Data Processing Agreement (DPA)

Effective Date: March 7, 2026

This Data Processing Agreement ("DPA") is entered into between TerryTrilla LLC ("Processor") and the Customer using TerryTrilla's services in a business or organizational capacity ("Controller"), and forms part of the Terms of Service.


1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under GDPR Art. 4(1)
  • "Processing" has the meaning given in GDPR Art. 4(2)
  • "Data Subject" means the individual to whom Personal Data relates (e.g., the Controller's employees or students)
  • "Sub-processor" means any third party engaged by TerryTrilla to process Personal Data on behalf of the Controller
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament

2. Scope and Nature of Processing

2.1 Subject Matter

TerryTrilla processes Personal Data on behalf of the Controller solely for the purpose of providing the educational SaaS platform services described in the Terms of Service.

2.2 Categories of Data Subjects

  • Employees, staff, or agents of the Controller
  • Students or learners enrolled by the Controller

2.3 Categories of Personal Data

  • Names and email addresses
  • Learning progress and course completion data
  • Usage analytics and access logs
  • Payment information (processed by sub-processors)

3. Obligations of TerryTrilla (Processor)

TerryTrilla agrees to:

  • Process Personal Data only on documented instructions from the Controller, including for cross-border transfers
  • Ensure that authorized personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (Art. 32 GDPR)
  • Not engage new Sub-processors without prior written consent or general authorization from the Controller
  • Assist the Controller in fulfilling Data Subject rights requests (access, deletion, portability, etc.)
  • Assist the Controller in conducting Data Protection Impact Assessments (DPIAs) where applicable
  • Delete or return all Personal Data upon termination of services, at the Controller's choice
  • Make available all information necessary to demonstrate compliance and cooperate with audits, subject to the following conditions: audits may be conducted no more than once per calendar year, require a minimum of 30 days prior written notice, must be conducted during normal business hours, and are subject to reasonable confidentiality obligations

4. Sub-Processors

TerryTrilla maintains a list of authorized Sub-processors, available upon request at [email protected]. Current Sub-processors include:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Amazon Web Services | Cloud hosting | United States / EU |

TerryTrilla will notify the Controller of any intended changes to Sub-processors and provide an opportunity to object.


5. International Data Transfers

Where Personal Data is transferred outside the EU/EEA, TerryTrilla ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) pursuant to EU Commission Decision 2021/914
  • Sub-processor agreements incorporating equivalent transfer mechanisms

6. Security Measures

TerryTrilla implements the following technical and organizational measures (Art. 32 GDPR):

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions and multi-factor authentication
  • Regular security assessments and vulnerability testing
  • Incident response procedures and breach notification protocols
  • Employee training on data protection and security

7. Data Breach Notification

In the event of a Personal Data breach, TerryTrilla will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include:

  • Nature of the breach and categories/volume of data affected
  • Contact details of the Data Protection contact
  • Likely consequences and measures taken to address the breach

8. Controller's Obligations

The Controller represents and warrants that:

  • It has a valid legal basis for providing Personal Data to TerryTrilla
  • It has provided all required notices to Data Subjects
  • Its instructions to TerryTrilla comply with applicable data protection law

9. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, TerryTrilla will delete or return all Personal Data within 30 days, unless retention is required by law.


10. Governing Law

This DPA is governed by the laws of the State of Wyoming, United States, with GDPR compliance obligations governed by EU law to the extent applicable.


11. Contact and Execution

To execute this DPA or for questions:

  • Email: [email protected]
  • Mail: TerryTrilla LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, USA

Business customers may request a signed DPA for their records.


Annex I — Description of Processing Activities

A. List of Parties

|  | Controller | Processor |
|---|---|---|
| Name | As identified in the Controller's account | TerryTrilla LLC |
| Address | As provided at registration | 30 N Gould St, Ste R, Sheridan, WY 82801, USA |
| Contact | As provided at registration | [email protected] |
| Role | Controller | Processor |

B. Description of Transfer / Processing

Subject matter of processing:

Provision of educational SaaS platform services, including course delivery, user account management, learning progress tracking, and payment processing.

Duration of processing:

For the term of the service agreement plus any retention period required by applicable law.

Nature and purpose of processing:

  • Hosting and managing user accounts
  • Delivering course content and tracking learning progress
  • Processing payments via sub-processors
  • Providing customer support
  • Generating usage analytics for platform improvement

Categories of Personal Data:

| Category | Examples |
|---|---|
| Identity data | Full name, username |
| Contact data | Email address |
| Account data | Password hash, account settings |
| Learning data | Course progress, completion records, assessment results |
| Payment data | Billing name, address (card details held by sub-processor) |
| Technical data | IP address, browser type, device identifiers, session logs |

Categories of Data Subjects:

  • Employees, contractors, or agents of the Controller
  • Students, learners, or end users enrolled by the Controller

Annex II — Technical and Organizational Security Measures

TerryTrilla LLC implements the following measures pursuant to Article 32 GDPR:

1. Data Encryption

| Measure | Detail |
|---|---|
| Encryption in transit | TLS 1.2 or higher for all data transmission |
| Encryption at rest | AES-256 encryption for stored personal data and backups |
| Key management | Encryption keys rotated regularly; stored separately from data |

2. Access Controls

| Measure | Detail |
|---|---|
| Authentication | Password policy enforced; multi-factor authentication available |
| Role-based access | Access to personal data limited to authorized personnel by role |
| Least privilege | Staff access granted on need-to-know basis only |
| Access logging | All access to production systems logged and monitored |

3. Infrastructure and Operations

| Measure | Detail |
|---|---|
| Cloud hosting | Data hosted on ISO 27001-certified infrastructure (AWS) |
| Backups | Automated daily backups with tested restoration procedures |
| Availability | Redundant infrastructure to minimize service interruptions |
| Patch management | Security patches applied on a regular schedule |

4. Incident Response

| Measure | Detail |
|---|---|
| Detection | Automated alerting for anomalous access patterns |
| Response plan | Documented incident response and breach notification procedures |
| Notification | Controller notified within 72 hours of confirmed breach per Art. 33 GDPR |

5. Personnel

| Measure | Detail |
|---|---|
| Confidentiality | All staff with data access bound by confidentiality obligations |
| Training | Staff receive data protection awareness training |
| Background checks | Conducted for personnel with access to production systems |

6. Vendor Management

| Measure | Detail |
|---|---|
| Sub-processor agreements | All sub-processors subject to DPA with equivalent obligations |
| Due diligence | Sub-processors assessed for security compliance before engagement |

© 2026 TerryTrilla LLC. All rights reserved.