Data Processing Agreement and Sub-processors
This Data Processing Agreement ("DPA") applies where an educational institution (the "Data Fiduciary" or "Controller") uses BigBeeSec, a unit of Geethanjali Technologies (the "Data Processor"), to process personal data of its students and staff. It forms part of the partnership agreement and supports the DPDP Act, 2023 and, where applicable, the GDPR.
1. Roles
The Institution determines the purposes and means of processing its students' and staff's personal data and is the Controller. BigBeeSec processes that data on the Institution's documented instructions and is the Processor. For data BigBeeSec collects for its own purposes (for example platform security), BigBeeSec is the Controller, as described in the Privacy Policy.
2. Scope and instructions
BigBeeSec will process personal data only to provide the Platform and on the Institution's documented instructions, including this DPA, and will tell the Institution if an instruction appears to breach applicable law.
3. Categories
- Data subjects: the Institution's students, instructors, and contacts.
- Personal data: names, institutional emails, optional phone numbers, department and batch, profile photos, verification documents, and usage and consent records.
4. Obligations of the Processor
BigBeeSec will:
- keep personal data confidential and ensure personnel are bound by confidentiality;
- apply appropriate technical and organisational security (encryption in transit, hashed passwords, field-level encryption for identity documents, least-privilege access, logging);
- assist the Institution with data-subject requests and, where relevant, breach notification and impact assessments;
- notify the Institution without undue delay after becoming aware of a personal data breach; and
- on termination, delete or return personal data, subject to legal retention.
5. Sub-processors
The Institution authorises BigBeeSec to engage sub-processors under written terms no less protective than this DPA. Current categories of sub-processors:
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting and database | Run the Platform and store data | disclosed in the current sub-processor list |
| Transactional email delivery | Send verification and notification email | disclosed in the current sub-processor list |
| SMS OTP delivery | Send one-time passcodes | disclosed in the current sub-processor list |
BigBeeSec will give the Institution prior notice of any intended addition or replacement of a sub-processor and a chance to object on reasonable data-protection grounds.
6. International transfers
Where a sub-processor processes data outside India, BigBeeSec will use transfer mechanisms appropriate under the DPDP Act and, where applicable, GDPR safeguards such as standard contractual clauses.
7. Audit
BigBeeSec will make available information reasonably necessary to demonstrate compliance and will allow audits under reasonable, confidential, mutually agreed terms.
8. Liability and term
This DPA runs for the term of the partnership and survives until all personal data is deleted or returned. Liability is subject to the partnership agreement.