← Back to Home
📋 Legal Document

Data Processing Agreement

seba | maths — Effective: 8 April 2026 · Version 1.0

Pursuant to Art. 28 GDPR · Governed by Spanish / Catalan law

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller

The school or educational institution ("Controller") that accesses and uses the seba | maths platform for educational purposes.

Data Processor

SEBA ("Processor"), the provider of the seba | maths educational platform.

2. Subject Matter and Duration

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the seba | maths educational platform. The DPA remains in force for the duration of the service agreement between the parties.

3. Nature and Purpose of Processing

The Processor processes personal data solely for the purpose of:

  • Providing access to the seba | maths curriculum platform
  • Maintaining the security and integrity of the platform
  • Providing technical support to the Controller
  • Generating anonymised usage analytics to improve the platform

4. Type of Personal Data

seba | maths is a content-only platform. In its standard configuration, no student personal data is collected or processed. The only data processed is anonymised usage analytics. Where schools choose to implement additional features, the Controller is responsible for ensuring appropriate data protection measures are in place.

5. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process the data are bound by confidentiality
  • Implement appropriate technical and organisational security measures (Art. 32 GDPR)
  • Not engage sub-processors without prior written consent from the Controller
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of the service
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR

6. Sub-processors

The Processor currently uses the following sub-processors, all located within the EEA:

Sub-processorPurposeLocation
Umami AnalyticsAnonymised usage analyticsEU (self-hosted)
CDN ProviderStatic asset deliveryEU

7. Data Transfers

No personal data is transferred outside the European Economic Area. All processing takes place on EEA-based infrastructure. The Processor will not transfer data to third countries without prior written consent from the Controller and appropriate safeguards as required by Chapter V GDPR.

8. Security Measures

The Processor implements the following technical and organisational measures:

  • TLS 1.2+ encryption for all data in transit
  • Access controls and least-privilege principles
  • Regular security assessments and penetration testing
  • Incident response procedures with 72-hour breach notification
  • Data minimisation and pseudonymisation where applicable

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include all information required under Art. 33(3) GDPR to the extent available at the time.

10. Governing Law

This DPA is governed by Spanish law, with particular reference to the Ley Orgánica 3/2018 (LOPDGDD) and the GDPR. Any disputes shall be subject to the jurisdiction of the courts of Barcelona, Catalonia.

11. Contact

For DPA enquiries, please contact our Data Protection Officer at [email protected].

This DPA is adapted from the SEBA platform legal framework. See also our Privacy Policy and Cookie Policy.