This Data Processing Agreement (DPA) applies to organizations ("Institutions") that purchase seat licenses or institutional access to OurVaya (operated by Billimen Inc., "Processor"). It supplements the OurVaya Terms of Service and governs the processing of personal data on behalf of the Institution.
Scope and Applicability
This DPA applies when an Institution provides OurVaya with personal data about its members, employees, or students ("Data Subjects") in connection with an institutional seat license. It does not apply to individual consumer subscriptions.
If your organization requires a signed DPA, please email founder@partnastudio.com. We will provide a countersigned PDF version.
Roles
The Institution is the Data Controller — it determines the purpose and means of processing personal data about its Data Subjects.
Billimen Inc. is the Data Processor — it processes personal data only on the documented instructions of the Institution and only to the extent necessary to deliver the OurVaya platform.
Data We Process on Your Behalf
When an Institution provisions accounts for its members, we process: member email addresses (used as account identifiers), display names (if provided by the Institution), and learning activity data (progress, game scores, credentials earned) associated with those accounts.
We do not require government ID, Social Security Numbers, financial data, or health data from institutional members.
How We Use Institutional Member Data
We process institutional member data only to: create and manage user accounts, deliver the platform features the Institution has licensed, provide aggregate usage reporting to the Institution (no individual-level data without member consent), and respond to support requests.
We do not use institutional member data for advertising targeting, sale to third parties, or our own product analytics without separate written consent.
Sub-Processors
We use the following sub-processors who may process institutional member data: MongoDB Atlas (database hosting) — data stored in US regions by default; Vercel (hosting, CDN, serverless functions) — data processed in US and edge regions; Resend (transactional email delivery) — email addresses processed to deliver account emails; Stripe (payment processing) — processes Institution billing data, not member data.
We will notify Institutions of any material changes to sub-processors with at least 30 days' notice.
Data Retention and Deletion
Institutional member data is retained for the duration of the institutional license, plus 30 days following termination to allow for export. After 30 days, member accounts and associated data are deleted. Institutions may request earlier deletion by emailing founder@partnastudio.com.
Security
We implement technical and organizational measures to protect personal data, including: encryption in transit (TLS 1.2+), encryption at rest (MongoDB Atlas), access controls limiting data access to authorized personnel, and regular security reviews.
Data Subject Rights
Institutions are responsible for receiving and evaluating data subject rights requests (access, deletion, correction, portability) from their members. We will assist Institutions in fulfilling these requests by providing the technical capability to export or delete individual user data. Contact founder@partnastudio.com to initiate a data subject rights request.
Governing Law
This DPA is governed by the laws of the State of Delaware, United States. For Institutions subject to GDPR, we will execute a GDPR-compliant DPA with Standard Contractual Clauses upon request.
Contact
To request a countersigned DPA, to report a data incident, or for any questions about institutional data processing, contact: founder@partnastudio.com — Billimen Inc. · Wilmington, Delaware
For questions about this document, contact us at contactus@ourvaya.com.