interact with AI-enabled features, we ensure appropriate transparency by:

  • clearly indicating when AI functionality is being used;
  • providing general information about the role and limitations of AI in the service;
  • avoiding misleading representations of AI capabilities.

16.4 Human Oversight and Control

We maintain meaningful human oversight over AI-assisted processes. AI outputs are not relied upon as sole decision-making mechanisms where such decisions may affect users. Customers retain full control over how AI features are used within their environment.

16.5 Accuracy, Robustness, and Security

We take reasonable steps to ensure that AI Systems used in our services are:

  • technically robust and resilient to errors;
  • monitored for performance and reliability;
  • protected against unauthorized access, manipulation, or misuse.

We continuously evaluate system performance and apply updates where necessary to maintain reliability.

16.6 Data Governance

AI Systems operate under strict data governance principles aligned with GDPR, including:

  • data minimization;
  • purpose limitation;
  • access controls and data isolation.

As stated in Section 14, Customer Data is not used for AI training or model improvement.

16.7 Accountability and Documentation

We maintain internal documentation describing:

  • AI system functionality and intended purpose;
  • data flows and processing activities;
  • risk assessments and mitigation measures.

Such documentation may be made available to customers upon reasonable request, subject to confidentiality and security considerations.

16.8 Continuous Monitoring and Regulatory Alignment

We monitor regulatory developments related to the EU AI Act and commit to:

  • updating our practices and documentation as requirements evolve;
  • implementing additional controls where legally required;
  • cooperating with competent authorities where applicable.

Annex - AI Data Processing Addendum

This Annex forms an integral part of the Data Processing Agreement (DPA) and applies to any processing involving AI Systems.

A.1 Binding Instructions

The Processor shall process Customer Data in connection with AI Systems strictly in accordance with the Controller’s documented instructions and solely for the purpose of providing the services. Any use of Customer Data for AI training or model improvement is expressly prohibited and outside the scope of permitted processing.

A.2 Prohibition on Training and Secondary Use

The Processor shall not, and shall ensure that its subprocessors do not:

  • use Customer Data to train, retrain, fine-tune, or validate AI models;
  • incorporate Customer Data into training datasets, embeddings, or model weights;
  • use Customer Data to improve service performance beyond the specific request context;
  • disclose Customer Data to any third party for AI training purposes.

This prohibition survives termination of the Agreement.

A.3 Technical Controls

The Processor shall implement technical controls designed to enforce the above restrictions, including where applicable:

  • disabling training flags or telemetry that would enable model learning;
  • ensuring stateless or ephemeral processing of AI inputs and outputs;
  • preventing persistence of prompts and outputs beyond necessary service delivery;
  • logical and physical data isolation between customers.

A.4 Subprocessor Flow-Down Obligations

Where AI-related subprocessors are engaged, the Processor shall ensure that:

  • equivalent obligations to those set out in this Annex are imposed contractually;
  • subprocessors are prohibited from retaining or using Customer Data for training;
  • subprocessors provide sufficient guarantees under Article 28 of GDPR.

The Processor remains fully liable for the performance of its subprocessors.

A.5 Transparency and Assistance

The Processor shall, upon reasonable request, provide the Controller with information necessary to demonstrate compliance with this Annex, including:

  • a description of AI processing activities;
  • confirmation of training prohibitions;
  • relevant security and data handling measures.

A.6 Data Subject Rights and AI Processing

The Processor shall assist the Controller in responding to data subject requests relating to AI processing, including access, erasure, and restriction requests, in accordance with Articles 15-18 of GDPR.

A.7 Precedence

In the event of any inconsistency between this Annex and other provisions of the DPA or Agreement, this Annex shall take precedence with respect to AI-related processing.


Signed by the duly authorized representatives of the Parties:

Controller:
Name: ______________________
Title: ______________________
Date: ______________________

Processor (Erudika Ltd.):
Name: ______________________
Title: ______________________
Date: ______________________

This DPA is effective as of the date of last signature.