1. Purpose
This DPA governs the processing of personal data by the Processor on behalf of the Controller.
Objectives:
- Define responsibilities of both parties
- Ensure lawful data processing
- Establish security and compliance obligations
2. Scope
This DPA applies to:
- All personal data processed through the platform
- All operations performed on behalf of the Institution
- All users (students, parents, staff, administrators)
3. Definitions
For clarity and enforceability:
- Personal Data: Any information relating to an identifiable individual
- Sensitive Personal Data (SPDI): Data defined under Indian SPDI Rules (e.g., financial data, passwords)
- Processing: Collection, storage, use, transmission, or deletion of data
- Controller: Institution determining purpose and means of processing
- Processor: Campus 24x7 processing data on behalf of Controller
- Sub-processor: Third-party service provider engaged by Processor
- Data Subject: Individual whose data is processed (student, parent, staff)
- Data Breach: Unauthorized access, disclosure, or loss of data
4. Roles and Relationship
4.1 Controller (Institution)
The Institution:
- Determines purpose and lawful basis of processing
- Controls what data is collected
- Is responsible for compliance with applicable laws
4.2 Processor (Campus 24x7)
Campus 24x7:
- Processes data only on documented instructions from the Controller
- Does not independently decide purpose of processing
- Implements technical and organizational safeguards
4.3 No Joint Control
- Parties are not joint controllers
- Responsibilities are clearly separated
5. Nature and Purpose of Processing
5.1 Nature of Processing
Processing includes:
- Collection
- Storage
- Organization
- Retrieval
- Transmission
- Deletion
5.2 Purpose of Processing
- Student lifecycle management
- Attendance tracking
- Fee and financial management
- Examination and reporting
- Communication (SMS/email/in-app notifications/WhatsApp Business API transactional messages)
6. Categories of Data Subjects
Data subjects include:
- Students (including minors)
- Parents/guardians
- Teachers and staff
- Institutional administrators
7. Categories of Personal Data
7.1 General Personal Data
- Name
- Contact details
- Role/designation
7.2 Student Data
- Academic records
- Attendance
- Communication data
7.3 Sensitive Personal Data (SPDI)
- Financial data (fees, transactions)
- Login credentials (hashed passwords)
7.4 Technical Data
- IP address
- Device information
- Usage logs
8. Duration of Processing
- Processing continues for the duration of the subscription
- Post-termination:
- Data retained per Privacy Policy
- Deleted or anonymized after retention period
9. Processor Obligations
Campus 24x7 (Processor) shall:
9.1 Process Data Only on Instructions
- Process personal data strictly based on documented instructions from the Institution
- Not use data for independent purposes
- Not sell, rent, or commercially exploit data
9.2 Ensure Lawful Processing Support
- Assist the Controller in meeting legal obligations
- Provide necessary tools (logs, exports, controls) for compliance
9.3 No Unauthorized Disclosure
Not disclose personal data to third parties without:
- Authorization from Controller, or
- Legal obligation
9.4 Data Minimization
- Process only data necessary for service delivery
- Avoid excessive or unnecessary data handling
9.5 Accuracy Support
Provide mechanisms for:
- Data correction
- Updates by authorized users
10. Security Measures (Technical & Organizational)
The Processor implements layered security aligned with industry practices.
10.1 Infrastructure Security
- Hosted on Hostinger VPS
- Server hardening (SSH keys, firewall, restricted access)
- Environment isolation (production/staging/dev)
10.2 Network Security
- HTTPS (TLS 1.2+) encryption
- Reverse proxy via Nginx
- Rate limiting and request throttling
10.3 Application Security
- Backend: NestJS with validation pipelines
- Frontend: React (TypeScript)
- Protection against:
- SQL Injection
- XSS
- CSRF
10.4 Authentication & Access
- Password hashing (bcrypt)
- Multi-Factor Authentication (MFA) for privileged users
- JWT-based authentication
- Session expiration controls
10.5 Authorization Controls
- Role-Based Access Control (RBAC)
- Custom permissions per institution
- Strict API-level enforcement
10.6 Multi-Tenant Isolation
- Institution-scoped queries
- Middleware validation to prevent cross-tenant access
10.7 Logging & Monitoring
Centralized managed logging
Monitoring of:
- Login activity
- Data changes
- Suspicious events
10.8 Backup & Recovery
- Automated backups
- Secure storage
- Periodic restoration testing
10.9 Vulnerability Management
- Regular updates of dependencies
- Security patches applied
- Periodic vulnerability assessments
11. Confidentiality
11.1 Personnel Confidentiality
- All personnel with access to data are bound by confidentiality obligations
- Access limited based on role and necessity
11.2 Data Access Restriction
- Access granted only to authorized personnel
- Strict access control enforcement
11.3 Non-Disclosure
Data shall not be disclosed except:
- As required for service delivery
- As required by law
12. Security Incident Management
12.1 Incident Detection
Continuous monitoring systems detect anomalies
12.2 Response Process
- Immediate containment
- Investigation and root cause analysis
- Mitigation and remediation
12.3 Notification Obligation
Controller notified within a reasonable timeframe
Includes:
- Nature of breach
- Affected data
- Mitigation actions
13. Use of Sub-processors
The Processor may engage third-party service providers ("Sub-processors") to support service delivery.
13.1 Authorized Sub-processors
The following sub-processors are currently authorized:
| Sub-processor | Entity | Purpose | Data Transferred | Location |
|---|---|---|---|---|
| Hostinger VPS | Hostinger International Ltd. | Infrastructure hosting and data storage | All institutional and user data | EU (Lithuania) |
| Payment Gateways | Third-party certified payment processors | Fee transaction processing | Transaction IDs, payment status | India |
| SMS/Email Providers | Third-party communication services | Transactional SMS and email delivery | Phone numbers, email addresses | India |
| Meta Platforms (WhatsApp Business Cloud API) | Meta Platforms Ireland Limited (outside US/Canada/Brazil) / Meta Platforms Inc. (US/Canada/Brazil) | WhatsApp transactional notification delivery on behalf of the Institution | Institution identifier, end-user phone numbers, approved message template content, message delivery status | United States / Ireland (Meta infrastructure) |
The Processor will maintain this list and notify the Controller of any material changes to sub-processors.
13.2 Conditions for Engagement
The Processor ensures that all Sub-processors:
- Are bound by written agreements
- Provide equivalent data protection obligations
- Process data only for defined purposes
- Maintain appropriate security standards
13.3 Responsibility
- The Processor remains fully liable for actions of Sub-processors
- Any failure by Sub-processors is treated as failure of the Processor
13.4 Sub-processor Transparency
- A list of Sub-processors should be maintained and made available to the Controller
- Updates to Sub-processors will be communicated where materially relevant
14. International Data Transfers
14.1 General Principle
Data is primarily processed within infrastructure selected by the Processor
14.2 Cross-Border Transfers
If data is transferred outside India:
- Transfers are limited to necessary services
- Appropriate safeguards are implemented
- Data protection obligations remain equivalent
14.3 Safeguards
Safeguards may include:
- Contractual obligations with vendors
- Secure transmission (encryption)
- Access restrictions
15. Assistance with Data Subject Rights
The Processor assists the Controller in responding to requests from Data Subjects.
15.1 Types of Requests
- Access requests
- Correction requests
- Deletion requests
- Restriction of processing
15.2 Mechanism
Support includes:
- Providing data access tools
- Enabling data export
- Supporting deletion or modification
15.3 Limitation
- Processor does not directly respond to end users
- All requests must be routed through the Controller
16. Audit and Compliance Rights
16.1 Audit Support
The Processor shall:
- Provide reasonable information demonstrating compliance
- Offer access to:
- Security documentation
- Policies and procedures
16.2 Audit Methods
Audits may include:
- Documentation review
- System-generated audit logs
- Compliance reports
16.3 Restrictions
Audits must:
- Be reasonable and not disrupt operations
- Respect confidentiality and security controls
16.4 Audit Costs
Unless otherwise agreed:
Audit costs are borne by the Controller
17. Record Keeping
The Processor maintains records of:
- Processing activities
- Security measures
- Incident reports
18. Compliance Cooperation
The Processor shall:
Cooperate with the Controller in:
- Regulatory inquiries
- Compliance verification
19. Data Return and Deletion
19.1 Upon Termination or Expiry
Upon termination of the agreement or subscription:
The Controller may request:
- Full data export, or
- Data deletion
19.2 Data Export
Data will be provided in a structured, commonly used format
Export may include:
- Student records
- Academic data
- Financial records
- User data
19.3 Data Deletion
Upon valid request:
Data will be:
- Permanently deleted from active systems, or
- Anonymized where deletion is not immediately feasible
19.4 Backup Deletion Limitation
- Data may remain in backups temporarily
- Complete deletion occurs after backup rotation cycles
19.5 Deletion Timeline
Standard deletion timeline: within 30 days of verified request
20. Retention After Termination
If no deletion request is made:
Data may be retained for:
- Up to 12-24 months
Purpose:
- Reactivation
- Legal compliance
- Dispute handling
21. Liability (DPA-Specific)
21.1 Processor Liability
The Processor is liable only for:
- Breach of obligations explicitly defined in this DPA
- Failure to implement agreed security measures
21.2 Exclusions
The Processor is NOT liable for:
- Actions or omissions of the Controller
- Improper data collection by the Institution
- Misuse of credentials
- Unauthorized access caused by Controller negligence
21.3 Liability Cap
Total liability under this DPA shall not exceed:
Amount paid by the Controller in the last billing cycle
22. Indemnification
The Controller agrees to indemnify and hold harmless the Processor against:
- Claims arising from unlawful data collection
- Failure to obtain required consent
- Violations of applicable data protection laws
- Misuse of personal data by the Institution
23. Termination of DPA
23.1 Linked to Main Agreement
This DPA is automatically terminated upon termination of the main service agreement
23.2 Survival of Clauses
The following obligations survive termination:
- Confidentiality
- Data protection obligations
- Liability clauses
- Data deletion obligations
24. Conflict with Other Documents
In case of conflict:
- DPA prevails for data protection matters
- Then Privacy Policy
- Then Terms & Conditions
25. Amendments
- This DPA may be updated periodically
- Material changes will be communicated
- Continued use implies acceptance
26. Governing Law
This DPA is governed by:
Laws of India
27. Jurisdiction
All disputes shall be subject to exclusive jurisdiction of courts located in:
Punjab, India
28. Contact Information
For data protection and DPA-related queries:
Email: info@campus24x7.in
29. Meta WhatsApp Business API - Data Processing Addendum
29.1 Scope of this Addendum
This section governs the specific data processing activities that occur when the Institution activates the WhatsApp Business notification feature powered by Meta's WhatsApp Business Cloud API. It supplements all other sections of this DPA and prevails in case of conflict specifically for WhatsApp-related data processing.
29.2 Role Clarification for WhatsApp Data Flows
For WhatsApp notification processing, the roles are structured as follows:
- The Institution is the end operator (Client) of the WhatsApp Business Account (WABA) and the Data Controller for end-user phone numbers and communication content
- Campus 24x7 is the Tech Provider and Data Processor, processing data on behalf of the Institution to deliver notifications via Meta's API
- Meta Platforms Ireland Limited / Meta Platforms Inc. is an independent sub-processor engaged by Campus 24x7 to deliver messages over the WhatsApp network
- Meta operates under its own WhatsApp Business Terms of Service and Privacy Policy for data it processes on its own infrastructure
29.3 Data Flows - What is Transferred to Meta
When a WhatsApp notification is triggered, the following data is transmitted from Campus 24x7's systems to Meta's WhatsApp Business Cloud API:
- Institution's WhatsApp Business Account (WABA) identifier
- End-user phone number (in E.164 international format)
- Pre-approved message template name and approved variable values (e.g., student name, fee amount, date)
- Message delivery request metadata (timestamp, request ID)
The following data is NOT transmitted to Meta:
- Student academic records
- Financial account details or payment credentials
- Attendance raw records
- Any data beyond what is necessary for message delivery
29.4 Data Received from Meta
Campus 24x7 receives the following data back from Meta's API:
- Message delivery status (sent, delivered, read, failed)
- WhatsApp message ID
- Timestamp of delivery events
- Error codes in case of delivery failure
This data is used solely for delivery confirmation, support, and audit logging. It is not used for profiling, analytics beyond operational reporting, or any commercial purpose.
29.5 Retention of WhatsApp Message Data
- Message delivery logs (status, timestamp, message ID) are retained for a maximum of 90 days for operational support and audit purposes
- Actual message content (template variables) is not stored beyond the point of successful API submission
- Phone numbers used for WhatsApp delivery are retained only as part of the user's active profile in the platform and are deleted in accordance with the standard data deletion process (Section 19)
- Upon termination of WhatsApp integration by the Institution, all WhatsApp-specific delivery logs are deleted within 30 days
29.6 International Data Transfer - Meta
The engagement of Meta as a sub-processor for WhatsApp message delivery constitutes an international transfer of personal data (specifically end-user phone numbers) outside India, to Meta's infrastructure in the United States and/or Ireland.
Safeguards in place:
- Campus 24x7 engages Meta under Meta's Business Messaging Technology Provider Terms, which include contractual data protection obligations
- Data transmitted is limited strictly to what is necessary for message delivery (data minimization)
- Transmission is encrypted using TLS 1.2+ at all times
- The Institution, by activating the WhatsApp feature, acknowledges and authorizes this international transfer for the purpose of WhatsApp notification delivery
The Institution is responsible for ensuring its end users are made aware that their phone numbers will be processed by Meta's infrastructure for message delivery, in accordance with applicable Indian law.
29.7 Meta's Independent Data Processing
Campus 24x7 acknowledges that Meta may independently process certain data (such as message metadata, delivery analytics, and platform integrity data) in accordance with Meta's own Privacy Policy and WhatsApp Business Terms of Service. This independent processing by Meta is outside the scope of this DPA and Campus 24x7's control. The Institution should review Meta's applicable policies for a complete understanding of Meta's data processing practices.
29.8 Data Subject Rights - Meta-Originated Requests
If Meta receives and communicates a Data Subject Rights (DSR) request (access, correction, deletion, or restriction) related to data processed in connection with the Institution's WABA or WhatsApp notifications:
- Campus 24x7 will notify the Institution within 48 hours of receiving such communication from Meta
- Campus 24x7 will provide the Institution with all information available to fulfil the request
- The Institution (as Data Controller) is responsible for determining the appropriate response and directing Campus 24x7 accordingly
- Campus 24x7 will execute the Institution's instructions within 30 days, subject to technical feasibility
- Campus 24x7 will not independently respond to or fulfil Meta-originated DSR requests without the Institution's authorization, except where required by applicable law or Meta's Platform Terms
29.9 Institution's Obligations for WhatsApp Data Processing
By activating the WhatsApp notification feature, the Institution warrants and agrees that:
- It has obtained valid, explicit opt-in consent from all end users (parents/students/guardians) for receiving WhatsApp communications from the Institution
- It has lawfully collected and is entitled to provide end-user phone numbers to Campus 24x7 for WhatsApp delivery
- All message content submitted for template approval and delivery is accurate, lawful, and compliant with Meta's WhatsApp messaging policies and applicable Indian law (including TRAI regulations)
- It will maintain records of end-user opt-in consents and make them available to Campus 24x7 or Meta upon request
- It will promptly notify Campus 24x7 of any opt-out or unsubscribe requests received from end users, so that Campus 24x7 can suppress further WhatsApp messages to those users
29.10 Campus 24x7's Obligations for WhatsApp Data Processing
Campus 24x7 (as Processor and Tech Provider) shall:
- Process end-user phone numbers and message data solely for the purpose of delivering the Institution's approved WhatsApp notifications
- Not use Meta Platform Data (data received from or via Meta's APIs) for any purpose other than transactional message delivery and operational support
- Not combine Meta Platform Data with data from other sources for profiling, advertising, or any commercial purpose
- Not attempt to re-identify, reverse-engineer, or augment Meta Platform Data
- Maintain API credentials (access tokens, webhook verification tokens) securely - stored encrypted, never exposed to the Institution or end users, rotated periodically and immediately upon suspected compromise
- Delete Meta Platform Data in accordance with Section 29.5 of this Addendum
- Notify the Institution within 48 hours of any breach or suspected breach involving WhatsApp message data
29.11 Termination of WhatsApp Processing
Upon termination of the WhatsApp integration (whether by the Institution's request, non-payment, Meta's enforcement action, or any other reason):
- Campus 24x7 will cease all WhatsApp API calls for the Institution within 24 hours of termination
- Message delivery logs will be made available to the Institution for export for a period of 30 days post-termination
- All WhatsApp-specific data (delivery logs, WABA configuration) will be permanently deleted within 30 days of the export window closing
- Campus 24x7 will initiate WABA off-boarding from its Tech Provider account in accordance with Meta's procedures