Tutorbase

Data Processing Addendum

Last updated: May 2026

1

Preamble

This Data Processing Addendum ("DPA") supplements the Tutorbase Terms of Service (the "Agreement") between Tutorbase Ltd. ("Tutorbase," "we," "our," or "us") and the Customer that has accepted the Agreement ("Customer," "you," or "your"). It applies where Customer processes personal data through the Service that is subject to the EU General Data Protection Regulation, the UK General Data Protection Regulation, the Hong Kong Personal Data (Privacy) Ordinance, or comparable data protection law (together, "Data Protection Law").

Where there is any conflict between this DPA and the Agreement on the subject of personal data processing, this DPA prevails. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.

2

Definitions

  • Customer Personal Data: Personal data contained in Customer Data, processed by Tutorbase on Customer's behalf as part of providing the Service.
  • Data Subject: The identified or identifiable natural person to whom Customer Personal Data relates, such as a student, parent, payer, teacher, or staff member of Customer.
  • Processing: Has the meaning given in applicable Data Protection Law and includes collection, recording, organization, storage, alteration, retrieval, use, disclosure, erasure, and destruction.
  • Sub-processor: A third party engaged by Tutorbase to process Customer Personal Data on Tutorbase's behalf.
  • Standard Contractual Clauses or SCCs: The EU Standard Contractual Clauses approved by the European Commission in Decision 2021/914 of 4 June 2021, Module Two (controller-to-processor).
  • UK IDTA: The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.

3

Roles and Scope

With respect to Customer Personal Data, Customer is the controller and Tutorbase is the processor. This DPA governs Tutorbase's processing of Customer Personal Data for the duration of the Agreement and for any post-termination processing permitted by Section 11.

The categories of Data Subjects, types of personal data, processing purposes, and processing duration are described in Annex A.

4

Processing Instructions

Tutorbase processes Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do otherwise by law applicable to Tutorbase. The Agreement, this DPA, and Customer's use of the Service constitute Customer's documented instructions.

If Tutorbase becomes aware that an instruction infringes applicable Data Protection Law, Tutorbase will inform Customer without undue delay and may pause processing pending resolution.

5

Personnel and Confidentiality

Tutorbase ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on data protection requirements relevant to their role.

6

Security

Tutorbase implements appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. The current measures are described in Annex B. Tutorbase may update these measures over time, provided that any update does not materially reduce the overall level of protection provided.

Tutorbase preferentially uses Sub-processors that have an independent attestation of their security controls (such as SOC 2 Type II or ISO 27001) for hosting, authentication, payments, and observability services.

7

Sub-Processors

Customer authorizes Tutorbase to engage the Sub-processors listed at tutorbase.com/sub-processors for the processing of Customer Personal Data, and to engage additional Sub-processors subject to the notice procedure below.

Tutorbase will give Customer at least 30 days' advance notice of the engagement of a new Sub-processor that processes Customer Personal Data, where reasonably practicable, by updating the public Sub-Processors page and, for subscribed Customers, by email. Customer may object on reasonable data-protection grounds within that notice period; if the parties cannot resolve the objection, Customer may terminate the Service on written notice (without refund of pre-paid fees beyond the pro-rated unused portion).

Tutorbase enters into a written agreement with each Sub-processor that imposes obligations no less protective than those in this DPA and that are necessary to enable Tutorbase to comply with the Agreement and this DPA. Tutorbase remains liable to Customer for the performance of each Sub-processor.

8

Data Subject Requests

Taking into account the nature of the processing, Tutorbase will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law.

If a Data Subject contacts Tutorbase directly with a request concerning Customer Personal Data, Tutorbase will, without undue delay, refer the Data Subject to Customer and notify Customer.

9

International Transfers

Where Tutorbase transfers Customer Personal Data subject to EU/EEA Data Protection Law to a country that does not have an adequacy decision from the European Commission, the EU Standard Contractual Clauses (Module Two) are incorporated by reference into this DPA, with Customer as data exporter and Tutorbase (or the relevant Sub-processor) as data importer. Where docking is required for Sub-processor onward transfers, Module Three applies.

Where Customer Personal Data is subject to UK Data Protection Law, the UK International Data Transfer Addendum is incorporated by reference and supplements the SCCs as applicable.

Where Customer Personal Data is subject to the Hong Kong Personal Data (Privacy) Ordinance, Tutorbase will comply with its cross-border obligations and will, where required, take reasonable steps to ensure that the data is protected by measures comparable to those in the Ordinance.

10

Personal Data Breach Notification

Tutorbase will notify Customer without undue delay (and in any event within 72 hours where reasonably practicable) after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include such information as is then known to Tutorbase that Customer reasonably requires to fulfil any breach-notification obligations Customer has under Data Protection Law.

Tutorbase will provide reasonable assistance to Customer in investigating and mitigating the Personal Data Breach.

11

Return and Deletion of Customer Personal Data

At the end of the Agreement, Customer may export Customer Personal Data through the Service for a period of 30 days following termination. After this period, Tutorbase will delete or anonymize Customer Personal Data within a commercially reasonable timeframe, except where Tutorbase is required by law to retain some or all of it (in which case Tutorbase will continue to protect that data in accordance with this DPA for the duration of the retention).

Backups are retained for up to 30 days from creation and are overwritten in the ordinary course of business.

12

Audits

Tutorbase makes available to Customer information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR (and equivalent provisions of other applicable Data Protection Law). Tutorbase will satisfy this obligation primarily by providing relevant policies, security overviews, and Sub-processor attestation reports.

Where Customer reasonably believes such information is insufficient, the parties will discuss in good faith a proportionate, on-request audit conducted by Customer or a qualified, independent auditor bound by appropriate confidentiality obligations, at Customer's expense and with at least 30 days' written notice, no more than once per calendar year, and conducted in a manner that does not interfere with Tutorbase's business operations.

13

Liability

The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits a party's liability to a Data Subject under the SCCs or under mandatory applicable law.

14

Annex A — Processing Details

Subject matter

Provision of the Tutorbase Service to Customer, comprising scheduling, CRM, billing, invoicing, payroll, lead capture, reporting, and related operational features for tutoring businesses.

Duration

For the term of the Agreement, plus any post-termination period permitted by Section 11.

Nature and purpose of processing

Hosting, storing, organizing, displaying, retrieving, transmitting, and otherwise processing Customer Personal Data in the course of providing the Service in accordance with Customer's instructions.

Categories of Data Subjects

  • Customer's employees, contractors, and other authorized users of the Service
  • Students of Customer (including minors where Customer has obtained necessary consents)
  • Parents, guardians, and payers associated with Customer's students
  • Leads, prospective students, and other contacts entered by Customer

Categories of personal data

  • Identification and contact data (name, email, phone, address)
  • Account and role data (sign-in identifiers, user role, permissions)
  • Lesson and scheduling data (attendance, lesson notes, subject, teacher and room assignments)
  • Billing and payment data (invoices, balances, payment method metadata; full payment card data is not stored by Tutorbase)
  • Communication records (in-product messages, email communications generated through the Service)

Special categories

Tutorbase does not intend or design the Service to process special categories of personal data. Customer must not enter special categories of personal data into the Service unless expressly agreed in writing in advance.

15

Annex B — Security Measures

Tutorbase implements the following technical and organizational measures, in proportion to the risk of processing:

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest for primary database storage
  • Logical tenant isolation between Customers, enforced at the application and database layers
  • Role-based access control and the principle of least privilege for personnel access to production systems
  • Multi-factor authentication required for personnel access to production systems
  • Centralized logging and monitoring of administrative access
  • Defined incident response procedures with documented notification timelines
  • Regular backups with bounded retention windows
  • Vendor selection that prefers Sub-processors with SOC 2 Type II or ISO 27001 attestation

16

Acceptance

This DPA forms part of the Agreement and is accepted by Customer when Customer accepts the Agreement (whether by clickthrough, signature, or by use of the Service).

For Customers that require a signed copy of this DPA on their paper, or that require execution of additional standard contractual clauses, please contact legal@tutorbase.com.