Chestnut Tools Logo

chestnut.tools

HomePricingContact
Log In

Data Processing Addendum

Last updated: July 4, 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", "you", or "your") and Samir Buch ("Chestnut.Tools", "we", "us", or "our") for the use of Chestnut.Tools Cloud services ("Services"). This DPA governs the processing of Personal Data by Chestnut.Tools on behalf of Customer.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, including student educational records.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Controller" means the Customer, who determines the purposes and means of Processing Personal Data.
  • "Processor" means Chestnut.Tools, who processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party appointed by Chestnut.Tools to process Personal Data on behalf of the Customer.

2. Scope and Nature of Processing

2.1 Subject Matter

Processing of Personal Data necessary for the provision of student information system and attendance management services.

2.2 Duration

Processing will continue for the duration of the Services agreement and retention period specified herein.

2.3 Purpose of Processing

  • Student roster and enrollment management
  • Attendance tracking and reporting
  • Academic schedule management
  • Administrative communications
  • System authentication and security
  • Service improvement and support

2.4 Categories of Data Subjects

  • Students and prospective students
  • Faculty and teaching staff
  • Administrative personnel
  • Other authorized users of the system

2.5 Categories of Personal Data

  • Identification Data: Names, student ID numbers, employee ID numbers
  • Contact Information: Email addresses, phone numbers
  • Educational Records: Course enrollments, attendance records, grades, academic schedules
  • Authentication Data: Login credentials, OAuth tokens, session information
  • Technical Data: IP addresses, browser information, usage logs
  • Communication Data: Messages and communications through the platform

3. Customer Obligations

Customer warrants and undertakes that:

  • It has the legal right to disclose Personal Data to Chestnut.Tools for processing
  • It has obtained all necessary consents and provided required notices to Data Subjects
  • Processing instructions comply with applicable laws and regulations
  • It will promptly notify Chestnut.Tools of any changes to processing requirements
  • It will implement appropriate technical and organizational measures for data protection

4. Chestnut.Tools Obligations

Chestnut.Tools undertakes to:

  • Process Personal Data only in accordance with Customer's documented instructions
  • Ensure that persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures to secure Personal Data
  • Not engage sub-processors without prior written authorization from Customer
  • Assist Customer in responding to Data Subject requests
  • Notify Customer without undue delay of any Personal Data breaches
  • Delete or return Personal Data upon termination of services, unless retention is required by law
  • Make available information necessary to demonstrate compliance with this DPA

5. Technical and Organizational Measures

Chestnut.Tools implements the following measures to protect Personal Data:

5.1 Technical Measures

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access control and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and secure network architecture
  • Data Backup: Regular automated backups with encryption
  • Monitoring: Continuous security monitoring and logging

5.2 Organizational Measures

  • Staff Training: Regular privacy and security training for personnel
  • Access Management: Principle of least privilege and regular access reviews
  • Incident Response: Documented incident response procedures
  • Vendor Management: Due diligence on sub-processors and vendors
  • Data Minimization: Collection and processing limited to necessary purposes

6. Sub-processing

6.1 Authorized Sub-processors

Customer consents to Chestnut.Tools engaging the following sub-processors:

  • Supabase: Database hosting and management services
  • Vercel: Application hosting and content delivery
  • Google: Authentication services (OAuth)
  • Sentry: Error monitoring and performance tracking

6.2 Sub-processor Requirements

Chestnut.Tools ensures that:

  • Sub-processors are bound by data protection obligations equivalent to this DPA
  • Customer is notified of any changes to sub-processors with opportunity to object
  • Chestnut.Tools remains fully liable for sub-processor performance

7. Data Subject Rights

Chestnut.Tools will assist Customer in fulfilling Data Subject requests for:

  • Access: Providing copies of Personal Data being processed
  • Rectification: Correcting inaccurate or incomplete Personal Data
  • Erasure: Deleting Personal Data when legally permissible
  • Restriction: Limiting processing under certain circumstances
  • Portability: Providing Personal Data in a structured, machine-readable format
  • Objection: Stopping processing based on legitimate interests

8. Personal Data Breaches

8.1 Notification Requirements

Upon becoming aware of a Personal Data breach, Chestnut.Tools will:

  • Notify Customer without undue delay and within 24 hours where feasible
  • Provide details of the breach, affected data, likely consequences, and mitigation measures
  • Assist Customer in breach notification obligations to supervisory authorities and Data Subjects
  • Document all breaches and remedial actions taken

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area. Chestnut.Tools ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Additional technical and organizational measures as necessary

10. Data Retention and Deletion

10.1 Retention Period

Personal Data will be retained for:

  • The duration of the Services agreement
  • Additional 30 days after termination for data export purposes
  • Longer periods only if required by applicable law

10.2 Data Return and Deletion

Upon termination of Services, Chestnut.Tools will:

  • Provide Customer with options to export Personal Data
  • Delete all Personal Data from systems within 90 days of termination
  • Provide written confirmation of deletion upon Customer request
  • Retain data only as required by applicable law with appropriate safeguards

11. FERPA Compliance

For educational institutions subject to the Family Educational Rights and Privacy Act (FERPA), Chestnut.Tools acknowledges that:

  • Educational records are confidential and protected under FERPA
  • Chestnut.Tools is acting as a school official with legitimate educational interests
  • Personal Data will be used solely for authorized educational purposes
  • No re-disclosure of educational records will occur without proper authorization
  • Customer retains control over educational records and directory information

12. Audit and Compliance

12.1 Audit Rights

Customer may:

  • Request information to verify Chestnut.Tools' compliance with this DPA
  • Conduct audits subject to reasonable notice and confidentiality obligations
  • Review security certifications and compliance reports

12.2 Compliance Documentation

Chestnut.Tools maintains:

  • Records of processing activities
  • Security incident logs
  • Staff training records
  • Sub-processor agreements and assessments

13. Liability and Indemnification

  • Each party's liability under this DPA is subject to the limitation of liability clause in the main Terms of Service
  • Chestnut.Tools will indemnify Customer against claims arising from Chestnut.Tools' non-compliance with this DPA
  • Customer will indemnify Chestnut.Tools against claims arising from Customer's instructions or non-compliance with applicable law

14. Term and Termination

  • This DPA remains in effect for the duration of the Services agreement
  • Either party may terminate this DPA upon material breach that remains uncured after 30 days written notice
  • Provisions regarding data deletion, liability, and confidentiality survive termination

15. Governing Law and Jurisdiction

This DPA is governed by the same law as the main Terms of Service. Disputes will be resolved through the dispute resolution mechanisms specified in the main agreement.

16. Amendments

This DPA may only be amended by written agreement between the parties. Chestnut.Tools may update this DPA to reflect changes in applicable law with 30 days' advance notice.

Contact Information

For questions regarding this Data Processing Addendum:

  • Email: privacy [at] chestnut.tools
  • Data Protection Officer: dpo [at] chestnut.tools
  • Legal: legal [at] chestnut.tools

By using Chestnut.Tools Cloud services, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Addendum.

Chestnut Tools Logo

chestnut.tools

ContactPrivacy PolicyTerms of Service

© 2025 chestnut.tools