Data Processing Agreement

This data processing agreement applies between:

Jointly referred to as the "Parties".

• GDPR: Regulation (EU) 2016/679, the General Data Protection Regulation.
• Personal data: all information relating to an identified or identifiable natural person, as referred to in Article 4(1) GDPR.
• Processing: any operation relating to personal data, such as collection, recording, storage, alteration, consultation, disclosure or erasure.
• Data subject: the natural person to whom the personal data relates — primarily teachers and participants.
• Data breach: a breach of security that, accidentally or unlawfully, leads to the destruction, loss, alteration, unauthorised disclosure of or access to personal data.
• Sub-processor: a third party engaged by the Processor to process personal data on behalf of the Controller.

This agreement governs the processing of personal data by Lectame in connection with the provision of the Lectame platform — an AI-supported presentation and interaction platform for education and training.

The agreement takes effect when the Client starts using Lectame (by creating an account or organising a session in which participant data is processed) and remains in force for as long as Lectame processes personal data on behalf of the Client.

The agreement terminates automatically when Lectame no longer processes any personal data for the Client, or upon written termination by either of the Parties subject to the notice period set out in the main agreement.

• Client is the controller for processing carried out in connection with their teaching or training activities using Lectame.
• Lectame is the processor for processing carried out on behalf of the Client.
• For processing that Lectame carries out for its own business purposes (such as account management, security, invoicing, own marketing), Lectame is itself the controller. This agreement does not cover that; see the privacy policy.

Lectame processes personal data solely on the basis of documented instructions from the Client. This agreement, the terms and conditions and the privacy policy together form those instructions, along with the settings the Client configures in the application (for example, the choice to turn AI features or analytics on or off).

Lectame informs the Client if it considers that an instruction infringes the GDPR.

• Creating and editing presentations, including any AI-generated content at the teacher's request.
• Organising and facilitating live sessions in which participants join via a session code or QR code.
• Recording and presenting participants' answers and responses to the teacher, for formative purposes.
• Management and authentication of the Client's accounts and those of their staff.
• Logging and monitoring for security and stability purposes.

• Teachers and administrators of the Client who have an account.
• Participants (typically students or course participants) who join a live session via a session code.
• Guests who create presentations without an account under the responsibility of the Client.

Lectame is not designed for the structural processing of special categories of personal data (Article 9 GDPR) or criminal-conviction data (Article 10 GDPR). The Client ensures that users within their own organisation do not enter medical data, diagnoses, religious beliefs, ethnicity, sexual orientation or similar data into presentation content, AI prompts or session data, unless a lawful basis and appropriate measures have been put in place beforehand.

Where relevant, Lectame displays warnings in the interface advising users not to include personal data, patient data or confidential information in AI prompts.

All Lectame staff and all external persons engaged by Lectame who may gain access to personal data are bound by confidentiality under their employment or service contract or an additional confidentiality declaration.

Lectame takes appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In broad terms, these include:

• Access management, authentication and role-based authorisation.
• Encryption of connections and encryption of storage at the platform level.
• Logging and monitoring of security-relevant events.
• Backup and recovery provisions.
• Regular updates and patching of components.
• Incident response procedures.
• Assessment of suppliers and sub-processors.
• Data minimisation and purpose limitation in the design of features.
• Periodic evaluation of the measures.

A high-level explanation can be found on the security page. Additional details can be shared under confidentiality arrangements with schools and organisations that need them for their own assessment.

The Client hereby gives general written authorisation for the engagement of the sub-processors listed below. The procedure in Article 14 applies to changes.

Lectame informs the Client at least 30 days before a planned change to the sub-processors (addition, replacement or change of location). Within that period, the Client may object with reasons. In the event of a well-founded objection, the Parties will seek a reasonable solution; if that is not possible, the Client may terminate the agreement.

Primary storage takes place within the EEA. For sub-processors where processing may (partly) take place outside the EEA, we apply safeguards such as the EU-US Data Privacy Framework and/or Standard Contractual Clauses. The applicable safeguard per sub-processor is shown in the table above.

Lectame supports the Client in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by, where possible, making the necessary data accessible or exportable via the platform's management functions.

For requests that the Client cannot handle themselves, Lectame provides reasonable assistance with the requested information.

Lectame supports the Client in carrying out a data protection impact assessment (DPIA) and in any prior consultation of the supervisory authority, insofar as this can reasonably be expected of Lectame.

Lectame reports a possible data breach to the Client without undue delay after Lectame becomes aware of it. The Client then assesses, as the controller, whether notification to the supervisory authority (in principle within 72 hours of the Client becoming aware) and to the data subjects is necessary.

Lectame documents all data breaches and the measures taken in response.

Upon request, Lectame provides the Client with reasonably available information enabling the Client to verify compliance with this agreement. An audit by or on behalf of the Client is possible on the basis of written notice, with due regard to reasonable preparation time and business continuity, and subject to confidentiality arrangements. Any costs of an audit are borne by the Client, unless the audit reveals a material shortcoming.

After termination of the service, Lectame deletes the personal data from active systems within 30 days, unless statutory retention obligations require otherwise. At the Client's request, an export is made available in a common format prior to deletion.

Rotating backups that are still persistent at the time of deletion are removed in accordance with our hosting provider's backup schedule; during that period, data stored in them remains encrypted and inaccessible for production use.

Lectame's liability under this agreement aligns with the liability provisions in our terms and conditions, except insofar as mandatory law provides otherwise (such as Article 82 GDPR).

In the event of a conflict between this data processing agreement, the terms and conditions and the privacy policy, the following order of precedence applies:

1. This data processing agreement (for processing matters).
2. The terms and conditions.
3. The privacy policy (as an explanation of the processing).

Questions about this data processing agreement? Email [email protected] or [email protected]. If you have complaints about the processing of personal data, you can also contact the Autoriteit Persoonsgegevens.