Data Processing Addendum

Effective 2026-01-01

This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Center" or "Controller") and CIRCLETIME ("Processor") for use of the Service. It applies whenever CIRCLETIME processes Personal Data on the Center's behalf, including under the GDPR, UK GDPR, CCPA/CPRA, and applicable U.S. state privacy laws.

1. Roles & Scope

The Center is the Controller of Personal Data uploaded to the Service (including child, parent, and staff records). CIRCLETIME acts as Processor and processes Personal Data only on documented instructions from the Center.

2. Categories of Data & Data Subjects

• Children: name, DOB, immunization records, attendance, photos, incident reports
• Parents/guardians: contact details, billing, messages, e-signatures
• Staff: contact details, scheduling, payroll metadata

3. Processing Purposes

Providing, securing, and improving the Service; billing; parent communication; compliance reporting; and legally required disclosures.

4. Subprocessors

CIRCLETIME uses vetted subprocessors (hosting, payments, email, SMS, AI inference). A current list is available at privacy@educircletime.com on request. We provide at least 30 days notice of new subprocessors; the Center may object on reasonable grounds.

5. Security Measures

• TLS 1.2+ in transit, AES-256 at rest
• Row-Level Security and least-privilege access controls
• MFA for administrative access; full audit logging on sensitive operations
• Continuous vulnerability scanning and SLO monitoring

6. International Transfers

Personal Data is hosted in the United States. EU/UK transfers rely on the EU Standard Contractual Clauses (Module Two) and the UK Addendum, incorporated by reference.

7. Data Subject Requests

CIRCLETIME provides tooling for the Center to access, correct, export, or delete Personal Data. We assist the Center in responding to data subject requests within statutory timeframes.

8. Personal Data Breach Notification

We will notify the Center without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Center's data.

9. Audit Rights

Centers may request our most recent SOC 2 / penetration test summary annually. On-site audits are by mutual agreement and at the Center's expense.

10. Return or Deletion

On termination, the Center may export Personal Data via the in-app export. After 30 days we delete all Personal Data unless retention is legally required.

11. Contact

CIRCLETIME Privacy Team — privacy@educircletime.com.

See also our Terms of Service and Privacy Policy.