Ocean English
Data Processing Addendum
Last updated: July 11, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Cortex Digital Studio LLC (“Processor”) and the Teacher (“Controller”) and applies to the processing of Student personal data.
1. Roles
The Teacher is the Controller of Student personal data. Cortex is the Processor, processing such data only to provide the Ocean English Services and only on the Controller’s documented instructions (which include these Terms and use of the Platform’s features).
2. Subject Matter and Duration
- Subject matter: provision of the Ocean English platform.
- Duration: for as long as the Teacher’s account is active, plus any legally required retention.
- Nature and purpose: hosting, storing, and processing Student data to deliver lessons, exercises, gamified learning, homework assistance, scheduling, and related features.
3. Types of Data and Categories of Data Subjects
- Data subjects: the Teacher’s Students (aged 13+).
- Types of data: identifiers (such as name and email), learning activity and progress, and content Students create or submit (which may include audio and images).
4. Controller (Teacher) Obligations
The Teacher warrants that it: (a) has a lawful basis to process its Students’ data; (b) has obtained all required consents, including parental/guardian consent for minor Students where required; (c) will not instruct Cortex to process data unlawfully; and (d) is responsible for the accuracy of the data it provides. The Teacher is fully responsible for compliance with all applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD).
5. Processor (Cortex) Obligations
Cortex will: (a) process Student data only on the Controller’s instructions; (b) ensure persons authorized to process the data are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in meeting security and breach obligations; (e) notify the Controller without undue delay after becoming aware of a personal-data breach; and (f) at the end of the service, delete or return Student data, except what must be retained by law.
6. Sub-processors
The Controller authorizes Cortex to use the sub-processors listed in the Privacy Policy (currently Stripe, Google/Firebase, OpenAI, Microsoft Azure, and video-conferencing providers). Cortex will impose data-protection obligations on sub-processors and remains responsible for their performance. Cortex will provide the Controller with at least 30 days’ prior written notice (via email or in-app notification) of any new sub-processors, giving the Controller a reasonable opportunity to object to such changes.
7. International Transfers
Where data is transferred across borders, the parties will rely on an appropriate transfer mechanism as required by applicable law. For transfers of personal data originating from the European Economic Area (EEA), the UK, or Brazil to countries not deemed to provide an adequate level of data protection, the parties agree to rely on the applicable Standard Contractual Clauses (SCCs) or equivalent legally recognized mechanisms (such as those approved by the Brazilian ANPD under the LGPD), which are hereby incorporated by reference.
8. Audits
Cortex will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and reasonable notice.
9. Liability
Liability under this DPA is subject to the limitations in the Terms of Service.