Schoolyland

What you getHow it worksPricingFAQ
Claim a founding spot→

Navigate
What you getHow it worksPricingFAQ
Claim a founding spot→

Data Processing Agreement (DPA)

Last updated: July 2026 · Version 1.0

This Data Processing Agreement (“DPA“) forms part of the Terms of Service between Schoolyland (“Schoolyland“, “we“, “us“) and the customer identified in the applicable order (“Customer“, “you“), and governs Schoolyland’s processing of personal data on the Customer’s behalf.

How this DPA applies. This DPA is incorporated into the Terms of Service by reference and applies automatically — without signature — to every Customer whose use of the services involves processing of personal data subject to the EU General Data Protection Regulation (“GDPR“) or the UK GDPR. Customers who require a countersigned copy for their records may request one at [email protected]; we will return a signed copy of this same document.

This DPA should be read together with the Privacy Policy, the MCP Terms of Service, and the MCP Privacy Policy.

1. Definitions

  • “GDPR” — Regulation (EU) 2016/679. References to the GDPR include the UK GDPR where the UK GDPR applies to the processing, mutatis mutandis.
  • “Personal data“, “processing“, “controller“, “processor“, “data subject“, “supervisory authority“, “personal data breach” — as defined in Art. 4 GDPR.
  • “Customer Platform” — the WordPress platform Schoolyland builds, hosts, and/or maintains for the Customer under the Terms of Service.
  • “End User” — a natural person whose personal data the Customer collects or processes through the Customer Platform (e.g., the Customer’s own clients, students, subscribers, or community members).
  • “Customer Data” — personal data of End Users (and of the Customer’s own personnel, where applicable) that Schoolyland processes on the Customer’s behalf in the course of providing the services.
  • “Subprocessor” — a third party engaged by Schoolyland to process Customer Data on its behalf.
  • “Services” — the services described in the Terms of Service, including platform delivery, hosting, maintenance, support, and the AI layer (MCP service).

2. Roles and scope

2.1 Roles. For Customer Data, the Customer is the controller and Schoolyland is the processor. For data about the Customer itself (account, billing, support), Schoolyland is an independent controller, and the Privacy Policy governs that processing — it is outside the scope of this DPA.

2.2 Scope. This DPA applies to all processing of Customer Data by Schoolyland in the course of providing the Services, for the duration of the Terms of Service.

2.3 Details of processing. The subject matter, duration, nature and purpose of the processing, the categories of data subjects, and the types of personal data are set out in Annex A.

3. Customer obligations (controller)

3.1 The Customer is responsible for the lawfulness of the processing of Customer Data, including: having a valid legal basis for collecting and processing End Users’ personal data; providing End Users with the notices required by law (including the Customer’s own privacy policy on the Customer Platform); obtaining any required consents; and configuring the Customer Platform and its plugins in accordance with the laws that apply to the Customer.

3.2 The Customer’s instructions to Schoolyland are documented in: the Terms of Service, this DPA, the configuration and use of the Services, and any additional written instructions agreed between the parties. The Customer warrants that its instructions comply with applicable law.

4. Schoolyland obligations (processor)

4.1 Documented instructions. Schoolyland processes Customer Data only on the Customer’s documented instructions (Section 3.2), including with regard to international transfers, unless required to do otherwise by law to which Schoolyland is subject — in which case Schoolyland will inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Schoolyland will inform the Customer if, in its opinion, an instruction infringes the GDPR.

4.2 No independent use. Schoolyland does not sell Customer Data, does not use it for advertising, and does not market to End Users — ever.

4.3 Confidentiality. Persons authorised by Schoolyland to process Customer Data are bound by contractual or statutory confidentiality obligations, and access is limited to what is operationally necessary.

4.4 Security. Schoolyland implements the technical and organizational measures set out in Annex B, as required by Art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

4.5 Assistance with data subject rights. Taking into account the nature of the processing, Schoolyland will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to data subjects’ requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). See Section 7.

4.6 Assistance with Articles 32–36. Schoolyland will assist the Customer in ensuring compliance with the obligations under Arts. 32–36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to Schoolyland.

4.7 Deletion and return. At the end of the provision of the Services, Schoolyland will delete or return Customer Data as set out in Section 10.

4.8 Demonstrating compliance. Schoolyland will make available to the Customer the information necessary to demonstrate compliance with Art. 28 GDPR, and will allow for and contribute to audits as set out in Section 9.

5. Subprocessors

5.1 General authorisation. The Customer grants Schoolyland a general written authorisation to engage Subprocessors for the processing of Customer Data. The Subprocessors currently engaged are listed in Annex C (kept consistent with Section 6 of the Privacy Policy).

5.2 Flow-down. Schoolyland imposes on each Subprocessor, by contract, data-protection obligations materially equivalent to those in this DPA, and remains fully liable to the Customer for the performance of each Subprocessor’s obligations.

5.3 Changes and objection. Schoolyland will give the Customer at least 30 days’ advance notice of the addition or replacement of a Subprocessor that processes Customer Data (by updating the published list and/or by email). If the Customer has reasonable data-protection grounds to object, the parties will discuss the concern in good faith; if no solution is found, the Customer may terminate the affected Services, and prepaid fees for the unused remainder of the affected Services will be refunded pro-rata.

5.4 Plugins on the Customer Platform. Third-party plugins installed on the Customer Platform (e.g., WooCommerce, FluentCRM, LearnDash) run on the Customer’s own platform and are not Schoolyland Subprocessors. As controller and platform owner, the Customer is responsible for reviewing and configuring them (see Terms of Service and Privacy Policy §6.2).

6. International transfers

6.1 Where Customer Data lives. Customer Platforms hosted by Schoolyland run on servers located in Germany (EU), operated by devim.cloud.

6.2 Transfers to Israel. Schoolyland is established in Israel. The European Commission’s adequacy decision for Israel permits transfers of personal data from the EU/EEA to Israel without additional safeguards (an equivalent UK adequacy regulation applies for the UK). Schoolyland’s administrative access to Customer Data from Israel is covered by this decision.

6.3 Transfers to the US. Where a Subprocessor processes data in the United States (see Annex C), the transfer relies on the EU–US Data Privacy Framework (where the provider is certified) and/or Standard Contractual Clauses (SCCs), together with the provider’s security commitments.

6.4 Schoolyland will not transfer Customer Data to any country or recipient not covered by Sections 6.1–6.3 without a valid transfer mechanism under Chapter V GDPR.

7. Data subject requests

7.1 If Schoolyland receives a request from an End User concerning Customer Data (access, erasure, etc.), it will not respond on the merits; it will refer the requester to the Customer and, where the request identifies the Customer Platform, notify the Customer without undue delay.

7.2 On the Customer’s written request, Schoolyland will provide reasonable assistance in fulfilling data-subject requests — including locating, exporting (in a structured, machine-readable format such as CSV/JSON), correcting, or deleting the relevant Customer Data — to the extent the Customer cannot do so itself through the Customer Platform’s own tools.

8. Personal data breach

8.1 Upon becoming aware of a personal data breach affecting Customer Data, Schoolyland will notify the Customer without undue delay, and in any event within 72 hours of becoming aware.

8.2 The notification will describe, to the extent then known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Information may be provided in phases as it becomes available.

8.3 Schoolyland will document the breach, cooperate with the Customer, and take reasonable steps to mitigate and prevent recurrence. Notification to supervisory authorities and to data subjects concerning Customer Data is the Customer’s responsibility as controller; Schoolyland will provide reasonable assistance.

9. Audits and information

9.1 On written request (no more than once in any 12-month period, except following a personal data breach affecting Customer Data or where required by a supervisory authority), Schoolyland will make available the information reasonably necessary to demonstrate compliance with this DPA — including summaries of security measures, Subprocessor arrangements, and relevant policies.

9.2 Where the information under 9.1 is insufficient to demonstrate compliance, the Customer (or an independent auditor on its behalf, bound by confidentiality and not a competitor of Schoolyland) may conduct an audit, subject to: 30 days’ advance written notice; agreed scope, timing, and duration during business hours; no access to other customers’ data or to information protected by law or confidentiality obligations; and the Customer bearing its own audit costs. Findings are confidential.

10. Deletion and return of Customer Data

10.1 During the term. The Customer can export its data at any time through the Customer Platform’s own tools, and may migrate the entire Platform as set out in the Terms of Service (§7).

10.2 At termination. Upon termination or expiry of the Services, Schoolyland will, at the Customer’s choice communicated in writing before or within 30 days after termination: (a) provide a full backup of the Customer Platform for download, and/or (b) delete the Customer Data from its systems — except where law requires retention (per the retention table in the Privacy Policy §11). Absent a choice, Customer Data is retained and then deleted per the Privacy Policy.

10.3 Backups. Rolling infrastructure backups are retained for 14 days; deleted data leaves the backup cycle automatically within that window.

10.4 Migrated platforms. Where the Customer has migrated the Platform to its own hosting, the copy on the Customer’s servers is outside Schoolyland’s systems and control from the moment of migration.

11. Liability

The liability of each party under this DPA is subject to the limitations and caps in the Terms of Service (§11), except where the GDPR does not permit such limitation (including a data subject’s right to compensation under Art. 82 GDPR).

12. Term

This DPA takes effect upon the Customer’s acceptance of the Terms of Service (or upon first processing of Customer Data, if earlier) and remains in force as long as Schoolyland processes Customer Data, notwithstanding expiry or termination of the Terms of Service.

13. Precedence

In case of conflict concerning the processing of Customer Data: (1) the GDPR and other mandatory law prevail over everything; (2) this DPA prevails over the Terms of Service; (3) the Terms of Service prevail over other documents.

14. Governing law

This DPA is governed by the same law and jurisdiction as the Terms of Service (§14 — laws of the State of Israel; courts of the Jerusalem district), except to the extent the GDPR or other mandatory data-protection law provides otherwise (including data subjects’ rights to lodge complaints and bring proceedings in their own member state).

15. Miscellaneous

15.1 Updates. Schoolyland may update this DPA to reflect changes in law or in the Services; material changes will be announced at least 30 days in advance. The version published at schoolyland.com/dpa/ at any given time applies.

15.2 Severability. If any provision is held invalid, the remainder stays in force, and the invalid provision is replaced by a valid one closest to its intent.

15.3 Entire data-processing agreement. This DPA, together with its Annexes, constitutes the parties’ entire agreement on the processing of Customer Data and replaces the summary in §3.2 of the Privacy Policy for Customers to whom this DPA applies.

15.4 EU representative (Art. 27 GDPR). Where Art. 27 GDPR requires Schoolyland to designate a representative in the Union (or the UK), Schoolyland will appoint one and publish the representative’s name and contact details on this page and in the Privacy Policy.

Annex A — Details of processing

Item Description
Subject matter Hosting, maintenance, support, and AI-layer operation of the Customer Platform, on which the Customer processes its End Users’ personal data
Duration The term of the Terms of Service, plus the deletion/retention windows in Section 10
Nature of processing Storage, hosting, backup, technical maintenance, support-driven access, automated actions requested by the Customer (including through the AI layer), export, deletion
Purpose Providing the Services ordered by the Customer — and nothing else
Categories of data subjects The Customer’s End Users: clients, students, course participants, community members, mailing-list subscribers, and the Customer’s own staff with platform accounts
Types of personal data Names; email addresses; phone numbers; billing and order data (excluding full card numbers, which are held by the payment provider); course enrollment and progress; community activity; form submissions; email engagement; login/usage metadata. Special categories (Art. 9) are not required by the Services; if the Customer chooses to collect them through its Platform, the Customer is responsible for the lawfulness of that collection

Annex B — Technical and organizational measures (Art. 32)

As detailed in the Privacy Policy §8:

  • Encryption in transit (HTTPS/TLS) on all communication
  • Encryption at rest for sensitive credentials (AES-256-CBC)
  • Payment data processed by PayPal under PCI-DSS — never stored on Schoolyland servers
  • Role-based access control; strong authentication on management platforms; need-to-know access
  • Full isolation between customers (containerized hosting)
  • Automated availability, performance, and access monitoring; audit logs contain technical metadata only
  • Infrastructure protection: backups twice daily (14-day retention), real-time malware scanning, DDoS protection, auto-renewing SSL
  • MCP service hardening: rate limiting, abuse prevention, protections against SSRF and prompt-injection vectors
  • Breach-response procedure (Privacy Policy §9)

Annex C — Subprocessors

Consistent with Privacy Policy §6 (the live list there is authoritative):

Subprocessor Role Processing location
devim.cloud Hosting of schoolyland.com and Customer Platforms Germany (EU)
PayPal Payment processing Global (US/EU entities)
Mailgun Email delivery EU / US
Bunny.net Video hosting and CDN EU (global CDN)
Anthropic (Claude) Processing of AI requests through the MCP service US
Cloudflare CDN, DNS, and security layer Global

Contact

CONTACT

Schoolyland

Email: [email protected]

Contact form: schoolyland.com/contact

Version 1.0, published July 2026. This DPA applies to services purchased through schoolyland.com. A countersigned copy is available on request at [email protected].

Companion documents: Terms of Service · Privacy Policy · MCP Terms of Service · MCP Privacy Policy

Schoolyland

Business infrastructure you own, connected to AI.

  • [email protected]

Navigate

  • Home
  • What you get
  • How it works
  • Pricing

Answers

  • FAQ
  • Documentation
  • Email us

Legal

  • Terms of Service
  • Privacy Policy
  • MCP Terms of Service
  • MCP Privacy Policy
  • Data Processing Agreement
  • Accessibility

© 2026 Schoolyland · All rights reserved