Legal Center

Data Processing Addendum

Details about how SquareCampus processes Institution data on behalf of our customers.

Effective Date: 27 November 2025
Last Updated: 15 January 2026

Important Update: Section 6 (Controller Obligations) has been expanded to include enhanced access control requirements, credential security obligations, and incident response duties. Please review carefully.

1. Company & Scope

SquareCampus is a trademark and product brand of MDTechSpire. All services are provided by MDTechSpire, unless otherwise stated in a written agreement or order form.

References to "SquareCampus" in this DPA mean MDTechSpire.

This Data Processing Addendum ("DPA") forms part of the agreement between MDTechSpire and the Institution when referenced in an order form or contract.

2. Subject Matter and Duration

This DPA governs SquareCampus's processing of personal data on behalf of the Institution while providing the SquareCampus Service. The duration of this DPA matches the Institution's subscription or the underlying agreement, unless otherwise required by law.

3. Roles of the Parties

The Institution determines the purposes and means of processing personal data and acts as the Controller; MDTechSpire processes personal data solely on behalf of the Institution as the Processor.

4. Categories of Data and Data Subjects

The data processed depends on the Institution's configuration and usage and may include:

  • Student data (names, contact details, academic records, attendance, photos);
  • Staff and teacher data (roles, timetables, salary metadata if stored);
  • Parent/guardian information (contacts, relationship to students);
  • Institutional administrative and billing data;
  • Technical and usage logs associated with user accounts.

Data subjects may include students, parents/guardians, teachers, staff, and other authorised users of the Service.

5. Processor Obligations

SquareCampus shall:

  • Process data only on documented instructions from the Institution;
  • Ensure authorised personnel are subject to confidentiality obligations;
  • Implement appropriate technical and organisational security measures;
  • Notify the Institution without undue delay upon discovering a data breach;
  • Assist the Institution with subject requests or regulator interactions when requested;
  • Provide information to demonstrate compliance and allow for audits under reasonable conditions.

6. Controller Obligations

6.1 General Obligations

The Institution shall:

  • Ensure it has rights, consents, and legal bases for supplying personal data;
  • Remain responsible for the accuracy and legality of the data submitted;
  • Comply with applicable data protection obligations, including notices to subjects;
  • Not instruct SquareCampus to process data in a manner that violates applicable law.

6.2 Access Control Requirements

The Institution shall implement and maintain robust access controls including:

  • Role-Based Access: Implement role-based access controls ensuring users can only access data necessary for their legitimate job functions.
  • Access Reviews: Conduct periodic reviews (at minimum quarterly) of user access privileges and promptly revoke access for terminated or transferred personnel.
  • Audit Logging: Maintain internal records of who has been granted access to the Service and the business justification for such access.
  • Segregation of Duties: Implement appropriate segregation of duties to prevent any single individual from having excessive access to sensitive data or administrative functions.

6.3 Credential Security

The Institution shall ensure the security of all credentials including:

  • Unique Credentials: Ensuring each authorised user has unique login credentials that are not shared with any other person.
  • Secure Storage: Storing credentials securely and not in plain text, shared documents, or unsecured locations.
  • Credential Rotation: Implementing credential rotation policies and immediately rotating credentials upon any suspected compromise.
  • Prohibition on Sharing: Enforcing strict prohibitions on credential sharing with any person or entity outside the Institution's authorised personnel, including but not limited to competitors, consultants, and vendors.
  • Third-Party Access: Not providing credentials or access to any third party without SquareCampus's prior written consent, particularly to entities that compete with SquareCampus.

6.4 Incident Response Duties

The Institution shall promptly notify SquareCampus of any security incident including:

  • Any known or suspected credential compromise or unauthorised access;
  • Any attempt by competitors to gain access to the Institution's account;
  • Any data breach affecting data processed through the Service;
  • Any regulatory inquiry or legal process related to data processed by SquareCampus;
  • Any employee termination where there is reason to believe credentials may have been compromised or shared inappropriately.

6.5 Cooperation with Security Measures

The Institution agrees to:

  • Cooperate with SquareCampus's security audits and investigations when requested;
  • Implement any security recommendations provided by SquareCampus;
  • Provide documentation regarding access controls and credential management upon reasonable request;
  • Accept temporary service suspension if SquareCampus identifies security concerns requiring immediate remediation.

Violations of these Controller Obligations may constitute a material breach of the Terms of Service. See the Terms of Service Section 3 and Competitor Notice for additional information on security requirements and enforcement.

7. Security Measures

SquareCampus maintains administrative, technical, and organisational safeguards appropriate to the nature of the data and the risks presented by processing, including access controls, encryption in transit and at rest, monitoring, and backup procedures.

SquareCampus service data is hosted and processed in India. We do not transfer or store customer data outside India.

We pledge to keep data within the borders of India, no excuses or compromises.

8. Sub-processors

The Institution authorises SquareCampus to engage sub-processors such as cloud hosts, SMS/email gateways, and backup providers.

A current list of sub-processors is available upon request.

SquareCampus shall:

  • Impose data protection obligations on sub-processors comparable to this DPA;
  • Remain responsible for sub-processor acts and omissions as if performed by SquareCampus.

9. Data Subject Requests

If SquareCampus receives a data subject request, we will direct the request to the Institution, unless we are authorised or legally required to respond directly.

SquareCampus will assist the Institution in fulfilling requests such as access, correction, or deletion, subject to technical feasibility and the Institution's instructions.

10. Data Breach Notification

In the event of a personal data breach under this DPA, SquareCampus shall:

  • Notify the Institution without undue delay after becoming aware of the breach;
  • Share information reasonably available to support the Institution's regulatory or notification obligations.

11. Data Retention and Deletion

Upon termination of the subscription or upon written request, SquareCampus shall:

  • Delete or anonymise personal data processed on behalf of the Institution; or
  • Return the data in a reasonable format where export functionality is agreed.

SquareCampus may retain data where required by law, dispute resolution, or backup purposes, after which it will be deleted or anonymised.

12. Priority and Conflicts

In the event of a conflict between this DPA and the main agreement or Terms of Service, this DPA governs data processing obligations.

13. Governing Law

This DPA is governed by Indian law. Disputes are subject to the jurisdiction provisions of the main agreement, typically the courts of Bengaluru, Karnataka, India.

This Data Processing Addendum describes data processing obligations and should be reviewed by legal counsel to ensure compliance with applicable law.