Data Processing Agreement (DPA)
Effective Date: April 30, 2026
Data Controller: You (the Classario user / Customer)
Data Processor: LENEDO TECH FZ-LLC
Processor Address: HD88C, In5 Tech, Dubai Internet City, Dubai, United Arab Emirates
Processor Contact: help@classario.com
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between LENEDO TECH
FZ-LLC ("Processor") and you, the Customer ("Controller"), and governs the processing of personal data by the
Processor on behalf of the Controller in connection with the Classario platform.
This DPA is intended to satisfy the requirements of applicable data protection legislation including, where
applicable, the EU GDPR (Regulation 2016/679), the UK GDPR, and the UAE Federal Decree-Law No. 45 of
2021 on the Protection of Personal Data.
1. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in
applicable data protection law. "Services" means the Classario platform and related features provided pursuant
to the Terms & Conditions. "Sub-processor" means any third party engaged by the Processor to carry out
processing activities on behalf of the Controller.
2. Scope & Role of the Parties
The Controller determines the purposes and means of processing personal data uploaded to or generated
within the Classario platform (e.g., student profiles, attendance records, communications). The Processor
processes such data solely on the documented instructions of the Controller.
3. Controller's Obligations
The Controller warrants and undertakes that it:
• Has a valid legal basis for processing each category of personal data shared with the Processor.
• Has provided, or will provide, appropriate privacy notices to Data Subjects.
• Will ensure that personal data shared is accurate, adequate, and limited to what is necessary.
• Will comply with all applicable data protection laws in its use of the Services.
4. Processor's Obligations
The Processor agrees to:
• Process personal data only on documented instructions from the Controller, unless required by applicable law.
• Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
• Implement technical and organisational measures as set out in Annex II.
• Assist the Controller in fulfilling Data Subject rights requests within the timeframes required by law.
• Assist the Controller with security obligations, breach notifications, DPIAs, and prior consultations.
• Delete or return all personal data upon termination of the Services, at the Controller's choice.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Sub-processing
The Processor has the Controller's general authorisation to engage sub-processors. The Processor will inform
the Controller of any intended changes concerning sub-processors, giving the Controller the opportunity to
object. The Processor shall impose data protection obligations on any sub-processor equivalent to those in this
DPA.
Current Sub-processors
A list of current sub-processors (including cloud infrastructure, AI model providers, payment processors, and
communication tools) is available at classario.com/sub-processors and will be updated as changes occur.
6. International Data Transfers
Where the Processor transfers personal data to countries outside the EEA, UK, or UAE that do not offer an
equivalent level of protection, such transfers will be subject to appropriate safeguards, including the European
Commission's Standard Contractual Clauses (SCCs) for controller-to-processor transfers or equivalent
mechanisms as required by applicable law.
7. Security Measures (Annex II Summary)
The Processor implements the following measures:
• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls and least-privilege principles.
• Multi-factor authentication for administrative access.
• Regular vulnerability assessments and penetration testing.
• Incident response procedures including breach notification within 72 hours of discovery.
• Data backup and disaster recovery mechanisms with defined RPO and RTO.
• Employee security training and background screening for roles with data access.
8. Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, of becoming
aware of a personal data breach affecting the Controller's data. The notification will include: nature of the breach,
categories and approximate number of Data Subjects affected, likely consequences, and measures taken or
proposed to address the breach.
9. Data Subject Rights
The Processor will promptly notify the Controller of any Data Subject rights requests received directly. The
Processor will provide reasonable technical and organisational assistance to enable the Controller to fulfil such
requests.
10. Audits & Inspections
The Processor shall provide the Controller with all information necessary to demonstrate compliance with this
DPA. The Controller may conduct, or commission a third party to conduct, audits of the Processor's processing
activities, provided reasonable prior written notice of at least 30 days is given, and at most once per 12-month
period, unless otherwise required by a supervisory authority.
11. Retention & Deletion
Upon termination or expiry of the Services, the Processor will, at the Controller's election, delete or return all
personal data and delete existing copies, unless applicable law requires retention. The Processor will certify
deletion in writing upon request.
12. Term & Termination
This DPA commences on the Effective Date and continues for as long as the Processor processes personal
data on behalf of the Controller. Termination of the underlying Terms & Conditions automatically terminates this
DPA, subject to surviving obligations.
13. Governing Law
This DPA is governed by the laws of the United Arab Emirates (Dubai). Where the Controller is established in
the EU/EEA and the GDPR applies, the parties agree that EU law governs to the extent required by the GDPR.
14. Contact & DPO
For data protection enquiries, please contact:
LENEDO TECH FZ-LLC
HD88C, In5 Tech, Dubai Internet City, Dubai, United Arab Emirates
Email: help@classario.com