P
ProofSchool

Legal

Data Processing Addendum

Version 1.0 · Effective 14 May 2026

This Data Processing Addendum (“DPA”) supplements the Terms of Service between the School (“Data Fiduciary”) and ProofChain Private Limited (“Data Processor”, “ProofChain”). It governs the processing of personal data through ProofSchool and is executed by counter-signed PDF at subscription start. The current published version is reproduced below.

1.Roles

  • The School is the Data Fiduciary under the Digital Personal Data Protection Act 2023 (“DPDP”) — it determines the purpose and means of processing.
  • ProofChain is the Data Processor — it processes personal data only on the School's documented instructions.
  • For minor data, the parents / lawful guardians provide consent on behalf of the Child. ProofChain implements the consent capture flow; the School is responsible for the underlying consent relationship with the parent.

2.Documented instructions

The School's documented instructions to ProofChain are the combination of (a) these Terms and DPA; (b) the configuration of the School's admin dashboard, templates, and sections; and (c) explicit support requests filed through the support channel. ProofChain will not process personal data outside these instructions.

3.Confidentiality

ProofChain personnel with access to school or student data are bound by written confidentiality obligations equivalent to those in this DPA. Access is logged and minimised to what is necessary to operate the service.

4.Sub-processors

The School authorises ProofChain to engage the sub-processors listed in Schedule 2 below. ProofChain will:

  • Impose data protection obligations on sub-processors no less protective than those in this DPA.
  • Give the School at least 30 days' notice before engaging a new sub-processor with access to school or student personal data.
  • Allow the School to object to a new sub-processor in good faith. If no resolution is reached within 30 days of the objection, the School may terminate without penalty and request refund of any unused portion of the subscription fee.
  • Remain liable to the School for the acts and omissions of its sub-processors with respect to the School's data.

5.Security measures

ProofChain shall maintain the technical and organisational security measures described in Schedule 3. The School is responsible for the security of credentials issued to its principal-administrator and any onward access controls within the School.

6.Data principal rights

ProofChain shall assist the School in responding to Data Principal rights requests under the DPDP Act (access, correction, erasure, nomination). Where ProofChain receives a Data Principal request directly, it shall promptly route the request to the School and not act on it without the School's instruction, except where required by law.

7.Breach notification

If ProofChain becomes aware of a personal data breach affecting the School's data, ProofChain shall notify the School in writing without undue delay and in any event within 72 hours of discovery, with the facts then available concerning scope, cause, and remediation. ProofChain shall cooperate with the School in its own statutory notifications to the Data Protection Board and to affected Data Principals where required.

8.Audit rights

The School may, on 30 days' written notice and not more than once per 12 months (except after a confirmed security incident), audit ProofChain's compliance with this DPA. Audits are conducted at the School's expense and during ordinary business hours. ProofChain may provide third-party security attestations (when available) in lieu of on-site audit.

9.International transfers

All processing happens within India (asia-south1 / Mumbai). ProofChain does not transfer school or student personal data outside India for processing. Inference calls to third-party AI providers (Anthropic) are bound by Schedule 2 conditions and do not constitute a cross-border transfer under the DPDP Act's implementation rules as currently published.

10.Return and deletion

On termination of the subscription, ProofChain shall:

  • Maintain access to school + student data for 90 days to allow export.
  • After the 90-day window, delete school + student personal data from all live systems. Backups containing the data will be expunged on the standard backup-rotation cycle (90 days).
  • Retain audit-trail records of consent and deletion, plus billing records, for the period required by Indian law (8 years for tax / accounting records).
  • Provide written confirmation of deletion to the School on request.

11.Term, liability, governing law

This DPA enters into force on the effective date of the School's subscription and continues until all personal data has been deleted in accordance with Section 10. Liability under this DPA is subject to the limitations in the Terms of Service. The DPA is governed by the laws of India and the courts at Coimbatore, Tamil Nadu have exclusive jurisdiction.

Schedule 1Categories of personal data processed

  • School admin: name, email, phone (optional), role, school affiliation.
  • Teacher: name, employee code (optional), email (optional), subjects, sections, grade band.
  • Student response: anonymous answers (no identifiers), language preference, response timestamp, hashed IP (rate-limit and audit).
  • Parental consent record: consent token, hashed IP, terms version, timestamp, school + class reference.
  • Teacher artifact submissions: structured text (lesson plan, assessment paper, reflective practice).
  • Billing: invoice metadata; card / UPI handled by Razorpay and not stored by ProofChain.
  • Diagnostic logs (filtered to exclude response content).

Schedule 2Sub-processors

The following sub-processors are engaged as of the effective date:

Sub-processorPurposeRegion
Google Cloud / FirebasePrimary hosting, database (Firestore), storage, authentication, Cloud Functions runtime.asia-south1 (Mumbai)
AnthropicAI inference for narrative report generation and artifact evaluation. Customer inputs are not used for model training per Anthropic policy.US (cross-border processing under contractual safeguards)
RazorpayPayment processing for annual subscription orders and recharge packs. PCI-DSS compliant. Card / UPI details never reach ProofChain.India
ResendTransactional email delivery (invoices, password resets, report-ready notifications).US
SentryError monitoring for the admin dashboard. Diagnostic data only; response content is filtered out before transmission.US
Better StackUptime monitoring and status page. No customer data passes through.EU

The current sub-processor list is also published at /dpa and reviewed quarterly.

Schedule 3Technical and organisational measures

  • Encryption in transit — TLS 1.2+ on all public endpoints. HSTS enabled.
  • Encryption at rest — Firestore + Cloud Storage AES-256 by default (Google-managed keys).
  • Authentication — Firebase Auth, strong password requirements, session expiry, optional admin MFA for the principal-administrator.
  • Authorisation — Firestore Security Rules enforce school-level data isolation. Engineers do not have production read access without a logged + approved access request.
  • Network — Cloud Functions and Firestore served by Google Cloud (asia-south1); no public network exposure of databases.
  • Logging & monitoring — Sentry for application errors (response content filtered out); Better Stack for uptime; Firebase audit logs; a ProofSchool-specific immutable audit log for admin actions, consent capture, AI generation, and credit debits.
  • Personnel security — confidentiality obligations, role-based access, prompt revocation on offboarding.
  • Backup & recovery — Firestore PITR (point-in-time recovery) with 7-day window. Backups inherit at-rest encryption and asia-south1 region.
  • Vulnerability management — quarterly dependency audit; security advisories tracked.
  • Incident response — documented and rehearsed 72-hour breach notification path.