Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
TermsPrivacyDPATrustCopyrightFERPAAccessibility
CoCalc Logo Icon
TermsPrivacyDPATrustCopyrightFERPAAccessibility

CoCalc - Data Processing Addendum

Last Updated: April 15, 2026

This Data Processing Addendum ("DPA") is incorporated into the SageMath, Inc. Terms of Service ("Agreement") and applies to the processing of Personal Data by SageMath, Inc. on behalf of its Users.

1. Nature and Purpose of Processing

SageMath, Inc. provides a collaborative cloud-based platform (CoCalc) for research, analysis, and scientific publishing. The Subject Matter of the processing is the data uploaded, created, or processed by the User within the CoCalc environment.

  • Hosted Platform: Data is stored and processed on SageMath, Inc. infrastructure to provide core platform functionality.
  • User-Directed Compute: Users may explicitly choose the geographic location and infrastructure provider for specific compute tasks. In such cases, SageMath, Inc. processes data in the location selected by the User.
  • AI-Assisted Features: SageMath, Inc. provides optional integrations with third-party AI providers. Data is transmitted to these providers only upon explicit initiation by the User.

2. Sub-processors

The Controller (User) provides a general authorization for SageMath, Inc. to engage sub-processors.

  • Current List: A current list of sub-processors is maintained at the SageMath, Inc. Trust Center (https://trust.cocalc.com/).
  • Notification of Changes: Users may subscribe to notifications of changes to the sub-processor list directly via the Trust Center. SageMath, Inc. will provide at least 15 days' notice before authorizing any new sub-processor to process Customer Data, during which time the Controller may object to the change in writing.

3. Security of Processing

SageMath, Inc. shall implement and maintain appropriate technical and organizational measures to protect Customer Data against unauthorized access, loss, or disclosure. These measures include, but are not limited to:

  • Encryption: Data is encrypted at rest and in transit using industry-standard protocols.
  • Access Control: Access to production environments is restricted to authorized personnel on a "need-to-know" basis.
  • Audit: SageMath, Inc. undergoes regular security assessments and maintains documentation of its security controls (e.g., SOC 2 Type II report).

4. GDPR Representation

Pursuant to Article 27 of the GDPR, SageMath, Inc. has appointed the following representatives for data protection matters in the EU and UK:

  • EU Representative: Adam Brogden, Instant EU GDPR Representative Ltd (Ireland). Contact: [email protected].
  • UK Representative: Adam Brogden, GDPRLocal Ltd. Contact: [email protected].

5. Data Subject Rights and Collaboration

  • User-Controlled Deletion: SageMath, Inc. provides the Controller with the ability to delete files, projects, and accounts directly through the CoCalc interface.
  • Requests to SageMath, Inc.: If SageMath, Inc. receives a request from a Data Subject to exercise their rights regarding data contained within a project owned by another User, SageMath, Inc. will forward that request to the project owner.
  • Collaborative Integrity: The Controller acknowledges that in a collaborative environment, the deletion of a Data Subject's account may not result in the deletion of data contained within projects owned by other Users, as that data is part of the other User's records.

6. International Data Transfers

  • Standard Contractual Clauses (SCCs): For transfers of Personal Data from the EU/EEA to countries that do not ensure an adequate level of data protection, the parties hereby incorporate by reference the Standard Contractual Clauses (Module Two: Controller-to-Processor).
  • UK Addendum: For transfers from the UK, the International Data Transfer Addendum to the EU SCCs is hereby incorporated.
  • Hierarchy: In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

7. Data Deletion and Return

Upon termination of the Agreement or at the Controller's request, SageMath, Inc. shall delete or return all Customer Data in its possession, unless applicable law requires continued storage. Data is typically deleted within 60 days of contract termination.

8. Audit and Compliance

SageMath, Inc. shall make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR. The Controller acknowledges that SageMath, Inc.'s maintenance of a SOC 2 Type II report satisfies the Controller's right to audit SageMath, Inc.'s technical and organizational measures.

9. Liability

The total liability of each party under this DPA shall be subject to the limitation of liability provisions set forth in the SageMath, Inc. Terms of Service.

This DPA is incorporated into the SageMath, Inc. Terms of Service by reference and is effective as of the date the User first accesses the CoCalc platform.