Data processor

A data processor, in GDPR terms, is the entity that processes personal data on behalf of a controller. The processor doesn't decide why the data is being processed — that's the controller's job — but is operationally responsible for processing it correctly, securely, and in accordance with the controller's instructions.

LearnCoin is the data processor for tenant-issued credentials. A university (the controller) instructs LearnCoin to issue a credential for a specific recipient. LearnCoin (the processor) canonicalizes, signs, anchors, and stores the credential. If the recipient later requests GDPR erasure, the university — as controller — decides whether to honor it; LearnCoin — as processor — executes the erasure on LearnCoin's side of the infrastructure.

Processor obligations under GDPR include maintaining a record of processing activities (Article 30), implementing appropriate security measures (Article 32), and notifying the controller of breaches. LearnCoin maintains DPA (Data Processing Agreement) templates that tenants sign alongside the main service agreement.