Data Processing Addendum

Effective date:
2026-05-01
Last updated: 2026-05-01
Version 1.0.0

1. About this DPA

This Data Processing Addendum ("DPA") is entered into between Day One Education Pty Ltd (ABN 52 696 719 561, ACN 696 719 561) ("DOE", "we", "us") and the institutional customer identified in the applicable Master Services Agreement or institutional subscription contract ("Customer", "you"). This DPA is incorporated into and forms part of that agreement (the "Agreement").

This DPA applies exclusively where the Customer is an institution — such as a school, university, tutoring business, or test-preparation provider — that accesses the DOE platform to enable its own end-users (such as students or tutees) to process personal data through the Service. In those circumstances, the Customer acts as the data controller and DOE acts as a data processor in respect of end-user personal data.

This DPA does not apply to individual consumer subscribers. Individual subscribers who hold their own account under the standard Terms of Service are not institutional customers for the purposes of this DPA; their data is governed solely by the DOE Privacy Policy and Terms of Service.

Where there is a conflict between this DPA and the Agreement, this DPA prevails in respect of the processing of personal data.

2. Definitions

In this DPA:

"Applicable Data Protection Law" means, as applicable to the processing in question: the EU General Data Protection Regulation 2016/679 ("GDPR"); the retained EU law version of the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland ("UK GDPR"); the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles; and any other privacy or data protection legislation applicable to the relevant processing.

"Controller" has the meaning given in the GDPR (an entity that determines the purposes and means of processing personal data). Where used in this DPA, it refers to the Customer.

"Data Subject" means any identified or identifiable natural person whose personal data is processed under this DPA, including end-users of the Customer's institutional account.

"Personal Data" has the meaning given in the GDPR (any information relating to an identified or identifiable natural person).

"Processing" has the meaning given in the GDPR (any operation or set of operations performed on personal data), and "process" and "processed" are to be construed accordingly.

"Processor" has the meaning given in the GDPR (an entity that processes personal data on behalf of the controller). Where used in this DPA, it refers to DOE.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914 of 4 June 2021, as may be amended or replaced from time to time.

"Sub-processor" means any third party engaged by DOE to process personal data in connection with the Service on the Customer's behalf.

"Supervisory Authority" means the competent data protection supervisory authority with jurisdiction over the relevant processing, including (as applicable) the Office of the Australian Information Commissioner, the UK Information Commissioner's Office, and any EU member state supervisory authority.

"UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version A1.0, issued by the UK Information Commissioner under s.119A of the Data Protection Act 2018).

3. Scope of Processing

The subject matter, duration, nature, and purpose of the processing, the types of personal data processed, and the categories of data subjects are described in Annex A to this DPA. Processing is limited to that which is necessary to provide the Service under the Agreement.

4. DOE's Obligations as Processor

DOE shall, in its capacity as processor, comply with the following obligations in respect of personal data processed under this DPA:

(a) Documented instructions. DOE shall process personal data only on the documented instructions of the Customer, including as set out in the Agreement and this DPA, unless required to do so by applicable law. Where applicable law requires DOE to process personal data otherwise than on the Customer's instructions, DOE shall inform the Customer before such processing takes place to the extent permitted by law.

(b) Confidentiality of personnel. DOE shall ensure that all personnel authorised to process personal data under this DPA are subject to an appropriate obligation of confidentiality, whether by contract or statutory duty.

(c) Technical and organisational measures. DOE shall implement and maintain the technical and organisational security measures described in Annex B to this DPA, and shall ensure that those measures provide a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing.

(d) Sub-processor conditions. DOE shall engage sub-processors only in accordance with the requirements set out in §5 of this DPA. DOE shall impose on each sub-processor data protection obligations equivalent to those imposed on DOE under this DPA by means of a written contract.

(e) Assistance with data subject rights. Taking into account the nature of the processing, DOE shall provide the Customer with reasonable assistance in fulfilling its obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection. The scope and cost of such assistance is governed by §9 of this DPA.

(f) Assistance with security, breach notification, DPIAs, and prior consultation. DOE shall assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities), taking into account the nature of the processing and the information available to DOE. DOE's breach notification obligations are further described in §8 of this DPA.

(g) Deletion or return of personal data. Upon termination or expiry of the Agreement, DOE shall, at the Customer's election made within 30 days of termination or expiry, return or delete all personal data processed under this DPA, subject to §11 of this DPA and any retention required by applicable law.

(h) Compliance information and audit. DOE shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor, subject to the conditions set out in §10 of this DPA.

5. Sub-processors

5.1 Current sub-processors. The Customer authorises DOE to engage the sub-processors listed at https://dayoneed.com/legal/subprocessors as at the effective date of this DPA. That list sets out each sub-processor's name, location, and the processing activity it performs.

5.2 New sub-processors. DOE shall provide the Customer with at least 30 days' prior written notice before engaging a new sub-processor or making a material change to an existing sub-processor's role. Such notice shall be given by updating the sub-processor list at https://dayoneed.com/legal/subprocessors and, where the Customer has elected to receive notifications, by email to the Customer's nominated contact.

5.3 Right to object. The Customer may object to a new or changed sub-processor on reasonable data protection grounds by giving written notice to DOE at legal@dayoneed.com within 30 days of the notice referred to in §5.2. Where the Customer objects and DOE is unable to accommodate the objection, either party may terminate the affected part of the Service on written notice without liability to the other party, subject to any termination provisions in the Agreement.

5.4 Flow-down of obligations. DOE shall, by written contract with each sub-processor, impose data protection obligations equivalent to those imposed on DOE under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures such that the processing meets the requirements of Applicable Data Protection Law.

6. International Transfers

6.1 Primary processing location. The DOE platform is hosted primarily in Sydney, Australia (AWS ap-southeast-2 via Supabase). Australia is a designated adequate country for the purposes of UK GDPR data transfers under the UK adequacy regulations. An EU adequacy decision in respect of Australia has not yet been issued as at the effective date of this DPA.

6.2 EEA to Australia transfers. For transfers of personal data from the European Economic Area to Australia, DOE relies on the SCCs (Module 2: controller to processor, or Module 3: processor to processor, as applicable) adopted under EU Commission Decision 2021/914. The supplementary measures applicable to such transfers are described in Annex B.

6.3 UK to Australia transfers. For transfers of personal data from the United Kingdom to Australia, DOE relies on the UK adequacy regulations. The UK IDTA (Version A1.0) is additionally in place as a fallback measure.

6.4 Transfers to US-based sub-processors. Transfers to sub-processors located in the United States are effected by means of the SCCs (Module 2 or Module 3, as applicable) together with the UK IDTA where UK data subjects are involved.

6.5 Transfers to Singapore (Railway). Where personal data is transferred to Railway's Singapore infrastructure for the purpose of application compute, such transfers are effected by means of the SCCs together with the supplementary measures described in Annex C.

6.6 Further information. Full details of transfer mechanisms applicable to each sub-processor are set out in Annex C and the live list at https://dayoneed.com/legal/subprocessors.

7. Security Measures

DOE shall implement and maintain the technical and organisational measures set out in Annex B to this DPA. DOE shall review and, where necessary, update those measures periodically to ensure they remain appropriate to the risks presented by the processing.

8. Breach Notification

8.1 DOE notification to Customer. In the event that DOE becomes aware of a personal data breach affecting personal data processed under this DPA, DOE shall notify the Customer without undue delay and, in any event, within 48 hours of becoming aware of the breach.

8.2 Content of notification. The notification shall include, to the extent then available to DOE:

  • (a) a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • (b) the likely consequences of the personal data breach;
  • (c) the measures taken or proposed to be taken by DOE to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.3 Supplementary information. Where DOE is unable to provide all of the information described in §8.2 at the time of the initial notification, DOE shall provide such information in phases as it becomes available, without undue further delay.

8.4 Customer's notification obligations. The Customer remains solely responsible for any notifications to data subjects or supervisory authorities required by Applicable Data Protection Law. DOE shall provide reasonable assistance to the Customer in preparing any such notifications.

9. Data Subject Requests

9.1 Forwarding of requests. Where DOE receives a request from a data subject exercising a right under Applicable Data Protection Law in relation to personal data processed under this DPA, DOE shall promptly forward that request to the Customer. DOE shall not respond to the data subject directly except on the Customer's written instructions or as required by applicable law.

9.2 Assistance. DOE shall provide the Customer with such technical and organisational assistance as is reasonably requested by the Customer to fulfil its obligations in respect of data subject requests, within a reasonable timeframe.

9.3 Cost of assistance. Assistance in respect of up to five data subject requests per calendar month is provided without additional charge. For requests exceeding that volume, DOE may charge at its standard hourly rate, notified to the Customer in advance, for time reasonably spent by DOE personnel in providing the additional assistance.

10. Audit Rights

10.1 Information and certifications. Upon the Customer's written request, DOE shall make available to the Customer (or a mandated auditor bound by confidentiality): relevant certifications, information security policies, and the most recent third-party audit report or assessment obtained by DOE.

10.2 On-site audit. The Customer (or a mandated auditor) may conduct an on-site audit of DOE's processing facilities and practices subject to the following conditions:

  • (a) at least 30 days' prior written notice;
  • (b) the audit is conducted during DOE's normal business hours with minimal disruption to operations;
  • (c) the scope is limited to matters directly relevant to DOE's obligations under this DPA;
  • (d) no more than one audit per calendar year unless a prior audit identified a material breach of this DPA that has not been remediated;
  • (e) the Customer and its auditor are subject to a confidentiality obligation with respect to any information obtained during the audit.

10.3 Equivalent assurance. DOE may satisfy the requirements of §10.1 and §10.2 by providing the Customer with a current SOC 2 Type II report or ISO 27001 certification in lieu of a dedicated audit, once such certification is obtained by DOE.

11. Deletion and Return of Personal Data at End of Service

11.1 Customer election. Within 30 days following the date of termination or expiry of the Agreement, the Customer may give DOE written notice electing either (a) return of all personal data processed under this DPA in a commonly used, machine-readable format, or (b) deletion of all such personal data. DOE shall comply with that election within 30 days of receipt.

11.2 Backup retention. Notwithstanding §11.1, personal data contained in DOE's automated back-ups will be retained for up to 90 days following the completion of deletion or return under §11.1, after which time DOE shall ensure that such data is deleted from back-up media in the ordinary course of DOE's standard backup rotation procedures.

11.3 Legal retention requirements. DOE may retain personal data beyond the periods specified in §11.1 and §11.2 to the extent and for the period required by applicable law, provided that DOE notifies the Customer of any such retention obligation.

11.4 Certification. Upon the Customer's written request, DOE shall provide the Customer with written certification that deletion has been completed in accordance with this section.

12. AI Training Prohibition

Day One Education does not use personal data processed under this DPA to train, fine-tune, or otherwise improve artificial intelligence models, whether operated by Day One Education or by any sub-processor.

AI features within the Service use third-party foundation model APIs (such as OpenAI) to process individual requests at inference time. No personal data processed under this DPA is retained by DOE or directed to any sub-processor for the purpose of training or improving any AI model. DOE shall include equivalent prohibitions in its contracts with AI sub-processors to the extent that such sub-processors would otherwise have access to personal data processed under this DPA.

13. Liability

The liability of each party under or in connection with this DPA (whether arising in contract, tort, or otherwise) is subject to the limitations and caps set out in the Agreement. For the avoidance of doubt, the liability cap applicable to this DPA is the cap applicable to the institutional subscription or Master Services Agreement under which the Customer subscribes, and not any consumer liability cap that may appear in DOE's standard consumer Terms of Service.

14. Governing Law

This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by, and construed in accordance with, the laws of the State of Victoria, Australia. Each party irrevocably submits to the non-exclusive jurisdiction of the courts of Victoria, Australia.

Annex A: Description of Processing

A.1 Subject matter

Provision of the DOE GAMSAT preparation platform, including essay grading, AI tutoring, practice question delivery, and usage analytics, to the Customer's end-users under an institutional subscription or Master Services Agreement.

A.2 Nature and purpose of processing

ActivityPurpose
Account creation and managementEnabling end-user access to the Service
Essay submission and AI gradingEducational service delivery
AI tutoring interactionsEducational service delivery
Practice question delivery and response recordingEducational service delivery
Usage analytics and progress trackingReporting to institutional customers and personalised learning

A.3 Duration of processing

For the term of the institutional contract, and thereafter subject to §11 of this DPA.

A.4 Types of personal data

  • Account data: name, email address, institutional identifier
  • User-generated academic content: essays, tutor-session messages, question responses
  • Usage metrics: session timestamps, feature interactions, progress data

A.5 Categories of data subjects

End-users of the Customer's institutional account, typically students or tutees of the institutional customer. The Customer warrants that it has provided all required notices to, and obtained all required consents from, its end-users prior to submitting their personal data to the Service.

Annex B: Technical and Organisational Measures

The following technical and organisational measures ("TOMs") are implemented by DOE as at the effective date of this DPA. DOE reviews these measures at least annually and updates them as necessary to address new or changed risks.

B.1 Encryption

  • At rest: All personal data stored in the DOE database is encrypted at rest using AES-256 encryption managed by Supabase (hosted on AWS).
  • In transit: All data transmitted between the client and DOE services, and between DOE services and sub-processors, is protected by TLS 1.2 or higher.

B.2 Access control

  • DOE implements role-based access control ("RBAC") across the application, restricting access to personal data to personnel and system components with a legitimate operational need.
  • Administrative access to production systems requires multi-factor authentication.
  • Access rights are reviewed periodically and revoked promptly upon a change in personnel status.

B.3 Audit logging

Administrative actions affecting personal data (including access, modification, and deletion operations) are logged and retained for a minimum of 90 days for audit and incident investigation purposes.

B.4 Backup and disaster recovery

Supabase point-in-time recovery is enabled for the production database. Backups are encrypted using the same AES-256 standard as live data. Recovery point objectives and recovery time objectives are documented in DOE's internal incident response plan.

B.5 Incident response

DOE maintains a documented incident response plan and operates an on-call rotation for security incidents. The plan includes procedures for detection, containment, investigation, notification (in accordance with §8 of this DPA), and post-incident review.

B.6 Personnel measures

  • All DOE personnel with access to personal data are subject to confidentiality obligations by way of their employment or contractor agreements.
  • Background checks are conducted for personnel in roles with privileged access to production systems.
  • DOE provides security awareness training to all personnel on at least an annual basis.

B.7 Vulnerability management

Automated dependency scanning and static analysis are integrated into DOE's CI/CD pipeline. Security vulnerabilities are triaged and remediated in accordance with DOE's internal vulnerability management policy.

B.8 Change management

All changes to application code and infrastructure are managed through version control (Git) and a CI/CD pipeline that includes automated testing and review gates prior to deployment to production.

B.9 Supplementary transfer measures

For transfers to countries without an EU or UK adequacy decision, DOE implements the following supplementary measures in addition to the SCCs or UK IDTA:

  • encryption in transit and at rest as described in §B.1;
  • contractual commitments from sub-processors not to access or process personal data beyond what is necessary to provide the contracted service;
  • monitoring of legal developments in destination countries that may affect the level of protection afforded to transferred data.

Annex C: Sub-processors and Transfer Mechanisms

C.1 Current sub-processors

The definitive and current list of sub-processors engaged by DOE, including their name, country of establishment, and processing activity, is maintained at https://dayoneed.com/legal/subprocessors.

C.2 Transfer mechanisms by destination

Transfer routeMechanism
EEA → Australia (Supabase, AWS ap-southeast-2)SCCs (EU 2021/914) Module 2 / Module 3 + supplementary measures (Annex B §B.9); UK adequacy applies for UK → AU
EEA/UK → United States (OpenAI and other US sub-processors)SCCs Module 2 / Module 3; UK IDTA (Version A1.0) for UK data subjects
EEA/UK → Singapore (Railway compute)SCCs Module 2 / Module 3 + supplementary measures (Annex B §B.9); UK IDTA (Version A1.0) for UK data subjects

C.3 Updates to transfer mechanisms

DOE shall update the sub-processor list and, where relevant, the transfer mechanism information in this Annex C in conjunction with any notice issued under §5.2 of this DPA.

Annex D: Standard Contractual Clauses and UK IDTA

D.1 EU Standard Contractual Clauses

The SCCs adopted under EU Commission Decision 2021/914 of 4 June 2021 are incorporated by reference into this DPA and apply to transfers of personal data from the EEA to third countries without an adequacy decision, as specified in §6 of this DPA:

  • Module 2 (controller to processor): applies where the Customer (as controller) is established in the EEA and personal data is transferred to DOE (as processor) or to a sub-processor located in a third country.
  • Module 3 (processor to processor): applies where DOE (as processor) further transfers personal data to a sub-processor located in a third country.

The parties shall complete the required annexes and options within the SCCs (including Annex I, Annex II, and the optional clauses) as specified in a separate SCC schedule to the Agreement, or as agreed in writing between the parties, taking into account the specific circumstances of the transfer.

D.2 UK International Data Transfer Addendum

The UK IDTA (Version A1.0) issued by the UK Information Commissioner under s.119A of the Data Protection Act 2018 is incorporated by reference into this DPA and applies to transfers of personal data from the United Kingdom, as specified in §6 of this DPA. The UK IDTA shall be read in conjunction with and as an addendum to the relevant SCCs module identified in §D.1 above.

D.3 Docking clause and future modules

The parties agree to incorporate any future modules or amendments to the SCCs or the UK IDTA issued by the relevant competent authorities, to the extent required to ensure the lawfulness of the relevant transfers, by way of written amendment to this DPA, which shall take effect on the date required by the relevant competent authority.

D.4 Conflict with this DPA

In the event of any conflict between the SCCs or UK IDTA and any other provision of this DPA or the Agreement, the SCCs or UK IDTA (as applicable) shall prevail with respect to the subject matter of the transfer to which they apply.