Data Processing Agreement
AINA | TA — Educational Platform
Parties
This Data Processing Agreement ("Agreement") is entered into between:
Data Controller
The educational institution or individual teacher ("Controller") accessing AINA | TA through the platform or any associated domain.
Data Processor
The operator of AINA | TA ("Processor"), acting on behalf of the Controller to process personal data as described in this Agreement.
This Agreement forms part of the Terms of Service and is incorporated by reference. It governs all processing of personal data carried out by the Processor on behalf of the Controller in connection with the AINA | TA platform.
1. Definitions
| Term | Definition |
|---|---|
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 |
| EU AI Act | Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 |
| LOMLOE | Ley Orgánica 3/2020 de 29 de diciembre, which amends the Spanish Organic Law on Education |
| Personal Data | Any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR |
| Processing | Any operation performed on personal data, as defined in Article 4(2) GDPR |
| Special Category Data | Personal data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data, as defined in Article 9 GDPR |
| EEA | European Economic Area, comprising the EU Member States plus Iceland, Liechtenstein, and Norway |
| Catalan Public Cloud | Núvol Públic de Catalunya, the sovereign cloud infrastructure operated under the authority of the Generalitat de Catalunya |
| Sub-processor | Any third party engaged by the Processor to carry out processing activities on behalf of the Controller |
| Aina | The AI assistant integrated into AINA \| TA, powered by large language models and the BSC Salamandra framework |
2. Subject Matter and Duration
The Processor provides an AI-powered educational platform ("AINA | TA") that enables teachers to conduct AI-assisted chat sessions, generate teaching materials and lesson plans, administer practice assessments aligned with LOMLOE competency frameworks, receive AI-generated student progress assessments, and manage class groups.
This Agreement remains in force for as long as the Processor processes personal data on behalf of the Controller. Upon termination, the Processor shall delete or return all personal data within 30 days, unless applicable law requires longer retention.
3. Nature and Purpose of Processing
All processing is carried out exclusively for the following purposes: providing core educational platform functionality; generating AI-assisted educational content and recommendations; maintaining audit trails of AI decisions to satisfy EU AI Act and GDPR obligations; detecting and logging AI bias incidents; enabling teacher oversight and override of AI decisions; providing data export and deletion capabilities; and complying with applicable legal obligations.
4. Categories of Data Subjects and Personal Data
Important: AINA | TA does not directly collect personal data from students. Student data is entered by teachers using pseudonymous identifiers. The platform does not collect student names, dates of birth, or other directly identifying information.
| Category | Examples | Legal Basis |
|---|---|---|
| Account data | Name, email address, OAuth identifier | Art. 6(1)(b) GDPR — performance of contract |
| Usage data | Login timestamps, page views, feature interactions | Art. 6(1)(f) GDPR — legitimate interests |
| Educational content | Lesson plans, teaching materials, school calendars | Art. 6(1)(b) GDPR — performance of contract |
| Practice session data | Question responses, scores, timestamps (pseudonymous IDs only) | Art. 6(1)(b) GDPR — performance of contract |
| AI interaction data | Chat messages sent to Aina, AI-generated responses | Art. 6(1)(b) GDPR — performance of contract |
| AI assessment records | Competency scores, AI summaries, teacher overrides | Art. 6(1)(b) GDPR — performance of contract |
| Bias incident logs | Truncated input/output text (max 200 chars), severity, resolution status | Art. 6(1)(c) GDPR — legal obligation (EU AI Act Art. 12) |
| Audit trail records | Event type, timestamp, user ID, action summary | Art. 6(1)(c) GDPR — legal obligation (EU AI Act Art. 12) |
5. Obligations of the Processor
5.1 Instruction Compliance
Process personal data only on documented instructions from the Controller, unless required by applicable law. The Processor shall immediately inform the Controller if an instruction infringes GDPR.
5.2 Confidentiality
Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security Measures
Implement and maintain appropriate technical and organisational measures including: TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access control, OAuth 2.0 authentication, PII minimisation (bias logs truncated to 200 characters), pseudonymisation of student data, and comprehensive audit logging.
5.4 Sub-processor Management
Not engage a new sub-processor without prior written authorisation from the Controller. The same data protection obligations shall be imposed on all sub-processors by contract.
5.5 Data Subject Rights
Assist the Controller in fulfilling GDPR rights (Articles 15–22). The platform provides: data export (Privacy Dashboard), right to erasure (Delete All My Data), data portability (JSON format), and the right to object to automated decision-making (teachers can override any AI decision).
5.6 Data Breach Notification
Notify the Controller within 72 hours of becoming aware of a personal data breach, providing sufficient information to allow the Controller to meet its own notification obligations under Article 33 GDPR.
5.7 Deletion and Return
At the choice of the Controller, delete or return all personal data upon termination of the service, and delete existing copies unless applicable law requires storage.
5.8 Audit Cooperation
Make available all information necessary to demonstrate compliance with Article 28 GDPR, and allow for audits and inspections conducted by the Controller or an auditor mandated by the Controller.
6. Data Retention Schedule
| Data Category | Retention Period | Deletion Mechanism |
|---|---|---|
| Practice session records | Rolling cap of 200 most recent sessions per user | Automated nightly purge (cron job) |
| AI chat messages | 90 days from last activity | Automated nightly purge |
| Aina behavioural profile | Reset after 90 days of inactivity | Automated nightly purge |
| Bias incident logs (resolved) | 30 days after resolution | Automated nightly purge |
| Read notifications | 30 days after reading | Automated nightly purge |
| Audit log records | 24 months from creation | Automated nightly purge (03:30 UTC) |
| AI assessment records | Retained until user deletion request | User-initiated via Privacy Dashboard |
| Learning path records | Retained until user deletion request | User-initiated via Privacy Dashboard |
| Grade override audit trail | Minimum 5 years (legal obligation) | Manual deletion by administrator only |
| Account data | Retained until account deletion | User-initiated via Privacy Dashboard |
7. International Data Transfers
All personal data processed by AINA | TA is stored and processed exclusively within the European Economic Area (EEA). Primary infrastructure runs on the Manus Platform (EEA data centres). Where technically feasible, data is hosted on the Núvol Públic de Catalunya (Catalan Public Cloud), in accordance with Catalan data sovereignty principles.
The Processor commits to prioritising EEA-sovereign hosting providers and to migrating to the Catalan Public Cloud infrastructure as it becomes available for production educational workloads.
8. Sub-processors
| Sub-processor | Role | Location | Transfer Safeguard |
|---|---|---|---|
| Manus Platform | Infrastructure hosting, OAuth authentication, database services | EEA | EEA-based processing |
| Hugging Face | Neural machine translation for question bank localisation | EEA (EU data centres) | EEA-based; no personal data transmitted |
| BSC (Barcelona Supercomputing Center) | Salamandra LLM framework; model weights | Spain (EEA) | EEA-based processing |
| ip-api.com | IP geolocation for Catalan dialect detection | EEA | Only IP address transmitted; not linked to user accounts |
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
9. EU AI Act Compliance
AINA | TA is classified as a high-risk AI system under Annex III of the EU AI Act (educational and vocational training AI systems). The following measures are implemented:
Art. 9 — Risk Management
A risk management system is maintained throughout the AI system lifecycle. Known risks and mitigations are documented in the EU AI Act Technical File.
Art. 10 — Data Governance
Only curriculum-aligned question banks and teacher-provided content are used for AI operations. No student demographic data is used in AI model inputs.
Art. 11 — Technical Documentation
Full technical documentation covers system architecture, AI model descriptions, training data provenance, and performance metrics.
Art. 13 — Transparency
Plain-language descriptions of all AI decision-making processes are available from the Audit Dashboard under the Algorithm Description tab.
Art. 14 — Human Oversight
All AI-generated grades, assessments, and learning path recommendations can be reviewed and overridden by teachers. No AI decision is final.
Art. 12 — Logging
Automatic logging of AI decisions, human overrides, and bias incidents. Logs are accessible to administrators and retained for a minimum of 5 years for grade override records.
10. Obligations of the Controller
- Ensure a lawful basis for processing personal data before instructing the Processor.
- Ensure that data subjects have been provided with the information required by Articles 13 and 14 GDPR.
- Ensure that student data uses pseudonymous identifiers and does not include unnecessary personal information.
- Not instruct the Processor to process special category data unless a specific legal basis under Article 9 GDPR applies.
- Promptly notify the Processor of any data subject requests received directly by the Controller.
- Ensure that any person accessing the platform is bound by appropriate confidentiality obligations.
11. Liability and Indemnification
Each party shall be liable for damages caused by processing that infringes GDPR in accordance with Article 82 GDPR. Where both parties are responsible for damage, each party shall be held liable for the entire damage to ensure effective compensation of the data subject. A party shall be exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage.
12. Governing Law and Jurisdiction
This Agreement is governed by the laws of Spain and, where applicable, the laws of the Autonomous Community of Catalonia. Any disputes shall be subject to the exclusive jurisdiction of the courts of Barcelona, Spain, without prejudice to the right of data subjects to bring claims before their national supervisory authority.
Applicable supervisory authorities: APDCAT (Catalonia) and AEPD (Spain).
13. Amendments
This Agreement may be amended by the Processor with 30 days' written notice to the Controller. Continued use of the platform after the notice period constitutes acceptance of the amended Agreement.
14. Contact Information
Data Protection Contact
AINA | TA — Data Protection
[email protected] (placeholder — to be updated by the Controller)
Appendix A: Technical and Organisational Security Measures
A.1 Pseudonymisation and Encryption: All database contents are encrypted at rest (AES-256). Data in transit is protected by TLS 1.2+. Student data is processed using teacher-assigned pseudonymous identifiers that cannot be linked to real identities without information held separately by the Controller.
A.2 Confidentiality, Integrity, Availability, and Resilience: The platform is hosted on managed infrastructure with automated backups, health monitoring, and failover capabilities. Access to production systems is restricted to authorised personnel only.
A.3 Restore Availability and Access: Regular automated backups ensure that personal data can be restored in the event of a physical or technical incident.
A.4 Regular Testing and Evaluation: Security measures are reviewed at least annually. Automated TypeScript type-checking and unit testing (Vitest) are run on every code change. Bias detection is tested with adversarial prompts as part of the development process.
A.5 User Authentication and Access Control: OAuth 2.0 authentication prevents unauthorised access. Role-based access control (RBAC) restricts admin-only functions. Session tokens expire and are invalidated on logout. All sensitive procedures require authentication.
Appendix B: Data Flow Diagram (Narrative)
- Teacher logs in via OAuth 2.0 (Manus identity provider). No password is stored by the Processor.
- Teacher creates content (lesson plans, calendars, materials). Content is stored in the EEA-hosted database.
- Teacher initiates AI interaction (chat with Aina, material generation, assessment). The request is sent to the server, which calls the LLM inference endpoint. No personal data is included in the LLM prompt beyond what the teacher explicitly provides.
- AI response is generated and passed through the bias detection module before being returned to the teacher.
- Practice session data is recorded with pseudonymous student IDs. No student names or identifying information are stored.
- AI assessments and learning paths are generated from aggregated practice scores and stored with the teacher's user ID and a pseudonymous student ID.
- Audit events are logged automatically for all AI decisions, overrides, and bias incidents.
- Nightly retention purge automatically deletes data that has exceeded its retention period.
- Data export/deletion is available to the teacher at any time from the Privacy Dashboard.
This document was prepared in accordance with Article 28(3) GDPR and reflects the data processing practices of AINA | TA as of 8 April 2026. It should be reviewed annually or whenever significant changes are made to the platform's data processing activities.