ClassAddmin

Legal

Data processing addendum

Last updated 4 June 2026

1. Definitions

  • “Controller” — the school, which decides why and how the personal data is processed.
  • “Processor” — Modularpath Systems Ltd, which processes the personal data on the controller’s documented instructions.
  • “Sub-processor” — any third party we engage to process personal data on our behalf in the course of running the service.
  • “Personal data” — any information relating to an identified or identifiable natural person, as defined by Ghana’s Data Protection Act 2012 (Act 843).
  • “Data subjects” — pupils, applicants, guardians, school staff, and any other individuals whose data the controller stores in ClassAddmin.

2. Subject matter, nature and purpose

The processor processes personal data on the controller’s behalf for the sole purpose of providing the ClassAddmin service described in the controller’s subscription. That includes:

  • storing and retrieving pupil, guardian, applicant, staff and operational records the controller creates;
  • sending operational SMS and email on the controller’s behalf (e.g. attendance notices, fee reminders, report-card publish notifications);
  • generating reports, PDFs and exports from the controller’s data;
  • operating the parent portal under tokens minted from the controller’s data;
  • maintaining audit logs and backups required to keep the service safe and recoverable.

The duration of processing is the duration of the controller’s subscription, plus a defined wind-down (see §13).

3. Categories of data subjects and personal data

The controller may upload or generate the following categories of personal data through use of the service:

  • Pupils & applicants — name, date of birth, sex, nationality, religion, photo, home address, class assignment, attendance, grades, remarks, disciplinary records, fee balance.
  • Guardians — name, phone, email, relationship, payment status, communications history.
  • Staff — name, contact details, role, salary and payroll inputs, performance notes.
  • Operational metadata — sign-in events, audit entries, message delivery logs, payment metadata.

4. Processor obligations

The processor will:

  1. process personal data only on the controller’s documented instructions, including with regard to international transfers;
  2. ensure that persons authorised to process personal data are bound by confidentiality;
  3. implement appropriate technical and organisational measures to protect personal data (see §7);
  4. engage sub-processors only on the terms set out in §6;
  5. assist the controller in responding to data-subject requests (§9);
  6. notify the controller of personal-data breaches per §10;
  7. at the end of the contract, return or delete personal data per §13;
  8. make available to the controller all information necessary to demonstrate compliance with these obligations.

5. Controller obligations

The controller is responsible for:

  • having a lawful basis to collect each category of personal data they upload;
  • providing the data subjects with the privacy notices required by law;
  • obtaining any required consents (e.g. for marketing SMS or images of minors used outside the service);
  • configuring role-based access correctly inside the app so each staff member sees only what they should;
  • responding to data-subject requests addressed directly to the school (the processor will assist).

6. Sub-processors

The controller authorises the processor to engage the following sub-processors:

  • Supabase, Inc. (US) — managed Postgres database, file storage, authentication. Privacy.
  • Cloudflare, Inc. (US) — Workers runtime, CDN, Turnstile bot protection, image transformations. Privacy.
  • Paystack Payments Ltd (NG/GH) — payment processing for MoMo, Visa, Mastercard. Terms.
  • Arkesel Ltd (GH) — SMS delivery on the controller’s behalf. arkesel.com.
  • Resend, Inc. (US) — transactional email delivery. Privacy.
  • Anthropic, PBC (US) — large-language-model API for the marketing live-chat assistant. Per Anthropic’s commercial terms, customer data is not used to train Anthropic models.
  • OpenAI, LLC (US) — fallback large-language-model API for the marketing live-chat assistant. Per OpenAI’s API terms, API data is not used to train models by default.
  • Voyage AI, Inc. (US) — text-embedding API for the help-article retriever.

6.1 Notice of new sub-processors

The processor will give the controller at least 30 days’ advance written notice before adding or replacing a sub-processor, with sufficient detail for the controller to assess the change. If the controller reasonably objects on data-protection grounds, the processor will work in good faith to address the concern; if no resolution can be agreed, the controller may terminate the subscription with no early-termination penalty.

7. Security measures

The processor maintains a documented security programme that includes:

  • Encryption — TLS 1.2+ in transit; AES-256 at rest in the primary database and storage layer.
  • Tenant isolation — Postgres row-level security policies enforced at the database, not the application; service-role bypass restricted to narrow, audited paths.
  • Authentication — Supabase Auth with hardware-backed credential storage; optional MFA for staff accounts.
  • Authorisation — least-privilege role assignments, server-side enforcement on every mutation.
  • Network — workloads served from Cloudflare Workers behind WAF, Turnstile, and per-IP rate limits on public endpoints.
  • Audit — append-only audit log of administrative changes, retained for the life of the subscription.
  • Backups — daily Postgres point-in-time backups retained 7 days, off-site.
  • Vendor due diligence — sub-processors reviewed for their own security posture before adoption.
  • Vulnerability handling — quarterly dependency review, monthly patch cycle for non-critical, 7-day target for critical CVEs.
  • Personnel — all engineers under written confidentiality, background-checked before production access, access reviewed quarterly.

8. International transfers

Some sub-processors process personal data outside Ghana (principally in the United States and the European Union). The processor relies on the data-protection commitments those sub-processors offer (including, where applicable, Standard Contractual Clauses) and on the security measures in §7. Where the controller requires data residency commitments beyond these, contact us before subscribing — we may need to discuss bespoke arrangements.

9. Data-subject requests

Data subjects exercise their rights against the controller (the school), not directly against the processor. If a data subject contacts the processor about access, correction, deletion, restriction, objection or portability, we will redirect them to the school and notify the school promptly.

On the controller’s written request, the processor will assist with fulfilling these requests by providing exports, configuration changes or other technical support, within reasonable limits.

10. Personal-data breach notification

If the processor becomes aware of a personal-data breach affecting the controller’s data, the processor will notify the controller without undue delay, and in any event within 72 hours, with:

  • the nature of the breach and the categories and approximate volume of data subjects and records concerned;
  • the likely consequences;
  • the measures taken or proposed to address the breach and to mitigate its effects.

Where the full detail isn’t available within 72 hours, the processor will share what is known and update the controller as the picture firms up.

11. Confidentiality

The processor will treat the controller’s personal data as confidential, will use it only for the purposes set out in §2, and will not disclose it to any third party except to sub-processors per §6 or where required by law.

12. Audit and reporting

On reasonable written notice, the processor will make available to the controller information necessary to demonstrate compliance with this DPA, including summary reports of security controls, sub-processor lists, and breach history. On-site audits are by mutual agreement and at the controller’s cost; the processor will not unreasonably refuse.

13. Return or deletion of data on termination

On termination of the subscription:

  1. the controller may export the personal data in a structured, machine-readable format (CSV) at any time during the 30-day post-termination window at no charge;
  2. at the end of that window, the processor will delete the personal data from live systems within a further 60 days;
  3. routine encrypted backups containing residual copies will be aged out within a further 30 days and not restored except for disaster recovery covering the original processing period;
  4. once deletion is complete the processor will, on the controller’s written request, certify the deletion.

Aggregate, non-identifying analytics (e.g. counts of total bookings or aggregate API traffic) may be retained indefinitely.

14. Liability

Each party’s liability under this DPA is governed by the liability provisions of the underlying Terms of Service.

15. Order of precedence

If there is any conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of personal data.

16. Governing law

This DPA is governed by the laws of the Republic of Ghana, with the dispute-resolution forum set out in the Terms of Service.

17. Contact

Data-protection contact for this DPA: privacy@classaddmin.com. For commercial questions, including bespoke residency or breach-notification arrangements, write to hello@classaddmin.com.