This Data Processing Amendment (“Amendment”) supplements and forms part of the Terms of Service and Privacy Policy of Sukrat AI (“Sukrat”). It describes in detail how Sukrat processes personal data as a data processor on behalf of institutional customers (schools, colleges, tutoring centers) using the Sukrat platform.
For institutional customers, this Amendment is incorporated by reference into the school agreement. To request an executable copy for your institution, contact legal@sukrat.ai.
Definitions
- “Controller” — the educational institution that determines the purposes and means of processing Student Data
- “Processor” — Sukrat AI Inc., acting on behalf of the Controller
- “Personal Data” — any information relating to an identified or identifiable natural person
- “Student Data” — Personal Data relating to students provided to Sukrat by an Institution or collected through student use of the Service
- “Processing” — any operation performed on Personal Data, including collection, storage, access, transmission, or deletion
- “Authorized Purpose” — providing the Sukrat intelligent tutoring, adaptive assessment, mastery modeling, and curriculum practice services as contracted by the Institution
Scope of Processing
Sukrat acts as a data Processor when processing Student Data on behalf of an institutional customer. The categories of Student Data processed by Sukrat are:
- Account and identity data: student name, institutional email address, school affiliation, and role
- Learning and assessment data: assessment responses, mastery graph state, and session metadata
- AI interaction logs: session transcripts retained 90 days then permanently deleted
- Technical data: device type, browser, and approximate location (country-level only)
Processing Purposes and Restrictions
Sukrat processes Student Data solely for the Authorized Purpose. Sukrat will not:
- Sell Student Data to any third party
- Use Student Data for advertising or behavioral profiling
- Use Student Data to train third-party AI models — this is enforced architecturally and required by contract with every AI provider
- Process Student Data for any purpose not specified in the Controller's instructions or required by applicable law
No-PII AI Processing Commitment
When Sukrat sends requests to external AI model providers (Anthropic, OpenAI, Google Gemini) to generate educational content, no student personally identifiable information is included. Prompts contain only anonymized curriculum content (question text, syllabus reference, mark scheme context) and anonymized mastery context for the relevant topic. This architectural constraint is not configurable and cannot be bypassed.
Data Security
Sukrat implements the following technical and organizational measures to protect Student Data:
- AES-256 encryption at rest (Supabase EU region and DigitalOcean)
- TLS 1.2+ encryption in transit across all endpoints
- Supabase Row-Level Security enforcing per-institution data isolation at the database level
- Multi-factor authentication required for production database access, restricted to named team members
- No student PII accessible in development or staging environments
- Cloudflare WAF and DDoS protection at the network edge
Subprocessors
Sukrat engages the following categories of subprocessors to provide the Service. All are bound by data processing agreements with equivalent protections to this Amendment:
- Infrastructure: Supabase (EU region), DigitalOcean, Vercel, Cloudflare
- AI providers: Anthropic, OpenAI, Google (Gemini API) — anonymized prompts only, no student PII
- Observability: Langfuse (AI evaluation, anonymized), Sentry (error monitoring, PII scrubbed)
- Analytics: PostHog (anonymized events, no PII)
- Payment: Stripe (billing metadata only)
- Email: Resend (transactional emails)
The full list with data categories is on the Subprocessors page. Sukrat will notify institutional customers of material subprocessor changes in advance.
Data Subject Rights
Sukrat will assist the Controller in responding to data subject rights requests from students, including:
- Right of access to Student Data
- Right to rectification of inaccurate data
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to data portability
Requests may be submitted via the school administrator or directly to privacy@sukrat.ai.
Data Retention
Sukrat retains Student Data only for as long as necessary to provide the Service:
- Assessment responses and mastery state: active enrollment + 90 days post-account-closure, then anonymized
- Session transcripts (AI interaction logs): 90 days, then deleted
- Account data: until account deletion + 90-day grace period
Upon termination, Sukrat will export available Student Data in a machine-readable format within 30 days on request, and will delete Student Data within 30 days of termination unless a longer period is required by law.
International Transfers
Student Data is stored in the EU region (Supabase EU). Transfers to subprocessors outside the EEA are covered by standard contractual clauses or equivalent safeguards as required by GDPR and applicable law.
Breach Notification
If Sukrat becomes aware of a confirmed security incident affecting Student Data, Sukrat will notify the Controller within 72 hours of confirmation, providing all information necessary to fulfil applicable breach notification obligations. For Sukrat's incident response process, see the Security Incident Response Policy.
Contact
For questions about this Amendment or to request an executable institutional DPA:
- Email: privacy@sukrat.ai
- Legal: legal@sukrat.ai
- Address: c/o Registered Agent, Tailor Brands
- Location: Wilmington, Delaware, USA
Last Modified: June 1, 2026
Policy Version: 2.0