CoRubrics
Version 1.0
Effective date: May 30, 2026

CoRubrics — Data Processing Agreement

This Data Processing Agreement (hereinafter «DPA» or «Agreement») governs the processing of personal data carried out by CoRubrics on behalf of the teacher or data controller who uses the platform, as required by Article 28 of Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPD-GDD).

Acceptance and incorporation

This DPA is incorporated by reference into the CoRubrics Terms of Use. Data controllers subject to the GDPR who enter personal data of students or other individuals into the platform accept this Agreement by using the service. In the event of any conflict between this DPA and the Terms of Use with respect to the processing of personal data, this DPA shall prevail.

This Agreement takes effect automatically. By registering an account with CoRubrics or continuing to use the service, the data controller accepts the terms of this Agreement on their own behalf and on behalf of their organisation, if applicable. No wet signature is required.

1. Definitions and interpretation

For the purposes of this Agreement, the following definitions shall apply:

  • «GDPR» means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
  • «LOPD-GDD» means Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights.
  • «Data Controller» (or «Customer») means the teacher or entity accepting this Agreement who determines the purposes and means of the processing of personal data in the context of their use of CoRubrics.
  • «Data Processor» (or «CoRubrics») means Roger Feliu Vert, operating under the CoRubrics brand, with contact email legal@corubrics.co.
  • «Customer Data» means the personal data that the Controller inputs, uploads or generates through use of the Services.
  • «Services» means the educational assessment platform accessible at corubrics.co, including rubric creation, class and student management, assessment forms, grade calculation and reporting.
  • «Sub-processor» means any third party engaged by CoRubrics to process Customer Data on behalf of the Controller.
  • «Personal Data Breach» means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • The terms «personal data», «processing», «data subject», «supervisory authority» and «international transfer» shall have the meanings ascribed to them in the GDPR.

2. Processing of Customer Data

CoRubrics shall process Customer Data only on documented instructions from the Controller, including those set out in the CoRubrics Terms of Use and in this Agreement, unless required to do so by applicable law, in which case CoRubrics shall inform the Controller before processing, unless prohibited from doing so by law.

The subject matter, nature and purpose of the processing is the provision of the educational assessment Services described above. The categories of personal data processed include: student identification data (name, surnames, email address where provided by the teacher), assessment results, rubric scores and teacher account data. The data subjects are the students and pupils managed by the Controller, as well as the Controller themselves as a platform user.

The Processor shall not process Customer Data for its own purposes, for behavioural advertising, or for any purpose other than the provision of the Services.

3. Processor personnel

CoRubrics warrants that persons authorised to process Customer Data are subject to a duty of confidentiality, whether by contractual commitment or statutory obligation.

CoRubrics shall take all reasonable steps to ensure that access to Customer Data is limited to personnel whose access is necessary for the provision of the Services, and shall take appropriate steps to ensure that such personnel comply with the confidentiality and security obligations set out in this Agreement.

4. Security measures (Art. 32 GDPR)

CoRubrics shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Such measures include, but are not limited to:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest in the database infrastructure.
  • Access controls and authentication, including one-time magic-link verification via email for teachers and secure single-use tokens for students.
  • Audit logging of relevant actions performed on the platform.
  • Regular assessments and testing of security measures.
  • Procedures to ensure the timely availability and restoration of processing systems and services in the event of a physical or technical incident.

4.1 Evolution of security measures

CoRubrics may update or modify the security measures over time, provided that such updates or modifications do not reduce the overall level of protection afforded to Customer Data.

5. Sub-processing

The Controller authorises CoRubrics to engage sub-processors for the processing of Customer Data. The current list of authorised sub-processors is set out in Schedule A to this Agreement and is permanently available at corubrics.co/dpa.

CoRubrics shall notify the Controller of any intended changes to the list of sub-processors (additions or replacements) by updating Schedule A published at corubrics.co/dpa with a minimum of ten (10) calendar days' prior notice before the change takes effect. The Controller may object to such changes by written notice to legal@corubrics.co. If no objection is received within the notice period, the Controller shall be deemed to have accepted the change.

CoRubrics shall impose data protection obligations on each sub-processor equivalent to those set out in this Agreement. In the event that a sub-processor fails to fulfil its data protection obligations, CoRubrics shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

6. Data subject rights

Taking into account the nature of the processing, CoRubrics shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction of processing, data portability and objection).

If CoRubrics receives a request from a data subject in relation to Customer Data processed on behalf of the Controller, CoRubrics shall redirect such request to the Controller as soon as reasonably practicable, without acting on it directly, unless expressly instructed by the Controller or as required by applicable law.

CoRubrics shall make available to the Controller the technical tools available on the platform to manage, export and delete student and account data, in order to assist the Controller in responding to data subject requests.

7. Personal data breach

CoRubrics shall notify the Controller of any personal data breach without undue delay and, in any event, no later than seventy-two (72) hours after becoming aware of it. Notification shall be made to the email address associated with the Controller's account.

The notification shall include, to the extent possible and as information becomes available: a description of the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to address it.

CoRubrics shall cooperate with the Controller and provide all reasonable assistance in connection with any notification to the competent supervisory authority or to data subjects themselves, as required by Articles 33 and 34 of the GDPR.

8. Data protection impact assessment and prior consultation

CoRubrics shall provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and in prior consultations with the supervisory authority that are necessary pursuant to Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to CoRubrics.

Such assistance shall be limited to technical information about the processing architecture, implemented security measures and sub-processors used, and shall be subject to applicable confidentiality constraints.

9. Deletion or return of data

Upon termination of the provision of the Services, CoRubrics shall, at the Controller's choice and upon written request, delete or return all Customer Data to the Controller within ten (10) business days, unless applicable law requires retention of the data.

«Termination of the provision» shall mean when the Controller closes their account, requests deletion of their account through the GDPR controls available on the platform, or when the Agreement is terminated for any reason.

Once the deletion period has elapsed, CoRubrics shall confirm in writing to the Controller that Customer Data has been deleted from all systems of the Processor and its sub-processors, except to the extent that applicable law requires its retention.

The Controller may, at any time during the term of the Agreement, export their data using the GDPR export function available on the platform.

10. Audits and inspections

CoRubrics shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be subject to a minimum of thirty (30) calendar days' prior written notice, shall be conducted during business hours, shall not disproportionately interfere with CoRubrics' operations, and shall be subject to applicable confidentiality provisions. The cost of audits shall be borne by the Controller, unless the audit reveals material non-compliance by CoRubrics.

For the purposes of this Agreement, the Controller acknowledges that the provision of third-party compliance reports (e.g., SOC 2) or responses to standardised security questionnaires may reasonably satisfy the audit requirements described above.

11. International data transfers

Customer Data is stored primarily within the European Union, on Supabase infrastructure located in Frankfurt, Germany.

Certain processing operations may involve the transfer of data to third countries, in particular the United States, via the sub-processors detailed in Schedule A. All international transfers are carried out under Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, or another legally valid transfer mechanism in accordance with Article 46 of the GDPR.

CoRubrics shall periodically assess whether the safeguards provided by the transfer mechanisms used are sufficient to ensure a level of protection essentially equivalent to that guaranteed within the European Union.

12. General terms

12.1 Confidentiality

Each party shall maintain the confidentiality of Customer Data and any confidential information of the other party. CoRubrics shall not disclose Customer Data to any third party except as set out in this Agreement, as necessary to provide the Services, or as required by applicable law.

12.2 Notices

All notices required under this Agreement shall be in writing and sent to the email address designated by each party: to the Controller, to the email address associated with their CoRubrics account; to CoRubrics, to legal@corubrics.co.

12.3 Order of precedence

In the event of any conflict between this DPA and the CoRubrics Terms of Use with respect to data protection matters, this DPA shall prevail. In all other matters, the Terms of Use shall prevail.

12.4 Severability

If any provision of this Agreement is held to be invalid, void or unenforceable by a court of competent jurisdiction, the remaining provisions of the Agreement shall continue in full force and effect.

13. Governing law and jurisdiction

This Agreement is governed by Spanish law, in particular the GDPR and the LOPD-GDD, without prejudice to any mandatory provisions of the GDPR that may apply depending on the Controller's place of establishment.

For the resolution of any dispute arising out of or in connection with this Agreement, the parties submit to the exclusive jurisdiction of the Courts and Tribunals of the city of Barcelona, Spain, unless applicable law requires a different jurisdiction.

The Controller may also lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD), located at Calle Jorge Juan 6, 28001 Madrid, Spain (www.aepd.es).

Schedule A — Authorised Sub-processors

The Processor uses the following sub-processors to provide the service. All sub-processors are subject to contractual obligations equivalent to those set out in this Agreement. International transfers are carried out under Standard Contractual Clauses approved by the European Commission (Implementing Decision 2021/914/EU), unless the destination country benefits from a recognised adequacy decision.

Sub-processor | Service
Supabase, Inc. | Database, authentication and file storage
Plus Five Five, Inc. (Resend) | Transactional email delivery
Vercel, Inc. | Web application hosting and edge infrastructure
Anthropic, PBC | AI-assisted rubric generation (pseudonymised rubric content only; no student or minor data)
Functional Software, Inc. (Sentry) | Error tracking and performance monitoring
Upstash, Inc. | Request rate limiting (in-memory Redis)

Contact for data processing matters

For any queries relating to this Agreement or to the processing of personal data, please contact CoRubrics at legal@corubrics.co.
