Data Processing Agreement (DPA)
1. Roles of the parties
This DPA applies where AcadFlows ([Company Name]) processes personal data on behalf of a Customer institution (the “School”) in connection with the Service. The School is the data fiduciary / controller and AcadFlows is the data processor. This DPA supplements the Terms & Conditions.
2. Scope & instructions
AcadFlows processes personal data only to provide the Service and on the School's documented instructions, including as set out in the Terms and this DPA, unless required otherwise by law. The subject matter, duration, nature and purpose of processing, the types of personal data and categories of data principals are described in the Service documentation and the School's configuration.
3. Processor obligations
- Process personal data only on documented instructions.
- Ensure persons authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational security measures.
- Not use personal data for our own purposes, advertising, or model training without authorisation.
4. Sub-processors
The School authorises AcadFlows to engage sub-processors listed on our Sub-processors page. We impose data-protection obligations on sub-processors no less protective than this DPA and remain responsible for their performance. We will give notice of intended changes and a reasonable opportunity to object.
5. Security measures
We maintain measures including encryption in transit and at rest, access controls, multi-factor authentication, per-tenant isolation, logging and monitoring, secure development practices, and periodic independent testing, as further described in our security documentation.
6. Breach notification
We will notify the School without undue delay, and in any case within [72 hours] of becoming aware of a personal data breach affecting the School's data, with information reasonably available to assist the School's own notification obligations.
7. Assisting data principals
Taking into account the nature of processing, we will assist the School by appropriate measures in responding to requests from data principals to exercise their rights, and in meeting the School's security, breach-notification and impact-assessment obligations.
8. Data location & transfers
Service data is hosted in India (AWS Mumbai, ap-south-1) by default. Any transfer outside India will be carried out only in accordance with applicable law and appropriate safeguards.
9. Return & deletion
On termination or on the School's request, we will return or delete personal data within [30] days, save where retention is required by law.
10. Audits
We will make available information necessary to demonstrate compliance and allow for audits, including inspections, by the School or an auditor it mandates, subject to reasonable confidentiality, scheduling and security requirements. We may satisfy audit requests by providing third-party audit reports (e.g. SOC 2, VAPT summaries) under NDA.
11. Contact
For DPA matters, contact privacy@acadflows.com, [Registered Address].