Data Processing Agreement

Last updated: March 20, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between teachmu ("Processor") and the teacher/organization using the Service ("Controller"). It describes how teachmu processes personal data on behalf of the Controller.

2. Definitions

• Personal Data — Any information relating to an identified or identifiable natural person
• Processing — Any operation performed on personal data (collection, storage, use, deletion)
• Data Subject — The individual whose personal data is processed (students, teachers)
• Sub-processor — Third-party services that process data on our behalf

3. Scope of Processing

teachmu processes the following categories of personal data:

• Student and teacher names, email addresses
• Lesson schedules and attendance records
• Exercise grades and progress data
• Messages sent through the platform
• Booking notes and preferences

4. Obligations of the Processor

teachmu shall:

• Process personal data only on documented instructions from the Controller
• Ensure persons authorized to process data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Not engage sub-processors without prior written consent
• Assist the Controller in fulfilling data subject requests
• Delete or return all personal data upon termination of the agreement
• Make available all information necessary to demonstrate compliance

5. Sub-processors

teachmu currently uses the following sub-processors:

• Supabase — Database, authentication, and file storage (AWS infrastructure)
• Vercel — Application hosting and edge functions
• Lemon Squeezy — Payment processing and subscription management

We will notify the Controller before adding or replacing sub-processors, providing an opportunity to object.

6. Security Measures

• Encryption in transit (TLS 1.2+) and at rest
• Row Level Security (RLS) ensuring tenant isolation
• Regular security updates and dependency audits
• Access controls and authentication via Supabase Auth
• Automated backups with point-in-time recovery

7. Data Breach Notification

In the event of a personal data breach, teachmu will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.

8. Data Subject Rights

teachmu will assist the Controller in responding to data subject requests including access, rectification, erasure, restriction, portability, and objection.

9. Data Retention

Personal data is retained for the duration of the service agreement. Upon account deletion, data is permanently removed within 30 days, except where retention is required by law.

10. Contact

For DPA-related inquiries, contact us at legal@teachmu.com.