Schoolyst
Legal

Data Processing Agreement

How Schoolyst processes data on behalf of educational institutions.

Effective date: June 9, 2026 · Last updated: June 9, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Schoolyst ("Schoolyst," "Processor," "we," "us," or "our") and the educational institution or organization that subscribes to the Schoolyst platform ("Customer," "Controller," "Data Fiduciary," "you," or "your").

This DPA applies where Schoolyst processes Personal Data on behalf of the Customer in connection with the Services provided under our Terms of Service. It describes the roles, responsibilities, and safeguards governing that processing.

By using the Services to manage institutional data, the Customer agrees to this DPA. If there is a conflict between this DPA and the Terms regarding data protection obligations, this DPA prevails with respect to data processing.

1. Definitions

In this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Schoolyst on behalf of the Customer through the Services.
  • "Customer Data" means all data, including Personal Data, uploaded, submitted, or generated by the Customer or its authorized users in the Services.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, alteration, retrieval, and deletion.
  • "Subprocessor" means a third party engaged by Schoolyst to process Personal Data on behalf of the Customer.
  • "Data Protection Laws" means applicable laws relating to privacy and data protection, including the Digital Personal Data Protection Act, 2023 (India), the Information Technology Act, 2000 and SPDI Rules (India), and the General Data Protection Regulation (EU) 2016/679 where applicable.
  • "Services" means the Schoolyst school management software platform and related support described in the Terms.

2. Roles of the Parties

2.1 Customer as Data Controller / Data Fiduciary

The Customer determines the purposes and means of processing Personal Data relating to its students, parents, guardians, staff, and other individuals managed through the platform. The Customer is responsible for:

  • Ensuring a lawful basis exists for all Personal Data uploaded to Schoolyst.
  • Providing required privacy notices to data subjects (students, parents, staff).
  • Obtaining consents and authorizations, particularly for children and minors, as required by applicable law.
  • Responding to data subject requests relating to Customer Data, with Schoolyst's assistance as described below.
  • Ensuring accuracy and quality of Customer Data.
  • Configuring appropriate user roles and access within the platform.

2.2 Schoolyst as Data Processor / Data Processors

Schoolyst processes Customer Data only on documented instructions from the Customer, as set forth in the Terms, this DPA, and the Customer's use of the Services. Schoolyst shall not process Customer Data for its own independent purposes except as necessary to:

  • Provide, secure, and maintain the Services.
  • Comply with applicable law.
  • Generate aggregated, de-identified analytics to improve the platform, provided such data cannot reasonably identify individuals.

2.3 Schoolyst as Independent Controller

Schoolyst acts as an independent data controller (fiduciary) for certain data, including account registration information of Customer administrators, billing contacts, website visitor data, support communications directed to Schoolyst, and platform security logs. Such processing is governed by our Privacy Policy, not this DPA.

3. Details of Processing

  • Subject matter: Provision of school management software Services
  • Duration: For the term of the subscription and retention periods thereafter
  • Nature and purpose: Hosting, storage, organization, retrieval, display, backup, and transmission of institutional records for school administration
  • Categories of data subjects: Students (including minors), parents/guardians, teachers, school staff, administrators, and other individuals whose data the Customer uploads
  • Types of Personal Data: Names, contact details, dates of birth, academic records, attendance, examination results, fee and payment records, photographs, identification numbers, and other data uploaded by the Customer
  • Sensitive data: The Customer is responsible for determining whether special categories of data (e.g., health, biometric, or other sensitive personal data under Indian law) are uploaded and for ensuring lawful processing. Schoolyst processes such data only on Customer instructions.

4. Customer Instructions

Schoolyst will process Customer Data only in accordance with the Customer's documented instructions, which include:

  • Configuration and use of the Services by authorized users.
  • Written instructions provided through support tickets or email.
  • Applicable provisions of the Terms and this DPA.

If Schoolyst believes an instruction violates Data Protection Laws, we will inform the Customer without undue delay. Schoolyst is not liable for processing performed in accordance with the Customer's lawful instructions.

5. Confidentiality

Schoolyst ensures that personnel authorized to process Customer Data are bound by confidentiality obligations and receive appropriate training on data protection. Customer Data is treated as confidential information under the Terms.

6. Security Measures

Schoolyst implements technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Measures include, as appropriate:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Role-based access controls and authentication mechanisms.
  • Network security, firewalls, and intrusion monitoring.
  • Regular backups and disaster recovery planning.
  • Logging and audit trails for administrative access.
  • Vulnerability management and security patching.
  • Employee background checks and security awareness training.
  • Vendor security assessments for infrastructure providers.

The Customer is responsible for maintaining the security of its user accounts, passwords, and internal access policies. Security details may be supplemented in separate security documentation upon request.

7. Subprocessors

7.1 Authorization

The Customer provides general authorization for Schoolyst to engage Subprocessors to support delivery of the Services (for example, cloud hosting, email delivery, payment processing, and monitoring). A current list of key Subprocessors is available upon written request to privacy@schoolyst.in.

7.2 Subprocessor Obligations

Schoolyst imposes data protection obligations on Subprocessors substantially similar to those in this DPA, including appropriate security measures and confidentiality requirements. Schoolyst remains responsible for Subprocessor performance of data processing obligations.

7.3 Changes to Subprocessors

Schoolyst will notify the Customer of material changes to Subprocessors by updating documentation or email notice, allowing the Customer a reasonable opportunity to object on legitimate data protection grounds. If the Customer objects and the parties cannot resolve the concern, the Customer may terminate the affected Services as described in the Cancellation Policy.

8. International Transfers

Customer Data may be stored and processed in India and other countries where Schoolyst or its Subprocessors maintain facilities. Schoolyst ensures appropriate safeguards for cross-border transfers consistent with Data Protection Laws, including contractual protections and security assessments.

9. Data Subject Rights

Schoolyst will assist the Customer, to the extent reasonably possible and as required by Data Protection Laws, in fulfilling data subject requests to access, correct, delete, restrict, or port Personal Data contained in Customer Data.

If Schoolyst receives a data subject request directly relating to Customer Data, we will promptly redirect the request to the Customer unless legally prohibited from doing so. The Customer is responsible for responding to such requests as the data controller/fiduciary.

Schoolyst may provide reasonable tools within the Services to help the Customer manage data subject requests (for example, data export and record correction features).

10. Personal Data Breach

Schoolyst will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data, providing information reasonably available to assist the Customer in meeting its breach notification obligations, including:

  • The nature of the breach.
  • Categories and approximate number of data subjects affected.
  • Likely consequences and measures taken or proposed to address it.
  • A point of contact for further information.

Schoolyst will cooperate with the Customer's investigation and take reasonable steps to mitigate harm and prevent recurrence.

11. Data Retention and Deletion

Upon termination or expiry of the Services, Schoolyst will delete or return Customer Data in accordance with the Cancellation Policy and Customer instructions, except where retention is required by applicable law.

The Customer should export Customer Data before cancellation. Schoolyst will provide reasonable assistance for data export during the active subscription and any applicable grace period.

Residual copies in encrypted backups may persist for a limited period before routine deletion as described in our Privacy Policy.

12. Audits and Compliance

Schoolyst will make available information reasonably necessary to demonstrate compliance with this DPA, which may include summaries of security practices, certifications where available, and responses to reasonable security questionnaires.

Upon written request and subject to confidentiality obligations, the Customer may conduct or appoint an independent auditor to review Schoolyst's compliance, no more than once per year unless required by a supervisory authority or following a material security incident. Audits shall be conducted during business hours with reasonable advance notice, shall not unreasonably disrupt operations, and shall be at the Customer's expense unless a material breach of this DPA is confirmed.

13. Children and Student Data

The Customer acknowledges that Customer Data may include Personal Data of children and students. The Customer represents that it has obtained all necessary parental, guardian, or legal authorizations before uploading such data.

Schoolyst will not use student Personal Data for targeted advertising or unrelated marketing. Processing is limited to providing the Services on the Customer's instructions.

14. DPDP Act (India) Specific Terms

Where the DPDP Act applies:

  • The Customer is the Data Fiduciary for Customer Data; Schoolyst is the Data Processor.
  • Schoolyst will process Personal Data only for the purposes specified in this DPA and the Customer's lawful instructions.
  • Schoolyst will implement reasonable security safeguards as required under the DPDP Act.
  • Schoolyst will notify the Customer of Personal Data breaches as described in Section 10.
  • Schoolyst will delete Personal Data upon the Customer's request at the end of retention periods, subject to legal exceptions.
  • The Customer may contact Schoolyst's Grievance Officer at privacy@schoolyst.in for processor-related concerns.

15. GDPR Specific Terms (Where Applicable)

Where the GDPR applies to processing of Customer Data:

  • The Customer is the controller; Schoolyst is the processor under Article 28 GDPR.
  • Schoolyst will assist with data protection impact assessments and prior consultation with supervisory authorities where required, taking into account the nature of processing and information available.
  • The parties agree that the EU Standard Contractual Clauses or UK International Data Transfer Addendum may be incorporated by reference if required for lawful transfers, upon Customer request.

16. Liability

Liability arising from this DPA is subject to the limitations and exclusions set forth in the Terms of Service, except where prohibited by Data Protection Laws.

17. Term and Termination

This DPA is effective for the duration of the Customer's use of the Services and continues until all Customer Data has been deleted or returned in accordance with this DPA. Sections that by nature should survive (including confidentiality, audit records, and liability limitations) will survive termination.

18. Amendments

Schoolyst may update this DPA to reflect changes in law or processing practices. Material changes will be notified to Customers with reasonable advance notice. Continued use of the Services after the effective date constitutes acceptance unless the Customer terminates as permitted under the Terms.

19. Contact

For data processing inquiries, contact:

  • Data Protection / Privacy: privacy@schoolyst.in
  • Legal: legal@schoolyst.in
  • Address: Schoolyst, 6th Phase, JP Nagar, Bengaluru, Karnataka 560078, India