Data Processing Agreement (DPA)

Effective Date: 30 March 2026

Platform: Campus 24x7 - School ERP System

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between:

  • Campus 24x7 ("Processor", "Service Provider"), and
  • The subscribing educational institution ("Controller", "Institution")

1. Purpose

This DPA governs the processing of personal data by the Processor on behalf of the Controller.

Objectives:

  • Define responsibilities of both parties
  • Ensure lawful data processing
  • Establish security and compliance obligations

2. Scope

This DPA applies to:

  • All personal data processed through the platform
  • All operations performed on behalf of the Institution
  • All users (students, parents, staff, administrators)

3. Definitions

For clarity and enforceability:

  • Personal Data: Any information relating to an identifiable individual
  • Sensitive Personal Data (SPDI): Data defined under Indian SPDI Rules (e.g., financial data, passwords)
  • Processing: Collection, storage, use, transmission, or deletion of data
  • Controller: Institution determining purpose and means of processing
  • Processor: Campus 24x7 processing data on behalf of Controller
  • Sub-processor: Third-party service provider engaged by Processor
  • Data Subject: Individual whose data is processed (student, parent, staff)
  • Data Breach: Unauthorized access, disclosure, or loss of data

4. Roles and Relationship

4.1 Controller (Institution)

The Institution:

  • Determines purpose and lawful basis of processing
  • Controls what data is collected
  • Is responsible for compliance with applicable laws

4.2 Processor (Campus 24x7)

Campus 24x7:

  • Processes data only on documented instructions from the Controller
  • Does not independently decide purpose of processing
  • Implements technical and organizational safeguards

4.3 No Joint Control

  • Parties are not joint controllers
  • Responsibilities are clearly separated

5. Nature and Purpose of Processing

5.1 Nature of Processing

Processing includes:

  • Collection
  • Storage
  • Organization
  • Retrieval
  • Transmission
  • Deletion

5.2 Purpose of Processing

  • Student lifecycle management
  • Attendance tracking
  • Fee and financial management
  • Examination and reporting
  • Communication (SMS/email/notifications)

6. Categories of Data Subjects

Data subjects include:

  • Students (including minors)
  • Parents/guardians
  • Teachers and staff
  • Institutional administrators

7. Categories of Personal Data

7.1 General Personal Data

  • Name
  • Contact details
  • Role/designation

7.2 Student Data

  • Academic records
  • Attendance
  • Communication data

7.3 Sensitive Personal Data (SPDI)

  • Financial data (fees, transactions)
  • Login credentials (hashed passwords)

7.4 Technical Data

  • IP address
  • Device information
  • Usage logs

8. Duration of Processing

  • Processing continues for the duration of the subscription
  • Post-termination:
  • Data retained per Privacy Policy
  • Deleted or anonymized after retention period

9. Processor Obligations

Campus 24x7 (Processor) shall:

9.1 Process Data Only on Instructions

  • Process personal data strictly based on documented instructions from the Institution
  • Not use data for independent purposes
  • Not sell, rent, or commercially exploit data

9.2 Ensure Lawful Processing Support

  • Assist the Controller in meeting legal obligations
  • Provide necessary tools (logs, exports, controls) for compliance

9.3 No Unauthorized Disclosure

Not disclose personal data to third parties without:

  • Authorization from Controller, or
  • Legal obligation

9.4 Data Minimization

  • Process only data necessary for service delivery
  • Avoid excessive or unnecessary data handling

9.5 Accuracy Support

Provide mechanisms for:

  • Data correction
  • Updates by authorized users

10. Security Measures (Technical & Organizational)

The Processor implements layered security aligned with industry practices.

10.1 Infrastructure Security

  • Hosted on Hostinger VPS
  • Server hardening (SSH keys, firewall, restricted access)
  • Environment isolation (production/staging/dev)

10.2 Network Security

  • HTTPS (TLS 1.2+) encryption
  • Reverse proxy via Nginx
  • Rate limiting and request throttling

10.3 Application Security

  • Backend: NestJS with validation pipelines
  • Frontend: React (TypeScript)
  • Protection against:
  • SQL Injection
  • XSS
  • CSRF

10.4 Authentication & Access

  • Password hashing (bcrypt)
  • Multi-Factor Authentication (MFA) for privileged users
  • JWT-based authentication
  • Session expiration controls

10.5 Authorization Controls

  • Role-Based Access Control (RBAC)
  • Custom permissions per institution
  • Strict API-level enforcement

10.6 Multi-Tenant Isolation

  • Institution-scoped queries
  • Middleware validation to prevent cross-tenant access

10.7 Logging & Monitoring

Centralized managed logging

Monitoring of:

  • Login activity
  • Data changes
  • Suspicious events

10.8 Backup & Recovery

  • Automated backups
  • Secure storage
  • Periodic restoration testing

10.9 Vulnerability Management

  • Regular updates of dependencies
  • Security patches applied
  • Periodic vulnerability assessments

11. Confidentiality

11.1 Personnel Confidentiality

  • All personnel with access to data are bound by confidentiality obligations
  • Access limited based on role and necessity

11.2 Data Access Restriction

  • Access granted only to authorized personnel
  • Strict access control enforcement

11.3 Non-Disclosure

Data shall not be disclosed except:

  • As required for service delivery
  • As required by law

12. Security Incident Management

12.1 Incident Detection

Continuous monitoring systems detect anomalies

12.2 Response Process

  • Immediate containment
  • Investigation and root cause analysis
  • Mitigation and remediation

12.3 Notification Obligation

Controller notified within a reasonable timeframe

Includes:

  • Nature of breach
  • Affected data
  • Mitigation actions

13. Use of Sub-processors

The Processor may engage third-party service providers ("Sub-processors") to support service delivery.

13.1 Authorized Sub-processors

Typical categories include:

  • Hosting Providers (e.g., VPS infrastructure)
  • Payment Gateways (transaction processing)
  • Communication Providers (SMS/email services)
  • Monitoring & Logging Services

13.2 Conditions for Engagement

The Processor ensures that all Sub-processors:

  • Are bound by written agreements
  • Provide equivalent data protection obligations
  • Process data only for defined purposes
  • Maintain appropriate security standards

13.3 Responsibility

  • The Processor remains fully liable for actions of Sub-processors
  • Any failure by Sub-processors is treated as failure of the Processor

13.4 Sub-processor Transparency

  • A list of Sub-processors should be maintained and made available to the Controller
  • Updates to Sub-processors will be communicated where materially relevant

14. International Data Transfers

14.1 General Principle

Data is primarily processed within infrastructure selected by the Processor

14.2 Cross-Border Transfers

If data is transferred outside India:

  • Transfers are limited to necessary services
  • Appropriate safeguards are implemented
  • Data protection obligations remain equivalent

14.3 Safeguards

Safeguards may include:

  • Contractual obligations with vendors
  • Secure transmission (encryption)
  • Access restrictions

15. Assistance with Data Subject Rights

The Processor assists the Controller in responding to requests from Data Subjects.

15.1 Types of Requests

  • Access requests
  • Correction requests
  • Deletion requests
  • Restriction of processing

15.2 Mechanism

Support includes:

  • Providing data access tools
  • Enabling data export
  • Supporting deletion or modification

15.3 Limitation

  • Processor does not directly respond to end users
  • All requests must be routed through the Controller

16. Audit and Compliance Rights

16.1 Audit Support

The Processor shall:

  • Provide reasonable information demonstrating compliance
  • Offer access to:
  • Security documentation
  • Policies and procedures

16.2 Audit Methods

Audits may include:

  • Documentation review
  • System-generated audit logs
  • Compliance reports

16.3 Restrictions

Audits must:

  • Be reasonable and not disrupt operations
  • Respect confidentiality and security controls

16.4 Audit Costs

Unless otherwise agreed:

Audit costs are borne by the Controller

17. Record Keeping

The Processor maintains records of:

  • Processing activities
  • Security measures
  • Incident reports

18. Compliance Cooperation

The Processor shall:

Cooperate with the Controller in:

  • Regulatory inquiries
  • Compliance verification

19. Data Return and Deletion

19.1 Upon Termination or Expiry

Upon termination of the agreement or subscription:

The Controller may request:

  • Full data export, or
  • Data deletion

19.2 Data Export

Data will be provided in a structured, commonly used format

Export may include:

  • Student records
  • Academic data
  • Financial records
  • User data

19.3 Data Deletion

Upon valid request:

Data will be:

  • Permanently deleted from active systems, or
  • Anonymized where deletion is not immediately feasible

19.4 Backup Deletion Limitation

  • Data may remain in backups temporarily
  • Complete deletion occurs after backup rotation cycles

19.5 Deletion Timeline

Standard deletion timeline: within 30 days of verified request

20. Retention After Termination

If no deletion request is made:

Data may be retained for:

  • Up to 12-24 months

Purpose:

  • Reactivation
  • Legal compliance
  • Dispute handling

21. Liability (DPA-Specific)

21.1 Processor Liability

The Processor is liable only for:

  • Breach of obligations explicitly defined in this DPA
  • Failure to implement agreed security measures

21.2 Exclusions

The Processor is NOT liable for:

  • Actions or omissions of the Controller
  • Improper data collection by the Institution
  • Misuse of credentials
  • Unauthorized access caused by Controller negligence

21.3 Liability Cap

Total liability under this DPA shall not exceed:

Amount paid by the Controller in the last billing cycle

22. Indemnification

The Controller agrees to indemnify and hold harmless the Processor against:

  • Claims arising from unlawful data collection
  • Failure to obtain required consent
  • Violations of applicable data protection laws
  • Misuse of personal data by the Institution

23. Termination of DPA

23.1 Linked to Main Agreement

This DPA is automatically terminated upon termination of the main service agreement

23.2 Survival of Clauses

The following obligations survive termination:

  • Confidentiality
  • Data protection obligations
  • Liability clauses
  • Data deletion obligations

24. Conflict with Other Documents

In case of conflict:

  • DPA prevails for data protection matters
  • Then Privacy Policy
  • Then Terms & Conditions

25. Amendments

  • This DPA may be updated periodically
  • Material changes will be communicated
  • Continued use implies acceptance

26. Governing Law

This DPA is governed by:

Laws of India

27. Jurisdiction

All disputes shall be subject to exclusive jurisdiction of courts located in:

Punjab, India

28. Contact Information

For data protection and DPA-related queries:

Email: info@campuse24x7.in