Loading Data Processing Agreement
Effective Date: February 26, 2026
This Agreement satisfies Article 2.3 of the NDPR requiring written agreements between Data Controllers and Data Processors.
1. Parties
Data Controller: The registered school using Gradely.info ("School")
Data Processor: Remit Integrated Services LTD, operating gradely.info ("Gradely")
This Agreement governs the processing of personal data by Gradely on behalf of the School in connection with the Gradely Info Portal services.
2. Scope of Processing
Gradely processes the following categories of personal data on behalf of the School:
- Student Data: Student ID, name, class/grade, academic results, attendance records
- Parent/Guardian Data: Name, email address, phone number, relationship to student
- Authentication Data: Hashed passwords, login timestamps, session tokens
- Usage Data: Feature access logs, announcement delivery records (anonymized where possible)
Purpose of Processing: To provide the Gradely Info Portal services, including student result management, parent access authentication, announcement delivery, and subscription management.
3. School Responsibilities (Data Controller)
The School agrees to:
- Obtain lawful basis for collecting student and parent data under NDPR 2019 (consent, contract, legal obligation, or legitimate interest)
- Ensure data accuracy and update records when information changes
- Respond to data subject requests (access, correction, deletion) within required timelines
- Notify Gradely within 24 hours of becoming aware of any personal data breach
- Comply with all applicable Nigerian data protection laws, including the NDPR 2019 and Cybercrimes Act 2015
- Obtain necessary consents from parents/guardians before uploading student data to the platform
4. Gradely Responsibilities (Data Processor)
Gradely agrees to:
- Process personal data only on documented instructions from the School
- Implement appropriate technical and organizational security measures (encryption at rest and in transit, access controls, regular security audits)
- Ensure personnel authorized to process personal data are bound by confidentiality obligations
- Assist the School in responding to data subject requests and regulatory inquiries
- Notify the School without undue delay upon becoming aware of a personal data breach
- Delete or return all personal data upon termination of services, unless retention is required by Nigerian law
- Maintain records of processing activities as required by NDPR Article 2.6
5. Sub-Processors
The School acknowledges that Gradely engages the following third-party sub-processors to deliver services:
- Paystack (Flutterwave): Payment processing for school subscriptions
- Infobip: SMS notification delivery
- Resend: Email notification delivery
- AWS/Render: Cloud hosting and infrastructure
Gradely maintains written agreements with all sub-processors requiring equivalent data protection standards. The School may object to new sub-processors by contacting support@gradely.info within 14 days of notice.
6. Data Security Measures
Gradely implements the following security measures to protect personal data:
- Encryption: TLS 1.3 for data in transit; AES-256 encryption for sensitive data at rest
- Access Controls: Role-based access, multi-factor authentication for admin accounts, principle of least privilege
- Monitoring: 24/7 security monitoring, intrusion detection, regular vulnerability assessments
- Backups: Encrypted daily backups with 30-day retention; tested restoration procedures
- Training: Regular security awareness training for all personnel with data access
7. Data Breach Notification
In the event of a personal data breach:
- Gradely will notify the School within 24 hours of becoming aware of the breach
- Notification will include: nature of breach, categories of data affected, likely consequences, measures taken
- Gradely will assist the School in notifying the Nigeria Data Protection Bureau (NDPB) within 72 hours if required
- Gradely will assist the School in notifying affected data subjects where the breach poses high risk to their rights
8. Data Retention & Deletion
Retention Period: Personal data is retained for the duration of the School's active subscription plus 30 days thereafter.
Deletion Process: Upon termination or written request, Gradely will securely delete all personal data within 30 days, except where retention is required by Nigerian law (e.g., tax records, audit logs).
School-Requested Deletion: Schools may request deletion of specific student/parent records via the admin dashboard or by contacting support@gradely.info. Gradely will process deletion requests within 14 days.
9. International Data Transfers
Gradely's infrastructure may process data outside Nigeria. Where transfers occur:
- Transfers comply with NDPR Article 2.12 requirements for adequate safeguards
- Standard Contractual Clauses or equivalent protections are in place with sub-processors
- The School consents to such transfers by using the Gradely services
10. Audit & Compliance
School Audit Rights: The School may request a compliance report annually. On-site audits require 30 days' notice and are subject to Gradely's security policies.
Regulatory Cooperation: Both parties agree to cooperate with the Nigeria Data Protection Bureau (NDPB) and other relevant authorities in investigations or compliance reviews.
11. Liability & Indemnification
Gradely Liability: Gradely's total liability under this Agreement shall not exceed the fees paid by the School in the 12 months preceding the claim, except for breaches of confidentiality or data protection obligations.
School Indemnification: The School agrees to indemnify Gradely against claims arising from the School's unlawful collection, use, or disclosure of personal data.
12. Term & Termination
This Agreement remains in effect for the duration of the School's use of Gradely services. Either party may terminate with 30 days' written notice. Upon termination, Gradely will delete or return personal data as specified in Section 8.
13. Governing Law & Dispute Resolution
This Agreement is governed by the laws of Nigeria. Any disputes shall first be resolved through good-faith negotiation. If unresolved, disputes shall be submitted to the exclusive jurisdiction of Nigerian courts.