Data Processing Addendum (DPA)
Last updated: March 2026
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and HackTheKnowledge ("Processor" / "HTK") and governs the processing of personal data in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) 2016/679.
1. Definitions
- Controller: The entity that determines the purposes and means of processing personal data (corporate customers of the HTK Master Program using our B2B platform).
- Processor: HackTheKnowledge, processing personal data on behalf of the Controller.
- Personal Data / Data Subject: As defined in Art. 4 GDPR.
2. Subject Matter and Duration
HTK processes personal data to provide access to online cybersecurity training courses and virtual machine labs. Processing occurs for the duration of the service agreement and ends when the agreement terminates or the data subject account is deleted, subject to legal retention obligations.
3. Nature and Purpose of Processing
- Account creation, authentication, and access management.
- Course enrolment, progress tracking, and certificate issuance.
- Lab session provisioning (userId, courseId, labId passed to Azure).
- Billing and payment processing via Stripe.
- Transactional email (purchase confirmation, password reset) via Resend.
- Learning analytics and platform improvement.
4. Categories of Data Subjects and Personal Data
- Students / Learners: name, email, hashed password, learning progress, lab activity.
- Billing contacts: name, email, billing country, transaction history.
5. Sub-Processors
The Controller authorises HTK to engage the following sub-processors. HTK will notify the Controller of any intended changes (addition or replacement) with 30 days' notice, giving the Controller the opportunity to object.
- Stripe Inc. (USA) — Payment processing. SCCs in place. stripe.com/privacy
- Neon Inc. (USA, EU region) — PostgreSQL database hosting. SCCs in place.
- Vercel Inc. (USA) — Application hosting and edge delivery. SCCs in place. vercel.com/legal/privacy-policy
- Microsoft Azure (regions: West Europe (EU), East US (USA), Southeast Asia (Singapore)) — Lab VM provisioning. Pseudonymous identifiers only (userId, courseId, labId); no directly identifying data is sent. These identifiers remain personal data under Art. 4(5) GDPR because HTK can link them back to an account, so transfers to the non-EEA regions are covered by section 13. Microsoft DPA applies.
- Resend Inc. (USA) — Transactional email. SCCs in place.
- Upstash Inc. (USA, EU region) — Redis for rate limiting. Ephemeral data only (no PII stored). SCCs in place.
6. Controller Instructions
HTK processes personal data only on documented instructions from the Controller, including with regard to transfers to third countries. HTK will inform the Controller if it believes an instruction infringes the GDPR or other applicable data protection law.
7. Confidentiality
HTK ensures that persons authorised to process personal data are subject to confidentiality obligations. Access to personal data is role-based and limited to employees who require it to perform their duties.
8. Security Measures (Art. 32 GDPR)
- Encryption in transit (HTTPS/TLS 1.2+, HSTS preload).
- Encryption at rest for database storage (Neon).
- bcrypt password hashing (cost factor ≥ 12).
- HMAC-SHA256 signed API calls to internal services.
- Role-based access control; administrative privileges are verified against the database on each request rather than trusted from session or token claims.
- Rate limiting on all authentication and sensitive endpoints.
- Automated session invalidation after password change.
- Regular dependency audits (`pnpm audit`).
9. Data Subject Rights Assistance
HTK will assist the Controller in fulfilling obligations to respond to data subject rights requests (access, rectification, erasure, portability, objection) within the timescales required by the GDPR. Contact privacy@hacktheknowledge.com.
10. Breach Notification
In the event of a personal data breach, HTK will notify the Controller without undue delay and in any case no later than 72 hours after becoming aware of it, subject to any restriction imposed by law enforcement. Notifications will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed. Where not all of this information is available at the time of the first notification, HTK will provide it in phases as it becomes available, so that the Controller can meet its own 72-hour deadline under Art. 33 GDPR.
11. Data Deletion and Return
Upon termination of the service, HTK will, at the Controller's choice, delete or return all personal data and delete existing copies, unless applicable law requires storage of the data. Deletion will be completed within 90 days of termination unless legal obligations require longer retention.
12. Audit Rights
HTK shall make available to the Controller all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable notice and confidentiality obligations.
13. International Transfers
Where personal data is transferred to sub-processors in countries outside the EEA without an adequacy decision, HTK relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914) as the transfer mechanism.
14. Governing Law
This DPA is governed by the laws of Spain, consistent with the Terms of Service, without prejudice to mandatory provisions of the GDPR applicable in the data subject's country of residence.
Contact
DPA enquiries: privacy@hacktheknowledge.com
