Data Processing Agreement

Last updated: January 1, 2026

This Data Processing Agreement (DPA) applies when Skriv processes personal data on behalf of educational institutions (the 'Data Controller').

1. Definitions

'Personal Data' means any information relating to an identified or identifiable natural person. 'Processing' means any operation performed on Personal Data. 'Data Subject' means the individual whose Personal Data is processed (students, teachers).

2. Scope of Processing

Skriv processes the following data: user account information (name, email), writing content created in the editor, process data (keystroke timing, session data), and usage analytics. Processing is performed solely for providing the educational writing service.

3. Processor Obligations

Skriv shall: process data only on documented instructions from the Controller; ensure persons processing data are bound by confidentiality; implement appropriate technical and organizational security measures; assist the Controller in responding to data subject requests; delete or return data upon termination; make available information necessary to demonstrate compliance.

4. Security Measures

We implement: encryption of data in transit and at rest; access controls and authentication; regular security testing; incident response procedures; employee training on data protection.

5. Sub-processors

Skriv uses the following sub-processors: Hetzner (hosting, Germany), Cloudflare (CDN/security, EU region). We will notify the Controller before engaging new sub-processors.

6. International Transfers

Personal Data is stored and processed within the EU. If any transfer outside the EU is necessary, appropriate safeguards (such as Standard Contractual Clauses) will be implemented.

7. Data Breach Notification

In case of a personal data breach, Skriv will notify the Controller without undue delay (within 72 hours) and provide information necessary for the Controller to meet its notification obligations.

8. Audit Rights

The Controller may audit Skriv's compliance with this DPA upon reasonable notice. Skriv will provide access to relevant documentation and facilities.

9. Termination

Upon termination of services, Skriv will delete all Personal Data within 30 days unless legally required to retain it. The Controller may request data export before deletion.

10. Contact

For DPA-related matters, contact: dpa@skriv.app. To request a signed copy of this DPA, schools should contact their Skriv representative.

Need a signed copy?

Schools can request a signed Data Processing Agreement by contacting our team. We'll prepare a customized agreement for your institution.

Request Signed DPA