Data Processing Agreement

1. Purpose & Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Scholytics ("Processor") and the educational institution using the platform ("Controller"). This DPA governs how Scholytics processes personal data on behalf of the Controller and complies with applicable data protection requirements.

2. Definitions

• Controller: The school or educational institution that determines the purposes and means of processing personal data
• Processor: Scholytics, which processes personal data on behalf of the Controller
• Personal Data: Any information relating to an identified or identifiable individual
• Processing: Any operation performed on personal data, including collection, storage, use, and deletion
• Subprocessor: Third-party service providers engaged by Scholytics to assist in processing data
• Data Subject: The individual to whom personal data relates (e.g., student, teacher, parent)

3. Roles & Responsibilities

Controller Responsibilities

• Determines the lawful basis for processing personal data
• Ensures appropriate consents are obtained where required
• Maintains accuracy and completeness of data entered into the platform
• Responds to data subject access requests
• Complies with applicable data protection laws

Processor Responsibilities

• Processes personal data only on documented instructions from the Controller
• Implements appropriate technical and organizational security measures
• Assists the Controller in fulfilling data subject rights requests
• Notifies the Controller of any data breaches without undue delay
• Ensures staff handling data are bound by confidentiality obligations

4. Scope of Processing

Scholytics processes personal data solely for the purpose of providing the school management services described in the Terms of Service, including:

• Student enrollment and record management
• Attendance tracking and reporting
• Academic performance analysis and reporting
• Teacher and staff management
• Communication and notification services

5. Categories of Data Subjects & Data Types

Data Subjects

Students, teachers, administrative staff, and parents/guardians (as provided by the Controller).

Categories of Personal Data

• Identification Information: Name, student ID, staff ID, date of birth
• Contact Information: Email address, phone number, residential address
• Academic Records: Grades, assessment scores, class rankings
• Attendance Records: Daily attendance, absence reasons, tardiness
• Login Credentials: Username, hashed password, access logs

6. Data Ownership & Control

All personal data uploaded to Scholytics remains the exclusive property of the Controller. Scholytics claims no ownership rights over any Controller data. The Controller retains the right to access, export, correct, or delete their data at any time through the platform interface or by written request.

7. Confidentiality

Scholytics ensures that all personnel authorized to process personal data are bound by appropriate confidentiality obligations, whether through employment contracts, non-disclosure agreements, or statutory professional secrecy requirements.

8. Security Measures

Scholytics implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for administrative access
• Role-based access controls within the application
• Regular security assessments and vulnerability scanning
• Secure development and change management practices
• Physical security controls at data center facilities
• Automated backup and disaster recovery procedures

9. Subprocessors

The Controller authorizes Scholytics to engage subprocessors to assist in providing the Service. Current subprocessors include:

• Cloud hosting and infrastructure providers
• Email and notification service providers
• Analytics and monitoring services

Scholytics maintains an up-to-date list of subprocessors and will notify the Controller of any additions or changes at least fourteen (14) days in advance. Controllers may object to new subprocessors on reasonable grounds related to data protection.

All subprocessors are required to provide at least the same level of data protection as set forth in this DPA through written agreements.

10. International Data Transfers

Scholytics primarily processes and stores data within Ghana. In the event that data is transferred internationally (e.g., through subprocessor services), Scholytics ensures that appropriate safeguards are in place, such as standard contractual clauses or equivalent mechanisms, to protect the data in accordance with applicable laws.

11. Data Breach Notification

In the event of a personal data breach, Scholytics will:

• Notify the affected Controller(s) without undue delay, and in any event within 72 hours of becoming aware
• Provide information about the nature of the breach and affected categories of data
• Describe the likely consequences of the breach
• Describe measures taken or proposed to address the breach and mitigate potential adverse effects
• Cooperate with the Controller in meeting any regulatory notification obligations

12. Data Subject Rights

Scholytics will provide reasonable assistance to the Controller in responding to requests from data subjects exercising their rights, including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing

The Controller is responsible for verifying the identity of the data subject and determining the validity of the request.

13. Data Retention & Deletion

Personal data is retained for the duration of the Controller's active account. Upon termination of the Service or upon written request, Scholytics will:

• Return a complete copy of all Controller data in a machine-readable format (upon request made within 30 days of termination)
• Delete all personal data from production systems within 60 days
• Securely destroy any backups containing personal data in accordance with standard backup rotation cycles (typically 90 days)

Certain data may be retained if required by law or for legitimate business purposes (e.g., audit logs, billing records, legal holds).

14. Audit Rights

Upon reasonable written request with at least 30 days' notice and at mutually agreed times, the Controller may audit Scholytics's compliance with this DPA. Audits shall be:

• Limited to once per calendar year
• Conducted during normal business hours
• At the Controller's sole expense
• Subject to reasonable confidentiality and security requirements

Scholytics may satisfy audit requirements by providing a third-party attestation or certification report (e.g., SOC 2 Type II, ISO 27001) where available.

15. Compliance with Laws

Scholytics aims to comply with applicable data protection laws and regulations, including:

• Ghana Data Protection Act, 2012 (Act 843)
• General Data Protection Regulation (GDPR) where applicable
• Other relevant regional and sectoral requirements

16. Term & Termination

This DPA shall remain in effect for as long as Scholytics processes personal data on behalf of the Controller. Termination of this DPA shall not affect the continued application of those provisions that by their nature survive termination, including:

• Confidentiality obligations
• Data return and deletion obligations
• Limitation of liability

17. Conflict & Precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection and processing matters.

18. Contact Information

For questions regarding this Data Processing Agreement or to exercise any rights hereunder, please contact: