DATA PROCESSING ADDENDUM
Last Updated: February 17, 2026
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement, Terms of Service, or other written agreement ("Agreement") between 不落教育科技株式会社 (Uni Education Technology Co. Ltd) ("Novana") and the Customer identified in the Agreement ("Customer").
This DPA reflects the parties' agreement with respect to the Processing of Personal Data in connection with the Novana Service.
1. Definitions
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (CPRA).
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
- "Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, the United States (including the CCPA), and Japan (APPI), applicable to the Processing of Personal Data under the Agreement.
- "Data Subject" means the identified or identifiable person to whom Personal Data relates.
- "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- "Personal Data" means any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws).
- "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- "Processor" means the entity which Processes Personal Data on behalf of the Controller.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission.
- "Subprocessor" means any third-party Processor engaged by Novana to assist in fulfilling its obligations with respect to providing the Service.
2. Processing of Data
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Novana is the Processor, and that Novana or its Affiliates may engage Subprocessors pursuant to the requirements set forth in Section 4 "Subprocessors" below.
2.2 Customer's Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 Novana's Processing of Personal Data. Novana shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer's documented instructions for the following purposes:
- (a) Processing in accordance with the Agreement and applicable Order Forms;
- (b) Processing initiated by Users in their use of the Services; and
- (c) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
2.4 California Consumer Privacy Act (CCPA). Novana acts as a "Service Provider" as defined in the CCPA. Novana shall not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services; or (c) combine Personal Data with other personal information except as permitted by the CCPA.
2.5 Artificial Intelligence Processing. To the extent Novana uses artificial intelligence or machine learning services ("AI Services") in the provision of the Services:
- (a) PII Reduction. Novana employs commercially reasonable technical measures to detect and redact personally identifiable information (such as names, email addresses, and student identifiers) from Customer Content before transmitting it to AI Service providers. Customer acknowledges that no automated detection system is infallible.
- (b) No Training on Customer Data. Novana shall not use Customer Data to train, improve, or fine-tune any AI or machine learning model, whether owned by Novana or a third party, unless Customer has provided explicit, informed, and voluntary consent for such use. Novana maintains contractual agreements with its AI Subprocessors that prohibit the use of Customer Data for model training or improvement.
- (c) Volatile Processing. AI Subprocessors process Customer Content in volatile memory for the duration of a single request only. Customer Content is not persistently stored by AI Subprocessors beyond the time necessary to generate a response.
- (d) AI Output. Novana does not claim ownership of any output generated by AI Services on behalf of Customer. All AI-generated content (such as evidence descriptions, framework analyses, and improvement suggestions) is provided as recommendations for human review and does not constitute automated decision-making with legal or similarly significant effects.
3. Data Subject Requests
3.1 Data Subject Request Assistance. Novana shall, to the extent legally permitted, promptly notify Customer if Novana receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, object to the Processing, its right not to be subject to an automated individual decision making, or its right to withdraw consent ("Data Subject Request").
3.2 Response to Requests. Taking into account the nature of the Processing, Novana shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Novana shall upon Customer's request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Novana is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.
4. Subprocessors
4.1 Appointment of Subprocessors. Customer acknowledges and agrees that (a) Novana's Affiliates may be retained as Subprocessors; and (b) Novana and Novana's Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. Novana or a Novana Affiliate has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Customer's Personal Data.
4.2 List of Current Subprocessors. Novana shall make available to Customer the current list of Subprocessors for the Services at novana.io/trust/subprocessors.
4.3 Objection Right for New Subprocessors. Novana may update the list of Subprocessors from time to time. Customer may subscribe to notifications of new Subprocessors by emailing security@novana.io. If Customer subscribes, Novana will notify Customer of any new Subprocessor before authorizing the new Subprocessor to Process Personal Data. Customer may object to Novana's use of a new Subprocessor by notifying Novana in writing within ten (10) days of the update. In the event Customer objects to a new Subprocessor, as permitted in the preceding sentence, Novana will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening the Customer. If Novana is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Novana without the use of the objected-to new Subprocessor.
4.4 Liability. Novana shall be liable for the acts and omissions of its Subprocessors to the same extent Novana would be liable if performing the services of each Subprocessor directly under the terms of this DPA.
5. Security
5.1 Controls for the Protection of Personal Data. Novana shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in Annex II (Security Measures). Novana regularly monitors compliance with these measures.
5.2 Personnel. Novana ensures that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.
6. Security Incident Management and Notification
6.1 Notification. Novana maintains security incident management policies and procedures. Novana shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Novana or its Subprocessors of which Novana becomes aware (a "Security Incident"). Such notification shall include, to the extent reasonably available: (a) the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of Novana's point of contact for further information; (c) a description of the likely consequences of the Security Incident; and (d) a description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects. Where it is not possible to provide all information at the same time, Novana may provide the information in phases without undue further delay.
6.2 Remediation. Novana shall make reasonable efforts to identify the cause of such Security Incident and take those steps as Novana deems necessary and reasonable in order to remediate the cause of such a Security Incident to the extent the remediation is within Novana's reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer's Users.
7. Return and Deletion of Customer Data
Novana shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Agreement (specifically, 90 days post-termination).
8. Audit Rights
8.1 Security Reports. Upon Customer's written request, Novana shall provide (on a confidential basis) a summary of its current technical and organizational security measures to verify Novana's compliance with this DPA.
8.2 Audits. If the Security Reports are insufficient to demonstrate compliance with Data Protection Laws, or if a Supervisory Authority requires a physical audit, Customer may audit Novana's compliance. Such audit shall be: (a) subject to a mutually agreed scope; (b) conducted by an independent third party; (c) conducted during regular business hours with at least 30 days' advance notice; and (d) at Customer's sole expense.
9. Data Protection Impact Assessments
Upon Customer's request, Novana shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer's obligation under the GDPR to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Novana.
10. International Transfers
10.1 Transfer Mechanisms. The parties agree that when the transfer of Personal Data from the Customer to Novana is a "Restricted Transfer" (as defined by GDPR/UK GDPR), it shall be subject to the appropriate Standard Contractual Clauses (SCCs) as follows:
- (a) EEA Transfers: The EU SCCs (Module Two: Controller to Processor) are hereby incorporated by reference.
- (b) UK Transfers: The UK International Data Transfer Addendum to the EU SCCs is hereby incorporated by reference.
- (c) Japan Transfers: Novana complies with Article 24 of the APPI regarding cross-border transfers.
10.2 Governing Law for Transfers. For the purposes of the SCCs, the governing law shall be Ireland (for EEA transfers) and England and Wales (for UK transfers).
11. Student Data and Education Records (FERPA)
11.1 School Official Designation. With respect to Customer Data that constitutes "education records" as defined under the Family Educational Rights and Privacy Act ("FERPA," 20 U.S.C. § 1232g), the parties agree that Novana functions as a "School Official" with a "legitimate educational interest" as those terms are used under FERPA (34 CFR § 99.31(a)(1)). Novana's access to education records is pursuant to its contractual obligation to provide the Services to Customer.
11.2 Use Restrictions. Novana shall use education records solely to provide the Services as directed by Customer. Novana shall not (a) use education records for any purpose other than performing the Services; (b) re-disclose education records to any third party except as required by law, as authorized by Customer, or to Subprocessors bound by equivalent restrictions; or (c) use education records for advertising, marketing, or profiling of students.
11.3 COPPA. To the extent the Children's Online Privacy Protection Act ("COPPA," 15 U.S.C. § 6501–6506) applies, Customer represents that it has obtained all necessary consents or that it is relying on the school consent exception under COPPA. Novana does not collect personal information directly from children under the age of 13. All student data is provided by Customer (the school) acting as the Controller.
12. De-Identified and Aggregated Data
12.1 De-Identification. Novana may create de-identified or aggregated data sets derived from Customer Data, provided that such data (a) cannot reasonably be used to identify any individual Data Subject or Customer; and (b) has been processed using industry-standard de-identification techniques (such as removal of direct identifiers and statistical aggregation).
12.2 Permitted Use. Novana may use de-identified and aggregated data solely for (a) improving and developing the Services; (b) generating benchmarking reports and analytics that do not identify any individual or Customer; and (c) conducting internal research. Novana shall not attempt to re-identify any de-identified data.
12.3 No Sale. De-identified and aggregated data shall not be sold to third parties or used for advertising purposes.
13. Government and Law Enforcement Requests
If Novana receives a request from any government authority or law enforcement agency for access to Customer Data, Novana shall (a) promptly notify Customer of such request unless prohibited by law from doing so; (b) inform the requesting authority that Novana is a Processor acting on behalf of Customer; and (c) not disclose Customer Data until required to do so under applicable law. Where legally permitted, Novana shall allow Customer a reasonable opportunity to seek a protective order or other appropriate remedy before any disclosure.
14. Limitation of Liability
Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, and all Partner DPAs, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all Partner DPAs together.
ANNEX I: DETAILS OF PROCESSING
A. LIST OF PARTIES
Data Exporter:
- Name: The Customer.
- Address: As set out in the Agreement.
- Role: Controller.
Data Importer:
- Name: 不落教育科技株式会社 (Uni Education Technology Co. Ltd).
- Address: Room C, 2nd Floor, Hakata IC Building, 1-14-34 Hakataekihigashi, Hakata-ku, Fukuoka City, Fukuoka Ken, Japan.
- Contact Person: Data Protection Contact (security@novana.io).
- Role: Processor.
B. DESCRIPTION OF TRANSFER
1. Categories of Data Subjects
- Customer's employees, staff, teachers, and administrators.
- Students of the Customer (including minors of all ages whose data may be contained in school-uploaded documents).
2. Categories of Personal Data
The Personal Data transferred concern the following categories of data:
- Identity Data: Names, Usernames, Student IDs.
- Contact Data: Email addresses, phone numbers.
- Professional Data: Job titles, roles, school affiliation.
- Usage Data: Device information, IP addresses, application activity logs, location information.
- Education Data: Assignments, grades, or class participation data (to the extent input into the Service).
3. Special Category Data
- The Service may process education records containing student data uploaded by the Customer; however, Novana processes such data solely as a Processor and does not intentionally collect special categories of data as defined in Article 9 of the GDPR (e.g., health, biometric, political opinions).
4. Frequency of Transfer
- Continuous.
5. Nature of Processing
- Collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction.
6. Duration of Processing
- For the term of the Agreement plus a retention period of 90 days.
C. COMPETENT SUPERVISORY AUTHORITY
- EEA: Data Protection Commission of Ireland.
- UK: Information Commissioner's Office (ICO).
ANNEX II: SECURITY MEASURES
Novana implements the following technical and organizational measures to ensure a level of security appropriate to the risk:
1. Measures of Pseudonymization and Encryption
- In Transit: All data transmitted over public networks is encrypted using TLS 1.2 or higher (HTTPS).
- At Rest: Data stored in the production database is encrypted using industry-standard encryption algorithms (e.g., AES-256).
2. Measures for Ensuring Ongoing Confidentiality, Integrity, Availability
- Redundancy: Novana utilizes industry-leading cloud infrastructure (e.g., AWS/GCP/Azure) with redundancy and high-availability zones.
- Access Control: Access to production systems is restricted to authorized engineering personnel on a least-privilege basis.
- Authentication: Multi-factor authentication (MFA) is strictly enforced for all administrative access to production environments.
3. Measures for Restoring Availability
- Backups: Automated daily backups of Customer Data are maintained to allow for data restoration in the event of a physical or technical incident.
- Disaster Recovery: Novana maintains a business continuity plan to restore services within reasonable timeframes.
4. Measures for Testing and Evaluation
- Vulnerability Scanning: Regular automated code analysis and security scanning of infrastructure.
- Code Review: All code changes are reviewed and pass automated testing prior to deployment.
5. Measures for Physical Security
- Data Centers: Novana relies on the physical security certifications of its cloud hosting providers (e.g., SOC 2 / ISO 27001 certified data centers). Novana does not maintain its own physical servers.
6. Measures for Data Minimization and Retention
- Minimization: Data collection is strictly limited to that which is necessary to provide the Service defined in the Agreement.
- Retention: Customer data is deleted from production systems within 90 days of contract termination.