Data Protection FAQ for Schools

This page answers common questions from schools, school authorities, IT administrators, and data protection officers regarding the use of our platform in educational environments. If you need additional information, please contact us at [email protected].

Where is the platform hosted?

Our platform is hosted on infrastructure located within the European Union.

We use cloud infrastructure providers with EU-based data centers, including:

  • Hetzner (Germany – Nürnberg)

  • Scaleway (France – Paris)

These providers operate under European data protection law (GDPR).


Where is user data stored?

Application data is stored in databases located in Frankfurt, Germany, including:

  • MongoDB – primary database

  • Redis – in-memory database for caching and session management

This ensures that core application data is processed within the EU.


What personal data is processed?

Depending on how the platform is used, the following types of data may be processed:

Account data

  • name

  • email address

  • user identifiers

Learning data

  • educational content created by users

  • answers and submissions

Technical data

  • IP addresses

  • authentication logs

  • session data

We follow the principle of data minimization and process only the data necessary to operate the service.


Does the platform comply with GDPR?

Yes.

The platform is designed to comply with the General Data Protection Regulation (GDPR / DSGVO) and follows principles such as:

  • data minimization

  • privacy by design

  • privacy by default

Technical and organizational measures are implemented in accordance with Art. 32 GDPR.


Is a Data Processing Agreement (AAV) available?

Yes.

Schools and organizations can sign a Data Processing Agreement (Auftragsverarbeitungsvertrag – AAV) in accordance with Art. 28 GDPR.

The agreement is currently available in German only and can be found here.

If you require a signed version, please contact us.


Which subprocessors are used?

To operate the platform, we use selected service providers (subprocessors), including:

  • Hetzner – infrastructure hosting

  • Scaleway – infrastructure hosting

  • MongoDB – database services

  • Redis – caching database

  • Brevo – transactional email delivery

  • Cloudflare – DNS and content delivery network

  • FastSpring – payment processing (Merchant of Record)

  • Termly – cookie consent management

  • heyData – data protection management

All subprocessors are bound by data processing agreements and must comply with GDPR requirements.

A detailed list is available on the Subprocessors page.


Are data transfers outside the EU possible?

Whenever possible, data is processed within the European Union or the European Economic Area (EEA).

If a provider processes data outside the EEA (for example, certain global infrastructure services), appropriate safeguards such as Standard Contractual Clauses (SCCs) are used.


How is data protected?

We implement extensive technical and organizational measures (TOMs) to protect personal data.

Examples include:

  • encrypted connections (HTTPS / TLS)

  • strict access controls and authentication systems

  • role-based user permissions

  • logging and monitoring of system activity

  • separation of production and testing environments

  • regular backups and recovery procedures

Detailed information is available on our Technical and Organizational Measures (TOMs) page.


Who can access the data?

Access to personal data is strictly limited.

Only authorized personnel may access data, and only when necessary for:

  • technical support

  • system maintenance

  • security monitoring

Administrative access is restricted and logged.


Is the platform suitable for use in schools?

Yes.

The platform is designed with educational environments in mind and supports schools in meeting their data protection requirements under GDPR.

We provide documentation commonly required by school IT departments and data protection officers, including:

  • Data Processing Agreement (AAV)

  • Technical and Organizational Measures (TOMs)

  • Subprocessor list

  • Hosting and infrastructure information


Who can I contact regarding data protection?

If you have questions regarding data protection or require additional documentation, please contact:

[email protected]

Our external Data Protection Officer is:

heyData GmbH

Schützenstraße 5

10117 Berlin

https://www.heydata.eu

[email protected]