Document: HX-DPA-V1-2026 · Version 1.0 · Effective: 2026-04-30

Hanlexon Data Processing Agreement

Between:

Hanlexon LLC, a limited liability company organized under the laws of the United States (operating the Hanlexon service), with email contact admin@hanlexon.com (the "Provider")

and

[Institution / School / District legal name]

located at:

[Street address, city, state/region, postal code, country]

(the "Institution")

Effective Date:

This Data Processing Agreement (the "DPA") supplements and is incorporated by reference into the parties' commercial agreement and the Hanlexon Terms of Service available at https://www.hanlexon.com/v2/terms (collectively, the "Service Agreement"). In the event of a conflict between this DPA and the Service Agreement with respect to the processing of Personal Data, this DPA controls.

Recitals

WHEREAS, the Institution wishes to use the Hanlexon educational platform (the "Service") for instruction and assessment in Mandarin Chinese for students enrolled by the Institution;

WHEREAS, the parties recognize the need to protect Personal Data (including Student Data) under applicable laws including, as applicable, the Family Educational Rights and Privacy Act ("FERPA"), the Children's Online Privacy Protection Act ("COPPA"), the EU General Data Protection Regulation ("EU GDPR"), the UK General Data Protection Regulation ("UK GDPR") and Data Protection Act 2018, the Australian Privacy Principles under the Privacy Act 1988 (Cth) ("APPs"), and applicable U.S. state laws including the Illinois Student Online Personal Protection Act (105 ILCS 85, "SOPPA");

NOW, THEREFORE, in consideration of the mutual covenants set forth herein and for other good and valuable consideration, the parties agree as follows:

1. Definitions

"Personal Data" has the meaning given to it under EU GDPR Article 4(1), UK GDPR, or any equivalent term under applicable law, and includes "personal information," "student data," and "education records" as those terms are used in COPPA, FERPA, and SOPPA respectively.
"Student Data" means Personal Data that relates to a student enrolled by the Institution and is provided to or generated through the Service.
"Process" and "Processing" have the meanings given under EU GDPR Article 4(2).
"Sub-processor" means any third party engaged by Provider to Process Personal Data on its behalf.
"Data Subject" means an identifiable individual to whom Personal Data relates.
"Personal Data Breach" has the meaning given under EU GDPR Article 4(12).
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries as adopted by the European Commission, currently those set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including the UK International Data Transfer Addendum where applicable.

2. Roles of the Parties

For purposes of EU GDPR, UK GDPR, and equivalent laws:

The Institution is the Data Controller (or, where applicable, "Business" under U.S. state laws) of Personal Data Processed under this DPA.
Hanlexon (Provider) is the Data Processor (or "Service Provider") and Processes Personal Data only on the documented instructions of the Institution and as set forth in this DPA, the Service Agreement, and applicable law.

For purposes of FERPA (where applicable), Provider is a "school official" with a legitimate educational interest in Personal Data, performing institutional services that the Institution would otherwise provide for itself.

3. Scope of Processing

3.1 Subject Matter

The provision of the Service to the Institution and its enrolled students for the purpose of Mandarin Chinese language instruction, including but not limited to: vocabulary practice, reading and writing exercises, voice conversation practice, pronunciation coaching, AI-assisted tutoring, classroom management, and progress reporting.

3.2 Duration

For the term of the Service Agreement, plus any post-termination Processing required by law or as set forth in Section 9 of this DPA.

3.3 Categories of Personal Data Processed

The categories of Personal Data Processed are set out in Schedule 1 (Schedule of Data).

3.4 Categories of Data Subjects

Students enrolled by the Institution
Teachers, parents, and administrators authorized by the Institution

3.5 Nature and Purpose of Processing

To provide, secure, monitor, and improve the Service for educational purposes pursuant to the Institution's instructions. Processing includes: storage; retrieval; display; analytical computation for adaptive learning algorithms; transmission to authorized Sub-processors solely as necessary to deliver the Service.

4. Provider Obligations

4.1 Documented Instructions

Provider shall Process Personal Data only on the documented instructions of the Institution, as set out in the Service Agreement and this DPA, except where required by applicable law. If Provider is required by law to Process Personal Data otherwise than on the Institution's instructions, Provider will notify the Institution of that legal requirement before Processing, unless prohibited by law.

4.2 Confidentiality

Provider shall ensure that personnel authorized to Process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures set out in Schedule 2 (Security Measures).

4.4 Sub-processors

The Institution authorizes Provider to engage Sub-processors. Provider's current Sub-processors are published at https://www.hanlexon.com/v2/schools/privacy. Provider shall:

Enter into a written contract with each Sub-processor imposing data-protection obligations no less protective than those in this DPA;
Remain liable to the Institution for any acts or omissions of Sub-processors that cause Provider to breach this DPA;
Provide thirty (30) days' prior notice of any new Sub-processor or material change to existing arrangements via the published list at the URL above and via email to subscribers of admin@hanlexon.com;
The Institution may object to a new Sub-processor on reasonable data-protection grounds within the notice period; if the parties cannot resolve the objection, the Institution may terminate the affected portion of the Service.

4.5 Data Subject Rights

Provider shall, taking into account the nature of Processing, assist the Institution by appropriate technical and organizational measures, insofar as possible, to fulfill the Institution's obligations to respond to requests from Data Subjects exercising their rights under applicable law (including rights of access, rectification, erasure, restriction, portability, and objection).

4.6 Personal Data Breach Notification

Provider shall notify the Institution of any confirmed Personal Data Breach affecting Personal Data without undue delay and in any event within seven (7) days of becoming aware of the Breach (or stricter timeline if required by an applicable Data Privacy Agreement or law). The notice shall include, to the extent reasonably available:

A description of the nature of the Breach, including the categories and approximate number of Data Subjects and records concerned;
The likely consequences of the Breach;
Measures taken or proposed to address the Breach and mitigate its possible adverse effects;
A point of contact for further information.

4.7 Data Protection Impact Assessments

Provider shall provide the Institution with reasonable assistance with any Data Protection Impact Assessment and prior consultation with supervisory authorities, as required under EU GDPR Articles 35 and 36 (or equivalent provisions of UK GDPR), to the extent reasonably necessary and where the assistance relates to the Service.

4.8 No Use for Other Purposes

Provider shall not Process Personal Data for purposes other than providing the Service. Without limiting the generality of the foregoing, Provider shall not:

Sell, rent, lease, or otherwise commercialize Personal Data;
Use Personal Data to deliver targeted advertising;
Build behavioral profiles of Data Subjects for non-educational purposes;
Use the content of student-submitted text, voice recordings, or generated work product to train any artificial-intelligence model, whether internal or third-party.

Provider may use aggregated, de-identified usage telemetry (such as feature-usage counts, latency metrics, and error rates) to improve and secure the Service.

5. International Transfers

Where Processing involves the transfer of Personal Data from the European Economic Area, the United Kingdom, or any other jurisdiction with equivalent restrictions to a third country that has not been the subject of an adequacy decision, the parties agree that the SCCs (and, for transfers from the United Kingdom, the UK International Data Transfer Addendum) are incorporated into this DPA by reference and shall apply.

For Australian users, transfers of Personal Data outside Australia are conducted in accordance with Australian Privacy Principle 8, with reasonable steps taken to ensure overseas recipients comply with the APPs.

6. Audits

Provider shall make available to the Institution all information reasonably necessary to demonstrate compliance with this DPA. Provider shall allow for and contribute to audits, including inspections, conducted by the Institution or an auditor mandated by the Institution, no more than once per twelve-month period (except in case of a confirmed Personal Data Breach), upon reasonable prior written notice (no less than thirty (30) days), at the Institution's expense, and subject to confidentiality obligations.

To the extent reasonable, Provider may satisfy this obligation by providing the Institution with a copy of its most recent third-party security assessment report (where available), its Common Sense Privacy evaluation, or other equivalent documentation.

7. FERPA-Specific Provisions (United States Institutions)

For Institutions subject to FERPA:

Personal Data described in FERPA's "education records" definition shall remain the property of the Institution and the parents/eligible students.
Provider shall not redisclose Personal Data without the prior written consent of the Institution, except as permitted by 34 CFR § 99.31.
If Provider receives a request from a Data Subject (parent or eligible student) to inspect, amend, or delete Personal Data, Provider shall refer the request to the Institution within fifteen (15) business days.

8. SOPPA-Specific Provisions (Illinois Institutions)

For Institutions subject to the Illinois Student Online Personal Protection Act (105 ILCS 85):

Provider acknowledges its status as an "operator" and agrees to the obligations therein, including the prohibition on engaging in targeted advertising, building student profiles for non-educational purposes, or selling student information.
Provider shall comply with notification, posting, and breach-notification timelines as specified in 105 ILCS 85, supplementing (not superseding) Section 4.6 of this DPA where SOPPA imposes shorter timelines.

For state-specific privacy-statute compliance (CA AB 1584/SB 1177, NY Education Law 2-d, TX Education Code 32.151, etc.), the SDPC NDPA v2.2 STANDARD signed by Hanlexon (with Exhibit E General Offer of Privacy Terms) applies. SDPC auto-attaches the LEA's state-specific Exhibit G during signing. Available at https://www.hanlexon.com/v2/schools/privacy once signed.

9. Term and Termination

This DPA is effective as of the Effective Date and continues until the Service Agreement is terminated. Upon termination:

At the Institution's election (specified in writing within thirty (30) days of termination), Provider shall return all Personal Data to the Institution in a structured, commonly used machine-readable format, or shall permanently delete such Personal Data;
In either case, Provider shall complete the return or deletion within sixty (60) days of the Institution's instruction;
The duty of return or deletion shall not extend to Personal Data that has been de-identified prior to termination, or to copies retained as required by applicable law (e.g., for audit, dispute resolution, or backup purposes), provided such copies remain protected under the terms of this DPA.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Service Agreement, except where applicable law prohibits such limitation. Nothing in this DPA limits any party's liability for: (a) data-protection fines or penalties levied by a competent supervisory authority; (b) gross negligence or willful misconduct; or (c) breaches of confidentiality obligations.

11. Miscellaneous

Governing Law and Jurisdiction. This DPA is governed by the laws of the State of California, United States, except where applicable data-protection law mandates otherwise. The parties consent to the exclusive jurisdiction of the state and federal courts located in California for disputes not subject to arbitration under the Service Agreement.

Severability. If any provision of this DPA is found to be unenforceable, the remaining provisions remain in full force.

Order of Precedence. In the event of a conflict between (i) this DPA, (ii) the SCCs (where applicable), (iii) the Service Agreement, and (iv) Hanlexon's published Privacy Policy, the order of precedence is: SCCs (where they apply) → this DPA → Service Agreement → Privacy Policy.

Entire Agreement. This DPA, together with the Service Agreement and any signed SDPC NDPA v2.2 STANDARD with Exhibit G state-specific terms, constitutes the entire agreement between the parties with respect to the Processing of Personal Data.

Signatures

The undersigned representatives of the parties have executed this DPA as of the Effective Date written above.

For Provider (Hanlexon)	For Institution
Signature: Name: Yuming Ma Title: Founder, Hanlexon LLC Date: Email: admin@hanlexon.com	Signature: Name: Title: Date: Email:

For Provider (Hanlexon)

For Institution

Signature:

Name: Yuming Ma

Title: Founder, Hanlexon LLC

Date:

Email: admin@hanlexon.com

Signature:

Name:

Title:

Date:

Email:

Schedule 1 — Schedule of Data

The categories of Personal Data Processed under this DPA are:

Category	Examples	Source
Account credentials	Email address, hashed password	Provided by Data Subject at registration
Profile attributes	Display name, learning role (student/teacher/parent/admin), HSK level, language preferences	Provided voluntarily by Data Subject
Learning activity	Characters studied, mastery scores, review schedules, session duration, assessment results, drill outcomes	Generated automatically through Service usage
User-generated content	Worksheets created, vocabulary lists, reading materials, study notes, voice recordings, AI conversation transcripts	Created by Data Subject during use
Usage telemetry	Pages visited, features used, performance metrics, error logs	Collected automatically
Device and environment	Browser type, operating system, screen resolution, IP address (transient, for security)	Collected automatically
Third-party identity (where used)	Name, email, profile picture from Google or Apple Sign-In	From third-party service per Data Subject's authorization
Billing data (Institution accounts)	Stripe customer identifier, subscription status, transaction history	From Stripe; Provider does not store full card numbers

Categories of data the Provider does NOT collect: Social Security numbers; financial-account numbers; health records; biometric identifiers (other than transient voice samples used for pronunciation analysis and not retained); precise geolocation; political affiliation; religious beliefs.

Schedule 2 — Security Measures

Provider implements the following technical and organizational measures, consistent with the NIST Cybersecurity Framework:

Domain	Measure
Identify	Asset inventory; risk assessments at least annually; security roles documented
Protect (Access Control)	Multi-factor authentication available for administrative accounts; role-based access control; principle of least privilege; password hashing using industry-standard algorithms
Protect (Data Security)	Encryption in transit (TLS 1.2+); encryption at rest for sensitive data; secure key management via cloud provider HSM
Protect (Maintenance)	Security patches applied per vendor advisories; dependency vulnerability scanning
Detect	Application and infrastructure logging; alerting on anomalous access patterns; CSP-violation reports captured
Respond	Documented incident response process; communication plan; seven (7) day breach notification commitment under §4.6
Recover	Daily database backups; tested restore procedures; business continuity plan
Application Security	Cross-Site Request Forgery (CSRF) protection; Content Security Policy (CSP); HTTP-only and Secure cookies; rate limiting on authentication endpoints; OWASP Top 10 awareness in development
Vulnerability Disclosure	Public Vulnerability Disclosure Policy at https://www.hanlexon.com/v2/security; admin@hanlexon.com reporting channel; safe-harbor for good-faith research

Schedule 3 — Sub-processor List (as of Effective Date)

The current sub-processor list is published at https://www.hanlexon.com/v2/schools/privacy and is incorporated by reference. As of the Effective Date of this DPA, sub-processors include:

Sub-processor	Role	Region
Amazon Web Services, Inc.	Hosting, storage, content delivery	US (us-east-1)
Stripe, Inc.	Payment processing (no Student Data)	US
Anthropic, PBC	AI processing (Claude)	US
Google LLC	AI processing (Gemini)	US / Global
OpenAI-compatible providers (DeepSeek, Groq, others as needed)	AI processing for specialized capabilities	Varies
Microsoft Corporation (Azure)	Text-to-speech voice synthesis	US

Material changes to sub-processors are subject to thirty (30) days' prior notice via the published URL and email to subscribers of admin@hanlexon.com.

End of Hanlexon Data Processing Agreement v1.0 — HX-DPA-V1-2026