Data Processing Agreement
Last updated: 5 July 2026
This Data Processing Agreement (“DPA”) applies whenever edu.games processes personal data — including student personal data — on behalf of a school, university, or other institution (“Institution”) in connection with the edu.games platform. It is incorporated into, and forms part of, our Terms of Service. Institutions that require a signed, standalone copy for procurement can request one at legal@edu.games.
1. Roles of the Parties
The Institution is the data controller (or, where it processes data on behalf of a further controller, a processor) and determines the purposes and means of processing personal data of its students, staff, and other users. edu.games is a data processor and processes personal data only on behalf of, and under the instructions of, the Institution.
2. Processing Instructions
edu.games will process personal data only on the Institution’s documented instructions, including with regard to international transfers, unless required to do otherwise by law — in which case edu.games will inform the Institution before processing, unless the law prohibits this.
3. Confidentiality
edu.games ensures that personnel authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security Measures
edu.games implements appropriate technical and organisational measures to protect personal data, summarised in Annex 2 below.
5. Sub-processors
The Institution provides general authorisation for edu.games to engage sub-processors to help operate the platform. Our current sub-processor list is published and kept up to date at edu.games/subprocessors. edu.games imposes data protection obligations on sub-processors that are no less protective than those in this DPA, and remains liable for their performance. Institutions that have requested notice of sub-processor changes may object on reasonable grounds within a reasonable period.
6. Assistance with Data Subject Requests
Taking into account the nature of the processing, edu.games will assist the Institution, insofar as reasonably possible, in responding to requests from data subjects (including students and parents/guardians where applicable) exercising their rights under the GDPR or equivalent laws.
7. Personal Data Breach Notification
edu.games will notify the Institution without undue delay after becoming aware of a personal data breach affecting the Institution’s data, and will provide information reasonably required to allow the Institution to meet its own notification obligations.
8. Data Protection Impact Assessments
edu.games will provide reasonable assistance to the Institution with data protection impact assessments and prior consultations with supervisory authorities, where required.
9. Audits
edu.games will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for, and contribute to, audits or inspections conducted by the Institution or an auditor mandated by the Institution, subject to reasonable notice, confidentiality, and no more than once per year absent a legitimate concern.
10. International Transfers
edu.games is based in Australia. Where personal data is transferred from the EEA, UK, or Switzerland to Australia or another country without an applicable adequacy decision, the transfer is governed by the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Processor, as applicable) and, for transfers from the UK, the UK International Data Transfer Addendum, each deemed incorporated into this DPA as Annex 3.
11. Deletion or Return of Data
At the end of the provision of services, edu.games will, at the Institution’s choice, delete or return all personal data processed on its behalf, except where retention is required by law.
12. Liability & Term
Liability under this DPA is governed by the limitation of liability provisions in our Terms of Service. This DPA remains in effect for as long as edu.games processes personal data on the Institution’s behalf.
Annex 1 — Details of Processing
Subject matter: provision of the edu.games learning-games platform, including the marketplace, teacher and student portals, and the xAPI Learning Record Store.
Duration: for the term of the Institution’s agreement with edu.games.
Nature and purpose: hosting accounts, delivering games, recording and reporting learning activity, and providing related support.
Categories of data: account and profile data; learning-record (xAPI) data including scores, completion, and activity timestamps; technical and diagnostic data.
Categories of data subjects: students (including minors), teachers, and other institution staff.
Annex 2 — Technical & Organisational Measures
Summarised in our Privacy Policy §10 (Security). A detailed technical and organisational measures document is available on request from legal@edu.games.
Annex 3 — Sub-processors & Transfer Mechanisms
See edu.games/subprocessors for the current list of sub-processors, their function, and applicable international transfer safeguards.
Contact & Requesting a Signed Copy
To request a countersigned copy of this DPA, ask questions, or exercise audit rights under Section 9, contact legal@edu.games.