GDPR (EU/EEA Data Protection)

Last updated: March 2, 2026

This page describes how Kernex LLC (“Kernex,” “we,” “us,” or “our”) addresses the requirements of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and related European Union and European Economic Area (“EU/EEA”) data protection law when we process personal data of individuals located in the EU/EEA in connection with our software-as-a-service platform and related services (the “Services”), including our browser-based development environment (KernexLab), automated grading and feedback systems (KGrader), academic integrity tools (KernexCheck), and collaborative help-room features (HelpRoom). This page supplements our Privacy Policy and is intended to provide transparency for data subjects in the EU/EEA and for educational institutions (“Institutions”) that use our Services in that context. It does not constitute legal advice. If you are in the EU/EEA and have questions about your rights or our processing, you may contact us or our EU representative (if designated) as set out below.

We take the security and confidentiality of student and user data seriously. When we build and run Kernex—from the IDE and grading pipeline to help rooms and integrity checks—we aim to embed strong data-protection practices from the start and to choose defaults that minimize exposure of personal data. How we collect, use, and store data is described in our Privacy Policy and in our agreements with institutions; for EU/EEA data, we use the transfer mechanisms and safeguards described in the International Transfers section below.

1. Controller and Processor Roles

Under the GDPR, the “controller” determines the purposes and means of processing personal data; a “processor” processes personal data on behalf of the controller. When you use the Services as an end user (e.g., student or instructor) and we determine the purposes and means of processing (e.g., for account management, support, and product improvement), Kernex acts as a controller for that processing. When an Institution uses the Services and we process personal data solely on the documented instructions of the Institution (e.g., to provide grading, feedback, and academic integrity features for the Institution’s courses), Kernex typically acts as a processor (or sub-processor) for that processing, and the Institution is the controller. Our agreements with Institutions specify the scope of processing, confidentiality, security, sub-processors, and data subject rights assistance as required by the GDPR.

2. Lawful Basis for Processing (Controller Context)

Where we act as controller, we process personal data on the following lawful bases under Article 6 GDPR, as applicable: (a) Performance of a contract—processing necessary to provide the Services and perform our contract with you or your Institution; (b) Legitimate interests—processing necessary for our legitimate interests (e.g., security, fraud prevention, improving the Services, analytics in anonymized or aggregated form), where such interests are not overridden by your rights; (c) Legal obligation—processing necessary to comply with a legal obligation; and (d) Consent—where we have asked for and you have given consent for specific processing (e.g., certain communications or optional features). Where we rely on legitimate interests, we have assessed that our interests are balanced against your rights and freedoms. You may contact us for more detail on the lawful basis for any specific processing.

3. Your Rights Under the GDPR

If you are in the EU/EEA, you have the following rights in respect of your personal data when we act as controller (and, where we act as processor, your Institution remains responsible for responding to your rights; we will assist the Institution as agreed):

  • Right of access (Article 15): You may obtain confirmation as to whether we process your personal data and, where that is the case, access to the data and certain information about the processing.
  • Right to rectification (Article 16): You may request correction of inaccurate personal data.
  • Right to erasure (“right to be forgotten”) (Article 17): You may request erasure of your personal data in certain circumstances (e.g., where the data is no longer necessary, where you withdraw consent, or where the data has been unlawfully processed).
  • Right to restriction of processing (Article 18): You may request that we restrict processing in certain situations (e.g., while we verify accuracy or where you object to processing).
  • Right to data portability (Article 20): Where processing is based on contract or consent and is carried out by automated means, you may have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit those data to another controller.
  • Right to object (Article 21): You may object to processing based on legitimate interests or to processing for direct marketing. We will cease such processing unless we have compelling legitimate grounds that override your interests, or for the establishment, exercise, or defense of legal claims.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA, in particular in the member state of your residence, place of work, or place of the alleged infringement.

To exercise any of these rights, contact us at support@kernex.org or at the address below. We will respond within the timeframes required by the GDPR (generally one month, subject to extension where permitted). We may need to verify your identity before processing your request. Where we act as processor, we will forward your request to the relevant Institution where appropriate or respond in accordance with our agreement with the Institution.

4. International Transfers

Kernex is based in the United States. When we process personal data of individuals in the EU/EEA, that data may be transferred to and processed in the United States or other countries outside the EU/EEA that may not provide the same level of data protection. We implement appropriate safeguards for such transfers as required by the GDPR, including where applicable: (a) transfers to countries that the European Commission has deemed to provide an adequate level of data protection; (b) the use of standard contractual clauses (“SCCs”) approved by the European Commission; and (c) other mechanisms permitted under the GDPR. Our agreements with Institutions that involve processing of EU/EEA personal data typically include or reference the relevant transfer mechanisms. For more information about the safeguards we use for international transfers, you may contact us at support@kernex.org.

5. Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected (e.g., to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements), in accordance with our Privacy Policy and our agreements with Institutions. When we act as processor, we retain data in accordance with the Institution’s instructions and our agreement. You may request further information about retention periods for your data by contacting us.

6. Security

We implement technical and organizational measures designed to ensure a level of security appropriate to the risk, including as described in our Privacy Policy and in our agreements with Institutions, in line with Article 32 GDPR. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected data subjects in accordance with the GDPR.

7. Contact and Data Protection Enquiries

For any questions about our processing of your personal data under the GDPR, to exercise your rights, or to contact us in relation to EU/EEA data protection:

Kernex LLC
325 E. Grand River Avenue, Suite 345
East Lansing, Michigan 48823, United States
Email: support@kernex.org
Website: kernex.org

We will respond to your request without undue delay and in any event within one month of receipt, subject to any permitted extension under the GDPR. If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority in your country of residence or place of work in the EU/EEA.

© 2026 Kernex LLC. All rights reserved.