New

Now in Claude, ChatGPT, Cursor & more with our MCP server

Koji
Why KojiUse casesCompareFAQ
Back to Koji for Education
Trust centreGDPR / AVGData processingAI governanceSecurityAccessibilitySub-processorsTOMCookies

Last updated: May 2026

Data Processing Agreement

DPA details aligned with the SURF Model Verwerkersovereenkomst v4.0 for procurement and privacy review.

DPA overview

Koji B.V. offers every university customer a Data Processing Agreement (Verwerkersovereenkomst) that is aligned with the SURF Model Verwerkersovereenkomst v4.0, released in January 2025. The SURF model is the standard contract template used across Dutch higher education for engaging processors of personal data, and it satisfies the requirements of Article 28 of the General Data Protection Regulation (GDPR).

Koji will sign the SURF model contract directly or, where the institution prefers a custom DPA, a Data Processing Agreement of equivalent scope and protective standard. In all cases the DPA governs the processing of personal data that Koji carries out on behalf of the institution.

Controller and processor

The university (or other educational institution) is the controller within the meaning of Article 4(7) GDPR. It determines the purposes and means of processing personal data in the context of course evaluation.

Koji B.V. is the processor within the meaning of Article 4(8) GDPR. Koji processes personal data solely on the documented instructions of the controller, except where Union or Member State law requires otherwise.

Coverage of GDPR Article 28(3) mandatory elements

Article 28(3) GDPR prescribes nine mandatory elements that must be addressed in any processor agreement. Koji's DPA covers each of them:

  • Processing on documented instructions. Koji processes personal data only on the written instructions of the controller, including with regard to transfers to third countries.
  • Confidentiality obligations. All persons authorised to process personal data at Koji have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures. Koji implements the technical and organisational measures required under Article 32 GDPR, as described in the Security page.
  • Sub-processor conditions. Koji engages sub-processors only in accordance with the conditions set out below and with the controller's prior consent.
  • Assistance with data subject rights. Koji assists the controller in responding to requests from data subjects exercising their rights under Chapter III GDPR.
  • Assistance with security and breach obligations. Koji assists the controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR, including breach notification and data protection impact assessments.
  • Data return and deletion. At the controller's choice, Koji returns or deletes all personal data after the end of the provision of services, and deletes existing copies unless Union or Member State law requires retention.
  • Audit support. Koji makes available to the controller all information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by the controller.
  • Inform on unlawful instructions. Koji immediately informs the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

Subject matter and scope

The DPA covers the processing of student evaluation data by Koji on behalf of the controller for the purpose of course quality assessment. The specific categories of personal data processed include:

  • Conversation transcripts generated during AI-led interviews.
  • Quality scores and structured data derived from student responses.
  • Optional voice recordings, where the institution has enabled audio capture and obtained the appropriate consent.
  • Authentication data required for single sign-on (e.g., SAML attributes such as name and institutional email address via SURFconext or other IdP).

Categories of data subjects

The processing concerns the following categories of data subjects:

  • Students who participate in evaluation interviews.
  • Instructors whose names may appear in evaluation reports.
  • Administrative staff who operate the platform as system users.

Sub-processor management

Koji may engage sub-processors only with the controller's prior written consent. The DPA supports two consent mechanisms as described in Article 28(2) GDPR:

  • Specific prior authorisation, where the controller approves each sub-processor individually before engagement.
  • General written authorisation with an objection mechanism, where Koji informs the controller of intended changes to sub-processors and the controller has the right to object.

All sub-processors are bound by data protection obligations equivalent to those set out in the DPA between Koji and the controller. Where a sub-processor fails to fulfil its obligations, Koji remains fully liable to the controller for the performance of that sub-processor's obligations.

The current list of sub-processors, including their locations and processing purposes, is available at /edu/compliance/sub-processors. Koji notifies the controller of any proposed changes to sub-processors at least 30 days in advance of the change taking effect, providing the controller with sufficient time to raise an objection.

Security obligations

Koji implements and maintains technical and organisational measures appropriate to the risk, as required by Article 32 GDPR. These measures are documented in detail on the Security page and include:

  • Encryption at rest and in transit. All personal data is encrypted using AES-256 at rest and TLS 1.2 or higher in transit.
  • Access controls. Role-based access control (RBAC) with the principle of least privilege. Multi-factor authentication is required for all staff accessing production systems.
  • Penetration testing. Independent third-party penetration tests are conducted at least annually, with remediation of critical and high findings on a defined timeline.
  • Employee training. All Koji personnel with access to personal data receive data protection and security awareness training on an annual basis.
  • Incident response. A documented incident response plan is maintained and tested, covering detection, containment, eradication, recovery, and post-incident review.

Koji is pursuing ISO 27001 certification. The current status and roadmap for certification are described on the Security page.

Audit rights

The controller has the right to audit Koji's processing activities to verify compliance with the DPA and applicable data protection law. Koji supports audits through the following mechanisms:

  • Provision of relevant documentation, including security policies, processing records, and third-party audit or certification reports.
  • Responses to written questionnaires, including standard vendor assessment frameworks (e.g., SURF, HECVAT).
  • On-site or remote audits conducted by the controller or by an independent third-party auditor mandated by the controller.

Audit requests require reasonable prior notice of 30 days and are conducted during normal business hours. Koji bears its own costs associated with supporting the audit (staff time, preparation of documentation). The controller bears the direct costs of the audit itself, including fees of any external auditor it engages.

Data subject requests

Koji assists the controller in fulfilling its obligations to respond to data subject requests under Chapter III GDPR. This assistance covers the following rights:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

The controller receives and evaluates all data subject requests. Upon instruction from the controller, Koji executes the technical actions required to fulfil the request. Koji has the technical capability to fulfil such requests within 72 hours of receiving the controller's instruction.

Breach notification

In the event of a personal data breach as defined in Article 4(12) GDPR, Koji notifies the controller without undue delay and in any case within 24 hours of becoming aware of the breach. This is stricter than the 72-hour window the GDPR grants the controller for notification to the supervisory authority, allowing the controller sufficient time for its own assessment and reporting.

The breach notification to the controller includes, at a minimum:

  • A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned.
  • The categories and approximate number of personal data records concerned.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the same time, Koji provides the information in phases without further undue delay.

Data return and deletion

On termination or expiry of the service agreement, and at the controller's choice, Koji either returns all personal data to the controller or deletes all personal data, including all existing copies.

  • Data return. Personal data is exported in a standard, machine-readable format (JSON and/or CSV) and made available to the controller via a secure download mechanism.
  • Deletion timeline. All copies of personal data, including data held in backups and disaster recovery systems, are deleted within 30 days of the return or deletion instruction.
  • Certificate of deletion. Koji provides a written certificate of deletion on request, confirming that all personal data has been destroyed and that no copies remain in Koji's possession.

Deletion is not carried out where Union or Member State law requires Koji to retain the personal data. In such cases, Koji informs the controller of the legal requirement and limits processing to the purposes required by that law.

International transfers

Koji does not transfer personal data outside the European Economic Area (EEA) without the controller's prior written authorisation. Where transfers outside the EEA are necessary and have been authorised by the controller, Koji ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented where necessary by additional technical and organisational measures.
  • Transfer Impact Assessments (TIAs) to evaluate the legal framework of the recipient country and identify any supplementary measures required to ensure an essentially equivalent level of protection.

The current sub-processor list at /edu/compliance/sub-processors identifies the location of each sub-processor, including whether data is processed within or outside the EEA.

Liability and indemnification

Liability between the controller and the processor is addressed in the DPA in accordance with the SURF Model Verwerkersovereenkomst v4.0 and applicable law. Each party is liable for the damage caused by processing that infringes the GDPR, in accordance with Article 82 GDPR.

Koji maintains professional liability insurance appropriate to the nature and scope of its processing activities. Details of coverage are available on request during the procurement process.

Requesting a DPA

To request a signed Data Processing Agreement, initiate DPA negotiations, or ask questions about any of the provisions described on this page, contact us at compliance@koji.so or schedule a call with the team.