Kursio

DRAFT — pending legal counsel review

This page contains placeholder text and is not yet legally binding. It is awaiting review and approval by legal counsel before it takes effect.

Data Processing Agreement

This Data Processing Agreement (the "Agreement") is entered into between the course-organizing organization (the controller) and Kursio (the processor) and governs Kursio's processing of personal data on the organization's behalf under Article 28 of the GDPR.

Version: 2026-06-09

1. Parties and roles

The organization arranging courses through Kursio is the controller of its participants' personal data. Kursio is the processor and processes personal data only on documented instructions from the controller, in accordance with this Agreement.

2. Subject matter, duration, nature, and purpose of the processing

The processing comprises the administration of course registrations: receiving registrations, invoicing, attendance tracking, issuing certificates, and course evaluation. The processing continues for as long as the organization holds a Kursio account and thereafter for the retention periods set out in section 7.

3. Categories of data subjects and personal data

Data subjects: course participants and the organization's own users. Personal data: name, email address, phone number, employer, billing details, and — for licensed medical professionals — license number, specialty, and attendance/continuing-education records (data processed in reliance on Article 9(2)(h) GDPR, occupational/health-care purposes).

4. Processor obligations (Article 28(3))

Kursio shall: process personal data only on documented instructions; ensure that persons authorized to process the data are bound by confidentiality; implement appropriate technical and organizational security measures (Article 32); respect the conditions for engaging sub-processors; assist the controller in responding to data-subject requests and with the obligations under Articles 32–36; delete or return the data when the processing ends; and make available to the controller the information necessary to demonstrate compliance and allow for audits.

5. Sub-processors

Kursio engages the following sub-processors for the processing. The organization grants general prior authorization for these. When the list changes, a new version of this Agreement is published and the organization is prompted to review it again; the organization has the right to object to a new sub-processor.

Sub-processorPurposeData categoriesRegion
SupabaseDatabase, authentication, and file storageAll data categories in section 3EU
ResendTransactional email deliveryName, email address, email contentEU/US
StripeSubscription and per-course billing (Kursio's own billing of the organization)The organization's billing detailsEU/US
VercelApplication hosting and content deliveryAll data passing through the applicationEU/Global
SentryError monitoring (consent-gated in the browser)Technical error data; IP addressEU
UpstashDistributed rate limiting (Redis)IP addresses and transient countersEU

If the organization objects to a new sub-processor and no reasonable solution can be reached, the organization may terminate the service.

6. Instruction on direct handling of data-subject requests

The controller hereby instructs and authorizes Kursio to receive and fulfil data subjects' (participants') requests for access, rectification, erasure, portability, and restriction directly via Kursio's self-service interfaces, without each individual request requiring the controller's prior approval. This instruction is subject to the statutory exceptions in section 7 (including the Swedish Accounting Act's invoice-retention requirement). An organization that has not accepted the current version of this Agreement has not given this instruction.

7. Retention and statutory exceptions

Personal data is purged according to the organization's retention settings. Invoice records are retained for seven years under the Swedish Accounting Act (bokföringslagen) and are exempt from erasure. Certificate verifications are retained as continuing-education evidence for a separately stated period. These exceptions apply also when a data subject requests erasure.

8. Supervisory authority

The supervisory authority is the Swedish Authority for Privacy Protection (IMY). Data subjects have the right to lodge a complaint with IMY.

← Back to legal overview

Kursio© 2026
LegalPrivacy PolicyTerms of ServiceCookie PolicyData Processing Agreement