Data Processing Agreement

StudentConnect - How We Process and Protect Your Data

Last Updated: January 18, 2026  |  Effective Date: January 18, 2026

1. Introduction

This Data Processing Agreement ("DPA") is entered into between AARA Technologies ("Processor," "we," "us") and the school or organization using StudentConnect Services ("Controller," "you").

This DPA supplements and forms part of the Terms of Service and Privacy Policy. It describes the data processing activities performed by StudentConnect on behalf of schools.

Purpose: This DPA ensures compliance with applicable data protection laws including GDPR, CCPA, India's DPDP Act, and other relevant regulations governing the processing of personal data in educational contexts.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
  • "Data Controller" means the entity (school) that determines the purposes and means of processing Personal Data.
  • "Data Processor" means the entity (StudentConnect) that processes Personal Data on behalf of the Controller.
  • "Data Subject" means the individual whose Personal Data is processed (students, parents, teachers).
  • "Sub-Processor" means a third party engaged by the Processor to process Personal Data.
  • "Data Breach" means unauthorized access to, or acquisition, use, or disclosure of Personal Data.

3. Scope and Purpose of Processing

3.1 Controller's Role

The school (Controller) is responsible for:

  • Determining which Personal Data to input into StudentConnect
  • Obtaining necessary consents from parents/guardians
  • Ensuring data accuracy and completeness
  • Responding to data subject requests
  • Complying with applicable education privacy laws

3.2 Processor's Role

StudentConnect (Processor) processes Personal Data to:

  • Provide the StudentConnect platform and services
  • Enable school management and communication features
  • Maintain system security and integrity
  • Provide technical support
  • Comply with legal obligations

Processing Limitations: StudentConnect will only process Personal Data:

  • For the purposes specified in this DPA
  • In accordance with Controller's documented instructions
  • As required by applicable law

4. Categories of Data Processed

4.1 Data Subjects

| Category | Description |
|---|---|
| Students | Children enrolled in the school |
| Parents/Guardians | Legal guardians of enrolled students |
| Teachers | Teaching staff employed by the school |
| Administrators | School administrative personnel |

4.2 Types of Personal Data

| Data Category | Examples | Sensitivity |
|---|---|---|
| Identity Data | Name, date of birth, photo, student ID | Standard |
| Contact Data | Phone number, email address | Standard |
| Educational Data | Grades, attendance, assignments | Standard |
| Device Data | Device type, OS version, app version | Standard |
| Usage Data | Login times, features accessed | Standard |

Sensitive Data: StudentConnect does NOT require or process special categories of data (health data, biometric data, religious beliefs) unless explicitly provided by the school for legitimate educational purposes.

5. Processing Details

5.1 Processing Activities

| Activity | Purpose | Legal Basis |
|---|---|---|
| User Authentication | Secure access to platform | Contract performance |
| Attendance Tracking | Record student attendance | Contract performance / Legitimate interest |
| Grade Management | Store and report academic records | Contract performance |
| Communication | Enable school-parent messaging | Contract performance / Consent |
| Notifications | Send alerts and reminders | Contract performance / Consent |
| Analytics | Improve service quality (anonymized) | Legitimate interest |
| Support | Provide technical assistance | Contract performance |

5.2 Processing Duration

Personal Data will be processed for the duration of the service agreement and retained according to our Data Retention Policy.

6. Security Measures

StudentConnect implements comprehensive technical and organizational measures to protect Personal Data:

6.1 Technical Measures

  • Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Authentication: Secure OTP-based login, Firebase Authentication
  • Access Control: Role-based access control (RBAC), least privilege principle
  • Database Security: Firestore Security Rules, field-level access controls
  • Network Security: Firewall protection, DDoS mitigation via Google Cloud
  • Monitoring: Real-time security monitoring, intrusion detection
  • Backup: Automated daily backups with encryption

6.2 Organizational Measures

  • Personnel: Background checks, confidentiality agreements, security training
  • Access Management: Regular access reviews, immediate revocation upon termination
  • Incident Response: Documented incident response procedures
  • Business Continuity: Disaster recovery and business continuity plans
  • Vendor Management: Security assessments of sub-processors

Infrastructure: StudentConnect is hosted on Google Cloud Platform (GCP), which maintains SOC 2, ISO 27001, and other compliance certifications.

7. Sub-Processors

StudentConnect engages the following sub-processors:

| Sub-Processor | Service | Location | Purpose |
|---|---|---|---|
| Google Cloud Platform | Cloud Infrastructure | US/Global | Hosting, storage, computing |
| Firebase (Google) | Backend Services | US/Global | Authentication, database, messaging |
| Google Analytics | Analytics | US | Anonymized usage analytics |

We will:

  • Notify the Controller of any intended changes to sub-processors
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Remain fully liable for sub-processor compliance

8. Data Subject Rights

StudentConnect assists the Controller in fulfilling data subject requests:

8.1 Rights Supported

  • Right of Access: Export user data in machine-readable format
  • Right to Rectification: Allow data corrections through the platform
  • Right to Erasure: Delete user accounts and associated data
  • Right to Restriction: Limit processing upon request
  • Right to Portability: Export data in standard formats (JSON, CSV)
  • Right to Object: Opt out of optional processing activities

8.2 Response Process

  1. Controller receives and verifies data subject request
  2. Controller submits request to StudentConnect (if assistance needed)
  3. StudentConnect processes request within 15 business days
  4. Controller communicates response to data subject

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside India:

9.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Google Cloud's data processing terms and commitments
  • Compliance with local data localization requirements where applicable

9.2 Safeguards

  • Sub-processors maintain equivalent security standards
  • Data is encrypted in transit and at rest
  • Access is limited to authorized personnel only

10. Data Breach Notification

In the event of a Personal Data breach:

10.1 StudentConnect Obligations

  • Notify the Controller within 24 hours of becoming aware of a breach
  • Provide details including nature of breach, data affected, likely consequences, and remedial measures
  • Cooperate with Controller's breach response
  • Document all breaches and remediation actions

10.2 Controller Obligations

  • Notify supervisory authorities within 72 hours (if required)
  • Notify affected data subjects without undue delay (if required)
  • Document the breach and response actions

11. Audit Rights

The Controller has the right to verify StudentConnect's compliance with this DPA:

11.1 Audit Options

  • Self-Assessment: Annual security questionnaire completion
  • Documentation Review: Provision of security policies and certifications
  • Third-Party Audit: Review of independent audit reports (SOC 2, etc.)
  • On-Site Audit: Upon reasonable notice, with confidentiality obligations

11.2 Audit Frequency

Controllers may conduct audits:

  • Once per contract year under normal circumstances
  • Following a significant security incident
  • As required by regulatory authorities

12. Termination and Data Return

Upon termination of the service agreement:

12.1 Data Export

  • Controller may export all data within 30 days of termination
  • Data export available in standard formats (JSON, CSV)
  • StudentConnect provides reasonable assistance with data migration

12.2 Data Deletion

  • Upon request, StudentConnect will delete all Personal Data within 30 days
  • Deletion includes backup copies within 90 days
  • Anonymized, aggregated data may be retained for analytics
  • Deletion certificate provided upon request

12.3 Survival

Sections relating to confidentiality, liability, and applicable law survive termination.

13. Contact Information

For questions about this DPA or to exercise audit rights:

AARA Technologies

Data Protection Contact: hello@scapp.in
Address: Hyderabad, Telangana, India
Phone: +91 8790176241
Website: https://scapp.in

Agreement: By using StudentConnect Services, the Controller agrees to this Data Processing Agreement. This DPA supersedes any previous data processing terms.