Data Processing Agreement

GDPR/UK GDPR-compliant terms for processing personal data on behalf of customers.

Effective May 1, 2026 · v1.0 — June 2026

Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Customer ("Data Controller" or "Controller"): The school, educational institution, or organization that has agreed to the School-Core Terms of Service and subscribes to the Service.
  • School-Core ("Data Processor" or "Processor"): The entity providing the School-Core platform and services as described in the Terms of Service.

This DPA forms part of, and is incorporated into, the Terms of Service ("Agreement") between the Controller and the Processor. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

Definitions

In this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meaning given in the Agreement, the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), or other applicable Data Protection Laws.

  • "Applicable Data Protection Laws" means all laws and regulations relating to data protection and privacy applicable to the processing of Personal Data under this DPA, including but not limited to: GDPR, UK GDPR, FERPA, COPPA, CCPA/CPRA, POPIA, PDPA, LGPD, PIPEDA, and any national implementing legislation.
  • "Authorized Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including students, parents/guardians, teachers, staff, and school administrators.
  • "Data Subject Request" means a request made by a Data Subject to exercise their rights under Applicable Data Protection Laws.
  • "EEA" means the European Economic Area.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Processing" (and its cognates "Process," "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "School Data" means all Personal Data that is uploaded to, created within, or processed through the Service by or on behalf of the Controller, including student records, staff records, parent/guardian information, health data, financial data, and behavioral data.
  • "Service" means the School-Core cloud-based school management platform as described in the Agreement.
  • "Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation; and includes "sensitive personal information" as defined under other Applicable Data Protection Laws.
  • "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
  • "Technical and Organizational Measures" means the security measures described in Annex II of this DPA and in the Processor's Security Policy.

Scope and Purpose of Processing

Subject Matter

The Processor shall process Personal Data on behalf of the Controller to provide the Service as described in the Agreement. The details of the processing are set out in Annex I.

Duration

Processing shall continue for the duration of the Agreement, plus any post-termination retention period as described in Section 12 and Annex I.

Nature and Purpose of Processing

The Processor processes Personal Data for the following purposes:

PurposeDescription
Account ManagementUser registration, authentication, session management, role assignment
Academic ManagementCurriculum delivery, timetabling, course enrollment, class assignments
Learning ManagementVirtual classrooms, assignments, submissions, grading, feedback
Assessment & ReportingGrade recording, report card generation, transcript production, analytics
Student InformationStudent profiles, enrollment history, attendance tracking, behavior records
Health & CounselingHealth records, medical conditions, counseling notes, incident reports
FinanceFee management, invoicing, payment processing, financial reporting
CommunicationMessaging, announcements, meeting scheduling, notifications
OperationsTransport management, library records, hostel management, visitor logs, facility booking
HR & Staff ManagementEmployment records, payroll, attendance, contracts, recruitment, appraisals, CPD, disciplinary and grievance management
AI-Powered FeaturesAI tutoring (Study Buddy), quiz generation, lesson planning, grading assistance, report card comments, unit planning
Analytics & DashboardsStatistical analysis, performance insights, operational metrics
Audit & ComplianceAudit logging, access tracking, compliance monitoring

Categories of Data Subjects

  • Students (including minors)
  • Parents and guardians
  • Teachers and academic staff
  • Non-teaching staff (administrative, operational, support)
  • School administrators and principals
  • External visitors (visitor management)
  • Job applicants (recruitment module)

Types of Personal Data

The categories of Personal Data processed are detailed in Annex I and include:

Identification Data: Full name, date of birth, gender, nationality, profile photographs, government-issued ID numbers (where provided by the school)

Contact Data: Email addresses, phone numbers, physical addresses, emergency contact details

Educational Data: Grades, assessment scores, attendance records, behavior records, learning progress, course enrollments, transcripts, class participation data, XP/gamification data

Health Data (Special Category): Medical conditions, allergies, medications, vaccination records, counseling notes, psychological assessments, health incident reports

Financial Data: Fee structures, payment records, salary information, bank details (for staff payroll), billing addresses

Employment Data: Employment contracts, job titles, department assignments, salary schedules, performance appraisals, CPD records, disciplinary records, grievance records, recruitment/applicant data, onboarding records

Technical Data: IP addresses, user agent strings, session tokens, login timestamps, device information

Behavioral Data: Behavior incidents, disciplinary records, reward/merit points, counseling referrals

Communication Data: Messages between users, announcements, meeting records, notification preferences

AI Interaction Data: Prompts sent to AI services, AI-generated responses, token usage counts

Controller Obligations

Lawful Basis

The Controller warrants that it has a lawful basis for processing Personal Data through the Service, and that all necessary consents, authorizations, and notices have been obtained or given in accordance with Applicable Data Protection Laws. In particular, the Controller shall:

(a) Obtain appropriate parental/guardian consent for the processing of children's data where required by law (e.g., COPPA for children under 13, GDPR for children under the age set by the applicable Member State)

(b) Provide adequate privacy notices to all Data Subjects whose data is processed through the Service

(c) Ensure that the processing of Special Category Data (health records, counseling notes) has a valid legal basis

(d) Maintain records of consent and lawful basis determinations

Instructions

The Controller shall provide documented instructions for the processing of Personal Data. The Agreement, this DPA, and the Controller's use of the Service constitute the Controller's complete and final instructions. Any additional or alternative instructions must be agreed in writing.

Compliance

The Controller is responsible for:

(a) Complying with Applicable Data Protection Laws in its capacity as Controller

(b) Ensuring the accuracy and lawfulness of Personal Data provided to the Processor

(c) Configuring access controls, permissions, and privacy settings within the Service appropriately

(d) Training Authorized Users on proper data handling within the Service

(e) Responding to Data Subject Requests (with the Processor's assistance as described in Section 7)

(f) Conducting Data Protection Impact Assessments ("DPIAs") where required

(g) Notifying the relevant supervisory authority and Data Subjects of Personal Data Breaches where required

FERPA Compliance (US Schools)

Where the Controller is a US educational institution subject to FERPA:

(a) The Controller designates the Processor as a "school official" with a "legitimate educational interest" under FERPA 34 CFR 99.31(a)(1)

(b) The Processor shall use education records solely for the purpose of providing the Service

(c) The Processor shall not disclose education records to third parties except as permitted under FERPA or as directed by the Controller

(d) The Controller retains control over education records and may request their return or deletion

Processor Obligations

Processing Instructions

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law)

(b) Not process Personal Data for any purpose other than providing the Service as described in the Agreement

(c) Not sell, rent, trade, or otherwise commercially exploit Personal Data

(d) Not use Personal Data for profiling, advertising, marketing, or any purpose unrelated to the Service

(e) Not use student data for targeted advertising or commercial purposes

Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data:

(a) Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

(b) Have received appropriate training on data protection responsibilities

(c) Process Personal Data only in accordance with the Controller's instructions

Security

The Processor shall implement and maintain appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, as described in Annex II and the Processor's Security Policy. These measures include:

(a) Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest, with additional application-level AES-256-GCM encryption on sensitive fields (MFA secrets, OAuth refresh tokens)

(b) Access Controls: Role-based access control covering school, leadership, specialist, platform, and partner contexts, with three-layer permission resolution (built-in defaults, tenant-level overrides, user-level overrides) and a custom-role mechanism for tenant-defined permission sets

(c) Authentication: Irreversible bcrypt password hashing at industry-recommended cost, encrypted server-issued session tokens with periodic refresh, OAuth 2.0 SSO with Google Workspace and Microsoft Entra ID, multi-factor authentication via TOTP (required for administrative roles), cryptographically secure single-use tokens for password reset and activation

(d) Multi-Tenant Isolation: Mandatory tenant filter on all database queries; cross-tenant access architecturally prevented with defense-in-depth scoping on all create / update / delete operations

(e) Input Validation: Schema validation on all API inputs, parameterized queries via the ORM layer, server-side HTML sanitization on user-generated content

(f) Rate Limiting: Applied to authentication, account creation, password reset, MFA verification, and public form submissions, backed by a distributed in-memory store

(g) Monitoring: Comprehensive audit logging (user identity, action, entity, previous/new values, IP address, user agent, timestamp); auth-failure categories captured for security review; real-time error monitoring with PII excluded by design

(h) Backup and Recovery: Continuous database replication with point-in-time recovery, RPO < 1 hour, RTO < 4 hours

Assistance

The Processor shall assist the Controller, taking into account the nature of processing and the information available to the Processor, in:

(a) Responding to Data Subject Requests (Section 7)

(b) Ensuring compliance with security obligations

(c) Notifying the Controller of Personal Data Breaches (Section 8)

(d) Conducting DPIAs and prior consultations with supervisory authorities where required

Records of Processing

The Processor shall maintain records of processing activities carried out on behalf of the Controller, containing:

(a) The name and contact details of the Processor and Controller

(b) The categories of processing carried out on behalf of the Controller

(c) Transfers of Personal Data to third countries or international organizations (including the transfer mechanism)

(d) A general description of Technical and Organizational Measures

Sub-processors

General Authorization

The Controller grants the Processor general written authorization to engage Sub-processors to process Personal Data, subject to the conditions in this Section 6.

Current Sub-processors

The Processor currently engages the following Sub-processors:

Sub-processorPurposeData ProcessedLocationCertifications
Vercel Inc.Application hosting, edge deliveryAll application data, platform-generated filesGlobal (Edge Network)SOC 2 Type II
Cloudflare Inc.User file storage (R2)User-uploaded documents, attachments, mediaConfigurable (region hints available)SOC 2 Type II, ISO 27001
Supabase Inc. (AWS)PostgreSQL database hosting, connection poolingAll persistent data (full database)Singapore (ap-southeast-1)SOC 2 Type II, ISO 27001
Upstash Inc.Redis caching, rate limiting, AI budget trackingRate limit counters, AI token budgets, cached responsesGlobalSOC 2 Type II
Sentry (Functional Software Inc.)Error monitoring, performance trackingError reports, stack traces (PII excluded by design)United StatesSOC 2 Type II
Anthropic PBCAI processing (Claude models)AI prompts containing educational context (minimal PII)United StatesEnterprise DPA
OpenAI Inc.AI processing (GPT models)AI prompts containing educational context (minimal PII)United StatesEnterprise DPA, SOC 2 Type II
Google LLCOAuth SSO authenticationAuthentication tokens, basic profile (name, email)GlobalSOC 2 Type II, ISO 27001
Microsoft CorporationOAuth SSO authentication (Entra ID)Authentication tokens, basic profile (name, email)GlobalSOC 2 Type II, ISO 27001
Stripe Inc.Payment processing for platform subscriptions, AI subscriptions, and partner payouts (school-collected parent fees do not flow through Stripe)Card holder data captured directly by Stripe (never reaches our servers); Stripe customer + payment intent identifiers; billing addressUnited States / GlobalPCI DSS Level 1, SOC 2 Type II, ISO 27001
Resend Inc.Transactional email delivery (password resets, billing notices, dunning emails, support replies, report-card distribution)Email addresses, recipient names, message contentUnited StatesSOC 2 Type II

Notification of Changes

The Processor shall:

(a) Maintain an up-to-date list of Sub-processors, available upon request and at https://school-core.com/legal/sub-processors

(b) Notify the Controller at least 30 days in advance of any intended changes to the list of Sub-processors (additions or replacements)

(c) Provide sufficient information about the new Sub-processor to enable the Controller to exercise its right of objection

Right to Object

The Controller may object to a new Sub-processor by notifying the Processor in writing within 14 days of receiving notice. If the Controller objects on reasonable grounds related to data protection:

(a) The Processor shall use commercially reasonable efforts to make available an alternative arrangement that avoids the use of the objected-to Sub-processor

(b) If no alternative is reasonably available, either party may terminate the affected portion of the Service (or the Agreement) without penalty, and the Processor shall refund any prepaid fees for the unused portion of the Subscription Term

Sub-processor Obligations

The Processor shall:

(a) Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA

(b) Remain fully liable to the Controller for the performance of each Sub-processor's obligations

(c) Conduct appropriate due diligence on each Sub-processor's security practices and certifications

Live sub-processor registry

Supabase (PostgreSQL)

Primary database hosting

Infrastructure

Data processed

All platform data (student records, staff records, academic data, communications)

Data location

Singapore (AWS ap-southeast-1)

SOC 2 Type IIHIPAA
Vercel

Application hosting and edge delivery

Infrastructure

Data processed

Application requests, server-side rendering, edge functions

Data location

Global (edge network)

SOC 2 Type IIGDPR
Cloudflare R2

File and document storage

Infrastructure

Data processed

User-uploaded documents, attachments, profile images, certificates, report PDFs

Data location

Configurable (region hints available)

SOC 2 Type IIISO 27001PCI DSS
Anthropic (Claude)

AI-powered educational features

AI Processing

Data processed

Prompts containing academic context (no PII stored by provider). See Privacy Policy §6 for details.

Data location

United States

SOC 2 Type II
OpenAI (GPT)

Alternative AI processing for specific features

AI Processing

Data processed

Educational prompts (no PII stored by provider). See Privacy Policy §6 for details.

Data location

United States

SOC 2 Type II
Stripe

Payment processing for subscriptions and billing

Payment

Data processed

Payment card details (handled directly by Stripe, never touches our servers), billing information

Data location

United States / Global

PCI DSS Level 1SOC 2 Type IIISO 27001
Resend

Transactional email delivery

Communication

Data processed

Email addresses, recipient names, email content (password resets, notifications, report card distribution)

Data location

United States

SOC 2 Type II
Sentry

Error monitoring and performance tracking

Monitoring

Data processed

Error context, stack traces, performance metrics. Configured to exclude PII.

Data location

United States

SOC 2 Type IIGDPR
Upstash Redis

Rate-limit counters and short-lived AI budget caches

Infrastructure

Data processed

Rate-limit keys (IP, userId), AI token budgets, cached responses (no long-term PII).

Data location

Global (regional choice configurable)

SOC 2 Type II
Google (OAuth)

Optional sign-in with Google Workspace and Google Drive personal-account connections

Authentication

Data processed

Authentication tokens, basic profile (name, email). No customer data is shared with Google.

Data location

Global

SOC 2 Type IIISO 27001
Microsoft Entra ID

Optional sign-in with Microsoft 365 / Entra and OneDrive personal-account connections

Authentication

Data processed

Authentication tokens, basic profile (name, email). For OneDrive-connected users: file listing tokens scoped to the consenting user only.

Data location

Global

SOC 2 Type IIISO 27001

Data Subject Rights

Assistance with Requests

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to Data Subject Requests. These rights include:

RightGDPR ArticleImplementation
Right of AccessArt. 15Data export via CSV/Excel/PDF; API access
Right to RectificationArt. 16In-app editing by authorized users
Right to ErasureArt. 17Account deactivation; data deletion upon request
Right to RestrictionArt. 18Account suspension; role-based access restriction
Right to Data PortabilityArt. 20CSV/Excel export; PDF report generation
Right to ObjectArt. 21Feature opt-out controls; AI feature disabling
Rights Related to Automated Decision-MakingArt. 22AI features are assistive only; no solely automated decisions with legal/significant effect

Notification

The Processor shall promptly notify the Controller if it receives a Data Subject Request directly, unless prohibited by law. The Processor shall not respond to such requests except on the Controller's documented instructions, unless required by applicable law.

Technical Capabilities

The Service provides the following technical capabilities to support Data Subject Rights:

(a) Data Export: Built-in CSV, Excel, and PDF export for student records, grades, attendance, financial data, and reports

(b) Data Correction: Authorized users can update records through the Service interface

(c) Account Deactivation: User accounts can be set to SUSPENDED or INACTIVE status

(d) Data Deletion: Upon Controller request, specific records or entire tenant data can be permanently deleted

(e) Access Logging: Audit logs track all access to and modifications of Personal Data

(f) AI Opt-Out: AI-powered features can be disabled at the tenant level or restricted by role

Personal Data Breach

Notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data.

Content of Notification

The notification shall include, to the extent available:

(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned

(b) The name and contact details of the Processor's point of contact for further information

(c) A description of the likely consequences of the Personal Data Breach

(d) A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects

Ongoing Obligations

The Processor shall:

(a) Provide further information as it becomes available, in phases if necessary

(b) Take immediate steps to contain and remediate the breach

(c) Cooperate fully with the Controller's investigation and response efforts

(d) Preserve all relevant logs and evidence

(e) Not communicate directly with Data Subjects about the breach without the Controller's prior written approval, unless required by law

Documentation

The Processor shall maintain a register of all Personal Data Breaches, including:

(a) The facts relating to the breach

(b) Its effects

(c) The remedial action taken

(d) The outcome and lessons learned

International Data Transfers

Transfer Mechanisms

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that does not benefit from an adequacy decision, the Processor shall ensure that appropriate safeguards are in place, including:

(a) Standard Contractual Clauses (SCCs): The EU SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and form part of this DPA. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs applies. For transfers subject to the Swiss Federal Act on Data Protection, the applicable Swiss transfer mechanism applies.

(b) Transfer Impact Assessments: The Processor shall conduct and document transfer impact assessments for each Sub-processor located in a country without an adequacy decision, evaluating the laws and practices of the destination country.

(c) Supplementary Measures: Where transfer impact assessments identify risks, the Processor shall implement supplementary measures (technical, organizational, or contractual) to ensure an essentially equivalent level of protection.

Current Data Transfer Locations

Data CategoryDestinationTransfer Mechanism
Application dataGlobal (Vercel Edge)SCCs + supplementary measures
Database (primary)Singapore (AWS ap-southeast-1)SCCs + AWS adequacy/certifications
File storageConfigurable region (Cloudflare R2)SCCs + supplementary measures; region selection available
Rate limiting/cachingGlobal (Upstash)SCCs + supplementary measures
Error monitoringUnited States (Sentry)SCCs + supplementary measures
AI processingUnited States (Anthropic, OpenAI)SCCs + enterprise DPAs
Authentication (OAuth)Global (Google, Microsoft)SCCs + adequacy decisions where applicable

Controller Consent

By entering into this DPA, the Controller authorizes the transfers described in Section 9.2. The Controller acknowledges that the Service requires certain international transfers to function and that the Processor has implemented appropriate safeguards for such transfers.

Audit Rights

Information and Audit

The Processor shall:

(a) Make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws

(b) Allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the conditions in this Section 10

Audit Procedure

(a) The Controller shall give the Processor at least 30 days' written notice of any planned audit

(b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations

(c) The Controller shall bear the costs of audits initiated by the Controller (except where the audit reveals material non-compliance by the Processor)

(d) The scope of audits shall be limited to the Processor's processing of Personal Data under this DPA

(e) The Controller and its auditor shall be bound by confidentiality obligations regarding any proprietary or confidential information accessed during the audit

Third-Party Certifications

The Processor may satisfy audit requirements by providing:

(a) Copies of relevant third-party audit reports or certifications (e.g., SOC 2 Type II reports of Sub-processors)

(b) Summaries of penetration test results

(c) Completed security questionnaires or self-assessment reports

(d) Evidence of compliance with the Technical and Organizational Measures described in Annex II

Regulatory Audits

The Processor shall cooperate with any audit or investigation by a supervisory authority or regulatory body with jurisdiction over the Controller's processing activities, to the extent such cooperation is required by Applicable Data Protection Laws.

Data Retention and Deletion

During the Agreement

During the term of the Agreement, the Processor shall retain Personal Data as necessary to provide the Service and in accordance with the Controller's instructions. The following automated retention policies apply:

Data TypeRetention PeriodAction
Read notifications90 daysAutomatic batch deletion
XP transaction details (individual records)2 yearsAutomatic deletion (aggregated profile totals preserved)
XP profile aggregates (totalXp, annualXp, level, tier, streaks)Duration of student enrollmentRetained to support multi-year cumulative progression and year-over-year peer comparisons
AI usage summaries1 yearAutomatic deletion
Password reset tokens1 hourAutomatic nullification
Expired session tokensOn refresh (15 min cycle)Automatic invalidation
Audit logs3 years1 year active in production database, 2 years archived in cold storage, then permanently deleted

Post-Termination

Upon termination or expiry of the Agreement:

(a) The Controller shall have 30 days to export all Personal Data using the Service's export functionality

(b) After the 30-day export period, the Processor shall delete all Personal Data within 60 days (90 days total from termination)

(c) Deletion shall be permanent and irreversible, including from backups (within the normal backup rotation cycle)

(d) The Processor shall certify deletion in writing upon the Controller's request

Exceptions to Deletion

The Processor may retain Personal Data beyond the periods specified above where:

(a) Required by applicable law or regulation (e.g., financial records, tax obligations)

(b) Necessary for the establishment, exercise, or defense of legal claims

(c) Required by a valid legal hold or preservation order

In such cases, the Processor shall inform the Controller, isolate the retained data, and apply appropriate security measures. Retained data shall be deleted once the retention obligation expires.

Term and Termination of DPA

Term

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon the termination or expiry of the Agreement, subject to Section 11.2 (post-termination data handling).

Survival

The following provisions shall survive termination of this DPA:

(a) Section 5.2 (Confidentiality)

(b) Section 8 (Personal Data Breach) — to the extent any breach is discovered post-termination

(c) Section 10 (Audit Rights) — for a period of 12 months after termination

(d) Section 11 (Data Retention and Deletion)

(e) Section 13 (Liability)

(f) Annex II (Technical and Organizational Measures) — for as long as the Processor retains any Personal Data

Liability

Allocation

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except as provided in this Section 13.

Processor Liability

The Processor shall be liable for damage caused by processing only where it has:

(a) Not complied with obligations under Applicable Data Protection Laws specifically directed to processors

(b) Acted outside or contrary to the Controller's lawful instructions

(c) Failed to implement the Technical and Organizational Measures described in Annex II

Controller Liability

The Controller shall be liable for damage caused by processing where it has:

(a) Not complied with its obligations under Applicable Data Protection Laws as Controller

(b) Provided unlawful or contradictory instructions to the Processor

(c) Failed to fulfill its obligations under Section 4 of this DPA

Indemnification

Each party shall indemnify the other against all claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from the indemnifying party's breach of this DPA or Applicable Data Protection Laws.

No Limitation for Certain Breaches

Nothing in this DPA or the Agreement shall limit either party's liability for:

(a) Fraud or fraudulent misrepresentation

(b) Willful misconduct or gross negligence in handling Personal Data

(c) Liability that cannot be excluded or limited under Applicable Data Protection Laws

Governing Law

This DPA

This DPA shall be governed by the same governing law as the Agreement, unless otherwise required by Applicable Data Protection Laws.

Standard Contractual Clauses

Where the SCCs apply, they shall be governed by the law of the EU Member State in which the Controller is established (or, where the Controller is not established in an EU Member State, the law of the EU Member State designated in the SCCs).

Regulatory Compliance

Nothing in this DPA shall limit the rights of supervisory authorities, regulatory bodies, or Data Subjects under Applicable Data Protection Laws.

General Provisions

Entire Agreement

This DPA, together with its Annexes and the Agreement, constitutes the entire agreement between the parties regarding the processing of Personal Data.

Amendments

This DPA may be amended by the Processor to reflect changes in Applicable Data Protection Laws or processing practices. Material changes shall be notified to the Controller at least 30 days in advance.

Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Order of Precedence

In the event of a conflict between this DPA and the Agreement:

  1. Applicable Data Protection Laws (mandatory provisions)
  2. Standard Contractual Clauses (where applicable)
  3. This DPA
  4. The Agreement

Annex I: Details of Processing

A. List of Parties

Controller:

  • Name: [Customer name as per Agreement]
  • Address: [Customer address]
  • Contact person: [Customer DPO or authorized contact]
  • Role: Data Controller

Processor:

  • Name: School-Core
  • Address: Available on request via privacy@school-core.com (full address is provided when both parties countersign this DPA)
  • Contact person: privacy@school-core.com
  • Role: Data Processor

B. Description of Processing

ElementDetail
Subject matterProvision of cloud-based school management platform
DurationDuration of the Agreement plus post-termination retention period (up to 90 days)
Nature of processingCollection, storage, organization, structuring, retrieval, consultation, use, disclosure by transmission (to authorized users), alignment, combination, restriction, erasure, destruction
PurposeTo provide the Service (school management, academic operations, student information, HR, finance, communication, AI-assisted education) as described in the Agreement

C. Categories of Data Subjects

CategoryDescription
StudentsCurrent and former students enrolled at the Controller's institution(s), including minors
Parents/GuardiansParents, legal guardians, and authorized family contacts of students
Teaching StaffTeachers, tutors, teaching assistants, and other academic personnel
Non-Teaching StaffAdministrative, operational, financial, HR, IT, library, transport, and support staff
School LeadershipPrincipals, vice-principals, department heads, school administrators
External PersonsVisitors (visitor management module), job applicants (recruitment module)

D. Categories of Personal Data

CategoryData Elements
IdentityFirst name, last name, preferred name, date of birth, gender, nationality, profile photo, government ID numbers
ContactEmail address, phone number, physical address, emergency contacts
AuthenticationHashed password (bcrypt-12), OAuth tokens (encrypted), session tokens (JWT), password reset tokens
AcademicGrades, scores, GPA, class enrollment, attendance, timetable, subjects, learning objectives, submissions, feedback, XP points, achievements, graduation progress
Health (Special Category)Medical conditions, allergies, medications, blood type, vaccination records, health incidents, counseling notes, psychological assessments
BehavioralBehavior incidents, merit/demerit points, disciplinary records, reward transactions
FinancialFee amounts, payment history, invoices, scholarship/bursary details, salary information (staff), bank account details (staff payroll)
Employment (Staff)Job title, department, employment dates, contract type/terms, salary schedule, pay runs, attendance records, leave balances, performance appraisals, CPD records, disciplinary cases, grievance cases, onboarding checklists, recruitment/applicant data
CommunicationMessages, announcements, meeting records, notification preferences, chat history
TechnicalIP address, user agent, browser/device info, login timestamps, session data
AI InteractionsPrompts, responses, feature used, token count, model used
AuditUser ID, action type, entity affected, old/new values, timestamp, IP address, user agent

E. Special Categories of Data

Special CategoryLawful Basis (Controller Responsibility)Additional Safeguards
Health dataExplicit consent or vital interests; school's legitimate educational functionRole-restricted access (School Nurse, Counselor, relevant admin roles); encrypted at rest
Counseling notesExplicit consent or legitimate interests with safeguardsRestricted to Counselor and authorized admin roles only
Religious/ethnic dataWhere collected for demographic purposes with consentOptional fields; not required for core functionality
Biometric dataNot collectedN/A
Children's dataParental/school consent (COPPA, GDPR Art. 8)Age-appropriate defaults; school-mediated consent model; no direct marketing

F. Retention Periods

Data CategoryRetention PeriodBasis
Active student recordsDuration of enrollment + end of academic yearEducational purpose
Alumni recordsAs directed by ControllerController instruction
Staff employment recordsDuration of employment + as directed by ControllerEmployment purpose, legal requirements
Health recordsAs directed by ControllerLegal and safeguarding requirements
Financial recordsAs directed by Controller (minimum per applicable law)Legal and tax obligations
Audit logs3 yearsCompliance and dispute resolution (1 year active + 2 years archived)
AI interaction data1 year (aggregated summaries)Usage monitoring
Read notifications90 daysSystem maintenance
All data post-termination90 daysData export period, then permanent deletion

Annex II: Technical and Organizational Measures

The Processor implements and maintains the following Technical and Organizational Measures in accordance with Article 32 of the GDPR and equivalent provisions of other Applicable Data Protection Laws.

Encryption

MeasureImplementation
Encryption in transitTLS 1.2+ enforced on all connections (HTTPS only); HSTS in force
Encryption at rest (database & object storage)AES-256, provider-managed
Encryption at rest (sensitive fields)Application-level AES-256-GCM on MFA secrets and OAuth refresh tokens, layered above provider-managed disk encryption
Password storageIrreversible bcrypt hash at industry-recommended cost
Session tokensEncrypted, server-issued, periodically rotated
Password reset & activation tokensCryptographically secure random, short-lived, single-use
MFA backup codesOne-way hashed; verified with constant-time comparison

Access Control

MeasureImplementation
Authentication methodsPassword + bcrypt, OAuth 2.0 SSO (Google Workspace, Microsoft Entra ID), TOTP multi-factor authentication (required for administrative roles)
Session managementEncrypted server-issued tokens with periodic refresh; sessions revocable per-device
Role-based accessComprehensive role catalog spanning school, leadership, specialist, platform, and partner contexts, plus a custom-role mechanism for tenant-defined permission sets
Permission resolutionThree-layer: built-in role defaults → tenant-level overrides → user-level overrides
Principle of least privilegeDefault role configurations follow least privilege; privileged role grants require two-person approval; soft compartmentalisation downgrades the operational admin when a domain specialist is appointed
Account statesActive / suspended / inactive status controls; abuse-detection auto-revocation across all devices on suspicious-activity spikes
Password requirementsPer-tenant configurable policy enforced at minimum complexity

Multi-Tenant Isolation

MeasureImplementation
Query-level isolationEvery tenant-scoped database query enforces a tenant filter
Cross-tenant preventionArchitecturally enforced; defense-in-depth scoping applied to all create / update / delete operations
Admin context switchingPlatform-side cross-tenant actions logged against the target tenant so customer admins see who accessed their data and when

Input Validation and Application Security

MeasureImplementation
Schema validationStrict schema validation on all API inputs
SQL injection preventionParameterized queries via ORM
Content sanitizationServer-side HTML sanitization on all user-generated content
File upload securityType, size, and content-type restrictions enforced; high-risk formats blocked
Rate limitingApplied to authentication, account creation, password reset, MFA verification, and public form submissions, backed by a distributed store
CORSCross-origin request restrictions configured
CSP / HSTS / X-Frame-OptionsRestrictive headers applied on every response

Monitoring and Audit

MeasureImplementation
Audit loggingAll significant actions logged with: user ID, role, action, entity, old/new values, IP, user agent, timestamp; auth-failure categories captured for security review
Error monitoringReal-time error monitoring with PII excluded by design from error reports
System healthAutomated monitoring with database and AI service health checks
Source map securitySource maps used for debugging and excluded from public production artefacts
Weekly governance digestSchool Owners receive a weekly summary of high-impact events (privilege changes, bulk deletes, abuse-detection triggers)

Infrastructure Security

MeasureImplementation
Cloud hostingSOC 2 Type II- and ISO 27001-aligned providers (listed in the Sub-processors page)
DDoS protectionEdge-level via the hosting provider's global infrastructure
Database connectionsConnection pooling with conservative per-instance limits and timeouts
DNS securityDNSSEC support

Backup and Recovery

MeasureImplementation
Database backupsContinuous replication with point-in-time recovery
File storageRedundant storage with automatic replication
Application architectureStateless — enables instant redeployment
Recovery Point Objective< 1 hour
Recovery Time Objective< 4 hours

Organizational Measures

MeasureImplementation
Personnel confidentialityNDAs and confidentiality agreements for all personnel with production access
Security trainingUpon onboarding and annually
Background checksFor all personnel with access to production systems
Access revocationImmediate upon role change or departure
Secure developmentCode reviews, automated dependency vulnerability scanning, pre-commit secret scanning, no hardcoded secrets
Incident responseDocumented procedures with severity classification and defined response times

Annex III: Standard Contractual Clauses

Where Personal Data is transferred from the EEA to a country without an adequacy decision, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference into this DPA.

Module Selection

ModuleApplicability
Module 2 (Controller to Processor)Applies to all transfers from Controller to Processor
Module 3 (Processor to Sub-processor)Applies to all transfers from Processor to authorized Sub-processors

Clause Selections

ClauseSelection
Clause 7 (Docking clause)Included — allows additional Controllers to accede
Clause 9(a) (Sub-processor authorization)Option 2 — General written authorization (with right to object per Section 6.4 of this DPA)
Clause 11 (Redress)Optional clause included
Clause 13 (Supervision)The supervisory authority of the EU Member State in which the Controller is established shall act as competent supervisory authority
Clause 17 (Governing law)Option 1 — The law of the EU Member State in which the Controller is established
Clause 18(b) (Forum)The courts of the EU Member State in which the Controller is established

UK International Data Transfer Addendum

For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated by reference.

Swiss Data Transfer Addendum

For transfers subject to the Swiss Federal Act on Data Protection (FADP), the SCCs apply with the modifications required to comply with the FADP, and the Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority.

Contact

Data Protection Officer: privacy@school-core.com Security Team: security@school-core.com Legal: legal@school-core.com

For urgent data protection matters, include "URGENT" in the email subject line.

Last updated: June 2026 · v1.0 — June 2026