Data Processing Agreement

Compliance with Tanzania Data Protection Act 2022 and international standards

Last Updated: December 6, 2025 | Effective Date: December 6, 2025

Table of Contents

  • 1. Definitions
  • 2. Scope of Agreement
  • 3. Tanzania Data Protection Act Compliance
  • 4. Categories of Personal Data
  • 5. Purposes of Processing
  • 6. Legal Basis for Processing
  • 7. Data Subject Rights
  • 8. Technical and Organizational Security Measures
  • 9. International Data Transfers
  • 10. Data Retention and Deletion
  • 11. Data Breach and Incident Management
  • 12. Audits and Compliance Monitoring
  • 13. Liability and Indemnification
  • 14. Termination
  • 15. Contact Information

1. Definitions

"Controller" means the educational institution or organization that determines the purposes and means of processing personal data through ShuleSoft Group Connect.
"Processor" means ShuleSoft Africa Limited, which processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person, including students, staff, parents, and other individuals within the educational ecosystem.
"Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
"Data Subject" means the individual to whom personal data relates, including students, staff, parents, and other stakeholders.
"Tanzania DPA" means the Data Protection Act, 2022 of the United Republic of Tanzania and any regulations made thereunder.
"Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, biometric data, or data concerning a person's sex life or sexual orientation.

2. Scope of Agreement

2.1 Agreement Purpose

This Data Processing Agreement ("DPA") governs the processing of personal data by ShuleSoft Africa Limited ("Processor") on behalf of educational institutions ("Controllers") using the ShuleSoft Group Connect platform. This agreement ensures compliance with the Tanzania Data Protection Act 2022 and establishes the rights and obligations of both parties.

2.2 Relationship Between Parties

  • Controller Responsibilities: The educational institution determines the purposes and means of personal data processing
  • Processor Responsibilities: ShuleSoft processes personal data only on documented instructions from the Controller
  • Joint Obligations: Both parties cooperate to ensure compliance with applicable data protection laws

2.3 Subject Matter and Duration

This DPA covers all personal data processing activities within the ShuleSoft Group Connect platform and remains in effect for the duration of the service agreement between the parties, including any extension or renewal periods.

3. Tanzania Data Protection Act Compliance

Tanzania Data Protection Act 2022 Compliance Framework

ShuleSoft Group Connect is designed to fully comply with the Tanzania Data Protection Act 2022, ensuring that educational institutions can confidently use our platform while meeting their legal obligations under Tanzanian law.

3.1 Data Protection Principles

We ensure compliance with the following principles under the Tanzania DPA:

Principle | Implementation
Lawfulness, Fairness, and Transparency | Processing is based on clear legal grounds with transparent practices
Purpose Limitation | Data is collected for specific, explicit, and legitimate educational purposes
Data Minimization | Only necessary data for educational management is collected and processed
Accuracy | Mechanisms ensure data accuracy and enable corrections
Storage Limitation | Data retention periods comply with educational and legal requirements
Integrity and Confidentiality | Robust security measures protect data integrity and confidentiality
Accountability | Comprehensive documentation and monitoring of compliance measures

3.2 Data Localization Requirements

In accordance with Tanzania DPA requirements:

  • Primary Storage: Personal data of Tanzanian residents is primarily stored within Tanzania or approved jurisdictions
  • Cross-Border Transfers: Any international transfers comply with Tanzania DPA adequacy requirements
  • Data Sovereignty: Controllers maintain sovereignty over their data regardless of storage location
  • Regulatory Cooperation: Full cooperation with Tanzania Data Protection Commission

3.3 Registration and Notification

  • Controller Registration: Educational institutions handle their own registration requirements with the Tanzania Data Protection Commission
  • Processor Notification: ShuleSoft maintains appropriate registrations as a data processor
  • Processing Records: Detailed records of processing activities are maintained as required
  • Impact Assessments: Data Protection Impact Assessments are conducted for high-risk processing

4. Categories of Personal Data

4.1 Student Data

  • Identity Information: Names, student identification numbers, photographs
  • Academic Records: Grades, test scores, academic performance data, attendance records
  • Demographic Information: Age, gender, nationality, contact information
  • Educational Progress: Course enrollment, academic progression, graduation status
  • Disciplinary Records: Behavioral records, disciplinary actions (when applicable)

4.2 Staff Data

  • Employment Information: Employee ID, job title, department, employment status
  • Professional Data: Qualifications, certifications, professional development records
  • Performance Data: Performance evaluations, training records, attendance
  • Contact Information: Business and emergency contact details
  • Payroll Information: Salary data, benefit information, tax details

4.3 Parent/Guardian Data

  • Contact Information: Names, addresses, phone numbers, email addresses
  • Relationship Data: Relationship to student, custody arrangements
  • Communication Records: Messages, notifications, meeting records
  • Financial Information: Fee payment records, billing information

4.4 Special Categories of Personal Data

When processed with appropriate safeguards and legal basis:

  • Health Data: Medical conditions relevant to educational support, dietary requirements
  • Religious Information: Religious preferences for educational or dietary accommodations
  • Disability Information: Special educational needs, accessibility requirements

5. Purposes of Processing

5.1 Educational Management

  • Student enrollment, registration, and academic record management
  • Academic performance tracking and progress monitoring
  • Curriculum delivery and educational program administration
  • Assessment, examination, and certification processes
  • Special educational needs support and accommodation

5.2 Administrative Functions

  • School operations management and resource allocation
  • Staff management, payroll, and human resources administration
  • Financial management, fee collection, and budget planning
  • Facility management and security administration
  • Transport and catering service management

5.3 Communication and Engagement

  • Communication with students, parents, and staff
  • Emergency notifications and safety communications
  • Parent engagement and community building
  • Alumni relations and ongoing engagement

5.4 Analytics and Improvement

  • Educational performance analysis and improvement
  • Operational efficiency optimization
  • Predictive analytics for educational outcomes
  • Research and development for educational enhancement

5.5 Legal and Regulatory Compliance

  • Compliance with educational regulations and standards
  • Safeguarding and child protection requirements
  • Financial audit and reporting obligations
  • Legal proceedings and dispute resolution

6. Legal Basis for Processing

6.1 Primary Legal Bases

Processing Purpose | Legal Basis
Student Academic Management | Public task (education provision) / Contract (enrollment)
Staff Employment Management | Contract (employment) / Legal obligation (labor law)
Parent Communication | Legitimate interest / Consent
Financial Management | Contract (fee payment) / Legal obligation (accounting)
Safety and Security | Vital interests / Legal obligation
Special Categories Data | Explicit consent / Substantial public interest

6.2 Consent Management

Where consent is the legal basis for processing:

  • Informed Consent: Clear, specific information about processing purposes
  • Freely Given: No conditioning of services on unnecessary consent
  • Specific: Separate consent for different processing purposes
  • Withdrawable: Easy mechanisms to withdraw consent
  • Documented: Records of consent collection and withdrawal

6.3 Legitimate Interest Assessments

For processing based on legitimate interests, we conduct assessments considering:

  • The necessity of processing for the legitimate interest
  • The impact on data subjects' rights and freedoms
  • The balance between legitimate interests and privacy rights
  • Reasonable expectations of data subjects
  • Available safeguards and mitigation measures

7. Data Subject Rights

7.1 Rights Under Tanzania DPA

Data subjects have the following rights, which we facilitate:

  • Right of Access: Obtain confirmation of processing and access to personal data
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of personal data (subject to legal requirements)
  • Right to Restriction: Limit the processing of personal data
  • Right to Portability: Receive personal data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests

7.2 Request Handling Process

  • Receipt: Acknowledge receipt within 3 working days
  • Verification: Verify identity of the data subject
  • Processing: Process request within 30 days (extendable to 60 days for complex requests)
  • Response: Provide clear response with any requested data or explanation
  • Appeal: Information about appeal processes if request is refused

7.3 Special Considerations for Minors

  • Parental Rights: Parents/guardians may exercise rights on behalf of minors
  • Capacity Assessment: Consider the child's capacity to understand the implications
  • Best Interests: Decisions made in the best interests of the child
  • Educational Continuity: Balance rights with educational requirements

8. Technical and Organizational Security Measures

8.1 Technical Security Measures

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Role-based access control with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and network segmentation
  • Database Security: Encrypted databases with access logging and monitoring
  • Application Security: Secure coding practices, input validation, and output encoding
  • Backup and Recovery: Secure, encrypted backups with tested recovery procedures

8.2 Organizational Security Measures

  • Security Policies: Comprehensive information security policies and procedures
  • Staff Training: Regular security awareness training for all personnel
  • Access Management: Principle of least privilege and regular access reviews
  • Incident Response: Formal incident response procedures and team
  • Vendor Management: Security assessments of third-party service providers
  • Compliance Monitoring: Regular compliance audits and security assessments

8.3 Physical Security Measures

  • Data Center Security: Certified data centers with 24/7 physical security
  • Environmental Controls: Climate control, fire suppression, and power management
  • Access Controls: Biometric access controls and visitor management
  • Equipment Security: Secure disposal of hardware and media

8.4 Security Certifications

ISO 27001 Certified
SOC 2 Type II
Tanzania DPA Compliant

9. International Data Transfers

9.1 Transfer Principles

Any international transfer of personal data is conducted in accordance with:

  • Tanzania DPA Requirements: Compliance with cross-border transfer provisions
  • Adequacy Decisions: Transfers to countries with adequate protection levels
  • Appropriate Safeguards: Standard contractual clauses or binding corporate rules
  • Specific Situations: Limited transfers for specific legitimate purposes

9.2 Safeguards for International Transfers

  • Data Processing Agreements: Comprehensive agreements with international processors
  • Standard Contractual Clauses: EU Commission approved clauses where applicable
  • Certification Schemes: Adherence to recognized international certification schemes
  • Codes of Conduct: Compliance with approved codes of conduct

9.3 Transfer Impact Assessments

Before any international transfer, we assess:

  • The legal framework in the destination country
  • Potential access by foreign governments
  • Available legal remedies for data subjects
  • Additional safeguards that may be necessary
  • The necessity and proportionality of the transfer

10. Data Retention and Deletion

10.1 Retention Principles

  • Purpose Limitation: Data retained only as long as necessary for the original purpose
  • Legal Requirements: Compliance with educational and legal retention requirements
  • Regular Review: Periodic review of retention needs and data classification
  • Secure Deletion: Secure and verifiable deletion when retention period expires

10.2 Retention Periods

Data Category | Retention Period | Legal Basis
Student Academic Records | 7-10 years after graduation | Educational regulations
Financial Records | 7 years after transaction | Accounting standards
Staff Employment Records | 6 years after employment ends | Labor law requirements
Communication Records | 3 years after communication | Operational necessity
System Log Data | 12 months | Security and troubleshooting
Special Category Data | As required by purpose | Specific legal basis

10.3 Deletion Procedures

  • Automated Deletion: Automated systems for routine data deletion
  • Secure Erasure: Multiple-pass secure erasure for sensitive data
  • Backup Deletion: Deletion from all backup systems and archives
  • Verification: Verification and documentation of deletion completion
  • Exception Handling: Procedures for legal hold and exception cases

11. Data Breach and Incident Management

11.1 Incident Response Procedures

  • Detection: 24/7 monitoring and automated breach detection systems
  • Assessment: Immediate assessment of breach scope and risk level
  • Containment: Swift action to contain and mitigate the breach
  • Investigation: Thorough investigation of causes and impact
  • Notification: Timely notification to relevant parties and authorities
  • Remediation: Implementation of corrective and preventive measures

11.2 Notification Timelines (Tanzania DPA)

  • Internal Notification: Immediate internal escalation upon detection
  • Controller Notification: Within 24 hours of breach confirmation
  • Supervisory Authority: Within 72 hours as required by Tanzania DPA
  • Data Subject Notification: Without undue delay if high risk to rights
  • Documentation: Comprehensive incident documentation and lessons learned

11.3 Breach Risk Assessment

We assess breach risk considering:

  • Nature, sensitivity, and volume of data involved
  • Ease of identification of individuals
  • Severity of consequences for data subjects
  • Likelihood of consequences occurring
  • Special characteristics of data subjects (e.g., children)

12. Audits and Compliance Monitoring

12.1 Audit Rights and Procedures

  • Controller Audit Rights: Controllers may audit our compliance upon reasonable notice
  • Third-Party Audits: Independent security and compliance audits
  • Regulatory Audits: Cooperation with Tanzania Data Protection Commission audits
  • Documentation Access: Provision of relevant compliance documentation
  • Remediation: Prompt remediation of any identified issues

12.2 Compliance Monitoring

  • Regular Assessments: Quarterly compliance assessments and reviews
  • Policy Updates: Regular updates to policies and procedures
  • Training Programs: Ongoing staff training on data protection
  • Performance Metrics: Key performance indicators for compliance
  • Continuous Improvement: Continuous improvement of data protection practices

12.3 Audit Documentation

We maintain comprehensive documentation including:

  • Records of processing activities
  • Data protection impact assessments
  • Consent records and withdrawal tracking
  • Data subject request handling logs
  • Security incident reports and responses
  • Staff training records and certifications

13. Liability and Indemnification

13.1 Liability Allocation

  • Controller Liability: Controllers liable for determining lawful processing purposes
  • Processor Liability: ShuleSoft liable for processing in accordance with instructions
  • Joint Liability: Joint liability for joint processing activities
  • Third-Party Claims: Procedures for handling third-party data protection claims

13.2 Indemnification

  • Processor Indemnification: ShuleSoft indemnifies for breaches of this DPA
  • Controller Indemnification: Controllers indemnify for unlawful processing instructions
  • Mutual Cooperation: Cooperation in defending against third-party claims
  • Insurance Coverage: Appropriate insurance coverage for data protection risks

13.3 Limitation of Liability

Liability limitations are subject to applicable data protection law requirements and may not apply to:

  • Willful misconduct or gross negligence
  • Violations of data protection laws
  • Breach of confidentiality obligations
  • Failure to implement required security measures

14. Termination

14.1 Termination Events

This DPA may be terminated upon:

  • Termination of the main service agreement
  • Material breach of data protection obligations
  • Insolvency or cessation of business operations
  • Regulatory order or legal requirement
  • Mutual agreement of the parties

14.2 Data Return and Deletion

Upon termination, ShuleSoft will:

  • Data Export: Provide data export in standard formats within 30 days
  • Secure Deletion: Securely delete all personal data unless legal retention required
  • Confirmation: Provide written confirmation of data deletion
  • Backup Deletion: Delete data from all backup systems and archives
  • Third-Party Notification: Ensure sub-processors also delete or return data

14.3 Survival of Provisions

The following provisions survive termination:

  • Confidentiality obligations
  • Data return and deletion requirements
  • Liability and indemnification clauses
  • Audit rights for completed processing
  • Governing law and dispute resolution

15. Contact Information

Data Protection Officer

dpo@shulesoft.africa
+255 123 456 789
+255 123 456 790
ShuleSoft Africa Limited
Data Protection Office
123 Education Street
Dar es Salaam, Tanzania
Data Protection Portal

Tanzania Data Protection Commission

For complaints or inquiries about data protection matters, you may also contact:

info@dataprotection.go.tz
www.dataprotection.go.tz

For any questions about this Data Processing Agreement, data protection compliance, or to exercise your data subject rights, please contact our Data Protection Officer. We are committed to addressing your inquiries promptly and in accordance with applicable data protection laws.


© 2025 ShuleSoft Africa Limited. All rights reserved. | Fully compliant with Tanzania Data Protection Act 2022.