- Squid Academy Ltd, incorporated in England & Wales, company no. 14264598, registered office 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ (“Processor” or “Squid”), and
- The Organization identified in the Order/Sign‑Up or other agreement that governs use of the Services (“Controller”, “Customer”, or “Organization”).
1. Scope & Roles
1.1 Roles. For personal data that the Organization provides or makes available to Squid for the Services, the Organization is Controller (or equivalent under applicable law) and Squid is Processor (or service provider/processor under non‑EU laws). This DPA applies to all regions where Squid Academy operates, subject to applicable local privacy laws, as further detailed in the Region‑Specific Addenda in Annex VI.
1.2 Public Users. For personal data of Public Users who contract directly with Squid, Squid acts as an independent controller; this DPA does not apply to that processing. Processing of Public User data is governed by Squid’s Privacy Policy, not this DPA.
1.3 Duration. This DPA applies for the term of the Agreement and until deletion of personal data in accordance with Section 9.2.
2. Controller Instructions
2.1 Squid will process personal data only on documented instructions from the Organization, including those set forth in this DPA, the Agreement, and Annex I (Description of Processing).
2.2 The Organization is solely responsible for ensuring that it has obtained all necessary rights, consents, and authorizations… especially in relation to minors, in accordance with the requirements set out in the Region‑Specific Addenda (Annex VI).
2.3 No Model Training. Squid will not use Controller Personal Data (including pseudonymized data) to train, retrain, or fine‑tune generalized AI/ML models or datasets for product development unrelated to the Services, except on the Organization’s documented instructions.
3. Processor Obligations
3.1 Confidentiality. Squid will ensure personnel who access personal data are bound by confidentiality obligations.
3.2 Security. Squid will implement and maintain appropriate technical and organizational measures (TOMs) described in Annex II.
3.3 Sub‑processors.
a) The Organization authorizes Squid to engage sub‑processors for the Services subject to this Section.
b) Squid will impose written obligations on sub‑processors that are no less protective than this DPA and remain responsible for sub‑processor performance.
c) Sub‑processor list & notice. Squid will maintain a current Sub‑processor List and provide at least 30 days’ advance notice of any new or replacement sub‑processor by (i) emailing the Organization’s admin contact(s) and (ii) updating the Sub‑processor List. Where an emergency replacement is required to maintain availability, security, or support, Squid may appoint the sub‑processor and will provide notice without undue delay, after which the Organization may raise a reasonable objection; if unresolved in good faith within a reasonable period, either party may terminate only the affected Service for a pro‑rated refund.
3.4 Data Subject Requests. Squid will assist the Organization, without undue delay, in responding to data‑subject requests (access, deletion, etc.) under applicable law (see Section 7).
3.5 Assistance. Taking into account the nature of processing, Squid will assist the Organization with data‑protection impact assessments, consultations with supervisory authorities, and security obligations (Articles 32–36 GDPR or equivalents).
3.6 Records. Squid will maintain records of processing activities as required by law.
3.7 Government Requests. If a public authority requests access to personal data, Squid will (i) notify the Organization promptly unless legally prohibited, (ii) limit disclosure to what is legally required, and (iii) challenge unlawful or overbroad requests where reasonable.
4. Children & Student Data (Schools/Organizations)
4.1 Under‑13 Public Users. Public sign‑up for under‑13s is not allowed.
4.2 Organization‑Invited Minors. The Organization must verify age, obtain and retain verifiable parental/guardian consent where required (e.g., COPPA; India DPDP for under‑18; Thailand PDPA for certain minors), and ensure compatible lawful bases under applicable law (e.g., UK/EU GDPR).
4.3 No Targeted Ads / Sale. Squid will not sell personal data, nor process it for cross‑context behavioral advertising, profiling of minors, or other restricted purposes under applicable US state privacy laws when acting as Processor.
4.4 Combination Limits. Squid will not combine personal data received from the Organization with other data except as permitted to provide and secure the Services, or as required by law.
5. Security Incidents
5.1 **Notifications.** Squid will notify the Organization without undue delay after becoming aware of a Security Incident (meaning any confirmed unauthorized access to, or accidental loss, alteration, or disclosure of, personal data processed for the Organization). Where GDPR applies, Squid shall notify the Organization without undue delay and, where feasible, not later than 72 hours after becoming aware of a Security Incident. The initial notice will include known details per Annex V and be followed by updates as information becomes available. Notices will be sent to the Organization’s admin/DP contact and privacy@squid.gg.
5.2 Squid will promptly take reasonable steps to contain, investigate, and remediate the incident and will cooperate with the Organization’s reasonable requests, including regulatory notifications the Organization must make.
6. International Transfers
6.1 Mechanisms. Where personal data are transferred across borders, Squid will use appropriate safeguards, including:
- EU Standard Contractual Clauses (SCCs 2021/914): Module 2 (Controller→Processor) and/or Module 3 (Processor→Processor), as applicable (Annex IV),
- UK Addendum/IDTA to the SCCs for UK transfers, and
- other approved mechanisms (e.g., contractual, adequacy, or local law equivalents) for Malaysia, Thailand, India, or other regions.
7. Data Subject Rights & Cooperation
Taking into account the nature of processing, Squid will assist the Organization by appropriate technical and organizational measures to fulfill data‑subject requests (access, rectification, erasure, portability, restriction, objection). The Organization is responsible for authenticating requesters and providing Squid with the necessary information to identify relevant records. Where requests are excessive, manifestly unfounded, or duplicative, Squid may charge reasonable costs for assistance. For more information on how data subjects can exercise these rights, see the Your Privacy Rights page and the Submit a Privacy Request form.
8. Audits & Certifications
8.1 Reports. On request (no more than once per 12‑month period, unless there is a reasonable suspicion of non‑compliance or after a Security Incident), Squid will provide available audit reports or certifications relevant to the Services (e.g., independent penetration tests, security summaries, or any ISO/SOC reports if available).
8.2 On‑site Review. If such reports are insufficient, the Organization may conduct a reasonable audit of Squid’s applicable controls, subject to: (i) 30 days’ notice, (ii) confidentiality, (iii) conduct during business hours without disrupting operations, and (iv) allocation of the Organization’s own costs. Prior to any on‑site review, the parties will first exhaust remote audit options (e.g., security questionnaires, third‑party reports, and control walkthroughs). The Organization may appoint an independent, qualified auditor bound by confidentiality to perform the audit on its behalf.
8.3 Sub‑processor audits are satisfied by reliance on Squid’s due diligence and third‑party reports where available.
9. Return & Deletion
9.1 During Term. The Organization may export data via available tools or request reasonable assistance.
9.2 Termination. Upon termination/expiry of the Services, upon the Organization’s written instruction, Squid will delete or return personal data and delete existing copies within 35 days, unless retention is required by law or for backup/archival integrity (in which case data will be isolated and securely deleted on the next standard cycle). Upon completion of deletion, Squid will provide a written deletion confirmation. Returned data will be provided in a commonly used, machine‑readable format (e.g., CSV/JSON), unless otherwise agreed. For details of our standard retention periods by category of data, see our Data Retention & Deletion Schedule.
10. Liability & Indemnity (DPA)
10.1 Allocation. The parties’ liability limitations in the Agreement apply to this DPA to the maximum extent permitted by law.
10.2 Controller Indemnity. The Organization will indemnify Squid for claims arising from the Organization’s failure to provide required notices/consents (including parental consent), unlawful instructions, or misuse of the Services.
10.3 Processor Indemnity. Squid will indemnify the Organization for third‑party claims to the extent arising from Squid’s material breach of this DPA or willful misconduct in its role as Processor.
11. Service Provider / Processor (Non‑EU Laws)
For US state privacy laws (including but not limited to CCPA/CPRA, VCDPA, CPA, UCPA, CTDPA, TDPSA), Squid acts as a service provider/processor: it shall (a) process only for the limited and specified purposes in the Agreement, (b) not sell or share personal data, (c) not retain, use, or disclose data outside the business purpose, (d) implement security measures, and (e) flow down the same obligations to sub‑processors.
12. Order of Precedence; Updates
12.1 If there is a conflict between this DPA and the Agreement regarding data processing, this DPA prevails.
12.2 Squid may update Annexes to reflect sub‑processor changes, security improvements, or legal changes with prior notice where material; material adverse changes require mutual agreement unless required by law.
13. Term & Termination
This DPA enters into force on the date the Organization accepts/executes the Agreement or this DPA (whichever is earlier) and remains in effect until Squid’s deletion/return of personal data under Section 9.
14. Governing Law & Venue
14.1 Between the parties, this DPA follows the governing law and venue set in the Agreement (England & Wales), except that the SCCs/UK Addendum are governed by their own clauses as specified in Annex IV.
14.2 Nothing in this DPA limits mandatory protections under applicable law.
SIGNATURES
This DPA may be accepted by click‑wrap or executed in counterparts (electronic signatures permitted).
Controller / Organization
By: __ (Name)
Title: __
Date: __________________________
Processor / Squid Academy Ltd
By: __ (Name)
Title: __
Date: __________________________
ANNEX I — Description of Processing
A. Subject Matter & Purpose. Squid processes personal data to provide the LMS + Tournament Services (user provisioning, authentication, classroom & team management, course delivery, progress tracking, tournament operations, support, security, and service improvement). Squid may analyze aggregated and de‑identified usage metrics to maintain and improve the Services. Squid will not attempt to re‑identify de‑identified data.
B. Duration. For the term of the Agreement plus the deletion period in Section 9.
C. Nature of Processing. Collection, storage, retrieval, transmission, display, structuring, analysis of usage for security/operations, deletion.
D. Types of Personal Data.
- **Identification:** name, email, organization affiliation/role, user IDs.
- Educational use data: enrollments, progress/completions, classroom/team membership, submissions, match results, timestamps, limited telemetry (e.g., login logs).
- Support meta: ticket content, error logs (which may incidentally contain personal data).
- **Payments:** Squid does not process payment card data for the Services. Payments are handled by third‑party payment processors, except where explicitly stated in the Order.
ANNEX II — Technical & Organizational Measures (TOMs)
1. Governance & Access
- Role‑based access control (RBAC), least privilege; MFA for admin access.
- Background‑checked staff under confidentiality commitments.
- Joiner‑mover‑leaver processes; periodic access reviews.
- In transit: TLS 1.2+ for all external connections.
- At rest: Industry‑standard encryption (e.g., AES‑256 or cloud‑provider equivalent) for databases and backups where supported.
- Source control, code review, dependency scanning.
- Vulnerability management (CVSS‑based triage), remediation SLAs for critical/high findings.
- Staging/testing before production; change logs and approvals.
- Segmented cloud environments; hardened images; security groups/firewalls; WAF/anti‑DDoS where applicable.
- Continuous monitoring/alerting; audit logging for security‑relevant events.
- Collect only necessary fields (name, email, org, progress).
- Time‑bound log retention; backups encrypted and time‑limited.
- Regular backups; documented recovery procedures; periodic restore testing.
- Due diligence for sub‑processors; contractual flow‑down of data‑protection obligations; ongoing monitoring.
- Defined escalation paths; detection, containment, eradication, recovery; post‑incident review; customer notification “without undue delay.”
ANNEX III — Sub‑Processors
Current categories (non‑exhaustive):
- Cloud infrastructure/IaaS (compute, storage, networking)
- Email delivery & notifications
- Error monitoring & crash analytics
- Customer support tooling / ticketing
- Log management & security monitoring
ANNEX IV — Cross‑Border Transfers
EU SCCs (2021/914)
- Module 2 (Controller→Processor) applies to Organization→Squid transfers.
- Module 3 (Processor→Processor) applies to Squid→sub‑processor transfers.
- Docking clause enabled.
- Governing law/forum for SCCs: Ireland; Irish Data Protection Commission as supervisory authority; Irish courts have jurisdiction.
- Annex I(A–C): Parties, Description of Transfer → use Annex I of this DPA.
- Annex II: TOMs → as per Annex II of this DPA.
- Annex III: Sub‑processors → as per Annex III of this DPA.
UK Addendum (Addendum to EU SCCs)
- Incorporated for UK transfers; the Issuing Clauses are as per the UK ICO template. Required tables are completed by reference to this DPA’s Annexes.
- The parties incorporate the UK ICO Addendum. Table 1 (Parties), Table 2 (Selected SCCs), and Table 3 (Technical and Organizational Measures and Sub‑processors) are completed by reference to this DPA’s Annex I (Parties/Description of Processing), Annex II (TOMs), and Annex III (Sub‑processors), and Table 4 (Ending the UK Addendum when the Approved Addendum Changes) is set to the template default.
- Use contractual safeguards permitted under local law (e.g., Malaysia PDPA cross‑border rules; Thailand PDPA adequacy/safeguards; India DPDP contractual protections pending rules).
ANNEX V — Security Incident Playbook (Summary)
This Annex summarizes Squid’s internal playbook and complements Section 5; where GDPR applies, Squid targets initial notification within 72 hours of awareness.
Trigger: Potential or confirmed compromise affecting personal data.
Notification: To Controller without undue delay after confirmation; initial notice aims to include: nature of incident, categories/volume of data affected, likely consequences, and measures taken/proposed.
Containment & Recovery: Isolate affected systems; rotate keys/secrets; restore from clean backups as needed.
Investigation: Root cause analysis; timeline reconstruction; corrective actions.
Post‑Incident: Report and preventive improvements shared with Controller.
For a plain‑language overview, see our Security & Incident Response page.
ANNEX VI — Region‑Specific Addenda (Processor Commitments)
United States (incl. Texas) & Puerto Rico
- Act as service provider/processor (no “sale” or “sharing”; no cross‑context behavioral ads; children’s data protections).
- For COPPA contexts: process children’s personal information only on documented instructions from the Controller; rely on verifiable parental consent obtained and retained by the Controller; provide deletion assistance.
- FERPA (where applicable): act as a “school official” under Controller’s direct control, using data only for educational purposes.
- Support state privacy obligations (access, deletion, correction) through Controller workflows.
Malaysia
- Process only for stated purposes; assist Controller with PDPA access/correction rights; use approved cross‑border safeguards.
Thailand
- Respect consent requirements for minors per PDPA; assist with data‑subject rights; implement appropriate safeguards for cross‑border transfers.
India
- Treat children (<18) as protected data principals: no tracking/targeted advertising directed at children; process only on Controller’s instructions with parental consent confirmed by Controller; assist with data‑principal requests; apply transfer safeguards consistent with DPDP.