Data Processing Addendum (DPA)
This Data Processing Addendum applies where Scholars Consult processes personal data on behalf of a school or educational institution using the platform.
1. Parties and role allocation
The customer school acts as Data Controller for personal data submitted to the platform. Scholars Consult acts as Data Processor and processes such data only on documented instructions from the Controller, unless otherwise required by law.
2. Processing scope
Processing activities may include collection, organization, storage, retrieval, consultation, transmission, backup, and secure deletion of student, parent, staff, and billing-related records necessary to provide contracted services.
3. Purpose limitation
Scholars Consult processes personal data solely to deliver, secure, support, and maintain the services, and for legal and compliance obligations connected to service delivery.
4. Controller instructions
The Controller is responsible for the lawfulness of processing instructions, lawful basis for processing, and communication consent management (including SMS consent and opt-out compliance where messaging modules are used).
5. Confidentiality and access controls
- Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Personnel with data access are subject to confidentiality obligations.
- Role-based access controls and tenant-level separation are applied in production systems.
6. Security measures
- Encryption in transit and secure authentication controls.
- Monitoring, logging, and incident response procedures.
- Backup and recovery controls for availability and resilience.
- Periodic security hardening and operational risk reviews.
7. Sub-processors
Scholars Consult may use sub-processors for infrastructure, communications, and payment operations. Sub-processors are engaged under data protection and confidentiality obligations materially consistent with this DPA.
8. Cross-border transfers
Where processing involves cross-border transfers, Scholars Consult implements safeguards designed to preserve an adequate level of protection, consistent with contractual commitments and applicable Ghana data protection principles.
9. Data subject requests
Scholars Consult will provide reasonable assistance to the Controller for responding to data subject access, correction, deletion, objection, and restriction requests, where technically feasible and legally required.
10. Security incidents and breach notification
Scholars Consult maintains incident management procedures and will notify the Controller without undue delay after becoming aware of a confirmed personal data breach affecting customer data, with available details for impact assessment and response.
11. Retention and deletion
Upon termination of services or written Controller instruction, personal data is returned, deleted, or anonymized within a reasonable timeframe, except where retention is required by law, dispute handling, or legitimate security records.
12. Audit and assurance
Upon reasonable request, Scholars Consult may provide information necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and operational safeguards.
13. Applicable law references
- Data Protection Act, 2012 (Act 843).
- Electronic Transactions Act, 2008 (Act 772).
- Cybersecurity Act, 2020 (Act 1038), where applicable.
This DPA is a general framework and does not replace institution-specific legal advice.