Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Autotend (operated by Neureaux, Inc.) and the institution ("Controller") for the provision of attendance tracking services.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data.
• "Data Subject" means the individual to whom Personal Data relates (students, instructors).
• "Sub-processor" means any third party engaged by Autotend to process Personal Data.

2. Scope and Roles

The Controller determines the purposes and means of processing Personal Data. Autotend acts as a Processor, processing Personal Data only on behalf of and under the instructions of the Controller.

3. Data Processing Details

Categories of Data Subjects:

• Students enrolled at the institution
• Instructors and administrative staff

Categories of Personal Data:

• Name and email address
• Student/employee identification numbers
• Attendance records and timestamps
• Course enrollment information
• Device identifiers (for mobile app)
• Location data (when GPS verification is enabled)

Purpose of Processing:

• Recording and verifying student attendance
• Generating attendance reports and analytics
• Providing service notifications
• Maintaining service security

4. Processor Obligations

Autotend shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Delete or return all Personal Data upon termination of services
• Make available information necessary to demonstrate compliance
• Allow for and contribute to audits conducted by the Controller

5. Security Measures

Autotend implements the following security measures:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Incident response and breach notification procedures
• Employee security training and background checks
• SOC 2 Type II certified infrastructure

6. Sub-processors

Autotend may engage Sub-processors to assist in providing services. A current list of Sub-processors is available upon request. We will notify the Controller of any intended changes to Sub-processors, allowing the Controller to object.

Current Sub-processors:

• Amazon Web Services (AWS) — Cloud infrastructure (US)
• Vercel — Application hosting (US)
• Stripe — Payment processing (US)
• SendGrid — Email delivery (US)

7. Data Transfers

Personal Data is primarily stored in the United States. For international transfers, Autotend relies on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where required.

8. Data Subject Rights

Autotend will assist the Controller in fulfilling Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Requests should be directed to the Controller (institution) who will coordinate with Autotend as needed.

9. Breach Notification

Autotend will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. Notification will include the nature of the breach, categories of data affected, and measures taken to address it.

10. Duration and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, Autotend will delete all Personal Data within 90 days unless retention is required by law.

11. Contact

For DPA inquiries or to request a signed copy:

• Email: privacy@autotend.io
• Mail: Autotend Privacy Team, 123 Education Way, San Francisco, CA 94105