Data Processing Agreement

Last updated: Sept 24, 2025

Important: This Data Processing Agreement ("DPA") is an integral part of our service agreement with educational institutions. XFocus AS exclusively serves schools and educational organizations. This DPA governs how we process personal data on behalf of schools in compliance with GDPR Article 28.

This agreement should be read together with our Terms of Service and Privacy Policy.

1. Definitions and Roles

1.1 Parties

Data Controller: The educational institution (school, district, or organization) that determines the purposes and means of processing personal data.

Data Processor: XFocus AS, acting on behalf of and under the instructions of the Controller.

1.2 Scope

This DPA governs the processing of personal data by XFocus AS when providing educational platform services to Controllers, in accordance with GDPR Article 28.

2. Nature and Purpose of Processing

2.1 Categories of Data

XFocus processes the following categories of personal data on behalf of Controllers:

  • Student names and identifiers
  • Email addresses
  • Class and project information
  • Educational content and submissions
  • Learning activity data
  • Communication within the platform
  • Assessment and progress data

2.2 Purpose of Processing

Processing is performed solely to provide educational platform services including project-based learning management, student collaboration tools, and educational content delivery as instructed by the Controller.

2.3 Duration

Processing continues for the duration of the service agreement. Upon termination, data will be returned or anonymized according to Section 8 of this DPA.

3. Processor Obligations

XFocus AS commits to:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with Controller authorization
  • Assist the Controller in responding to data subject requests
  • Assist with security, breach notifications, and impact assessments
  • Anonymize or return all personal data after service termination
  • Make available information necessary to demonstrate compliance
  • Submit to audits conducted by the Controller or authorized auditor

4. Sub-Processors

4.1 Authorization

The Controller provides general authorization for XFocus AS to engage the sub-processors listed below. XFocus AS will notify Controllers of any intended changes concerning sub-processors, giving the Controller opportunity to object.

4.2 Current Sub-Processors

Service ProviderPurposeLocationData Processed
Amazon Web ServicesInfrastructure & HostingEU (Frankfurt)All platform data
StripePayment ProcessingEU/USBilling contact information only
OpenAIAI Learning FeaturesUSConversation content (optional feature)
ResendEmail ServicesUSEmail addresses, notification content
SentryError MonitoringUSError logs, performance data (anonymized)

Note: This list is maintained and updated at xfocus.no/legal/dpa

4.3 Sub-Processor Requirements

XFocus AS ensures all sub-processors are bound by data protection obligations no less protective than those in this DPA and remain fully liable for sub-processor performance.

5. Security Measures

5.1 Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Regular security updates and patch management
  • Access controls and authentication mechanisms
  • Network security and firewall protection
  • Regular automated backups
  • Monitoring and logging of access

5.2 Organizational Measures

  • Confidentiality agreements with all personnel
  • Regular security training for staff
  • Access on a need-to-know basis
  • Incident response procedures
  • Regular security assessments
  • Data protection by design and default

6. Data Breach Notification

6.1 Notification Timeline

XFocus AS will notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a personal data breach affecting Controller's data.

6.2 Information Provided

Breach notifications will include:

  • Nature of the breach and categories of data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for more information

7. Data Subject Rights

7.1 Assistance

XFocus AS will assist the Controller in fulfilling obligations to respond to data subject requests for:

  • Access to personal data
  • Rectification or erasure
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Right to anonymization instead of deletion where applicable

7.2 Response Timeline

XFocus AS will respond to Controller requests for assistance within 10 business days or as required to meet regulatory deadlines.

8. Data Return and Anonymization

8.1 Upon Termination

Upon termination of services, XFocus AS will, at the Controller's choice:

  • Return all personal data to the Controller in a standard format
  • Anonymize all personal data, rendering it non-identifiable and non-attributable
  • Both return and then anonymize the data

Anonymized data may be retained for statistical analysis and service improvement purposes.

8.2 Anonymization Process

Anonymization will be performed using industry-standard techniques to ensure data cannot be re-identified. This includes removing direct identifiers, generalizing quasi-identifiers, and applying appropriate statistical disclosure controls.

8.3 Retention Exceptions

Complete anonymization does not apply to data XFocus AS is required to retain under EU or Norwegian law. Such data will be protected and processing limited to legal requirements only.

9. Audits and Compliance

9.1 Audit Rights

The Controller has the right to conduct audits to verify XFocus AS's compliance with this DPA, subject to:

  • Reasonable advance notice (minimum 30 days)
  • During regular business hours
  • No more than once per year unless required by regulators
  • Conducted by independent third-party auditors bound by confidentiality

9.2 Compliance Documentation

XFocus AS maintains records of processing activities and will provide relevant compliance documentation upon reasonable request.

10. Liability and Indemnification

10.1 Limitation of Liability

Liability under this DPA is subject to the limitations set forth in the main service agreement, except where prohibited by applicable law.

10.2 Indemnification

Each party will defend and indemnify the other against claims arising from that party's breach of this DPA or applicable data protection laws.

11. International Transfers

Personal data is primarily processed within the EEA. Any transfers outside the EEA are conducted using appropriate safeguards:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Other mechanisms approved under GDPR

12. Term and Termination

This DPA remains in effect for the duration of the service agreement. Provisions relating to data protection obligations survive termination to the extent required by applicable law.

13. Governing Law

This DPA is governed by Norwegian law and GDPR. Disputes shall be resolved according to the dispute resolution provisions in the main service agreement.

14. Contact Information

Data Protection Contact:

XFocus AS
General Support: support@xfocus.no

15. Agreement

By using XFocus services as an educational institution, the Controller agrees to the terms of this Data Processing Agreement. This DPA forms part of and is incorporated into the main service agreement.

XFocus | Manage all student-led projects in one place