Last Updated: June 1, 2026
This Data Processing Agreement (“DPA”) describes how Sukrat AI (“Sukrat,” “we,” “us,” or “our”) processes personal data on behalf of users and institutional customers (schools, colleges, tutoring centers) in connection with the Sukrat platform and services (the “Service”).
This DPA supports compliance with applicable data protection laws including the General Data Protection Regulation (GDPR), the UK GDPR, and applicable US state and sector laws. For institutional customers, a signed DPA is incorporated into the school agreement by reference. To request a copy of the executable DPA, contact legal@sukrat.ai.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person.
“Student Data” means Personal Data relating to students that is provided to Sukrat by an Institution or collected through student use of the Service.
“Controller” means the entity that determines the purposes and means of processing Personal Data. For institutional deployments, the School is generally the Controller with respect to Student Data.
“Processor” means the entity that processes Personal Data on behalf of the Controller. Sukrat acts as Processor when processing Student Data for institutional customers.
“Data Subject” means the individual whose Personal Data is processed.
2. Scope and Categories of Data Processed
Sukrat processes the following categories of Personal Data to provide the Service:
- Account and identity data (name, institutional email, school affiliation, role)
- Learning and assessment data (assessment responses, mastery graph state, session metadata)
- AI interaction logs (session transcripts, retained 90 days then deleted)
- Technical and device data (device type, browser, IP address)
- Payment and billing metadata (via Stripe; no card numbers stored by Sukrat)
3. Purpose and Legal Basis for Processing
Personal Data is processed solely for the Authorized Purpose: providing the Sukrat intelligent tutoring, adaptive assessment, mastery modeling, and curriculum practice services. Sukrat does not process Personal Data for advertising, behavioral profiling, or AI model training.
Where Sukrat acts as a Controller (e.g., direct B2C student accounts), processing is based on contract performance and legitimate interest. Where Sukrat acts as a Processor for institutional customers, processing is based on the instructions of the Controller (the School).
4. Confidentiality
Sukrat ensures that all personnel authorized to process Personal Data are subject to binding confidentiality obligations. Access to Personal Data is restricted to named team members with a documented legitimate need, enforced via multi-factor authentication.
5. Security Measures
Sukrat implements the following technical and organizational measures:
- AES-256 encryption at rest (Supabase EU region and DigitalOcean)
- TLS 1.2+ encryption in transit across all endpoints
- Supabase Row-Level Security enforcing per-student and per-institution data isolation at the database level
- Multi-factor authentication required for production database access
- No student PII in development or staging environments
- Cloudflare WAF and DDoS protection at the network edge
- Sentry error monitoring with PII scrubbed before transmission
For more detail, see the Security and Data Protection page.
6. No-PII AI Processing Commitment
No student personally identifiable information is included in prompts sent to external AI providers (Anthropic, OpenAI, Google Gemini). Prompts contain only anonymized curriculum content and mastery context. No student data is used to train third-party AI models. This is enforced architecturally and required by contract with every AI provider.
7. Subprocessors
Sukrat engages the following categories of subprocessors to operate the Service. All are bound by data processing agreements that prohibit use of data beyond the contracted service purpose.
- Infrastructure and database: Supabase, DigitalOcean, Vercel, Cloudflare
- AI model providers: Anthropic, OpenAI, Google (Gemini), DeepSeek (Pakistan-only, anonymized)
- Observability: Langfuse (AI evaluation), Sentry (error monitoring)
- Analytics: PostHog (anonymized usage events, no PII)
- Payment processing: Stripe
- Email delivery: Resend
The full list with data categories is on the Subprocessors page. Material subprocessor changes are communicated to institutional customers in advance.
8. Data Subject Rights
Sukrat supports the following data subject rights and will assist institutional customers in responding to requests from their students:
- Right of access — export of mastery data and session history
- Right to rectification — correction of inaccurate account data
- Right to erasure — deletion of all PII within 30 days of request
- Right to portability — machine-readable JSON export
- Right to restriction — pause processing on request
Requests may be submitted via the GDPR and Data Rights Request page or directly to privacy@sukrat.ai.
9. Data Retention
- Account data: until deletion + 90-day grace period
- Assessment responses and mastery state: active enrollment + 90 days post-closure, then anonymized
- Session transcripts (AI logs): 90 days post-session, then deleted
- Analytics events: 90 days
- Billing records: per Stripe and applicable accounting requirements
10. International Data Transfers
Student data is stored in the EU region (Supabase EU). Data may be processed by infrastructure providers and AI providers in other jurisdictions. Sukrat ensures that any international transfer is covered by appropriate safeguards (standard contractual clauses or equivalent) as required by applicable law.
11. Breach Notification
If Sukrat becomes aware of a confirmed security incident affecting Personal Data, Sukrat will notify the relevant Controller (school) within 72 hours of confirmation, and will notify affected individuals where required by applicable law.
12. Termination and Data Deletion
Upon termination of services, Sukrat will export available Student Data in a machine-readable format on request within 30 days, and will delete Student Data within 30 days of termination unless a longer period is required by law.
13. Contact
For DPA-related inquiries or to request a signed institutional DPA, contact: legal@sukrat.ai
Last Modified: June 1, 2026
Version: 2.0