Parties
This Data Processing Agreement ("DPA") is entered into between:
- Customer ("Data Controller" or "Controller"): The school, educational institution, or organization that has agreed to the School-Core Terms of Service and subscribes to the Service.
- School-Core ("Data Processor" or "Processor"): The entity providing the School-Core platform and services as described in the Terms of Service.
This DPA forms part of, and is incorporated into, the Terms of Service ("Agreement") between the Controller and the Processor. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
Definitions
In this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meaning given in the Agreement, the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), or other applicable Data Protection Laws.
- "Applicable Data Protection Laws" means all laws and regulations relating to data protection and privacy applicable to the processing of Personal Data under this DPA, including but not limited to: GDPR, UK GDPR, FERPA, COPPA, CCPA/CPRA, POPIA, PDPA, LGPD, PIPEDA, and any national implementing legislation.
- "Authorized Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including students, parents/guardians, teachers, staff, and school administrators.
- "Data Subject Request" means a request made by a Data Subject to exercise their rights under Applicable Data Protection Laws.
- "EEA" means the European Economic Area.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Processing" (and its cognates "Process," "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "School Data" means all Personal Data that is uploaded to, created within, or processed through the Service by or on behalf of the Controller, including student records, staff records, parent/guardian information, health data, financial data, and behavioral data.
- "Service" means the School-Core cloud-based school management platform as described in the Agreement.
- "Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation; and includes "sensitive personal information" as defined under other Applicable Data Protection Laws.
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
- "Technical and Organizational Measures" means the security measures described in Annex II of this DPA and in the Processor's Security Policy.
Scope and Purpose of Processing
Subject Matter
The Processor shall process Personal Data on behalf of the Controller to provide the Service as described in the Agreement. The details of the processing are set out in Annex I.
Duration
Processing shall continue for the duration of the Agreement, plus any post-termination retention period as described in Section 12 and Annex I.
Nature and Purpose of Processing
The Processor processes Personal Data for the following purposes:
| Purpose | Description |
|---|---|
| Account Management | User registration, authentication, session management, role assignment |
| Academic Management | Curriculum delivery, timetabling, course enrollment, class assignments |
| Learning Management | Virtual classrooms, assignments, submissions, grading, feedback |
| Assessment & Reporting | Grade recording, report card generation, transcript production, analytics |
| Student Information | Student profiles, enrollment history, attendance tracking, behavior records |
| Health & Counseling | Health records, medical conditions, counseling notes, incident reports |
| Finance | Fee management, invoicing, payment processing, financial reporting |
| Communication | Messaging, announcements, meeting scheduling, notifications |
| Operations | Transport management, library records, hostel management, visitor logs, facility booking |
| HR & Staff Management | Employment records, payroll, attendance, contracts, recruitment, appraisals, CPD, disciplinary and grievance management |
| AI-Powered Features | AI tutoring (Study Buddy), quiz generation, lesson planning, grading assistance, report card comments, unit planning |
| Analytics & Dashboards | Statistical analysis, performance insights, operational metrics |
| Audit & Compliance | Audit logging, access tracking, compliance monitoring |
Categories of Data Subjects
- Students (including minors)
- Parents and guardians
- Teachers and academic staff
- Non-teaching staff (administrative, operational, support)
- School administrators and principals
- External visitors (visitor management)
- Job applicants (recruitment module)
Types of Personal Data
The categories of Personal Data processed are detailed in Annex I and include:
Identification Data: Full name, date of birth, gender, nationality, profile photographs, government-issued ID numbers (where provided by the school)
Contact Data: Email addresses, phone numbers, physical addresses, emergency contact details
Educational Data: Grades, assessment scores, attendance records, behavior records, learning progress, course enrollments, transcripts, class participation data, XP/gamification data
Health Data (Special Category): Medical conditions, allergies, medications, vaccination records, counseling notes, psychological assessments, health incident reports
Financial Data: Fee structures, payment records, salary information, bank details (for staff payroll), billing addresses
Employment Data: Employment contracts, job titles, department assignments, salary schedules, performance appraisals, CPD records, disciplinary records, grievance records, recruitment/applicant data, onboarding records
Technical Data: IP addresses, user agent strings, session tokens, login timestamps, device information
Behavioral Data: Behavior incidents, disciplinary records, reward/merit points, counseling referrals
Communication Data: Messages between users, announcements, meeting records, notification preferences
AI Interaction Data: Prompts sent to AI services, AI-generated responses, token usage counts
Controller Obligations
Lawful Basis
The Controller warrants that it has a lawful basis for processing Personal Data through the Service, and that all necessary consents, authorizations, and notices have been obtained or given in accordance with Applicable Data Protection Laws. In particular, the Controller shall:
(a) Obtain appropriate parental/guardian consent for the processing of children's data where required by law (e.g., COPPA for children under 13, GDPR for children under the age set by the applicable Member State)
(b) Provide adequate privacy notices to all Data Subjects whose data is processed through the Service
(c) Ensure that the processing of Special Category Data (health records, counseling notes) has a valid legal basis
(d) Maintain records of consent and lawful basis determinations
Instructions
The Controller shall provide documented instructions for the processing of Personal Data. The Agreement, this DPA, and the Controller's use of the Service constitute the Controller's complete and final instructions. Any additional or alternative instructions must be agreed in writing.
Compliance
The Controller is responsible for:
(a) Complying with Applicable Data Protection Laws in its capacity as Controller
(b) Ensuring the accuracy and lawfulness of Personal Data provided to the Processor
(c) Configuring access controls, permissions, and privacy settings within the Service appropriately
(d) Training Authorized Users on proper data handling within the Service
(e) Responding to Data Subject Requests (with the Processor's assistance as described in Section 7)
(f) Conducting Data Protection Impact Assessments ("DPIAs") where required
(g) Notifying the relevant supervisory authority and Data Subjects of Personal Data Breaches where required
FERPA Compliance (US Schools)
Where the Controller is a US educational institution subject to FERPA:
(a) The Controller designates the Processor as a "school official" with a "legitimate educational interest" under FERPA 34 CFR 99.31(a)(1)
(b) The Processor shall use education records solely for the purpose of providing the Service
(c) The Processor shall not disclose education records to third parties except as permitted under FERPA or as directed by the Controller
(d) The Controller retains control over education records and may request their return or deletion
Processor Obligations
Processing Instructions
The Processor shall:
(a) Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law)
(b) Not process Personal Data for any purpose other than providing the Service as described in the Agreement
(c) Not sell, rent, trade, or otherwise commercially exploit Personal Data
(d) Not use Personal Data for profiling, advertising, marketing, or any purpose unrelated to the Service
(e) Not use student data for targeted advertising or commercial purposes
Confidentiality
The Processor shall ensure that all personnel authorized to process Personal Data:
(a) Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
(b) Have received appropriate training on data protection responsibilities
(c) Process Personal Data only in accordance with the Controller's instructions
Security
The Processor shall implement and maintain appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, as described in Annex II and the Processor's Security Policy. These measures include:
(a) Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest, with additional application-level AES-256-GCM encryption on sensitive fields (MFA secrets, OAuth refresh tokens)
(b) Access Controls: Role-based access control covering school, leadership, specialist, platform, and partner contexts, with three-layer permission resolution (built-in defaults, tenant-level overrides, user-level overrides) and a custom-role mechanism for tenant-defined permission sets
(c) Authentication: Irreversible bcrypt password hashing at industry-recommended cost, encrypted server-issued session tokens with periodic refresh, OAuth 2.0 SSO with Google Workspace and Microsoft Entra ID, multi-factor authentication via TOTP (required for administrative roles), cryptographically secure single-use tokens for password reset and activation
(d) Multi-Tenant Isolation: Mandatory tenant filter on all database queries; cross-tenant access architecturally prevented with defense-in-depth scoping on all create / update / delete operations
(e) Input Validation: Schema validation on all API inputs, parameterized queries via the ORM layer, server-side HTML sanitization on user-generated content
(f) Rate Limiting: Applied to authentication, account creation, password reset, MFA verification, and public form submissions, backed by a distributed in-memory store
(g) Monitoring: Comprehensive audit logging (user identity, action, entity, previous/new values, IP address, user agent, timestamp); auth-failure categories captured for security review; real-time error monitoring with PII excluded by design
(h) Backup and Recovery: Continuous database replication with point-in-time recovery, RPO < 1 hour, RTO < 4 hours
Assistance
The Processor shall assist the Controller, taking into account the nature of processing and the information available to the Processor, in:
(a) Responding to Data Subject Requests (Section 7)
(b) Ensuring compliance with security obligations
(c) Notifying the Controller of Personal Data Breaches (Section 8)
(d) Conducting DPIAs and prior consultations with supervisory authorities where required
Records of Processing
The Processor shall maintain records of processing activities carried out on behalf of the Controller, containing:
(a) The name and contact details of the Processor and Controller
(b) The categories of processing carried out on behalf of the Controller
(c) Transfers of Personal Data to third countries or international organizations (including the transfer mechanism)
(d) A general description of Technical and Organizational Measures
Sub-processors
General Authorization
The Controller grants the Processor general written authorization to engage Sub-processors to process Personal Data, subject to the conditions in this Section 6.
Current Sub-processors
The Processor currently engages the following Sub-processors:
| Sub-processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Vercel Inc. | Application hosting, edge delivery | All application data, platform-generated files | Global (Edge Network) | SOC 2 Type II |
| Cloudflare Inc. | User file storage (R2) | User-uploaded documents, attachments, media | Configurable (region hints available) | SOC 2 Type II, ISO 27001 |
| Supabase Inc. (AWS) | PostgreSQL database hosting, connection pooling | All persistent data (full database) | Singapore (ap-southeast-1) | SOC 2 Type II, ISO 27001 |
| Upstash Inc. | Redis caching, rate limiting, AI budget tracking | Rate limit counters, AI token budgets, cached responses | Global | SOC 2 Type II |
| Sentry (Functional Software Inc.) | Error monitoring, performance tracking | Error reports, stack traces (PII excluded by design) | United States | SOC 2 Type II |
| Anthropic PBC | AI processing (Claude models) | AI prompts containing educational context (minimal PII) | United States | Enterprise DPA |
| OpenAI Inc. | AI processing (GPT models) | AI prompts containing educational context (minimal PII) | United States | Enterprise DPA, SOC 2 Type II |
| Google LLC | OAuth SSO authentication | Authentication tokens, basic profile (name, email) | Global | SOC 2 Type II, ISO 27001 |
| Microsoft Corporation | OAuth SSO authentication (Entra ID) | Authentication tokens, basic profile (name, email) | Global | SOC 2 Type II, ISO 27001 |
| Stripe Inc. | Payment processing for platform subscriptions, AI subscriptions, and partner payouts (school-collected parent fees do not flow through Stripe) | Card holder data captured directly by Stripe (never reaches our servers); Stripe customer + payment intent identifiers; billing address | United States / Global | PCI DSS Level 1, SOC 2 Type II, ISO 27001 |
| Resend Inc. | Transactional email delivery (password resets, billing notices, dunning emails, support replies, report-card distribution) | Email addresses, recipient names, message content | United States | SOC 2 Type II |
Notification of Changes
The Processor shall:
(a) Maintain an up-to-date list of Sub-processors, available upon request and at https://school-core.com/legal/sub-processors
(b) Notify the Controller at least 30 days in advance of any intended changes to the list of Sub-processors (additions or replacements)
(c) Provide sufficient information about the new Sub-processor to enable the Controller to exercise its right of objection
Right to Object
The Controller may object to a new Sub-processor by notifying the Processor in writing within 14 days of receiving notice. If the Controller objects on reasonable grounds related to data protection:
(a) The Processor shall use commercially reasonable efforts to make available an alternative arrangement that avoids the use of the objected-to Sub-processor
(b) If no alternative is reasonably available, either party may terminate the affected portion of the Service (or the Agreement) without penalty, and the Processor shall refund any prepaid fees for the unused portion of the Subscription Term
Sub-processor Obligations
The Processor shall:
(a) Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA
(b) Remain fully liable to the Controller for the performance of each Sub-processor's obligations
(c) Conduct appropriate due diligence on each Sub-processor's security practices and certifications
Live sub-processor registry
Primary database hosting
Data processed
All platform data (student records, staff records, academic data, communications)
Data location
Singapore (AWS ap-southeast-1)
Application hosting and edge delivery
Data processed
Application requests, server-side rendering, edge functions
Data location
Global (edge network)
File and document storage
Data processed
User-uploaded documents, attachments, profile images, certificates, report PDFs
Data location
Configurable (region hints available)
AI-powered educational features
Data processed
Prompts containing academic context (no PII stored by provider). See Privacy Policy §6 for details.
Data location
United States
Alternative AI processing for specific features
Data processed
Educational prompts (no PII stored by provider). See Privacy Policy §6 for details.
Data location
United States
Payment processing for subscriptions and billing
Data processed
Payment card details (handled directly by Stripe, never touches our servers), billing information
Data location
United States / Global
Transactional email delivery
Data processed
Email addresses, recipient names, email content (password resets, notifications, report card distribution)
Data location
United States
Error monitoring and performance tracking
Data processed
Error context, stack traces, performance metrics. Configured to exclude PII.
Data location
United States
Rate-limit counters and short-lived AI budget caches
Data processed
Rate-limit keys (IP, userId), AI token budgets, cached responses (no long-term PII).
Data location
Global (regional choice configurable)
Optional sign-in with Google Workspace and Google Drive personal-account connections
Data processed
Authentication tokens, basic profile (name, email). No customer data is shared with Google.
Data location
Global
Optional sign-in with Microsoft 365 / Entra and OneDrive personal-account connections
Data processed
Authentication tokens, basic profile (name, email). For OneDrive-connected users: file listing tokens scoped to the consenting user only.
Data location
Global
Data Subject Rights
Assistance with Requests
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to Data Subject Requests. These rights include:
| Right | GDPR Article | Implementation |
|---|---|---|
| Right of Access | Art. 15 | Data export via CSV/Excel/PDF; API access |
| Right to Rectification | Art. 16 | In-app editing by authorized users |
| Right to Erasure | Art. 17 | Account deactivation; data deletion upon request |
| Right to Restriction | Art. 18 | Account suspension; role-based access restriction |
| Right to Data Portability | Art. 20 | CSV/Excel export; PDF report generation |
| Right to Object | Art. 21 | Feature opt-out controls; AI feature disabling |
| Rights Related to Automated Decision-Making | Art. 22 | AI features are assistive only; no solely automated decisions with legal/significant effect |
Notification
The Processor shall promptly notify the Controller if it receives a Data Subject Request directly, unless prohibited by law. The Processor shall not respond to such requests except on the Controller's documented instructions, unless required by applicable law.
Technical Capabilities
The Service provides the following technical capabilities to support Data Subject Rights:
(a) Data Export: Built-in CSV, Excel, and PDF export for student records, grades, attendance, financial data, and reports
(b) Data Correction: Authorized users can update records through the Service interface
(c) Account Deactivation: User accounts can be set to SUSPENDED or INACTIVE status
(d) Data Deletion: Upon Controller request, specific records or entire tenant data can be permanently deleted
(e) Access Logging: Audit logs track all access to and modifications of Personal Data
(f) AI Opt-Out: AI-powered features can be disabled at the tenant level or restricted by role
Personal Data Breach
Notification
The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data.
Content of Notification
The notification shall include, to the extent available:
(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
(b) The name and contact details of the Processor's point of contact for further information
(c) A description of the likely consequences of the Personal Data Breach
(d) A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects
Ongoing Obligations
The Processor shall:
(a) Provide further information as it becomes available, in phases if necessary
(b) Take immediate steps to contain and remediate the breach
(c) Cooperate fully with the Controller's investigation and response efforts
(d) Preserve all relevant logs and evidence
(e) Not communicate directly with Data Subjects about the breach without the Controller's prior written approval, unless required by law
Documentation
The Processor shall maintain a register of all Personal Data Breaches, including:
(a) The facts relating to the breach
(b) Its effects
(c) The remedial action taken
(d) The outcome and lessons learned
International Data Transfers
Transfer Mechanisms
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that does not benefit from an adequacy decision, the Processor shall ensure that appropriate safeguards are in place, including:
(a) Standard Contractual Clauses (SCCs): The EU SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and form part of this DPA. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs applies. For transfers subject to the Swiss Federal Act on Data Protection, the applicable Swiss transfer mechanism applies.
(b) Transfer Impact Assessments: The Processor shall conduct and document transfer impact assessments for each Sub-processor located in a country without an adequacy decision, evaluating the laws and practices of the destination country.
(c) Supplementary Measures: Where transfer impact assessments identify risks, the Processor shall implement supplementary measures (technical, organizational, or contractual) to ensure an essentially equivalent level of protection.
Current Data Transfer Locations
| Data Category | Destination | Transfer Mechanism |
|---|---|---|
| Application data | Global (Vercel Edge) | SCCs + supplementary measures |
| Database (primary) | Singapore (AWS ap-southeast-1) | SCCs + AWS adequacy/certifications |
| File storage | Configurable region (Cloudflare R2) | SCCs + supplementary measures; region selection available |
| Rate limiting/caching | Global (Upstash) | SCCs + supplementary measures |
| Error monitoring | United States (Sentry) | SCCs + supplementary measures |
| AI processing | United States (Anthropic, OpenAI) | SCCs + enterprise DPAs |
| Authentication (OAuth) | Global (Google, Microsoft) | SCCs + adequacy decisions where applicable |
Controller Consent
By entering into this DPA, the Controller authorizes the transfers described in Section 9.2. The Controller acknowledges that the Service requires certain international transfers to function and that the Processor has implemented appropriate safeguards for such transfers.
Audit Rights
Information and Audit
The Processor shall:
(a) Make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws
(b) Allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the conditions in this Section 10
Audit Procedure
(a) The Controller shall give the Processor at least 30 days' written notice of any planned audit
(b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
(c) The Controller shall bear the costs of audits initiated by the Controller (except where the audit reveals material non-compliance by the Processor)
(d) The scope of audits shall be limited to the Processor's processing of Personal Data under this DPA
(e) The Controller and its auditor shall be bound by confidentiality obligations regarding any proprietary or confidential information accessed during the audit
Third-Party Certifications
The Processor may satisfy audit requirements by providing:
(a) Copies of relevant third-party audit reports or certifications (e.g., SOC 2 Type II reports of Sub-processors)
(b) Summaries of penetration test results
(c) Completed security questionnaires or self-assessment reports
(d) Evidence of compliance with the Technical and Organizational Measures described in Annex II
Regulatory Audits
The Processor shall cooperate with any audit or investigation by a supervisory authority or regulatory body with jurisdiction over the Controller's processing activities, to the extent such cooperation is required by Applicable Data Protection Laws.
Data Retention and Deletion
During the Agreement
During the term of the Agreement, the Processor shall retain Personal Data as necessary to provide the Service and in accordance with the Controller's instructions. The following automated retention policies apply:
| Data Type | Retention Period | Action |
|---|---|---|
| Read notifications | 90 days | Automatic batch deletion |
| XP transaction details (individual records) | 2 years | Automatic deletion (aggregated profile totals preserved) |
| XP profile aggregates (totalXp, annualXp, level, tier, streaks) | Duration of student enrollment | Retained to support multi-year cumulative progression and year-over-year peer comparisons |
| AI usage summaries | 1 year | Automatic deletion |
| Password reset tokens | 1 hour | Automatic nullification |
| Expired session tokens | On refresh (15 min cycle) | Automatic invalidation |
| Audit logs | 3 years | 1 year active in production database, 2 years archived in cold storage, then permanently deleted |
Post-Termination
Upon termination or expiry of the Agreement:
(a) The Controller shall have 30 days to export all Personal Data using the Service's export functionality
(b) After the 30-day export period, the Processor shall delete all Personal Data within 60 days (90 days total from termination)
(c) Deletion shall be permanent and irreversible, including from backups (within the normal backup rotation cycle)
(d) The Processor shall certify deletion in writing upon the Controller's request
Exceptions to Deletion
The Processor may retain Personal Data beyond the periods specified above where:
(a) Required by applicable law or regulation (e.g., financial records, tax obligations)
(b) Necessary for the establishment, exercise, or defense of legal claims
(c) Required by a valid legal hold or preservation order
In such cases, the Processor shall inform the Controller, isolate the retained data, and apply appropriate security measures. Retained data shall be deleted once the retention obligation expires.
Term and Termination of DPA
Term
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon the termination or expiry of the Agreement, subject to Section 11.2 (post-termination data handling).
Survival
The following provisions shall survive termination of this DPA:
(a) Section 5.2 (Confidentiality)
(b) Section 8 (Personal Data Breach) — to the extent any breach is discovered post-termination
(c) Section 10 (Audit Rights) — for a period of 12 months after termination
(d) Section 11 (Data Retention and Deletion)
(e) Section 13 (Liability)
(f) Annex II (Technical and Organizational Measures) — for as long as the Processor retains any Personal Data
Liability
Allocation
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except as provided in this Section 13.
Processor Liability
The Processor shall be liable for damage caused by processing only where it has:
(a) Not complied with obligations under Applicable Data Protection Laws specifically directed to processors
(b) Acted outside or contrary to the Controller's lawful instructions
(c) Failed to implement the Technical and Organizational Measures described in Annex II
Controller Liability
The Controller shall be liable for damage caused by processing where it has:
(a) Not complied with its obligations under Applicable Data Protection Laws as Controller
(b) Provided unlawful or contradictory instructions to the Processor
(c) Failed to fulfill its obligations under Section 4 of this DPA
Indemnification
Each party shall indemnify the other against all claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from the indemnifying party's breach of this DPA or Applicable Data Protection Laws.
No Limitation for Certain Breaches
Nothing in this DPA or the Agreement shall limit either party's liability for:
(a) Fraud or fraudulent misrepresentation
(b) Willful misconduct or gross negligence in handling Personal Data
(c) Liability that cannot be excluded or limited under Applicable Data Protection Laws
Governing Law
This DPA
This DPA shall be governed by the same governing law as the Agreement, unless otherwise required by Applicable Data Protection Laws.
Standard Contractual Clauses
Where the SCCs apply, they shall be governed by the law of the EU Member State in which the Controller is established (or, where the Controller is not established in an EU Member State, the law of the EU Member State designated in the SCCs).
Regulatory Compliance
Nothing in this DPA shall limit the rights of supervisory authorities, regulatory bodies, or Data Subjects under Applicable Data Protection Laws.
General Provisions
Entire Agreement
This DPA, together with its Annexes and the Agreement, constitutes the entire agreement between the parties regarding the processing of Personal Data.
Amendments
This DPA may be amended by the Processor to reflect changes in Applicable Data Protection Laws or processing practices. Material changes shall be notified to the Controller at least 30 days in advance.
Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Order of Precedence
In the event of a conflict between this DPA and the Agreement:
- Applicable Data Protection Laws (mandatory provisions)
- Standard Contractual Clauses (where applicable)
- This DPA
- The Agreement
Annex I: Details of Processing
A. List of Parties
Controller:
- Name: [Customer name as per Agreement]
- Address: [Customer address]
- Contact person: [Customer DPO or authorized contact]
- Role: Data Controller
Processor:
- Name: School-Core
- Address: Available on request via privacy@school-core.com (full address is provided when both parties countersign this DPA)
- Contact person: privacy@school-core.com
- Role: Data Processor
B. Description of Processing
| Element | Detail |
|---|---|
| Subject matter | Provision of cloud-based school management platform |
| Duration | Duration of the Agreement plus post-termination retention period (up to 90 days) |
| Nature of processing | Collection, storage, organization, structuring, retrieval, consultation, use, disclosure by transmission (to authorized users), alignment, combination, restriction, erasure, destruction |
| Purpose | To provide the Service (school management, academic operations, student information, HR, finance, communication, AI-assisted education) as described in the Agreement |
C. Categories of Data Subjects
| Category | Description |
|---|---|
| Students | Current and former students enrolled at the Controller's institution(s), including minors |
| Parents/Guardians | Parents, legal guardians, and authorized family contacts of students |
| Teaching Staff | Teachers, tutors, teaching assistants, and other academic personnel |
| Non-Teaching Staff | Administrative, operational, financial, HR, IT, library, transport, and support staff |
| School Leadership | Principals, vice-principals, department heads, school administrators |
| External Persons | Visitors (visitor management module), job applicants (recruitment module) |
D. Categories of Personal Data
| Category | Data Elements |
|---|---|
| Identity | First name, last name, preferred name, date of birth, gender, nationality, profile photo, government ID numbers |
| Contact | Email address, phone number, physical address, emergency contacts |
| Authentication | Hashed password (bcrypt-12), OAuth tokens (encrypted), session tokens (JWT), password reset tokens |
| Academic | Grades, scores, GPA, class enrollment, attendance, timetable, subjects, learning objectives, submissions, feedback, XP points, achievements, graduation progress |
| Health (Special Category) | Medical conditions, allergies, medications, blood type, vaccination records, health incidents, counseling notes, psychological assessments |
| Behavioral | Behavior incidents, merit/demerit points, disciplinary records, reward transactions |
| Financial | Fee amounts, payment history, invoices, scholarship/bursary details, salary information (staff), bank account details (staff payroll) |
| Employment (Staff) | Job title, department, employment dates, contract type/terms, salary schedule, pay runs, attendance records, leave balances, performance appraisals, CPD records, disciplinary cases, grievance cases, onboarding checklists, recruitment/applicant data |
| Communication | Messages, announcements, meeting records, notification preferences, chat history |
| Technical | IP address, user agent, browser/device info, login timestamps, session data |
| AI Interactions | Prompts, responses, feature used, token count, model used |
| Audit | User ID, action type, entity affected, old/new values, timestamp, IP address, user agent |
E. Special Categories of Data
| Special Category | Lawful Basis (Controller Responsibility) | Additional Safeguards |
|---|---|---|
| Health data | Explicit consent or vital interests; school's legitimate educational function | Role-restricted access (School Nurse, Counselor, relevant admin roles); encrypted at rest |
| Counseling notes | Explicit consent or legitimate interests with safeguards | Restricted to Counselor and authorized admin roles only |
| Religious/ethnic data | Where collected for demographic purposes with consent | Optional fields; not required for core functionality |
| Biometric data | Not collected | N/A |
| Children's data | Parental/school consent (COPPA, GDPR Art. 8) | Age-appropriate defaults; school-mediated consent model; no direct marketing |
F. Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Active student records | Duration of enrollment + end of academic year | Educational purpose |
| Alumni records | As directed by Controller | Controller instruction |
| Staff employment records | Duration of employment + as directed by Controller | Employment purpose, legal requirements |
| Health records | As directed by Controller | Legal and safeguarding requirements |
| Financial records | As directed by Controller (minimum per applicable law) | Legal and tax obligations |
| Audit logs | 3 years | Compliance and dispute resolution (1 year active + 2 years archived) |
| AI interaction data | 1 year (aggregated summaries) | Usage monitoring |
| Read notifications | 90 days | System maintenance |
| All data post-termination | 90 days | Data export period, then permanent deletion |
Annex II: Technical and Organizational Measures
The Processor implements and maintains the following Technical and Organizational Measures in accordance with Article 32 of the GDPR and equivalent provisions of other Applicable Data Protection Laws.
Encryption
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ enforced on all connections (HTTPS only); HSTS in force |
| Encryption at rest (database & object storage) | AES-256, provider-managed |
| Encryption at rest (sensitive fields) | Application-level AES-256-GCM on MFA secrets and OAuth refresh tokens, layered above provider-managed disk encryption |
| Password storage | Irreversible bcrypt hash at industry-recommended cost |
| Session tokens | Encrypted, server-issued, periodically rotated |
| Password reset & activation tokens | Cryptographically secure random, short-lived, single-use |
| MFA backup codes | One-way hashed; verified with constant-time comparison |
Access Control
| Measure | Implementation |
|---|---|
| Authentication methods | Password + bcrypt, OAuth 2.0 SSO (Google Workspace, Microsoft Entra ID), TOTP multi-factor authentication (required for administrative roles) |
| Session management | Encrypted server-issued tokens with periodic refresh; sessions revocable per-device |
| Role-based access | Comprehensive role catalog spanning school, leadership, specialist, platform, and partner contexts, plus a custom-role mechanism for tenant-defined permission sets |
| Permission resolution | Three-layer: built-in role defaults → tenant-level overrides → user-level overrides |
| Principle of least privilege | Default role configurations follow least privilege; privileged role grants require two-person approval; soft compartmentalisation downgrades the operational admin when a domain specialist is appointed |
| Account states | Active / suspended / inactive status controls; abuse-detection auto-revocation across all devices on suspicious-activity spikes |
| Password requirements | Per-tenant configurable policy enforced at minimum complexity |
Multi-Tenant Isolation
| Measure | Implementation |
|---|---|
| Query-level isolation | Every tenant-scoped database query enforces a tenant filter |
| Cross-tenant prevention | Architecturally enforced; defense-in-depth scoping applied to all create / update / delete operations |
| Admin context switching | Platform-side cross-tenant actions logged against the target tenant so customer admins see who accessed their data and when |
Input Validation and Application Security
| Measure | Implementation |
|---|---|
| Schema validation | Strict schema validation on all API inputs |
| SQL injection prevention | Parameterized queries via ORM |
| Content sanitization | Server-side HTML sanitization on all user-generated content |
| File upload security | Type, size, and content-type restrictions enforced; high-risk formats blocked |
| Rate limiting | Applied to authentication, account creation, password reset, MFA verification, and public form submissions, backed by a distributed store |
| CORS | Cross-origin request restrictions configured |
| CSP / HSTS / X-Frame-Options | Restrictive headers applied on every response |
Monitoring and Audit
| Measure | Implementation |
|---|---|
| Audit logging | All significant actions logged with: user ID, role, action, entity, old/new values, IP, user agent, timestamp; auth-failure categories captured for security review |
| Error monitoring | Real-time error monitoring with PII excluded by design from error reports |
| System health | Automated monitoring with database and AI service health checks |
| Source map security | Source maps used for debugging and excluded from public production artefacts |
| Weekly governance digest | School Owners receive a weekly summary of high-impact events (privilege changes, bulk deletes, abuse-detection triggers) |
Infrastructure Security
| Measure | Implementation |
|---|---|
| Cloud hosting | SOC 2 Type II- and ISO 27001-aligned providers (listed in the Sub-processors page) |
| DDoS protection | Edge-level via the hosting provider's global infrastructure |
| Database connections | Connection pooling with conservative per-instance limits and timeouts |
| DNS security | DNSSEC support |
Backup and Recovery
| Measure | Implementation |
|---|---|
| Database backups | Continuous replication with point-in-time recovery |
| File storage | Redundant storage with automatic replication |
| Application architecture | Stateless — enables instant redeployment |
| Recovery Point Objective | < 1 hour |
| Recovery Time Objective | < 4 hours |
Organizational Measures
| Measure | Implementation |
|---|---|
| Personnel confidentiality | NDAs and confidentiality agreements for all personnel with production access |
| Security training | Upon onboarding and annually |
| Background checks | For all personnel with access to production systems |
| Access revocation | Immediate upon role change or departure |
| Secure development | Code reviews, automated dependency vulnerability scanning, pre-commit secret scanning, no hardcoded secrets |
| Incident response | Documented procedures with severity classification and defined response times |
Annex III: Standard Contractual Clauses
Where Personal Data is transferred from the EEA to a country without an adequacy decision, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference into this DPA.
Module Selection
| Module | Applicability |
|---|---|
| Module 2 (Controller to Processor) | Applies to all transfers from Controller to Processor |
| Module 3 (Processor to Sub-processor) | Applies to all transfers from Processor to authorized Sub-processors |
Clause Selections
| Clause | Selection |
|---|---|
| Clause 7 (Docking clause) | Included — allows additional Controllers to accede |
| Clause 9(a) (Sub-processor authorization) | Option 2 — General written authorization (with right to object per Section 6.4 of this DPA) |
| Clause 11 (Redress) | Optional clause included |
| Clause 13 (Supervision) | The supervisory authority of the EU Member State in which the Controller is established shall act as competent supervisory authority |
| Clause 17 (Governing law) | Option 1 — The law of the EU Member State in which the Controller is established |
| Clause 18(b) (Forum) | The courts of the EU Member State in which the Controller is established |
UK International Data Transfer Addendum
For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated by reference.
Swiss Data Transfer Addendum
For transfers subject to the Swiss Federal Act on Data Protection (FADP), the SCCs apply with the modifications required to comply with the FADP, and the Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority.
Contact
Data Protection Officer: privacy@school-core.com Security Team: security@school-core.com Legal: legal@school-core.com
For urgent data protection matters, include "URGENT" in the email subject line.
Last updated: June 2026 · v1.0 — June 2026