Legal
Effective Date: April 28, 2026
Cues Technologies Inc. | 9171 Wilshire Blvd, Ste 500, Beverly Hills, CA 90210
1.1 Unless otherwise defined in this DPA, capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:
1.2 The terms “controller” and “processor” have the meanings given to them in the GDPR.
2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.
3.1 The Parties acknowledge and agree that:
4.1 The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
4.2 Other than in respect of its Processing of Covered Data for the Controller Purposes:
4.3 GradingPal will:
5.1 The Customer shall comply with its obligations under Applicable Data Protection Laws and shall ensure that:
6.1 GradingPal shall:
7.1 GradingPal may Process Covered Data anywhere that GradingPal or its Sub-processors maintain facilities, subject to the remainder of this paragraph 7. Covered Data is processed and stored on infrastructure located in the United States and other jurisdictions where GradingPal and its Sub-processors operate. GradingPal ensures that any international transfer of Covered Data is made in accordance with Applicable Data Protection Laws and the requirements of Schedule 3 of this DPA.
7.2 The Customer grants GradingPal general authorization to engage any Authorized Sub-processor listed in Schedule 4 to Process Covered Data.
7.3 GradingPal shall:
7.4 GradingPal maintains a current list of Authorized Sub-processors at www.gradingpal.com/sub-processors. GradingPal will update this page prior to adding or replacing any sub-processor and will notify institutional Customers of material changes to the sub-processor list upon request. If the Customer has a reasonable objection to the addition or replacement of a sub-processor, it may notify GradingPal in writing and the parties will work together in good faith to address the concern.
8.1 GradingPal will notify the Customer without undue delay of any request received by GradingPal or any Authorized Sub-processor from a Data Subject to assert their rights under Applicable Data Protection Laws in relation to Covered Data Processed by GradingPal as a processor or sub-processor (a “Data Subject Request”).
8.2 Other than in respect of GradingPal's Processing of Covered Data for the Controller Purposes, as between GradingPal and the Customer, the Customer will have sole discretion in responding to the Data Subject Request. GradingPal shall not respond to the Data Subject Request without the Customer's prior consent, save that GradingPal may advise the Data Subject that their request has been forwarded to the Customer.
8.3 GradingPal will provide the Customer with reasonable assistance as necessary for the Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests in respect of Covered Data.
9.1 GradingPal will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.
9.2 When assessing the appropriate level of security, GradingPal shall take into account the nature, scope, context and purpose of the Processing as well as the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
9.3 GradingPal will implement and maintain as a minimum standard the measures set out in Schedule 2.
10.1 The Customer may audit GradingPal's compliance with this DPA in respect of its Processing of Covered Data. The Parties agree that all such audits will be conducted:
10.2 With respect to any audits conducted in accordance with this paragraph:
10.3 The Customer shall promptly notify GradingPal of any non-compliance discovered during an audit. The results of the audit shall be GradingPal's confidential information.
10.4 GradingPal shall provide to the Customer upon request, or may provide in response to any audit request, either: (a) data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert or publicly certified auditing company; or (b) such other documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards.
10.5 If an audit requested by the Customer is addressed in the documents or certification provided by GradingPal, and: (a) the certification or documentation is dated within twelve (12) months of the Customer's audit request; and (b) GradingPal confirms that there are no known material changes in the controls audited — the Customer agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered.
11.1 GradingPal shall notify the Customer in writing without undue delay after becoming aware of any Security Incident.
11.2 GradingPal shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send the Customer timely information about the Security Incident, to the extent known to GradingPal or as the information becomes available, including but not limited to: the nature of the Security Incident; the measures taken to mitigate or contain the Security Incident; and the status of the investigation.
11.3 GradingPal shall provide reasonable assistance with the Customer's investigation of any Security Incidents and any of the Customer's obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities.
11.4 GradingPal's notification of or response to a Security Incident under this paragraph 11 shall not be construed as an acknowledgement by GradingPal of any fault or liability with respect to the Security Incident.
12.1 This DPA shall commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, GradingPal's deletion of all Covered Data as described in this DPA.
12.2 GradingPal shall:
13.1 GradingPal ensures that any transfer of Covered Data outside the EEA, UK, or other jurisdiction from which the Customer transfers data, is made in accordance with Applicable Data Protection Laws, including by relying on a Lawful Transfer Mechanism as defined in clause 1.1 of this DPA and as further described in Schedule 3.
13.2 GradingPal will promptly inform the Customer if, in its reasonable opinion, a change in Applicable Data Protection Laws means that GradingPal can no longer provide a Lawful Transfer Mechanism for the international transfer of Covered Data, and the parties will work together in good faith to identify an alternative lawful basis for the transfer.
| | Customer (Data Exporter) | GradingPal (Data Importer) |
|---|---|---|
| Role | Data exporter (controller) | Data importer (controller / processor) |
| Contact person | The administrator of the Customer's account as notified to GradingPal. | hello@gradingpal.com |
| Activities relevant to the transfer | The performance of the Agreement. | The performance of the Agreement. |
| Data Subjects | Categories of Personal Data | Sensitive Data | Purpose of Processing |
|---|---|---|---|
| Main points of contact for accounts held by Educational Institutions (Account Administrators) | Contact information: name, email address, name of Educational Institution. Account preferences. Questions and correspondence submitted in relation to the Service. | None | Communicating with Account Administrators in relation to the administration of the Agreement and the relationship between the parties. Sending promotional emails in accordance with Account Administrator preferences. Identifying ways to improve the Service. |
| Teachers with accounts associated with, authorized by, or paid for by an Educational Institution (Teachers on School Accounts) | Contact information: name, email address, name of Educational Institution. Account preferences for service-related messages. Account tier. Questions and correspondence. Subjects taught and student year groups or grades. Content and materials created through the Service, including graded assignments and AI-generated feedback. Feedback in relation to content generated through the Service. Features and functionalities used on the Service. | None, unless contained in content and materials generated through, or prompts or feedback submitted to the Service. | Provision of access to the features and functionalities of the Service, including personalization. Provision of service-related communications. Provision of technical support. Distribution of promotional emails in accordance with data subject preferences. Informing product development and improvement. |
| Teachers with individual accounts not associated with, authorized by, or paid for by an Educational Institution (Independent Teachers) | Contact information, account tier, payment information (processed by Stripe). Account preferences. Questions and correspondence. Subjects taught and student year groups or grades. Content and materials created through the Service. Websites visited in respect of which the Service is activated. Feedback in relation to content generated. Features and functionalities used on the Service. Device used to access the Service (IP address). | None, unless contained in content and materials generated through, or prompts or feedback submitted to the Service. | Provision of access to the features and functionalities of the Service, including personalization. Processing subscription payments. Provision of service-related communications. Provision of technical support. Distribution of promotional emails in accordance with data subject preferences. Informing product development and improvement. |
| Students | Identity (name, email address); academic information (grade level, subject, course name); submitted assignments and coursework across all supported content types; AI-generated grades and feedback; performance analytics; technical data (IP address, device information). Where a teacher has connected Google Classroom, data may also be read from or written back to Google Classroom. | Any sensitive personal data contained in work product uploaded to the Service by the Student. | Provision of AI-powered grading and feedback. Generating performance analytics. Reading from and writing scores and feedback to Google Classroom on teacher instruction. Service security and operation. |
| All users | Device used to access the Service, such as IP address. | None | Provision of access to the features and functionalities of the Service. Ensuring the security and integrity of the Service. |
For transfers of Covered Data from customers located in the European Economic Area, the competent supervisory authority is the Irish Data Protection Commissioner, unless otherwise required by applicable law.
For transfers of Covered Data from customers located in the United Kingdom, the competent supervisory authority is the UK Information Commissioner's Office (ICO), acting independently under the UK GDPR and the Data Protection Act 2018.
GradingPal employs a combination of policies, procedures, guidelines and technical and physical controls to protect the Personal Data it processes from accidental loss and unauthorized access, disclosure or destruction.
This Schedule describes how GradingPal ensures that international transfers of Covered Data are made lawfully in accordance with Applicable Data Protection Laws.
GradingPal ensures that any transfer of Covered Data outside the EEA, UK, Switzerland, Australia, or other jurisdiction from which the Customer provides data, is made in accordance with Applicable Data Protection Laws. GradingPal does this by relying on one or more of the following Lawful Transfer Mechanisms, as appropriate to the relevant transfer:
GradingPal currently transfers Covered Data primarily to the United States, where GradingPal and its Sub-processors are located. The majority of GradingPal's Sub-processors (including AWS, Google, OpenAI, Anthropic, Stripe, Vercel, Render, Upstash, Loops, Resend, Mixpanel, Sentry, and Ably) are certified under the EU-US Data Privacy Framework and/or the UK-US Data Bridge, providing a lawful basis for these transfers without the need for additional contractual safeguards. For Sub-processors that are not certified under these frameworks, GradingPal relies on Standard Contractual Clauses or other appropriate safeguards as required. Mistral AI SAS is a French company whose infrastructure is hosted within the European Union; no transfer safeguard is required for data processed by Mistral.
GradingPal will maintain an up-to-date record of the transfer mechanisms applicable to each Sub-processor and will make this available to the Customer upon request.
Data transfer law evolves over time. GradingPal will monitor changes to Applicable Data Protection Laws and will update its transfer mechanisms as necessary to ensure continued compliance. GradingPal will notify the Customer if any material change to the applicable transfer mechanism is required and will work with the Customer in good faith to maintain a lawful basis for the transfer of Covered Data.
Where Covered Data originates from Australia and is transferred to GradingPal in the United States, GradingPal will take reasonable steps to ensure that it handles such Covered Data in a manner consistent with the Australian Privacy Principles. GradingPal is responsible for the acts and omissions of overseas recipients of Australian Covered Data as if they were its own. In the event of a suspected Security Incident affecting Australian Covered Data, GradingPal will carry out a reasonable and expeditious assessment within 30 days of becoming aware.
The following sub-processors are authorized to process Covered Data in connection with the provision of the Service. GradingPal maintains the current and complete sub-processor list at www.gradingpal.com/sub-processors and will update it prior to adding or replacing any sub-processor in accordance with paragraph 7.4 of this DPA.
| Sub-processor | Purpose | Country |
|---|---|---|
| Ably Realtime Ltd. | Real-time messaging | United Kingdom |
| Amazon Web Services, Inc. | Cloud infrastructure | United States |
| Anthropic PBC | AI services | United States |
| Axiom, Inc. | Logging and observability | United States |
| Chatwoot, Inc. | Customer support | United States |
| Functional Software, Inc. | Error monitoring | United States |
| Google LLC | Cloud infrastructure and AI | United States |
| Linear Orbit, Inc. | Internal operations | United States |
| Loops, Inc. | Email communications | United States |
| Microsoft Corporation | AI services | United States |
| Mistral AI SAS | AI services | France |
| Mixpanel, Inc. | Product analytics | United States |
| Notion Labs, Inc. | Internal operations | United States |
| OpenAI OpCo, LLC | AI services | United States |
| Render Services, Inc. | Cloud infrastructure | United States |
| Resend, Inc. | Email communications | United States |
| Slack Technologies, LLC | Internal communications | United States |
| Stripe, Inc. | Payment processing | United States |
| Supabase, Inc. | Cloud infrastructure | United States |
| Unstructured Technologies, Inc. | Document processing | United States |
| Upstash, Inc. | Cloud infrastructure | United States |
| Velt, Inc. | Collaboration services | United States |
| Vercel, Inc. | Cloud infrastructure | United States |
Customers wishing to execute a signed copy of this Data Processing Addendum should contact hello@gradingpal.com. By using GradingPal's Services, Customers agree to the terms and conditions of this DPA.