← Back to Legal Hub

Data Processing Agreement (DPA)

Part III of the Mentora Tanzania Legal Framework

This Data Processing Agreement forms an integral part of the Mentora Service Agreement between the Institution (Data Controller) and Evolucion Technologies Company Limited (Data Processor).

12. Roles of the Parties

Institution: Data Controller

The Institution determines the purposes and means of processing student and staff data.

Company: Data Processor

The Company processes Personal Data solely on documented instructions from the Institution.

13. Subject Matter of Processing

The processing relates to:

  • Educational content management
  • Student performance tracking
  • Lesson planning tools
  • Analytics dashboards
  • Communication systems
  • AI-powered instructional support

14. Duration of Processing

Processing shall continue for the duration of the service agreement unless terminated earlier in writing.

15. Nature and Purpose of Processing

Processing includes:

  • Collection of academic data
  • Secure storage and structuring
  • Analytics generation
  • AI-assisted lesson recommendations
  • Reporting and administrative summaries
  • System security and fraud prevention

Processing is strictly limited to educational delivery and institutional management.

16. Types of Personal Data Processed

  • Student identity data
  • Academic records
  • Teacher records
  • Attendance logs
  • Behavioral engagement metrics
  • Institutional administrative data

Sensitive personal data shall only be processed where explicitly authorized by the Controller.

17. Obligations of the Data Processor

The Company shall:

  • Process data only on documented instructions from the Controller
  • Ensure confidentiality of all personnel handling Personal Data
  • Implement appropriate technical and organizational measures to protect data
  • Assist the Controller in fulfilling data subject rights requests
  • Notify the Controller without undue delay upon discovery of a data breach
  • Cooperate with regulatory authorities where required by law
  • Delete or return all Personal Data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance

18. Sub-Processors

The Company may engage sub-processors (e.g., cloud hosting providers) under written agreements ensuring:

  • Equivalent data protection standards
  • Confidentiality obligations
  • Security compliance

The Institution may request a current list of sub-processors at any time. The Company shall provide reasonable prior notice before engaging new sub-processors.

19. International Transfers

Where data is transferred outside Tanzania:

  • Adequate safeguards shall be applied in accordance with applicable law
  • Standard contractual clauses shall be implemented where necessary
  • Equivalent or higher levels of data protection shall be maintained
  • The Institution shall be informed of the countries and safeguards involved

20. Data Subject Rights Assistance

The Company shall assist the Institution in responding to:

  • Access requests — providing copies of personal data held
  • Rectification requests — correcting inaccurate or incomplete data
  • Erasure requests — deleting data where legally required
  • Objections to processing — ceasing processing where applicable
  • Data portability requests — providing data in structured, machine-readable format

Responses shall be facilitated within legally required timelines.

21. Data Breach Management

In case of a data breach, the Company shall:

  1. Implement immediate containment measures to limit the scope of the breach
  2. Conduct an internal investigation to determine the cause and extent
  3. Notify the Institution without undue delay (within 72 hours of discovery)
  4. Notify the relevant regulatory authority where required by law
  5. Implement remediation and prevention actions to prevent recurrence
  6. Provide a written incident report detailing impact, response, and corrective measures

22. Audit Rights

The Institution may, upon reasonable notice:

  • Request compliance documentation and certifications
  • Conduct remote or on-site audits
  • Review security certifications and third-party audit reports

Audits shall be conducted during normal business hours and shall not compromise the security of other clients' data.

23. Return or Deletion of Data

Upon termination of the service agreement:

  • All Personal Data shall be returned to the Institution or securely deleted at the Institution's election
  • Written confirmation of deletion shall be provided upon request
  • Backup deletion shall follow defined retention cycles (maximum 90 days)
  • Data may be retained where required by applicable law, subject to continued confidentiality

24. Indemnification

The Company shall indemnify the Institution against proven damages arising from Processor negligence or unlawful processing in breach of this Agreement.

The Institution shall indemnify the Company where damages arise from unlawful instructions provided by the Institution.

25. Confidentiality

Both Parties shall treat all shared information as confidential and shall not disclose to unauthorized third parties. This obligation survives termination of the Agreement.

26. Severability

If any provision of this Agreement is declared invalid or unenforceable, the remaining provisions shall remain in full force and effect.

27. Entire Agreement

This Agreement constitutes the entire understanding between the Parties concerning data protection and platform use, and supersedes all prior agreements and understandings relating to the subject matter hereof.

Contact

For DPA-related inquiries, contact: mentoratanzania@gmail.com.