
Data Processing Agreement

Contractual terms governing Simple Software Development LLC's role as a processor of Customer Data on behalf of schools using the Edminhub platform.

Owner: Simple Software Development LLC
Product: Edminhub
Version: 1.0
Effective Date: 29 April 2026

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Edminhub SaaS Subscription Agreement or other written agreement between Simple Software Development LLC and the subscribing school or educational institution (the "Customer") for use of the Edminhub platform (the "Service").

This DPA defines each party's responsibilities for personal information processed through the Service and is intended to protect school, learner, parent, guardian, teacher, staff, and institutional data while preserving reasonable legal and commercial protections for Simple Software Development LLC, its owners, directors, officers, employees, agents, and affiliates.

1. Parties

1.1 Service Provider. Simple Software Development LLC, trading as or providing the Edminhub platform, is the Service Provider under this DPA.

1.2 Customer. The Customer is the school, educational institution, or legal entity subscribing to or using the Service under the applicable SaaS Subscription Agreement.

1.3 Relationship to Main Agreement. This DPA supplements the SaaS Subscription Agreement. If there is a conflict between this DPA and the SaaS Subscription Agreement regarding the processing of personal information, this DPA will control only to the extent of that conflict. All commercial, payment, suspension, warranty, liability, dispute, and termination provisions of the SaaS Subscription Agreement remain in effect unless expressly amended in this DPA.

2. Definitions

Term | Meaning
Customer Data | All data, records, content, documents, files, and information submitted to, stored in, or processed through the Service by or on behalf of the Customer or its authorised users.
Personal Information | Information relating to an identified or identifiable person, including learner, parent, guardian, teacher, staff, administrator, and user account information.
Learner Data | Personal Information relating to learners or students, including records that may relate to attendance, academic performance, conduct, disciplinary processes, school administration, and related educational activities.
Processing | Any operation performed on Personal Information, including collection, recording, storage, retrieval, use, transmission, restriction, deletion, or destruction.
Controller | The party that determines the purpose and means of Processing Personal Information. For Customer Data, the Customer is generally the Controller.
Processor | The party that Processes Personal Information on behalf of the Controller. For Customer Data, Simple Software Development LLC generally acts as Processor.
Sub-processor | A third-party service provider engaged by Simple Software Development LLC to assist with hosting, infrastructure, email, backups, security, support, monitoring, or similar services.
Security Incident | A confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to Customer Data processed through the Service.

3. Roles and Responsibilities

3.1 Customer as Controller. The Customer determines what Personal Information is entered into the Service, who may access it, the purposes for which it is used, and the legal basis for collecting and processing it.

3.2 Service Provider as Processor. Simple Software Development LLC processes Customer Data on behalf of the Customer for the limited purpose of providing, supporting, maintaining, securing, improving, and administering the Service.

3.3 No Legal or Compliance Guarantee. Simple Software Development LLC provides a technology platform. The Customer remains responsible for determining whether its use of the Service complies with laws, regulations, school policies, education rules, parent or guardian consent requirements, and recordkeeping obligations applicable to the Customer.

3.4 Customer Instructions. The Customer instructs Simple Software Development LLC to process Customer Data as necessary to provide the Service, comply with the SaaS Subscription Agreement, support users, maintain security, prevent abuse, comply with law, and perform related operational activities.

4. Scope and Purpose of Processing

Simple Software Development LLC will process Customer Data only for the following purposes:

  • providing access to and operation of the Edminhub platform;
  • school administration workflows, learner records, attendance, academic, disciplinary, subject, class, teacher, parent, guardian, and user-account functions configured by the Customer;
  • support, troubleshooting, maintenance, backup, recovery, security monitoring, fraud prevention, and abuse prevention;
  • service improvement, provided that Personal Information is not sold and learner information is not used for advertising purposes;
  • compliance with applicable law, lawful requests, legal process, accounting, audit, tax, or regulatory obligations; and
  • any additional purpose expressly agreed in writing between the parties.

5. Categories of Data and Data Subjects

Category | Examples
Data subjects | Learners, parents, guardians, teachers, school employees, administrators, support users, authorised school representatives, and platform users.
Learner information | Name, grade, class, learner number, attendance, subjects, marks, academic records, conduct records, disciplinary records, and school administration information.
Parent or guardian information | Name, contact details, relationship to learner, communication preferences, and related school administration information.
Teacher and staff information | Name, role, subjects, classes, contact details, user permissions, and related staff administration information.
User account and system information | Usernames, email addresses, roles, permissions, login activity, audit logs, support records, and system activity logs.
Files and documents | Documents, images, forms, attachments, and school files uploaded or generated through the Service.

6. Customer Obligations

The Customer is responsible for:

  • ensuring it has the necessary authority, consent, legal basis, institutional mandate, or parent/guardian authorisation to collect, upload, and process Personal Information in the Service;
  • ensuring that Personal Information entered into the Service is accurate, relevant, lawful, and limited to what is reasonably necessary for school administration and educational purposes;
  • managing user accounts, roles, permissions, and access rights correctly;
  • promptly removing or changing access when users leave the school, change roles, or no longer require access;
  • ensuring users keep login credentials confidential and do not share accounts;
  • ensuring devices, networks, browsers, and local systems used to access the Service are reasonably secure;
  • responding to requests from learners, parents, guardians, staff, regulators, or other persons where the Customer is legally responsible for such requests;
  • retaining any independent records, reports, exports, or statutory records that the Customer is required to keep outside the Service; and
  • using the Service in accordance with applicable law, school policies, the SaaS Subscription Agreement, and this DPA.

7. Service Provider Obligations

Simple Software Development LLC will:

  • process Customer Data only in accordance with this DPA, the SaaS Subscription Agreement, the Security and Privacy Statement, the Customer's documented instructions, and applicable legal obligations;
  • apply reasonable technical and organisational safeguards intended to protect the confidentiality, integrity, and availability of Customer Data;
  • restrict administrative access to authorised personnel or authorised service providers who need access for legitimate operational, support, maintenance, or security purposes;
  • take reasonable steps to ensure that persons with authorised access to Customer Data are subject to confidentiality obligations;
  • use Customer Data only to provide, support, secure, maintain, administer, and improve the Service, unless otherwise required by law or agreed in writing;
  • not sell Customer Data; and
  • not use Learner Data for advertising purposes.

8. Strong Privacy Commitments

The following commitments are material privacy commitments of Simple Software Development LLC:

We do not sell school data, learner data, parent data, or teacher data to third parties.

We do not use learner information for advertising purposes.

For clarity, these commitments do not prevent Simple Software Development LLC from using reputable service providers to host, operate, secure, support, monitor, back up, email, or improve the Service, provided that such providers process Customer Data only as necessary to provide their services and subject to appropriate access restrictions or confidentiality obligations.

9. Security Measures

Simple Software Development LLC will maintain reasonable safeguards appropriate to the nature of the Service, the type of Customer Data processed, and the size and maturity of the platform. These safeguards may include:

Control Area | Measure
Access control | Role-based access controls, administrative access restrictions, and user permission management features.
Authentication | Password-based authentication, account controls, session management, and optional or future enhanced authentication where supported.
Encryption | Use of encrypted connections where supported for data transmitted between users and the Service.
Backups | Daily backups with a 7-day retention period, subject to the backup provisions in this DPA.
Monitoring and auditability | System logs, audit records, administrative logs, and monitoring intended to support troubleshooting, accountability, and security review.
Secure development | Secure coding practices, controlled deployment processes, review of identified vulnerabilities, and separation of development and production environments where applicable.
Incident response | Procedures to investigate, contain, mitigate, and communicate confirmed Security Incidents affecting Customer Data.
Supplier management | Use of reputable third-party infrastructure, hosting, storage, monitoring, email, backup, security, support, or operational providers.

Security measures may evolve over time as the Service matures. This DPA does not require Simple Software Development LLC to maintain any specific certification unless expressly agreed in writing.

10. Backups and Recovery

10.1 Daily Backups. Simple Software Development LLC performs daily backups of the Service with a retention period of 7 days.

10.2 Point-in-Time Backups. Point-in-time backups may be available where the Customer makes a special written arrangement with Edminhub / Simple Software Development LLC. Additional fees, technical limitations, retention conditions, or service terms may apply.

10.3 Purpose of Backups. Backups are intended for disaster recovery, operational resilience, and restoration of service where technically possible. Backups are not a substitute for the Customer's own recordkeeping, data governance, statutory retention, or independent export of important records.

10.4 No Absolute Recovery Guarantee. Simple Software Development LLC will use reasonable efforts to restore data from available backups where technically feasible, but does not guarantee that all data can be restored in every circumstance, including where data loss is caused by Customer error, incorrect user permissions, intentional deletion by authorised users, third-party failures, cyberattacks, force majeure events, or circumstances outside the reasonable control of Simple Software Development LLC.

11. Sub-processors and Third-Party Providers

11.1 Authorisation. The Customer authorises Simple Software Development LLC to use reputable Sub-processors and third-party service providers to host, operate, secure, support, monitor, back up, email, or improve the Service.

11.2 Categories. Sub-processors may include cloud hosting providers, database providers, storage providers, email delivery providers, monitoring providers, backup providers, security tools, support tools, and professional advisers.

11.3 Restrictions. Simple Software Development LLC will take reasonable steps to ensure that Sub-processors are permitted to process Customer Data only as necessary to provide their services and are subject to appropriate confidentiality or data protection obligations.

11.4 Changes. Simple Software Development LLC may change Sub-processors from time to time where reasonably necessary for operational, technical, security, pricing, or service reasons. Where required by applicable law or contract, Simple Software Development LLC will provide reasonable notice or information about material Sub-processor changes.

12. International Transfers and Hosting Location

The Customer acknowledges that the Service may be hosted or supported using cloud infrastructure, personnel, systems, or Sub-processors located outside the Customer's country. The Customer authorises such processing and transfer to the extent necessary to provide, secure, support, monitor, back up, or improve the Service.

Where applicable law requires specific transfer safeguards, the parties will cooperate in good faith to implement commercially reasonable safeguards. Simple Software Development LLC is not required to localise data or use a particular hosting region unless expressly agreed in writing and commercially available under the Customer's plan.

13. Requests from Data Subjects, Parents, Guardians, Staff, or Regulators

13.1 Customer Responsibility. Because the Customer generally acts as Controller, the Customer is responsible for responding to requests from learners, parents, guardians, teachers, staff, regulators, courts, or other authorities relating to Customer Data, unless applicable law requires otherwise.

13.2 Assistance. Simple Software Development LLC will provide reasonable assistance to the Customer, taking into account the nature of the Service, the information available to Simple Software Development LLC, and the Customer's plan. Additional fees may apply for extensive, complex, urgent, or out-of-scope assistance.

13.3 Direct Requests. If Simple Software Development LLC receives a direct request relating to Customer Data, it may refer the requester to the Customer unless legally required to respond directly.

14. Security Incidents

14.1 Response. In the event of a confirmed Security Incident affecting Customer Data, Simple Software Development LLC will take reasonable steps to investigate the incident, contain and mitigate its impact, restore affected services where technically possible, and notify the Customer where appropriate.

14.2 Notification. Notification timelines may depend on the nature of the incident, applicable legal requirements, third-party dependencies, forensic requirements, law enforcement restrictions, and the information reasonably available at the time.

14.3 Information Provided. Where appropriate and reasonably available, notice may include a summary of the incident, the categories of Customer Data reasonably believed to be affected, mitigation steps taken or planned, and recommended Customer actions.

14.4 No Admission. Any notice, investigation, mitigation step, communication, or assistance relating to a Security Incident will not be interpreted as an admission of fault, liability, breach of contract, negligence, or legal responsibility by Simple Software Development LLC, its directors, officers, employees, agents, affiliates, or Sub-processors.

14.5 Customer-Caused Incidents. The Customer remains responsible for incidents caused by Customer systems, devices, networks, credentials, user actions, misconfigured permissions, unauthorised internal access, or failure to manage accounts properly.

15. Return, Export, Retention, and Deletion

15.1 Export. During an active subscription, the Customer may request available exports or reports supported by the Service. Custom exports, migration assistance, or special formatting may be subject to additional fees and technical limitations.

15.2 Termination. Upon termination or expiry of the subscription, the Customer may request export of available Customer Data within a reasonable period and before deletion, provided that all outstanding fees have been paid and the request is technically feasible.

15.3 Retention. After termination, Simple Software Development LLC may retain Customer Data for a limited period for backup, legal, audit, accounting, billing, dispute, compliance, security, or operational purposes, after which it may delete or anonymise the data in accordance with its retention practices, unless otherwise agreed in writing.

15.4 Backup Deletion. Customer Data may remain in backups until those backups expire or are overwritten in the ordinary course of backup retention. Simple Software Development LLC is not required to isolate, edit, or delete individual records from backups unless technically feasible and legally required.

16. Audits and Security Information

16.1 Security Information. Simple Software Development LLC may provide reasonable security information, policy summaries, or assurance documents to the Customer where commercially appropriate and subject to confidentiality requirements.

16.2 Limited Audit Right. Any audit or review requested by the Customer must be reasonable, proportionate, limited to information necessary to verify compliance with this DPA, conducted during normal business hours, subject to prior written notice, and must not compromise the security, confidentiality, availability, or operations of the Service or any other customer.

16.3 Restrictions. The Customer may not conduct penetration testing, vulnerability scanning, load testing, social engineering, code review, infrastructure review, physical inspection, or intrusive assessment of the Service without prior written approval from Simple Software Development LLC.

16.4 Costs. Customer-requested audits, questionnaires, legal reviews, custom compliance assessments, or extensive security reviews may be charged at Simple Software Development LLC's then-current professional service rates.

17. Confidentiality

Each party must keep confidential any non-public information received from the other party in connection with the Service, including Customer Data, security information, business information, pricing, technical architecture, credentials, reports, vulnerabilities, and incident information. Confidential information may be used only for purposes related to the Service, this DPA, the SaaS Subscription Agreement, legal compliance, or dispute resolution.

18. No Sale of Data and No Advertising Use of Learner Data

Simple Software Development LLC will not sell Customer Data and will not use Learner Data for advertising purposes. This restriction does not prevent Simple Software Development LLC from using aggregated, anonymised, or de-identified information for service improvement, analytics, security, performance monitoring, business planning, or product development, provided that such information does not identify the Customer or any individual learner, parent, guardian, teacher, or staff member.

19. Indemnity

The Customer agrees to indemnify, defend, and hold harmless Simple Software Development LLC, its affiliates, owners, directors, officers, employees, agents, contractors, and Sub-processors from and against any third-party claims, demands, proceedings, fines, penalties, losses, damages, liabilities, costs, and expenses, including reasonable legal fees, arising out of or relating to:

  • the Customer's breach of this DPA or the SaaS Subscription Agreement;
  • Customer Data submitted to or processed through the Service;
  • the Customer's failure to obtain required consents, authorisations, legal bases, or parent/guardian permissions;
  • the Customer's failure to comply with laws applicable to its collection, use, disclosure, retention, or Processing of Personal Information;
  • claims by learners, parents, guardians, teachers, staff, regulators, or third parties relating to the Customer's use of the Service or Customer Data;
  • unauthorised access caused by Customer-controlled accounts, devices, networks, credentials, permissions, or users; and
  • Customer instructions that violate law, third-party rights, or this DPA.

20. Limitation of Liability and Protection of Directors

20.1 Liability Cap. To the fullest extent permitted by law, the total aggregate liability of Simple Software Development LLC arising out of or relating to this DPA, Customer Data, Personal Information, privacy, security, confidentiality, backups, data loss, or Security Incidents will be subject to the limitation of liability in the SaaS Subscription Agreement.

20.2 Exclusion of Indirect Losses. To the fullest extent permitted by law, Simple Software Development LLC will not be liable for indirect, incidental, special, exemplary, punitive, or consequential damages, including loss of profits, loss of revenue, loss of goodwill, loss of business opportunity, business interruption, reputational harm, or loss of data, except to the extent such exclusion is prohibited by applicable law.

20.3 No Personal Liability. To the fullest extent permitted by law, no owner, director, officer, employee, agent, contractor, shareholder, member, manager, affiliate, or representative of Simple Software Development LLC will have any personal liability to the Customer or any third party arising out of or relating to the Service, this DPA, the SaaS Subscription Agreement, Customer Data, Personal Information, backups, data loss, Security Incidents, or privacy-related claims. Any claim must be brought only against Simple Software Development LLC as the contracting entity.

20.4 No Third-Party Beneficiaries. This DPA is entered into for the benefit of the parties only and does not create rights for learners, parents, guardians, teachers, staff, users, regulators, or other third parties, except where applicable law expressly provides otherwise.

21. Compliance with Applicable Laws

Each party will comply with privacy and data protection laws applicable to it in connection with the use and provision of the Service. The Customer remains responsible for laws applicable to its collection, use, disclosure, retention, and instructions relating to Personal Information. Simple Software Development LLC remains responsible for the reasonable security and confidentiality measures it applies as service provider and Processor.

If applicable law requires additional contractual terms, transfer terms, security measures, data residency obligations, or regulatory filings not included in this DPA, the parties will cooperate in good faith to address those requirements. Additional work, cost, technical changes, or legal documentation may be subject to separate agreement and additional fees.

22. Certifications and Standards

Simple Software Development LLC may design and operate Edminhub using practices aligned with recognised security and privacy principles, including ISO/IEC 27001 control concepts and OWASP secure application development guidance. Unless expressly stated in writing, the Service is not represented as certified under ISO/IEC 27001, ISO 9001, SOC 2, Cyber Essentials, or any other formal certification scheme.

23. Governing Law and Dispute Resolution

This DPA is governed by the governing law and dispute resolution provisions of the SaaS Subscription Agreement unless the parties expressly agree otherwise in writing.

24. Order of Precedence

If there is a conflict between this DPA, the SaaS Subscription Agreement, and the Security and Privacy Statement, the following order will apply for the specific subject matter concerned:

  1. the SaaS Subscription Agreement for commercial, payment, suspension, service, warranty, liability, governing law, and dispute matters;
  2. this DPA for Personal Information Processing, Customer Data, Processor obligations, and data protection matters; and
  3. the Security and Privacy Statement for explanatory security and privacy practices, unless a statement is expressly incorporated as a binding obligation.

25. Annex A: Processing Details

Item | Description
Subject matter | Provision of the Edminhub school management platform and related support, administration, security, backup, maintenance, and operational services.
Duration | For the term of the Customer's subscription and any additional retention period permitted or required by this DPA, the SaaS Subscription Agreement, law, backup retention, audit, dispute, billing, or operational requirements.
Nature and purpose | Hosting, storing, retrieving, organising, displaying, transmitting, backing up, securing, supporting, and otherwise processing Customer Data to provide and maintain the Service.
Data subjects | Learners, parents, guardians, teachers, school employees, administrators, support users, and authorised school representatives.
Categories of Personal Information | Identification information, contact information, learner records, attendance, academic records, disciplinary records, class and subject information, user account information, audit logs, communications, documents, and related school administration information.
Special or sensitive data | The Service is not intended for unnecessary collection of sensitive data. The Customer must not upload sensitive data unless it is lawful, necessary for legitimate school administration, and authorised by the Customer's policies and applicable law.
Processing instructions | The SaaS Subscription Agreement, this DPA, the Customer's configuration and use of the Service, support requests, and any written instructions accepted by Simple Software Development LLC.

26. Annex B: Minimum Security Measures

  • Role-based access controls for user functions where supported by the Service.
  • Administrative access restricted to authorised personnel and service providers with a legitimate need.
  • Encrypted connections where supported for user access to the Service.
  • Daily backups with a 7-day retention period.
  • Audit logs or system logs for significant system and user activity where supported by the Service.
  • Reasonable vulnerability review, remediation, and secure development practices as the platform matures.
  • Reasonable incident response procedures for confirmed Security Incidents affecting Customer Data.
  • Use of reputable third-party infrastructure, hosting, storage, monitoring, email, backup, security, support, or operational providers.

27. Annex C: Customer Security Responsibilities

  • Assign users to the correct roles and permissions.
  • Remove or suspend access promptly when users leave or change responsibilities.
  • Ensure passwords and account credentials are not shared.
  • Use reasonably secure devices, browsers, and networks to access the Service.
  • Train users on appropriate handling of learner and school information.
  • Avoid uploading unnecessary sensitive information.
  • Maintain independent copies or exports of records where required by law, school policy, or operational need.
  • Notify Simple Software Development LLC promptly if unauthorised access, credential compromise, or misuse is suspected.

28. Contact

Simple Software Development LLC

Email: info@simplesoftwaredevelopment.com

Website: www.simplesoftwaredevelopment.com

Address: 131 Continental Dr, Suite 305, Newark, Delaware