Data Processing Agreement
Last updated: March 8, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between STEMConnects ("Data Processor" or "we") and the user ("Data Controller" or "you"). This DPA applies where we process personal data on your behalf in connection with providing our tutoring platform services.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable individual, as defined under GDPR Article 4(1).
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Data Subject: The individual whose personal data is processed (students, tutors, parents/guardians).
- Sub-processor: A third-party service provider engaged by STEMConnects that processes personal data.
3. Scope of Processing
STEMConnects processes personal data solely for the purpose of providing and improving our tutoring platform services. The categories of data processed include:
| Data Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, email, avatar | Account management, communication |
| Education Data | Grade, school, learning goals, session history | Tutor matching, learning support |
| Financial Data | Transaction records, payout history | Payment processing, compliance |
| Technical Data | IP address, device info, login events | Security, fraud prevention |
| Communications | Messages, session materials | In-app messaging, tutoring delivery |
4. Obligations of STEMConnects
As a data processor, STEMConnects shall:
- Process personal data only on documented instructions from the data controller, unless required by law.
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures, including encryption, access controls, MFA, rate limiting, and audit logging.
- Not engage sub-processors without giving prior notification and ensuring equivalent data protection obligations.
- Assist the data controller in responding to data subject rights requests (access, rectification, erasure, portability).
- Delete or return all personal data upon termination of services, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow for audits.
5. Sub-processors
STEMConnects uses the following sub-processors to deliver our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| Stripe | Payment processing, tutor payouts | United States |
| Zoom | Video conferencing for tutoring sessions | United States |
| Resend | Transactional email delivery | United States |
| Vercel | Application hosting and deployment | United States |
We will notify users of any changes to sub-processors via email or platform notice at least 30 days before engaging a new sub-processor.
6. Data Security Measures
STEMConnects implements the following security measures to protect personal data:
- Encryption: TLS encryption for all data in transit.
- Authentication: Multi-factor authentication (TOTP MFA) available for all users.
- Access Control: Role-based access control following the principle of least privilege.
- Monitoring: Comprehensive audit logging of security-relevant events.
- Rate Limiting: Protection against brute-force attacks and abuse.
- Account Lockout: Automatic lockout after repeated failed login attempts.
- Session Management: Secure session handling with device tracking and remote sign-out.
7. Data Breach Notification
In the event of a personal data breach, STEMConnects will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, approximate number of individuals impacted, likely consequences, and measures taken to address the breach.
8. International Data Transfers
STEMConnects and its sub-processors are primarily based in the United States. For users in the European Economic Area (EEA) or other regions with data transfer restrictions, we rely on Standard Contractual Clauses (SCCs) and ensure that sub-processors maintain adequate data protection safeguards.
9. Data Retention and Deletion
Personal data is retained for as long as the user's account is active. Upon account deletion, personal data is anonymized or deleted. Anonymized transaction records may be retained for up to 7 years for financial and legal compliance. Audit logs are retained for up to 2 years for security purposes. For details, see our Privacy Policy.
10. Data Subject Rights
STEMConnects provides tools for users to exercise their data rights directly:
- Access & Portability: Users can export all their data via the "Download My Data" feature in Account Settings.
- Rectification: Users can update their personal information through their profile settings.
- Erasure: Users can delete their account through Account Settings, which anonymizes personal data and deletes messages, files, and login records.
- Restriction: Users can contact us to restrict processing of their data.
11. Contact
For questions about this Data Processing Agreement or to request a signed copy, contact:
- Email: privacy@stemconnects.com
- Mail: STEMConnects, San Francisco, CA