Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the OrvexCore service agreement between your institution and OrvexCore Ltd. It governs how we process personal data on your behalf under NDPR, GDPR, and applicable data protection law.
1. Definitions
In this Agreement: "Controller" means the educational institution contracting OrvexCore services. "Processor" means OrvexCore Ltd. "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable data protection law. "Processing" includes any operation performed on Personal Data.
2. Scope of Processing
OrvexCore processes Personal Data solely on the documented instructions of the Controller. The categories of data processed include student records (names, dates of birth, enrolment status), guardian contact information, payment history and financial records, attendance data, and academic results. Processing occurs within the OrvexCore platform infrastructure to deliver contracted services.
3. OrvexCore Obligations
OrvexCore shall: (a) process Personal Data only on documented Controller instructions; (b) ensure personnel authorised to process Personal Data are bound by appropriate confidentiality obligations; (c) implement technical and organisational measures as set out in our Security Policy; (d) assist the Controller in fulfilling data subject rights requests; (e) delete or return all Personal Data upon termination of the service agreement.
4. Sub-Processors
OrvexCore engages sub-processors to deliver its services, including cloud infrastructure providers, payment gateway operators, and communication platform vendors. A current list of sub-processors is available on request. OrvexCore shall notify the Controller of any intended changes to sub-processors with no less than 30 days' notice, providing the Controller the opportunity to object.
5. Data Transfers
Personal Data is processed primarily within data centres in West Africa and the European Economic Area. Where Personal Data is transferred to third countries, OrvexCore ensures appropriate safeguards are in place, including Standard Contractual Clauses or equivalent mechanisms approved by applicable supervisory authorities.
6. Security Measures
OrvexCore implements appropriate technical and organisational measures including: AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, immutable audit logging, automated vulnerability scanning, and regular penetration testing. Full details are available in our Security Policy document.
7. Data Breach Notification
In the event of a Personal Data breach, OrvexCore shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, to the extent such notification is possible. Notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken.
8. Audit Rights
OrvexCore shall make available all information necessary to demonstrate compliance with obligations under this Agreement and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor. OrvexCore may require reasonable advance notice and impose confidentiality obligations on auditors.
9. Termination
Upon termination of the service agreement, OrvexCore shall, at the Controller's election, either delete or return all Personal Data to the Controller within 30 days, and delete existing copies thereafter, unless storage is required by applicable law.
Need a signed DPA?
Enterprise and regulated institution customers can request a countersigned Data Processing Agreement from our team.
Request signed DPA