EduPilotPolicies and agreementsBack to EduPilot

Policies and agreements

Data Processing Agreement (DPA)

The documents that govern EduPilot — in one place and always current. The binding texts are provided in English.

Last updated: July 3, 20266 min read
01Terms of Service02Privacy Policy03Credit Policy04Creator Terms05Purchase Terms06Community Guidelines07AI Transparency08Data Processing (DPA)09Cookie Policy
Contents1. Definitions2. Scope and Purpose of Processing3. AI and Student Data4. Obligations of the Processor5. Obligations of the Controller6. Sub-processors7. International Data Transfers8. Data Subject Rights9. Audits10. Term and Termination11. Liability12. Contact

This Data Processing Agreement (“DPA”) forms part of the agreement between the educational institution or the individual educator who invites learners to the platform (“Controller”, “You”) and Aiventor Sp. z o.o. (“Processor”, “We”, “EduPilot”) for the provision of EduPilot services. For individual educators, this DPA is concluded electronically upon acceptance when first inviting learners.


1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person, including student data, educator data, and usage data
  • Controller — the educational institution that determines the purposes and means of processing personal data
  • Processor — Aiventor Sp. z o.o., which processes personal data on behalf of the Controller
  • Sub-processor — a third party engaged by the Processor to process personal data
  • Student Data — personal data of students processed through EduPilot, including names, emails, learning progress, and generated content
  • Applicable Data Protection Law — GDPR (Regulation (EU) 2016/679), and any applicable national implementations

2. Scope and Purpose of Processing

2.1 Data Processed

Data Category Data Elements Purpose
Educator account data Name, email, organization, role Account management, authentication
Student data (if applicable) Name, email, class/group, learning progress Providing educational services as directed by Controller
Content data Courses, lessons, assessments created Service delivery, storage
Usage data Feature usage, timestamps, interactions Service improvement, troubleshooting
Technical data IP address, device/browser info Security, performance

2.2 Purpose Limitation

The Processor shall process Personal Data only for the following purposes:

  • Providing EduPilot services as described in the Terms of Service
  • Technical support and troubleshooting
  • Service maintenance and security
  • As otherwise instructed in writing by the Controller

The Processor shall not process Personal Data for any other purpose, including but not limited to marketing, profiling, or selling data to third parties.


3. AI and Student Data

3.1 No Training on Student Data. The Processor does NOT use Student Data, educator data, or any content created within EduPilot to train, fine-tune, or improve artificial intelligence or machine learning models.

3.2 AI Processing. When EduPilot uses third-party AI services to generate educational content, inputs are processed solely to produce the requested output. AI sub-processors are contractually prohibited from retaining or using input data for model training.

3.3 AI Transparency. The Processor will clearly indicate when content is AI-generated. The Controller and its educators are responsible for reviewing AI-generated content before use with students.

3.4 No Profiling or Advertising. Data processed on behalf of educational institutions shall not be used for profiling, behavioral advertising, building marketing profiles, or any purpose beyond the contracted educational service. This applies to all Student Data without exception.

3.5 Age of Consent. In Poland, the age of consent for data processing is 16 years (Art. 8 GDPR, maintained by the Polish Act of 10 May 2018). The Controller is responsible for ensuring appropriate legal basis for processing data of students under 16, including obtaining verifiable parental consent where required.


4. Obligations of the Processor

The Processor shall:

4.1 Process Personal Data only on documented instructions from the Controller, unless required by law

4.2 Ensure that persons authorized to process Personal Data are bound by confidentiality obligations

4.3 Implement appropriate technical and organizational security measures, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions
  • Regular security assessments
  • Incident detection and response procedures
  • Backup and disaster recovery

4.4 Not engage another processor (sub-processor) without prior written authorization from the Controller (see Section 6)

4.5 Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within reasonable timeframes

4.6 Assist the Controller with Data Protection Impact Assessments (DPIA) where required

4.7 Notify the Controller of any Personal Data breach without undue delay and no later than 48 hours after becoming aware of the breach, providing:

  • Nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

4.8 Upon termination of the agreement, at the Controller’s choice:

  • Return all Personal Data in a standard format (CSV/JSON), or
  • Delete all Personal Data within 30 days and certify deletion in writing

5. Obligations of the Controller

The Controller shall:

5.1 Ensure that there is a lawful basis for processing (e.g., public task, legitimate interest, consent where required)

5.2 Obtain necessary consents or authorizations for processing student data, including parental consent where required by applicable law

5.3 Inform data subjects (educators, students, parents) about the processing

5.4 Not provide the Processor with Personal Data that is not necessary for the service


6. Sub-processors

6.1 Authorized Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. Current sub-processors:

Sub-processor Service Location Data Processed
Amazon Web Services (AWS) Cloud hosting and storage EU (Frankfurt) / US All data
OpenRouter, Inc. AI model routing US Content inputs (not retained)
Anthropic (Claude) AI content generation US Content inputs (not retained)
OpenAI AI content generation (optional) US Content inputs (not retained)
Google (Gemini) AI content generation (optional) US Content inputs (not retained)
Stripe Payment processing US/EU Payment data only

6.2 Notification of Changes

The Processor will notify the Controller at least 14 days before adding or replacing a sub-processor. The Controller may object in writing within 14 days. If the objection cannot be resolved, either party may terminate the agreement.

6.3 Sub-processor Obligations

All sub-processors are bound by data processing agreements with equivalent protections to this DPA.


7. International Data Transfers

Where Personal Data is transferred outside the EEA (e.g., to US-based sub-processors), the Processor ensures adequate safeguards through:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) pursuant to Commission Decision 2021/914
  • Additional technical measures (encryption, pseudonymization) where appropriate

8. Data Subject Rights

The Processor will promptly assist the Controller in fulfilling data subject requests under GDPR Articles 15-22:

Right Response Time
Access (Art. 15) 30 days
Rectification (Art. 16) 30 days
Erasure (Art. 17) 30 days
Restriction (Art. 18) 30 days
Data portability (Art. 20) 30 days
Objection (Art. 21) 30 days

9. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits (or appoint an independent auditor) with 30 days prior written notice, no more than once per year, during normal business hours.


10. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination:

  • Personal Data will be returned or deleted per Section 4.8
  • Obligations of confidentiality survive termination
  • The Processor will provide a written confirmation of data deletion

11. Liability

Liability under this DPA is governed by the Terms of Service and applicable law. Each party is liable for damages caused by its violation of Applicable Data Protection Law.


12. Contact

Data Processor: Aiventor Sp. z o.o. al. Solidarności 117-615, 00-140 Warszawa, Poland NIP: 7252347037 | REGON: 529689160 | KRS: 0001128173 Email: admin@aiventor.eu

Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO) ul. Stawki 2, 00-193 Warszawa, Poland www.uodo.gov.pl


Questions about these documents? admin@aiventor.eu

Aiventor Sp. z o.o. · al. Solidarności 117-615, 00-140 Warszawa · NIP 7252347037 · KRS 0001128173

On this page

1. Definitions2. Scope and Purpose of Processing3. AI and Student Data4. Obligations of the Processor5. Obligations of the Controller6. Sub-processors7. International Data Transfers8. Data Subject Rights9. Audits10. Term and Termination11. Liability12. Contact