This Data Processing Agreement (the "DPA") forms part of the agreement between SLAET and your school (the "Customer") regarding the use of the SLAET school management platform. It governs how SLAET processes personal data on behalf of the Customer in compliance with the Nigeria Data Protection Act 2023 (NDPA) and related Nigerian privacy law.
By using SLAET, the Customer accepts the terms of this DPA. Schools that require a counter-signed DPA should email support@getslaet.com and SLAET will provide a signed PDF version on request.
1. Purpose and scope
This DPA applies to all personal data that the Customer, its staff, parents, or students provide to SLAET, or that SLAET otherwise processes on behalf of the Customer through the platform. It sets out the rights and obligations of both parties regarding that processing.
2. Definitions
- Personal data: any information relating to an identified or identifiable individual, as defined by the NDPA.
- Processing: any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Controller: the party that determines the purposes and means of processing personal data. For student, staff, and parent data entered into SLAET, the Controller is the Customer (the school).
- Processor: the party that processes personal data on behalf of the Controller. For data entered into SLAET, the Processor is SLAET.
- Subprocessor: a third party engaged by SLAET to help process personal data.
- Data subject: the individual to whom the personal data relates (for example, a student, staff member, or parent).
3. SLAET's role
SLAET acts as a Processor in relation to personal data the Customer enters into or generates through the platform. SLAET will process personal data only on the Customer's documented instructions, which include the Customer's use of the platform's features and functionality, and these Terms.
4. The Customer's role
The Customer acts as the Controller and is responsible for:
- Ensuring that personal data is collected and used lawfully, including obtaining any required consent from staff, parents, and students (or their guardians).
- Ensuring that personal data is accurate and up to date.
- Providing data subjects with appropriate notices about how their data is used by the school.
- Complying with its own obligations under the NDPA and related Nigerian law.
5. Scope of processing
SLAET processes the following categories of personal data on behalf of the Customer:
- Staff data: contact information, role, salary (if the payroll module is used), and platform activity.
- Student data: names, dates of birth, academic records, attendance records, fee records, and related information.
- Parent and guardian data: contact information and communications sent or received through the platform.
- Administrative data: any additional information the Customer chooses to store in the platform for management purposes.
The purpose of the processing is to provide the school management services described in the main agreement, including academic record-keeping, attendance, fee tracking, communications, and related administrative functions.
6. Duration and termination
This DPA takes effect when the Customer starts using SLAET and continues until the agreement between SLAET and the Customer is terminated. On termination, SLAET will delete or return personal data as described in Section 13.
7. SLAET's obligations as Processor
As Processor, SLAET will:
- Process personal data only on the Customer's documented instructions, unless otherwise required by law.
- Implement appropriate technical and organizational security measures to protect personal data, including encryption in transit and at rest, access controls, and regular security reviews.
- Ensure that personnel with access to personal data are bound by confidentiality obligations.
- Not engage any new subprocessor without providing the Customer an opportunity to object (see Section 8).
- Assist the Customer in responding to data subject rights requests, to the extent reasonably possible.
- Notify the Customer of any personal data breach without undue delay (see Section 10).
- Cooperate with reasonable audits (see Section 11).
8. Subprocessors
SLAET uses the following subprocessors to deliver the platform:
- Supabase: primary database and backend infrastructure.
- Resend: transactional and newsletter email delivery.
- Paystack: payment processing for subscription billing.
- Cloudflare: content delivery, caching, and protection from attacks.
Each subprocessor is bound by written agreement to maintain appropriate security and confidentiality standards. SLAET remains responsible to the Customer for the acts and omissions of subprocessors.
SLAET will provide reasonable advance notice if it intends to add or change a subprocessor. The Customer may object on reasonable grounds, and SLAET will work with the Customer in good faith to address the concern. If the concern cannot be resolved, the Customer may terminate the agreement.
9. Data subject rights
Data subjects have rights under the NDPA, including the rights to access, correct, delete, and object to processing of their personal data.
The Customer is primarily responsible for responding to data subject requests. SLAET will provide reasonable assistance, including providing export tools, correcting data on request, and deleting records when the Customer instructs.
If a data subject contacts SLAET directly, we will refer them to the Customer, unless law requires otherwise.
10. Data breach notification
If SLAET becomes aware of a personal data breach affecting the Customer's data, we will notify the Customer without undue delay, typically within 72 hours of becoming aware of it. The notification will include, to the extent known:
- The nature of the breach and the categories of data affected.
- The approximate number of data subjects affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach.
The Customer is responsible for any further notifications required to data subjects or regulators, though SLAET will assist as reasonably requested.
11. Audits
On reasonable written request, SLAET will make available information necessary to demonstrate compliance with this DPA. This typically takes the form of summaries, policy documents, and security attestations rather than direct audits of production systems, to protect the security of all customers.
On-site audits are not offered as a standard matter, because SLAET operates shared infrastructure and direct access would compromise the security of other schools. We will work with Customers with specific regulatory audit needs to find a reasonable alternative.
12. International transfers
SLAET's primary data storage is with Supabase, which may host data outside Nigeria. The Customer agrees that personal data may be transferred and processed internationally as necessary to provide the platform. SLAET will implement appropriate safeguards for such transfers in line with the NDPA's cross-border transfer requirements.
13. Data deletion on termination
On termination of the agreement, SLAET will, at the Customer's choice:
- Delete personal data from the platform within 90 days of termination, except where retention is required by law; or
- Provide the Customer with a final export of personal data before deletion, in a commonly used format.
Backup copies are deleted as part of our normal backup rotation, typically within 90 days.
14. Governing law
This DPA is governed by the laws of the Federal Republic of Nigeria and forms part of the main agreement between SLAET and the Customer. In the event of any conflict between this DPA and the main Terms of Service, this DPA controls with respect to data processing matters.
15. Contact and signing
Questions about this DPA, or requests for a counter-signed PDF version, should be directed to support@getslaet.com.
If your school requires a DPA executed under your own legal entity name, include the entity details in your email and we will return a signed PDF within a reasonable time.