This Data Processing Agreement ("DPA") forms part of and is incorporated into the LearnForge Terms of Service between you and DLT Holdings LLC. It applies where DLT Holdings processes personal data on your behalf in connection with the LearnForge service ("Service") and where such processing is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the UK General Data Protection Regulation ("UK GDPR").
In the event of a conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to the processing of personal data.
2.1 The Controller determines the purposes and means of processing Personal Data in connection with the use of LearnForge on its Moodle-based Learning Management System ("LMS").
2.2 DLT Holdings acts as a Processor with respect to the limited Personal Data it processes in order to deliver the Service. DLT Holdings does not process learner content or learner activity data — that data remains on the Controller's LMS and is not transmitted to DLT Holdings.
2.3 The Personal Data processed by DLT Holdings under this DPA is limited to:
| Category | Data Elements | Purpose |
|---|---|---|
| Subscription account data | LMS URL, billing email address | Subscription management, license provisioning |
| Usage data | Spark consumption logs, generation timestamps | Service operation, billing, abuse prevention |
| Support communications | Name, email, message content | Customer support |
2.4 DLT Holdings does not process special categories of personal data as defined under Article 9 GDPR.
DLT Holdings agrees to:
3.1 Instructions. Process Personal Data only on documented instructions from the Controller, as set out in the Terms of Service and this DPA, unless required to do otherwise by applicable law. DLT Holdings will notify the Controller if it believes an instruction infringes applicable data protection law.
3.2 Confidentiality. Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
3.3 Security. Implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration, including TLS encryption in transit and access controls on stored data.
3.4 Sub-processors. Not engage a new Sub-processor without giving the Controller prior written notice of at least 30 days, providing an opportunity to object. Current Sub-processors are listed in Section 6. DLT Holdings remains liable for the acts and omissions of its Sub-processors to the same extent as if DLT Holdings had performed the processing itself.
3.5 Data Subject Rights. Assist the Controller in responding to Data Subject requests to exercise rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection) to the extent technically feasible given the data DLT Holdings holds.
3.6 Data Breach Notification. Notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting data processed under this DPA. Notification will include the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.
3.7 DPIAs. Provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments and prior consultations with Supervisory Authorities where required under Article 35–36 GDPR.
3.8 Deletion or Return. Upon termination of the Terms of Service, delete or return all Personal Data processed under this DPA within 30 days, except where retention is required by applicable law. Confirm deletion in writing upon request.
3.9 Audits. Make available to the Controller, upon reasonable written request (no more than once per year), information reasonably necessary to demonstrate compliance with this DPA. DLT Holdings may satisfy this obligation through provision of a written compliance summary in lieu of an on-site audit, given the scale of operations.
The Controller agrees to:
4.1 Ensure it has a lawful basis for providing Personal Data to DLT Holdings for processing under this DPA.
4.2 Ensure it has provided all required notices to, and obtained all required consents from, Data Subjects whose Personal Data is processed under this DPA.
4.3 Notify DLT Holdings promptly of any Data Subject request or regulatory inquiry it receives that relates to data processed by DLT Holdings.
5.1 Personal Data processed under this DPA is stored and processed in the United States. Where the Controller is located in the European Economic Area (EEA) or United Kingdom, such transfers are made on the basis of the European Commission's Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries (Module 2: Controller to Processor), as incorporated by reference into this DPA.
5.2 For UK transfers, the UK International Data Transfer Addendum to the EU Commission SCCs (as issued by the UK Information Commissioner's Office) applies.
5.3 The parties agree that by entering into this DPA, they are deemed to have executed the applicable SCCs, which are incorporated herein by reference. The SCCs are available at: commission.europa.eu. For the purposes of the SCCs, Section 2.3 of this DPA constitutes Annex I (description of processing), Section 3.3 constitutes Annex II (technical and organisational measures), and Section 6 constitutes Annex III (sub-processors).
DLT Holdings currently uses the following Sub-processors in connection with the Service:
| Sub-processor | Location | Processing Activity |
|---|---|---|
| Anthropic, PBC | United States | AI lesson content generation |
| ElevenLabs, Inc. | United States | AI audio narration generation |
| Black Forest Labs GmbH | Germany | AI image generation |
| Stripe, Inc. | United States | Payment processing |
| Resend, Inc. | United States | Transactional email delivery |
| Cloudflare, Inc. | United States | Hosting infrastructure, DNS, CDN |
DLT Holdings will maintain an up-to-date list of Sub-processors and notify the Controller of any changes in accordance with Section 3.4.
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or Supervisory Authorities under applicable data protection law.
This DPA remains in effect for as long as DLT Holdings processes Personal Data on behalf of the Controller under the Terms of Service. It terminates automatically upon expiry or termination of the Terms of Service, subject to the deletion obligations in Section 3.8.
This DPA is governed by the laws of the State of Montana, without prejudice to the mandatory provisions of the GDPR or UK GDPR applicable to the Controller.
In the event of a conflict, the order of precedence is: (1) applicable data protection law; (2) this DPA; (3) the Terms of Service.