Data Processing Agreement
Between LEARN-CO.DE LTD (the "Processor") and the School (the "Controller")
Version 1.0 — Effective 22 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the School ("Controller", "you") and LEARN-CO.DE LTD, a company registered in England and Wales (company number 17293312), registered office 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom ("Processor", "we", "us"), for the provision of the learn-co.de computer science teaching platform ("the Service"). It governs our processing of personal data on the School's behalf and reflects the requirements of Article 28 of the UK GDPR.
By subscribing to or using the Service, the School enters into this DPA electronically, with the same effect as signature; no counter-signature is required. Schools whose procurement requires a signed copy can use the self-service process in the Execution of this Agreement section below.
1. Definitions
Terms such as "personal data", "processing", "controller", "processor", "data subject", "personal data breach" and "supervisory authority" have the meanings given in UK Data Protection Law, meaning the UK GDPR, the Data Protection Act 2018, and any successor or amending legislation including the Data (Use and Access) Act 2025.
2. Roles
2.1 The School is the Controller and LEARN-CO.DE LTD is the Processor in respect of the personal data described in Annex 1 ("School Personal Data").
2.2 Each party will comply with its obligations under UK Data Protection Law.
3. Processing on documented instructions
3.1 We will process School Personal Data only on the School's documented instructions, including as set out in this DPA and as necessary to provide the Service, unless required to do otherwise by law (in which case we will inform the School first, unless legally prohibited).
3.2 The School's use and configuration of the Service constitutes its documented instructions. The School may give additional reasonable written instructions consistent with the DPA.
3.3 We will inform the School if, in our opinion, an instruction infringes UK Data Protection Law.
3.4 We will not sell School Personal Data, use it for advertising or marketing, or use it for our own profiling or unrelated analytics. We may use aggregated, fully anonymised statistics that do not identify any individual or school to operate and improve the Service.
4. Confidentiality
We ensure that all personnel and contractors authorised to process School Personal Data are bound by appropriate confidentiality obligations and are made aware of the confidential nature of the data.
5. Security
We implement appropriate technical and organisational measures to protect School Personal Data, as described in Annex 3 and in our Security Statement. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to data subjects — bearing in mind that the data includes children's data.
6. Sub-processors
6.1 The School provides general written authorisation for us to engage sub-processors to process School Personal Data, provided we impose data protection obligations on them that are no less protective than those in this DPA and remain liable for their performance.
6.2 Our current sub-processors are listed in our Sub-processor List. We will give the School at least 30 days' notice of the addition or replacement of a sub-processor (by updating the published list and/or by notification), during which the School may object on reasonable data protection grounds. If we cannot resolve a reasonable objection, the School may terminate the affected part of the Service.
7. Assistance to the School
7.1 Taking into account the nature of the processing, we will assist the School by appropriate technical and organisational measures, insofar as possible, to fulfil the School's obligations to:
- respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection);
- ensure the security of processing;
- notify and communicate personal data breaches;
- carry out Data Protection Impact Assessments (DPIAs) and prior consultation with the ICO.
7.2 The Service provides self-service tools enabling a School administrator to export all of the School's data and to delete individual accounts or the entire School's data. We will provide additional assistance on request.
8. Personal data breaches
We will notify the School without undue delay after becoming aware of a personal data breach affecting School Personal Data, and will provide the information the School reasonably needs to meet its own breach-notification obligations, including (as available) the nature of the breach, likely consequences, and measures taken or proposed.
9. Deletion and return of data
9.1 On termination or expiry of the Service, and at the School's choice, we will delete or return all School Personal Data, and delete existing copies, unless we are required by law to retain it.
9.2 In the absence of a different instruction, we will retain School Personal Data for a grace period of 90 days after the subscription ends (to guard against accidental loss from payment or renewal issues and to allow export), after which we will permanently delete it within a further 30 days.
9.3 Backups are deleted on our standard backup rotation cycle following deletion of the live data.
10. Audits and information
We will make available to the School information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR, and will allow for and contribute to audits, including inspections, conducted by the School or an auditor it mandates, subject to reasonable notice, confidentiality, frequency limits, and security requirements. We may satisfy audit requests by providing relevant certifications, policies and security documentation.
11. International transfers
We will not transfer School Personal Data outside the UK unless an appropriate safeguard recognised under UK Data Protection Law is in place (for example the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses). See the Sub-processor List for the locations of our sub-processors.
12. Liability and precedence
12.1 This DPA forms part of, and is subject to, the Terms & Conditions, including any limitations and exclusions of liability set out there.
12.2 In the event of a conflict between this DPA and the Terms & Conditions in relation to data protection, this DPA prevails.
13. Governing law
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
Annex 1 — Details of processing
Subject matter: Provision of the learn-co.de computer science teaching and learning platform.
Duration: For the term of the School's subscription, plus the retention period in clause 9.
Nature and purpose: Hosting, storage, organisation, retrieval, display, and deletion of School data to enable class management, assignments, marking, progress tracking, coding activities and live lessons.
Categories of data subjects: Teachers and school staff; pupils/students; the School's account administrator.
Categories of personal data:
- Identity and account data (names, school email/username, role, year group, class membership, school).
- Authentication data (managed via Firebase Authentication; we do not see plaintext passwords).
- Educational data (assignments, answers, attempts, marks, grades, revision sessions, topic progress, saved code, and free-text content entered by pupils).
- Limited technical/security logs.
- Administrator billing/contact data.
Special category data: None requested or required. Schools are instructed not to enter special category data into free-text fields.
Frequency of processing: Continuous, for the duration of the subscription.
Annex 2 — Sub-processors
As listed and maintained at /legal/sub-processors. Current principal sub-processors: Google (Firebase / Firestore / Authentication / Cloud / Workspace), Fly.io, and Stripe (payments).
Annex 3 — Technical and organisational security measures
- Tenant isolation: data is segregated by school (schoolId); a school can only access its own data.
- Access control: role-based access (admin / teacher / student); students can access only their own records and their classes; teachers can access only their own school. Roles, school identifiers and trust-related values cannot be set by client-side users.
- Encryption: data encrypted in transit (TLS) and at rest, as provided by our infrastructure providers.
- Least privilege: our staff have least-privilege access; production access is restricted, logged and used only when necessary for support or operations.
- Environment separation: production personal data is not used in test or development environments.
- Logging: significant administrative actions are logged to a reasonable and proportionate extent.
- Backups and recovery: regular backups with a documented recovery process.
- Authentication: every account must verify its email address before use; users set their own passwords (teachers never set or know pupil passwords) via secure, single-use, time-limited links; passwords are managed by Firebase Authentication and never visible to us in plaintext; school single sign-on (SSO) supported.
- Email authentication: our sending domain uses SPF, DKIM and DMARC to prevent spoofing of verification and password emails.
- Vendor management: sub-processors are bound by equivalent data protection obligations.
(See our full Security Statement for more detail.)
Execution of this Agreement
This DPA can be entered into in either of the following ways. Both are legally binding and you do not need to do both.
- Electronically, on subscription (default). By subscribing to or using the Service, the School accepts this DPA on the School's behalf. It takes effect on that date, in the version published here, and no signature is required. This is sufficient for most schools.
- By counter-signed copy (where your procurement requires one). Use the "Download PDF" button at the top of this page to save the current version, complete the School (Controller) signature block below, and email the signed copy to dpo@learn-co.de. We will return it signed for and on behalf of LEARN-CO.DE LTD, so you hold a fully executed copy.
Signature block (for option 2):
| The Controller — the School | The Processor — LEARN-CO.DE LTD |
|---|---|
| Signed: ___________________________ | Signed: ___________________________ |
| Name: ___________________________ | Name: ___________________________ |
| Position: _________________________ | Position: _________________________ |
| School: __________________________ | Company: LEARN-CO.DE LTD |
| Date: ____________________________ | Company number: 17293312 |
| | Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ |
| | Date: ____________________________ |
The version and effective date at the top of this DPA identify the agreed text, whichever method is used.