Data Processing Addendum

This Data Processing Addendum explains how SchoolOS processes personal data on behalf of schools and partners that use the platform. It applies where SchoolOS processes school-controlled personal data as a service provider or processor.

If a signed agreement between SchoolOS and a school or partner includes different data processing terms, that signed agreement controls for that customer.

The school is usually the controller of school records because it decides what information is collected, which users can access it, and why it is used. SchoolOS usually acts as the processor for that school-controlled data.

SchoolOS may act as a controller for its own business operations, including account management, billing, support, security, abuse prevention, product analytics, and direct marketing where permitted.

SchoolOS will process school-controlled personal data only to provide, secure, support, maintain, and improve SchoolOS; comply with lawful instructions from the school; or meet legal obligations.

The school is responsible for ensuring that its instructions are lawful and that it has the required rights, notices, and permissions to use SchoolOS.

Processed data may include school administrator details, staff records, student records, parent or guardian records, attendance, fees, invoices, receipts, messages, admissions, assessments, results, files, images, website content, audit logs, and technical usage data.

SchoolOS personnel and service providers with access to school-controlled data must handle it confidentially and only for authorized purposes.

We maintain reasonable technical and organizational measures designed to protect data, including access controls, backups, monitoring, secure hosting practices, and security-focused development processes.

SchoolOS may use trusted subprocessors for hosting, storage, email, SMS, payment processing, support, analytics, security, backups, and related services. We remain responsible for subprocessors we engage to process school-controlled personal data under our instructions.

Schools may contact SchoolOS for information about key subprocessors used for their deployment.

If SchoolOS receives a request from a parent, student, staff member, or other person about school-controlled data, we may direct the requester to the school or notify the school so it can respond.

SchoolOS will provide reasonable support to schools responding to valid access, correction, deletion, export, or objection requests where the platform supports it.

If SchoolOS becomes aware of a security incident affecting school-controlled personal data, we will take reasonable steps to investigate, contain, and notify affected schools without undue delay, considering the nature of the incident and applicable law.

Upon termination or valid request, SchoolOS will provide reasonable options to export, return, or delete school-controlled data, subject to active billing, legal obligations, backup retention, fraud prevention, and technical feasibility.