Data Processing Agreement (DPA)

Last updated: April 21, 2026

📄 About This Template

This is a standard template aligned with GDPR Article 28, CCPA, and APPI. If you need a signed copy after your legal review, please contact contact-sales@manabiq.com.

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between BDNet LLC ("we," "us," "Processor") and the customer organization ("Customer," "Controller") using the manabiQ service ("Service"). This DPA forms part of the Terms of Service ("ToS") to the extent we process personal data on behalf of Customer in connection with the provision of the Service.

In the event of a conflict between this DPA and other terms of the Service agreement, this DPA prevails with respect to matters of personal data processing.

2. Definitions

  • "Personal Data" means information relating to an identified or identifiable natural person as defined under GDPR, CCPA, APPI, and other applicable data protection laws.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, modification, disclosure, or erasure.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data (typically Customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (manabiQ / BDNet LLC).
  • "Sub-processor" means a third-party processor engaged by us to provide the Service.
  • "Data Subject" means the natural person to whom Personal Data relates (e.g., learners invited by Customer).
  • "Personal Data Breach" means unauthorized access to, alteration of, loss of, or disclosure of Personal Data.

3. Subject Matter, Duration, Nature and Purpose

3.1 Subject Matter

We process Customer's Personal Data to provide the Service (an AI-powered corporate training content generation and delivery platform).

3.2 Duration

This DPA is effective from the date Customer begins using the Service and continues until termination of the Terms of Service.

3.3 Nature and Purpose of Processing

  • Generation of training courses (automated from materials provided by Customer)
  • Learner invitation and authentication (magic-link emails)
  • Recording and aggregate analytics of learner progress
  • Customer support and inquiry response
  • Security audit and fraud detection necessary for Service provision
  • Record retention required by applicable law

4. Types of Personal Data and Categories of Data Subjects

4.1 Types of Personal Data

  • Account Information: Email address, name, organization name, job title
  • Learner Information: Email address, name, employee ID (optional), department (optional)
  • Learning Data: Course progress, quiz responses, time spent, feedback
  • Uploaded Materials: PDFs, Word, text, URLs, and files retrieved from external cloud storage provided by Customer (may include employee information or internal documents)
  • Authentication Data: Firebase Auth UID, session tokens (hashed)
  • Billing Information: Billing address, company name (card details are processed directly by Stripe and not stored by us)
  • IP Addresses and Access Logs: For fraud detection and rate limiting

4.2 Categories of Data Subjects

  • Customer's employees (administrators)
  • Learners invited by Customer (employees, contractors, training recipients)
  • Customer's support contacts

Note: We do not intentionally collect or process special categories of Personal Data such as racial or ethnic origin, religion, political opinions, or health information. If Customer uploads materials containing such information, Customer is responsible for obtaining appropriate consent under applicable law.

5. Processor Obligations

We commit to:

  • Process Personal Data only on documented instructions from Customer (including instructions conveyed through the ToS and use of the Service)
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures (see Annex C)
  • Not transfer Personal Data outside the EEA without Customer's prior written authorization or a lawful transfer mechanism such as the SCCs
  • Assist Customer in responding to Data Subject rights requests (access, rectification, erasure, portability, etc.)
  • Notify Customer without undue delay (target: within 72 hours) upon becoming aware of a Personal Data Breach
  • Upon termination of the ToS, delete or return Personal Data at Customer's choice
  • Cooperate with Customer's audit rights under GDPR Article 28(3)(h) to a reasonable extent

6. Sub-processors

Customer consents to our use of the following Sub-processors as of the effective date of this DPA:

Sub-processor | Processing Activity | Location
Google Cloud Platform (Google LLC) | Infrastructure, hosting, database (Cloud Run, Firestore, Cloud Storage) | USA (us-central1)
Google Vertex AI (Google LLC) | AI content generation, translation, embedding (Gemini) | USA
Firebase Authentication (Google LLC) | User authentication, magic-link delivery | Global
Stripe, Inc. | Payment processing, billing management | USA (PCI-DSS Level 1)
SMTP Provider (Google Workspace) | Invitation and notification email delivery | Global
Google reCAPTCHA / hCaptcha | Bot detection (contact forms) | Global

When we add or change Sub-processors, we will update this page and notify Customer of material changes by email. Customer may object on reasonable grounds within 30 days of notification.

7. International Data Transfers

The Service infrastructure is hosted in the United States (Google Cloud us-central1). For data transfers from the EEA, UK, or Switzerland, we rely on the Standard Contractual Clauses (EU Commission Decision 2021/914) or equivalent legal mechanisms.

For data transfers from Japan, we guarantee that our safeguards are adequate under APPI Article 24.

8. Technical and Organizational Security Measures (Annex C)

8.1 Technical Measures

  • Encryption in transit and at rest (TLS 1.2+, AES-256-GCM)
  • OAuth integration tokens encrypted at rest with AES-256-GCM
  • Multi-factor authentication support (admin accounts)
  • Robust identity management via Firebase Authentication
  • Security headers: Content Security Policy, HSTS (preload), X-Frame-Options, etc.
  • Rate limiting (distributed, Firestore-backed) for DoS mitigation
  • OAuth state nonce for CSRF protection
  • Stripe webhook signature verification
  • Tamper-evident SHA-256 hash-chained audit logs
  • Firestore Point-in-Time Recovery (7 days)
  • Weekly backups (90-day retention)
  • PII masking in access logs

8.2 Organizational Measures

  • Least-privilege access control (IAM roles, deny-by-default Firestore rules)
  • MFA, geo-guard, and audit logging for super-admin actions
  • Re-authentication required within 5 minutes for destructive operations
  • Runbook-based incident response procedures
  • Confidentiality agreements with personnel
  • Regular security reviews (monthly)

9. Data Subject Rights

We provide reasonable assistance to Customer in responding to Data Subject rights requests. The Service includes the following self-service functions:

  • Right of Access / Portability: JSON data export (/my-settings)
  • Right to Erasure: Account deletion (/my-settings)
  • Right to Rectification: Profile editing (/settings)
  • Right to Restrict Processing: Course enrollment cancellation; admin-initiated learner removal

10. Personal Data Breach Notification

Upon becoming aware of a Personal Data Breach, we will notify Customer by email without undue delay (targeting within 72 hours of discovery). The notification will include:

  • Nature of the breach, categories and approximate number of Data Subjects concerned, and approximate number of records affected (as far as possible)
  • Contact point for obtaining further information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

11. Audits

We acknowledge Customer's right to audit under GDPR Article 28(3)(h). Audits will be conducted under the following conditions:

  • Limited to once per year (except in case of a Personal Data Breach)
  • 30 days prior written notice
  • Conducted in a manner that minimizes disruption to normal business operations
  • Auditor bound by confidentiality agreement
  • Customer bears audit costs

Upon obtaining SOC 2 Type II reports or ISO 27001 certification in the future, we may satisfy audit obligations by providing such reports.

12. Data Return and Deletion

Upon termination of the ToS, at Customer's choice (by written request), we will, within 30 days:

  • Export all Personal Data in JSON format and return it to Customer; or
  • Securely delete all Personal Data from our systems and backups

Where retention is required by law (accounting records, tax-related, etc.), we will retain only the necessary data for the minimum required period. For GDPR Article 17 erasure requests, anonymized identifiers may be retained (not re-identifiable).

13. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party is liable only for direct damages arising from its own breach of obligations.

14. Governing Law

This DPA is governed by the Terms of Service. For EEA, UK, or Swiss data transfers, GDPR and SCC provisions prevail. For Japanese Customers, Japanese law and APPI provisions apply.

15. Contact

For questions about this DPA, requests for a signed copy, or data protection inquiries:

BDNet LLC / manabiQ

Legal & Sales: contact-sales@manabiq.com

Data Protection: privacy@manabiq.com

Support: contact@manabiq.com