Legal · Jukuna Learning Platform
Data Processing Agreement
Effective date: 2026-06-01 · Version 1.0
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Controller: The school or institution ("School") that has subscribed to the Jukuna platform.
- Processor: The operator of the Jukuna Learning Platform ("Jukuna").
2. Scope of Processing
Jukuna processes the following categories of personal data on behalf of the School:
| Data category | Purpose | Retention |
|---|---|---|
| Student name | Identity display, teacher view | Contract duration + 30 days |
| Student email address | Authentication, notifications | Contract duration + 30 days |
| Question performance data (scores, timestamps) | ELO-based personalisation, analytics | Contract duration + 30 days |
| Session metadata (subject, topic, difficulty) | Progress tracking, reports | Contract duration + 30 days |
| Teacher name and email | Class management | Contract duration + 30 days |
No special category data (health, biometric, etc.) is processed. No student data is used to train AI models.
3. Sub-Processors
Jukuna uses the following sub-processors. The School consents to their use by accepting this DPA:
| Sub-processor | Role | Data location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | South Korea (AWS ap-northeast-2) |
| Google LLC (Gemini API) | AI question generation & answer scoring — receives practice content (subject, topic, questions, answers); not used to train models | US |
| Vercel Inc. | Hosting, CDN, serverless functions | Global edge (US primary) |
| Resend Inc. | Transactional email (invitations, alerts, consent) | US |
| Cloudflare Inc. | Bot-protection (Turnstile) on public forms | Global edge (US primary) |
4. Data Subject Rights
The School, as data controller, is responsible for handling data subject (student) rights requests. Jukuna will assist as follows:
- Access / Export: Full data export available on request within 5 business days.
- Deletion: Individual student deletion available via the admin panel or by emailing admin@jukuna.com. Processed within 30 days.
- Correction: Name and email updates available in the platform settings.
5. Security Measures
- All data encrypted at rest (AES-256 via Supabase) and in transit (TLS 1.3).
- Row-level security (RLS) enforced at the database layer — no school can access another school's data.
- Authentication via Supabase Auth (email/password or Google OAuth). Passwords are never stored in plaintext.
- Access control: students see only their own data; teachers see only their class; school admins see only their school.
6. International Transfers
Jukuna is operated from Japan and personal data is processed by sub-processors outside Japan — principally South Korea (database & storage) and the United States (AI processing, email, bot-protection, and hosting). Transfers are made on the basis of the sub-processors’ contractual data-protection commitments, providing protection equivalent to that required under APPI; where a sub-processor offers Standard Contractual Clauses, those are incorporated by reference.
7. Breach Notification
In the event of a personal data breach affecting School data, Jukuna will notify the School's designated admin contact within 72 hours of becoming aware, providing the nature of the breach, categories of data affected, and remediation steps taken.
8. Termination
Upon termination of the School's subscription, Jukuna will retain all School data for 30 days to allow data export, after which all personal data will be permanently deleted from production systems. Anonymised aggregate statistics may be retained for platform analytics.
9. Contact
Data protection inquiries: admin@jukuna.com
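Personal Data Processing Agreement (Summary, Japanese)
- The School (administrator) is the data controller and Jukuna is the data processor.
- Data processed: names, email addresses, learning data (scores, timestamps).
- Only the subject and topic are sent to AI question generation (Gemini API); no personal information is sent.
- All data is encrypted with TLS/AES-256. RLS guarantees data separation between schools.
- Data is completely deleted 30 days after the contract ends.
- Inquiries: admin@jukuna.com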