
Data Processing Addendum (On-Premise Deployment)

This Data Processing Addendum ("DPA") supplements the Software Licensing Agreement ("Agreement") between EducAI Inc. ("Licensor") and the subscribing academic institution ("Licensee" or "Institution").

Last Updated: May 2026

1. Definitions

  • "Applicable Privacy Laws" means all Canadian federal and provincial privacy legislation applicable to the processing of Personal Data, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Freedom of Information and Protection of Privacy Act (FIPPA).
  • "Personal Data" means any student or faculty information, educational records, authentication logs, or user queries generated through the use of the Software.
  • "Software" means the EducAI local inference engine and Retrieval-Augmented Generation (RAG) platform licensed to the Institution.

2. Scope of Processing & Deployment Model

2.1 Self-Hosted Architecture: The Software is deployed entirely on-premise within the Institution’s own managed infrastructure or private cloud environment. EducAI Inc. does not provide external cloud hosting, data storage, or application routing.

2.2 Role of the Parties: Because the Software operates exclusively within the Institution's isolated network, the Institution acts as both the Data Controller and the Data Processor under Applicable Privacy Laws. EducAI Inc. acts solely as the software licensor and has no routine access to Personal Data.

2.3 Identity and Authentication: All user authentication, single sign-on (SSO), and session management are handled locally by the Institution’s internal identity providers (e.g., Active Directory). EducAI Inc. receives no authentication credentials.

3. Data Sovereignty and Local Storage

3.1 Institutional Control: All Personal Data, database backups, transient query caches, and vector embedding indices generated by the Software reside exclusively on the Institution's designated servers.

3.2 Zero Telemetry: The Software operates in a completely "air-gapped" or firewalled state. It does not phone home, transmit telemetry data, or sync user query logs back to EducAI Inc. servers.

4. Technical Security and Third-Party Sub-Processors

4.1 Zero Third-Party AI Exposure: The Software utilizes local Large Language Model (LLM) inference runtimes within the Institution's secure environment. No Personal Data or student queries are ever transmitted to external third-party artificial intelligence engines or consumer APIs (such as OpenAI, Anthropic, or external model providers).

4.2 No Sub-Processors: EducAI Inc. does not engage any third-party sub-processors, external cloud providers, or infrastructure hosts to process the Institution’s data, as no data leaves the Institution's network.

5. Support, Maintenance, and Data Access

5.1 Technical Support: In the event the Institution requires technical support, the Institution is responsible for anonymizing or redacting any logs before sharing them with EducAI Inc.

5.2 Explicit Access Authorization: EducAI Inc. personnel will not attempt to access the Institution's deployment environment. If direct troubleshooting is required, it will be conducted strictly via supervised screen-share sessions led by the Institution's IT staff.

6. Personal Data Breach Liability

6.1 Liability Limitation: Because EducAI Inc. does not store, transmit, or possess the Institution's Personal Data, EducAI Inc. cannot be held liable for data breaches, unauthorized access, or network compromises occurring within the Institution's hosting environment.

6.2 Incident Reporting: The Institution bears sole responsibility for monitoring its network, securing its servers, and notifying regulatory bodies and affected users in the event of a security incident under PIPEDA/FIPPA.

7. Software Updates and Patch Management

Because the Software is firewalled and air-gapped, security updates are handled without granting EducAI Inc. remote access:

7.1 Secure Delivery: The Licensor shall provide software updates, patches, and model weights via a secure, verifiable download portal. The Institution's IT personnel are solely responsible for retrieving and deploying these updates within their isolated environment.

7.2 No Remote Execution: The Licensor guarantees that the Software contains no "forced update" mechanisms, remote execution backdoors, or administrative overrides that can bypass the Institution's internal firewall.

8. Security Vulnerability & Audit Rights

To ensure structural integrity and prevent vulnerabilities inside the deployed network environment:

8.1 Institutional Audits: The Institution reserves the right to perform routine vulnerability scans and penetration tests on the deployed Software instance.

8.2 Remediation: If the Institution discovers a critical security vulnerability in the Software architecture, the Licensor agrees to provide a remediation patch or mitigation strategy within an agreed-upon timeframe (e.g., 14 business days).

9. Term and Termination (End of License)

At the end of the licensing contract term, software and data assets are managed as follows:

9.1 Software Revocation: Upon termination of the Agreement, the Institution agrees to uninstall the Software and permanently delete the local inference engine and proprietary source files from its servers.

9.2 Institutional Data Ownership: All vector embeddings, chat logs, and cached queries generated during the term of the license remain the exclusive property of the Institution. The Licensor retains no rights to, or copies of, any data generated prior to termination.

10. Contact Information

For inquiries, audits, or notices related to this Data Processing Addendum, please contact our security team at:

EducAI Inc.
Attn: Information Security & Data Protection Officer
Email: soham@educai.info

EducAI Inc. is a federally incorporated Canadian business entity (Incorporation Date: June 5, 2026).
Corporate Contact: soham@educai.info

© 2026 EducAI Inc. All rights reserved.