Data Processing Agreement

Last updated: January 8, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between SymfonyExam ("we," "us," or "Data Processor") and you ("Data Controller" or "User") and governs the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Data Subject: The individual to whom personal data relates
  • Data Controller: The entity that determines the purposes and means of processing personal data
  • Data Processor: The entity that processes personal data on behalf of the Data Controller
  • Sub-processor: Any third party engaged by the Data Processor to process personal data

2. Scope and Purpose of Processing

We process personal data solely for the purpose of:

  • Providing exam preparation services and educational content
  • Managing user accounts and authentication
  • Tracking exam progress and performance
  • Communicating with users about services
  • Improving our platform and services
  • Complying with legal obligations

3. Types of Personal Data

We may process the following categories of personal data:

  • Identity data (name, username)
  • Contact data (email address)
  • Account data (login credentials, preferences)
  • Usage data (exam attempts, scores, progress)
  • Technical data (IP address, browser type, device information)
  • Analytics data (page views, session duration)

4. Data Subject Categories

Personal data relates to the following categories of data subjects:

  • Registered users of the platform
  • Website visitors
  • Newsletter subscribers
  • Community participants

5. Data Processor Obligations

We commit to:

  • Process personal data only on documented instructions from the Data Controller
  • Ensure that persons authorized to process personal data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with prior written authorization
  • Assist the Data Controller in responding to data subject requests
  • Assist the Data Controller in ensuring compliance with data protection obligations
  • Delete or return personal data upon termination of services
  • Make available all information necessary to demonstrate compliance

6. Security Measures

We implement the following security measures:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Logging and monitoring of system access
  • Regular backups and disaster recovery procedures
  • Employee training on data protection
  • Incident response and breach notification procedures

7. Sub-processors

We may engage the following categories of sub-processors:

  • Cloud hosting providers (for infrastructure and data storage)
  • Analytics services (for usage analysis)
  • Email service providers (for communications)
  • Payment processors (for transaction processing)

A current list of sub-processors is available on our Third-Party Copyright Notices page. We will notify you of any changes to sub-processors and provide an opportunity to object.

8. Data Subject Rights

We will assist you in fulfilling data subject requests, including:

  • Right of access to personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making

9. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

  • Nature of the breach and categories of data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for further inquiries

10. International Data Transfers

If personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules
  • Other legally recognized transfer mechanisms

11. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this DPA or as required by law. Upon termination of services, we will delete or return all personal data within 30 days, unless legal obligations require longer retention.

12. Audit Rights

You have the right to audit our compliance with this DPA. We will provide reasonable cooperation and make available all information necessary to demonstrate compliance with data protection obligations.

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Use. We will indemnify you against claims arising from our breach of this DPA, subject to applicable limitations.

14. Term and Termination

This DPA remains in effect for as long as we process personal data on your behalf. Upon termination, we will delete or return all personal data as instructed, except where retention is required by law.

15. Contact Us

For questions about this Data Processing Agreement:
📧 Email: [email protected]
🌐 Website: symfony-exam.com