Data Processing Addendum

This DPA governs SquareCampus’s processing of personal data on behalf of the Institution while providing the SquareCampus Service. The duration of this DPA matches the Institution’s subscription or the underlying agreement, unless otherwise required by law.

The Institution determines the purposes and means of processing personal data and acts as the Controller; SquareCampus processes personal data solely on behalf of the Institution as the Processor.

The data processed depends on the Institution’s configuration and usage and may include:

• Student data (names, contact details, academic records, attendance, photos);
• Staff and teacher data (roles, timetables, salary metadata if stored);
• Parent/guardian information (contacts, relationship to students);
• Institutional administrative and billing data;
• Technical and usage logs associated with user accounts.

Data subjects may include students, parents/guardians, teachers, staff, and other authorised users of the Service.

SquareCampus shall:

• Process data only on documented instructions from the Institution;
• Ensure authorised personnel are subject to confidentiality obligations;
• Implement appropriate technical and organisational security measures;
• Notify the Institution without undue delay upon discovering a data breach;
• Assist the Institution with subject requests or regulator interactions when requested;
• Provide information to demonstrate compliance and allow for audits under reasonable conditions.

The Institution shall:

• Ensure it has rights, consents, and legal bases for supplying personal data;
• Remain responsible for the accuracy and legality of the data submitted;
• Comply with applicable data protection obligations, including notices to subjects;
• Not instruct SquareCampus to process data in a manner that violates applicable law.

The Institution authorises SquareCampus to engage sub-processors such as cloud hosts, SMS/email gateways, and backup providers.

SquareCampus shall:

• Impose data protection obligations on sub-processors comparable to this DPA;
• Remain responsible for sub-processor acts and omissions as if performed by SquareCampus.

Where data transfers outside India are required, SquareCampus will take reasonable steps to comply with applicable laws, including implementing safeguards where required.

If SquareCampus receives a data subject request, we will direct the request to the Institution, unless we are authorised or legally required to respond directly.

SquareCampus will assist the Institution in fulfilling requests such as access, correction, or deletion, subject to technical feasibility and the Institution’s instructions.

In the event of a personal data breach under this DPA, SquareCampus shall:

• Notify the Institution without undue delay after becoming aware of the breach;
• Share information reasonably available to support the Institution’s regulatory or notification obligations.

Upon termination of the subscription or upon written request, SquareCampus shall:

• Delete or anonymise personal data processed on behalf of the Institution; or
• Return the data in a reasonable format where export functionality is agreed.

SquareCampus may retain data where required by law, dispute resolution, or backup purposes, after which it will be deleted or anonymised.

In the event of a conflict between this DPA and the main agreement or Terms of Service, this DPA governs data processing obligations.

This DPA is governed by Indian law. Disputes are subject to the jurisdiction provisions of the main agreement, typically the courts of Bengaluru, Karnataka, India.