Last Updated: February 16, 2026
This Data Processing Agreement (“DPA”) describes how Sukrat AI (“Sukrat,” “we,” “us,” or “our”) processes personal data on behalf of users and institutional customers in connection with the Sukrat platform and services (the “Service”).
This DPA is intended to support compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
1. Definitions
For the purposes of this DPA:
“Personal Data” means any information relating to an identified or identifiable person.
“Controller” means the entity that determines the purposes and means of processing personal data.
“Processor” means the entity that processes personal data on behalf of the Controller.
“Data Subject” means the individual whose personal data is processed.
Depending on the context, Sukrat may act as either a Controller or a Processor.
2. Scope of Processing
Sukrat processes personal data only as necessary to provide the Service.
This may include:
- Account information
- Educational progress data
- User-generated educational content
- Technical and usage data
Processing is limited to providing and improving the Service.
3. Purpose of Processing
Personal data is processed solely for the following purposes:
- Providing educational services
- Operating the platform
- Supporting learning functionality
- Maintaining system security
- Providing customer support
Sukrat does not sell personal data.
4. Instructions from Controller
Sukrat processes personal data only in accordance with:
- User instructions
- Institutional customer instructions
- Applicable laws
Sukrat does not process data for unrelated purposes.
5. Confidentiality
Sukrat ensures that personnel authorized to process personal data are subject to confidentiality obligations.
Access to personal data is restricted.
6. Security Measures
Sukrat implements appropriate technical and organizational measures, including:
- Encryption in transit (HTTPS/TLS)
- Secure authentication systems
- Access controls
- Monitoring and logging
These measures are designed to protect personal data.
7. Subprocessors
Sukrat uses trusted subprocessors to operate the Service.
These may include:
- Supabase — infrastructure and database
- Anthropic and OpenAI — AI processing
- Stripe — payment processing
- PostHog — analytics
All subprocessors are contractually obligated to protect personal data.
A full list is available on the Subprocessors page.
8. Data Subject Rights
Sukrat supports data subject rights, including:
- Access
- Correction
- Deletion
- Data portability
Requests may be submitted via the GDPR Rights Request page.
9. Data Retention
Sukrat retains personal data only as long as necessary to provide the Service or comply with legal obligations.
Users and institutional customers may request deletion.
10. Data Transfers
Personal data may be processed in countries outside the user's jurisdiction.
Sukrat implements safeguards designed to protect personal data.
11. Incident Notification
If Sukrat becomes aware of a security incident affecting personal data, Sukrat will:
- Investigate the incident
- Take appropriate remediation steps
- Notify affected parties where required by law
12. Termination
Upon termination of services, Sukrat will delete or return personal data as required by applicable law.
13. Contact
For DPA-related inquiries, contact: legal@sukrat.ai
Last Modified: February 16, 2026
Policy Version: 1.0