Data Processing Agreement (DPA)

Standard Version for Schools Using Kiddoz

Last updated: December 22, 2025

This Data Processing Agreement ("DPA") describes how HOW GP, the operator of Kiddoz, processes personal data on behalf of schools under the EU General Data Protection Regulation (GDPR). It applies when a school uses Kiddoz to share classroom updates, photos, and communication with families.

This DPA forms part of the School's broader agreement to use the Kiddoz platform.

1. Parties

This DPA is made between:

Controller

The School

(Details to be completed by the School when entering into agreement)

and

Processor

HOW GP

Kalamida 3, Athens, 10554, Greece

VAT Number: EL801969865

G.E.MI.: 167278603000

Tax Office: A' Athinon

Email: hello@howstudio.dev

Operating the platform: Kiddoz

2. Subject Matter & Duration

HOW GP processes personal data solely to operate the Kiddoz platform for the School.

This DPA remains in effect for the duration of the School's use of Kiddoz and until all data is deleted or returned.

3. Nature and Purpose of Processing

Processing activities include:

  • Uploading, storing, and delivering photos and videos
  • Managing parent, teacher, and school accounts
  • Providing communication between school and families
  • Maintaining security, availability, and performance of the Service
  • Offering technical support

HOW GP processes data only in accordance with the documented instructions of the School.

4. Types of Personal Data

  • Child first name and class/group
  • Photos and videos of classroom activity
  • Teacher notes, posts, and updates
  • Parent/guardian contact details
  • Teacher and staff contact details
  • Log data (IP address, devices, timestamps) for security

No special categories of data (Art. 9 GDPR) are intentionally processed.

5. Categories of Data Subjects

  • Children enrolled at the School
  • Parents and legal guardians
  • Teachers, assistants, and school staff

6. School Responsibilities (Controller)

The School is responsible for:

  • Determining the lawful basis for processing child-related data
  • Obtaining parental/guardian consent where required
  • Ensuring content uploaded to Kiddoz is appropriate and lawful
  • Managing access (inviting/removing teachers and parents)
  • Providing lawful instructions to HOW GP
  • Complying with all GDPR obligations that apply to controllers

7. HOW GP Responsibilities (Processor)

7.1 Process Only on Instructions

HOW GP will process personal data only on behalf of the School and only for providing Kiddoz.

7.2 Confidentiality

All staff handling data are bound by confidentiality obligations.

7.3 Security Measures

HOW GP maintains appropriate technical and organisational measures, including:

  • TLS encryption
  • Encrypted storage of media files
  • Role-based access controls
  • Secure hosting on Fly.io
  • Media storage on Cloudflare R2
  • Continuous monitoring and security patching

7.4 Subprocessors

HOW GP uses subprocessors essential to the operation of the Service, including:

  • Cloudflare R2 – secure media storage
  • Fly.io – infrastructure hosting
  • Mailgun – transactional email services
  • Google Analytics – website analytics and usage statistics (for the public website only, not the platform itself)

Subprocessors operate under GDPR-compliant agreements. HOW GP remains responsible for their performance.

7.5 Data Subject Rights Assistance

HOW GP assists the School in fulfilling rights requests (access, deletion, correction, portability).

HOW GP does not respond directly to parents unless instructed in writing.

7.6 Data Breach Notification

In the event of a confirmed personal data breach, HOW GP will:

  • Notify the School without undue delay
  • Provide relevant information for regulatory reporting
  • Cooperate in mitigation efforts

7.7 Data Return or Deletion

Upon termination of the School's use of Kiddoz, HOW GP will:

  • Delete all personal data, or
  • Return it to the School in a standard format, as instructed

Any retained log data will remain only where required by law or for security purposes.

8. International Transfers

HOW GP stores data primarily in the European Union.

If a subprocessor performs international transfers, HOW GP ensures:

  • Adequacy decisions, or
  • Standard Contractual Clauses (SCCs), plus
  • Additional safeguards where required

9. Audit Rights

Upon written request, the School may receive documentation demonstrating HOW GP's compliance.

Audits may be performed once annually with prior notice, provided they do not disrupt service operations.

10. Liability

Each party is liable for fulfilling the obligations applicable to its GDPR role.

HOW GP is liable only for violations of this DPA or GDPR duties applicable to processors.

11. Governing Law

This DPA is governed by the laws of Greece.

Disputes will be resolved by the competent courts of Athens, Greece.

12. Signatures

Schools using Kiddoz may download this DPA, complete their details, sign it, and return it to HOW GP.

Download this DPA

Schools can download a PDF version of this Standard DPA here.

Note: PDF download will be available soon. For now, please contact us at hello@howstudio.dev to request a signed DPA.
