For Schools
Trust & Data Protection
This page summarises how Techlogia Lab meets the data-protection and security requirements of schools. It is aimed at school leadership, official data protection officers and school authorities evaluating the platform.
At a Glance
- Processing under Art. 28 GDPR — a signed data processing agreement (DPA) is a precondition before the first student class is created.
- Hosting exclusively in Germany (Hetzner) — no third-country transfers.
- Data minimisation — students log in via a class code without an email address; pseudonymous identifiers are used internally.
- Automatic deletion concept — class/student data is deleted automatically 90 days after the class is deactivated.
- Protection of minors — for learners under 16, consent of the legal guardians is required (Art. 8 GDPR).
- No tracking, no advertising in the student flow.
Documents & Evidence
We provide the following documents to schools for their data-protection review:
| Document | Availability | Link |
|---|---|---|
| DPA (Art. 28 GDPR) | Public | Öffnen |
| Privacy Policy | Public | Öffnen |
| Security Policy | Public | Öffnen |
| Accessibility Statement | Public | Öffnen |
| Legal Notice (Impressum) | Public | Öffnen |
| Data Protection Impact Assessment (Art. 35), summary | On request | |
| Record of Processing Activities (Art. 30) | On request | |
| TOM appendix & sub-processor list | On request | |
| Template consent for legal guardians | On request |
Hosting & Data Location
All personal data is processed and stored in German data centres (Hetzner). There is no transfer to third countries, so no Schrems II problem arises.
Technical & Organisational Measures (excerpt)
- TLS 1.3 encryption in transit, LUKS encryption at rest
- Web application firewall (CrowdSec), hardening, intrusion detection (Sentinel)
- Hardened, isolated exercise VMs with automatic shutdown
- Encrypted, automated backups (restic)
- Role-based access control, MFA for administration access
What We Do Not Claim
In the interest of honest compliance, we deliberately delimit:
- We do not claim a completed ISO 27001 certification — we are actively working toward it: risk management, asset inventory and a statement of applicability are already in place; external certification is not yet completed.
- Our curriculum reference is aligned with the education standards (GI / MKR-NRW / FISI), but not an official accreditation; final subject sign-off rests with the teacher.
- The DPA is undergoing final legal review; you receive the current version via the link above.
Contact
We are happy to answer your data protection officer's questions. Write to info@techlogia.de.