Ardent SMS
FeaturesPricingFor SchoolsFor Parents
Sign inBook Demo
Demo

Data Processing Agreement (DPA)

Standard Processor Commitments

For Schools: This Data Processing Agreement (DPA) outlines our commitments as a data processor when handling student, staff, and guardian data on behalf of your institution. A full, executable DPA is included in your Master Service Agreement.

1. Scope and Roles

This DPA summary outlines the commitments Ardent Africa Technology LTD ("Processor") makes to its School partners ("Controller") regarding the processing of personal data. These terms are fully incorporated into our standard Master Service Agreement (MSA).

2. Processor Obligations

Ardent agrees to:

  • Process data only on documented instructions from the Controller, unless required by law.
  • Ensure personnel are committed to confidentiality through binding non-disclosure agreements.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist the Controller in responding to data subject requests and ensuring compliance with statutory security obligations.

3. Sub-processing

Ardent uses a limited number of high-tier subprocessors (e.g., AWS, Supabase, Paystack) to provide the Service. We remain fully liable for the performance of our subprocessors and will provide the Controller with notice of any intended changes to our subprocessor list.

4. Data Breach Notification

In the event of a personal data breach, Ardent will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach. We will provide detailed information regarding the nature of the breach and the measures taken to mitigate its effects.

5. Audit Rights

Ardent shall make available to the Controller all information necessary to demonstrate compliance with our DPA obligations and shall allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller.

5. Data Subject Rights

Ardent will assist the Controller in fulfilling data subject rights requests, including:

  • Right of Access: Providing data exports in machine-readable formats within 30 days
  • Right to Rectification: Enabling Controllers to correct inaccurate data through the platform
  • Right to Erasure: Permanently deleting data upon Controller request (subject to legal retention requirements)
  • Right to Restriction: Temporarily suspending processing of specific data sets
  • Right to Data Portability: Exporting data in CSV, JSON, or PDF formats

Response time: Within 5 business days of receiving a valid request from the Controller.

6. Security Measures

Ardent implements comprehensive technical and organizational measures (TOMs):

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access Controls: Role-based access control (RBAC) with multi-factor authentication (MFA)
  • Network Security: Firewalls, intrusion detection systems, DDoS protection
  • Data Isolation: Multi-tenant architecture with Row-Level Security (RLS)
  • Monitoring: 24/7 security monitoring and incident response
  • Backups: Daily automated backups with 30-day retention
  • Penetration Testing: Annual third-party security audits
  • Staff Training: Mandatory security and privacy training for all personnel

7. Data Processing Records

Ardent maintains detailed records of all processing activities, including:

  • Categories of data processed
  • Purposes of processing
  • Categories of data subjects
  • Recipients of personal data
  • International data transfers (if applicable)
  • Retention periods
  • Security measures implemented

These records are available to Controllers upon request and to supervisory authorities during audits.

8. Return and Deletion of Data

Upon termination of the service agreement or upon Controller request:

  • Data Export: Complete data export provided in standard formats (CSV, JSON, PDF)
  • Retention Period: 90-day grace period for data recovery after termination
  • Secure Deletion: Permanent deletion using industry-standard data sanitization methods
  • Deletion Certificate: Written confirmation of deletion provided upon request
  • Backup Deletion: Data removed from all backup systems within 90 days

9. Liability and Indemnification

Ardent's liability under this DPA is subject to the limitations set forth in the Master Service Agreement. However, we maintain:

  • Professional liability insurance covering data breaches and privacy violations
  • Cyber liability insurance with minimum coverage of $2 million USD
  • Commitment to indemnify Controllers for losses arising from our breach of this DPA
Request Full DPA Documentation

For a complete, executable copy of our Data Processing Agreement or to discuss specific data processing requirements:

Email: legal@ardentsms.com
Phone: +233 (0) 30 123 4567

Legal Department
Ardent Africa Technology LTD
123 Independence Avenue
Accra, Ghana