Student Data Processing Agreement (SDPA)

How Sukrat processes Student Data on behalf of educational institutions

Last Updated: February 16, 2026

This Student Data Processing Agreement (“SDPA”) describes how Sukrat AI (“Sukrat,” “we,” “us,” or “our”) processes Student Data on behalf of educational institutions (“Institution,” “Controller”) in connection with the Sukrat platform and services (the “Service”).

This SDPA applies when Sukrat processes Student Data on behalf of an educational institution.

1. Definitions

Student Data
Means personal data relating to students that is provided to Sukrat by an Institution or collected through student use of the Service.

This may include:

  • Student name
  • Email address
  • Account identifiers
  • Educational progress data
  • Assessment responses
  • Learning activity

Student Data does not include aggregated or anonymized data that cannot identify individual students.

Controller
The educational institution that determines the purposes and means of processing Student Data.

Processor
Sukrat, acting on behalf of the Controller.

Data Subject
The student whose data is processed.

2. Role of Sukrat

When providing services to an Institution, Sukrat acts as a Data Processor.

Sukrat processes Student Data solely to provide the Service.

Sukrat does not sell Student Data.

Sukrat does not use Student Data for advertising.

3. Purpose of Processing

Sukrat processes Student Data solely to:

  • Provide educational services
  • Deliver learning content and assessments
  • Track student progress
  • Provide AI-powered educational support
  • Maintain system security
  • Improve platform functionality

Processing is limited to educational purposes.

4. AI Processing of Student Data

Sukrat uses AI providers to generate educational content.

Student Data may be processed by AI providers solely to provide the Service.

Sukrat does not permit AI providers to use Student Data for unrelated purposes.

Sukrat does not use Student Data to train public AI models without authorization.

5. Confidentiality

Sukrat ensures that personnel authorized to process Student Data are subject to confidentiality obligations.

Access to Student Data is restricted.

6. Security Measures

Sukrat implements appropriate technical and organizational security measures, including:

  • Encryption in transit (HTTPS/TLS)
  • Secure authentication systems
  • Access controls
  • Infrastructure security protections
  • Monitoring and logging

These measures are designed to protect Student Data.

7. Subprocessors

Sukrat may use subprocessors to provide the Service.

These may include:

  • Supabase — infrastructure and database
  • Anthropic and OpenAI — AI processing
  • Stripe — payment processing (if applicable)
  • PostHog — analytics

Subprocessors are contractually obligated to protect Student Data.

A full list is available on the Subprocessors page.

8. Data Retention

Sukrat retains Student Data only as long as necessary to provide the Service or comply with legal obligations.

Upon request by the Institution, Sukrat will delete Student Data, subject to legal requirements.

9. Data Subject Rights

Sukrat assists Institutions in responding to student data rights requests, including:

  • Access
  • Correction
  • Deletion
  • Data portability

Requests may be submitted through the Institution or directly to Sukrat.

10. Incident Response

If Sukrat becomes aware of a security incident affecting Student Data, Sukrat will:

  • Investigate the incident
  • Take appropriate corrective action
  • Notify the Institution where required by law

11. Data Transfers

Student Data may be processed in countries outside the Institution's jurisdiction.

Sukrat implements safeguards designed to protect Student Data.

12. Use Restrictions

Sukrat will not:

  • Sell Student Data
  • Use Student Data for advertising
  • Use Student Data for unrelated purposes

Student Data is used solely to provide educational services.

13. Termination and Data Deletion

Upon termination of services, Sukrat will delete or return Student Data as requested by the Institution, subject to legal obligations.

14. Compliance with Applicable Laws

Sukrat is committed to complying with applicable data protection laws, including GDPR and other applicable regulations.

15. Contact

For Student Data Processing Agreement inquiries, contact: legal@sukrat.ai

Last Modified: February 16, 2026

Policy Version: 1.0