Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between MaktabMate Ltd ("Processor", "we", "us") and the organisation using the MaktabMate platform ("Controller", "you", "your maktab") for the provision of the MaktabMate service.
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and Section 59 of the Data Protection Act 2018.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the UK GDPR.
- Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation, as defined in Article 9 of the UK GDPR.
- Processing: Any operation performed on personal data, as defined in Article 4(2) of the UK GDPR.
- Data Subject: The individual to whom personal data relates (students, parents, staff).
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope and Purpose of Processing
The Processor shall process personal data on behalf of the Controller solely for the purpose of providing the MaktabMate school management platform, including:
- Student registration and record management
- Attendance tracking
- Academic progress tracking (Maktab and Hifdh programmes)
- House points management
- Homework management
- Fee management and payment recording
- Staff management and clock-in/clock-out
- Parent-staff communication
- Report generation
3. Types of Personal Data
Student Data
Names, dates of birth, gender, class enrolment, attendance, academic progress, house points, homework, fee records.
Parent/Guardian Data
Names, email addresses, phone numbers, relationship to student, communication records.
Staff Data
Names, email addresses, phone numbers, roles, class assignments, clock-in/clock-out records (including geolocation), communication records.
The data may include special category data, specifically religious affiliation, as all data subjects are associated with an Islamic educational institution.
4. Duration of Processing
Processing shall continue for the duration of the Controller's subscription to the MaktabMate service. Upon termination, the provisions of Section 12 (Data Return and Deletion) shall apply.
5. Processor Obligations
The Processor shall:
- Process personal data only on the documented instructions of the Controller, unless required by law to do otherwise
- Ensure that persons authorised to process personal data are subject to confidentiality obligations
- Implement appropriate technical and organisational measures to ensure security of processing (see Section 7)
- Respect the conditions for engaging sub-processors (see Section 8)
- Assist the Controller in responding to data subject requests (see Section 9)
- Assist the Controller in ensuring compliance with Articles 32–36 of the UK GDPR (security, breach notification, DPIAs, prior consultation)
- Delete or return all personal data at the end of the service, at the Controller's choice (see Section 12)
- Make available all information necessary to demonstrate compliance and allow for audits
6. Controller Obligations
The Controller shall:
- Ensure there is a lawful basis for all processing, including for special category data (religious affiliation)
- Provide appropriate privacy notices to data subjects (students, parents, staff)
- Obtain any necessary consents from parents/guardians for processing children's data
- Respond to data subject requests and inform the Processor where assistance is needed
- Ensure data entered into the platform is accurate and up to date
- Not upload data that is not necessary for the purposes of the Service
7. Security Measures
Technical Measures
- Encryption in transit (HTTPS/TLS) for all data transmission
- Encryption at rest (AES-256) for all stored data via Google Cloud
- Role-based access controls enforced through Firestore Security Rules
- Complete data isolation between organisations at the database level
- Authentication via Firebase Auth with email/password credentials
- Forced password change on first login for parent accounts
Organisational Measures
- Access to production data limited to authorised personnel only
- Infrastructure hosted on Google Cloud Platform (ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 certified)
- Database located in the United Kingdom (europe-west2, London)
- Regular review of security configurations and access controls
8. Sub-processors
The Controller provides general authorisation for the Processor to engage sub-processors. The Processor shall:
- Maintain a list of current sub-processors, available upon request
- Notify the Controller of any intended changes to sub-processors, giving reasonable notice
- Ensure each sub-processor is bound by data protection obligations no less protective than those in this DPA
8.1 Google Cloud Platform (Infrastructure Provider)
The Controller acknowledges and agrees that:
- Personal data is hosted on Google Cloud Platform (Firebase) infrastructure. Google acts as a sub-processor providing cloud infrastructure services.
- Data is encrypted at rest (AES-256) and in transit (TLS). Google manages the encryption keys as part of their standard infrastructure.
- Google is contractually bound by their Data Processing and Security Terms and may only access data for the purpose of providing infrastructure services.
- Google cannot use Controller data for advertising, AI training, analytics, product development, or any purpose beyond infrastructure provision.
- All Google employee access to customer data is logged, audited, and requires documented business justification.
- Google holds ISO 27001, ISO 27017, ISO 27018, and SOC 1/2/3 certifications, verified by independent auditors.
- Firebase Authentication data is stored in the United States; all other data is stored in the United Kingdom (europe-west2, London).
The Controller should make parents and staff aware of this infrastructure arrangement through its own privacy notices.
8.2 Other Sub-processors
Current sub-processors:
- Google Firebase (Google LLC): Database storage (UK) and user authentication (US). Google's Data Processing and Security Terms apply, including Standard Contractual Clauses.
- Stripe: Payment and subscription management. Processes billing data only.
- IONOS: Website hosting (EU). Static files only.
- EmailJS: Transactional email delivery.
9. Data Subject Requests
The Processor shall:
- Promptly notify the Controller if it receives a request from a data subject
- Not respond to data subject requests directly unless authorised by the Controller
- Provide the Controller with tools and assistance to fulfil data subject requests, including data export and deletion capabilities
- Respond to Controller requests for assistance within 10 business days
10. Data Breach Notification
The Processor shall:
- Notify the Controller without undue delay, and in any event within 24 hours, upon becoming aware of a personal data breach
- Provide the Controller with sufficient information to enable the Controller to meet its obligations to report the breach to the ICO within 72 hours
- Co-operate with the Controller in investigating and remediating the breach
- Document all breaches, including those that do not require notification to the ICO
11. International Transfers
The Processor stores the majority of personal data in the United Kingdom (Google Cloud, europe-west2). Firebase Authentication data is stored in the United States.
International transfers are protected by Google's compliance with the UK-U.S. Data Privacy Framework and Standard Contractual Clauses included in Google's Data Processing and Security Terms.
12. Data Return and Deletion
Upon termination of the Service:
- The Controller may request export of all its data in a machine-readable format (CSV/JSON) within 30 days of termination
- The Processor shall delete all Controller personal data within 90 days of termination, unless retention is required by law
- The Processor shall confirm deletion in writing upon request
- Backup copies shall be deleted in accordance with the Processor's backup rotation schedule, not to exceed 180 days
13. Audits
The Processor shall:
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
- Provide written responses to reasonable compliance questionnaires within 20 business days
14. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the main service agreement (Terms of Service) between the parties.
15. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
16. Term and Termination
This DPA shall remain in effect for the duration of the Controller's use of the MaktabMate service. It shall automatically terminate when all personal data has been deleted or returned in accordance with Section 12.