← Back to Karo

Data Processing Agreement

Version 1.1. Last updated: 13 July 2026.

Every school using Karo signs this DPA on its first authenticated sign-in. It sits alongside the Terms of Service and the Privacy Policy, and is supported by the risk assessment in the Data Protection Impact Assessment.

DATA PROCESSING AGREEMENT (Version 1.1)

This Data Processing Agreement ("DPA") forms part of the agreement between:

(A) The school, college, university, or other education institution
    identified in the Karo account of the accepting user ("Controller"),
    represented by the signatory below; and

(B) Karo Digital Classics Ltd, a company incorporated in the Republic of Kenya,
    operator of the Karo school-operations platform ("Processor",
    "Karo").

together the "Parties". Karo processes personal data on the Controller's
behalf as its processor within the meaning of the Kenya Data Protection
Act, 2019 and, where applicable to the Controller, Article 28 of the EU
General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

1. SUBJECT MATTER AND DURATION
   Karo processes personal data solely to provide the Karo platform to
   the Controller: enrolling students and guardians, issuing invoices,
   collecting payments through regulated payment processors, delivering
   receipts and notices, and producing operational reports. This DPA
   applies for as long as the Controller's Karo account is active and,
   for retention purposes, for the periods set out below.

2. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA
   Data subjects: staff members, students, and guardians of students.
   Categories of personal data: full names, phone numbers, email
   addresses, admission numbers, class and stream assignments, guardian
   relationships, invoice line items, payment references, receipt
   numbers, message delivery status, and login/audit metadata. Karo does
   not process special-category data (health, religion, political
   opinion, biometrics) as a normal course of business. Card and mobile-
   money credentials are never stored on Karo; those are held by the
   regulated payment processor.

3. ROLES
   The Controller determines the purposes and means of processing and is
   solely responsible for the lawful basis of every record it enters
   into Karo. Karo processes personal data only on the Controller's
   documented instructions, which for standard operations are the
   configurations and actions performed through the Karo application.
   Additional instructions must be given in writing to
   info@karoschool.net.

4. PROCESSOR OBLIGATIONS
   Karo will:
   (a) process personal data only on the Controller's instructions and
       only for the platform's operating purposes;
   (b) ensure every person authorised to access personal data is bound
       by a written duty of confidentiality;
   (c) implement and maintain the technical and organisational security
       measures described in Schedule A below;
   (d) assist the Controller in responding to data-subject rights
       requests (access, rectification, erasure, restriction,
       portability, objection) within the timelines that apply to the
       Controller under the Act or GDPR;
   (e) notify the Controller without undue delay, and no later than
       seventy-two (72) hours after becoming aware, of any personal-data
       breach affecting the Controller's data;
   (f) at the Controller's choice, delete or return all personal data
       at the end of the service, subject to the retention periods in
       clause 8; and
   (g) make available all information reasonably necessary to
       demonstrate compliance with this DPA and permit audits carried
       out by the Controller or an independent auditor mandated by the
       Controller, at reasonable intervals, on reasonable notice, and
       subject to appropriate confidentiality undertakings.

5. CONTROLLER OBLIGATIONS
   The Controller warrants that it has a lawful basis to process the
   personal data it enters into Karo, has provided any notices required
   under the Act or GDPR to its data subjects, and will not upload
   personal data of any child except in the ordinary course of school
   administration.

6. CONFIDENTIALITY AND NON-DISCLOSURE
   Each Party may receive or access non-public information from the other
   Party in connection with setting up, operating, evaluating, supporting,
   auditing, or improving a Karo account ("Confidential Information").
   Confidential Information includes, without limitation: platform source
   code, database schemas, API keys, integration credentials, security
   controls, product roadmaps, pricing arrangements, user lists, message
   templates, fee structures, student and guardian data, payment settlement
   details, banking configuration, school operational records, and any
   information marked or reasonably understood as confidential.

   Each Party will: (a) hold the other Party's Confidential Information in
   strict confidence; (b) use it only for the purposes of using, providing,
   supporting, securing, or evaluating Karo; (c) protect it with at least
   the same degree of care it uses for its own confidential information,
   and never less than reasonable care; (d) disclose it only to employees,
   contractors, sub-processors, or professional advisers who need to know
   it and are bound by equivalent confidentiality duties; (e) not reproduce,
   reverse-engineer, decompile, attempt to derive source code from, copy,
   benchmark publicly, or replicate any Karo software or infrastructure;
   and (f) not use Confidential Information to compete with, undermine, or
   harm the other Party's business, staff, schools, guardians, students, or
   suppliers.

   These obligations do not apply to information that is publicly known
   through no breach of this DPA, already lawfully possessed without a duty
   of confidentiality, independently developed without reference to the
   other Party's Confidential Information, or required to be disclosed by
   law or a competent authority, provided the receiving Party gives prompt
   written notice where lawful. No license, ownership, or intellectual-
   property right is granted by disclosure. All Karo software, brand assets,
   documentation, templates, and derivative works remain the property of
   Karo Digital Classics Ltd.

   Confidentiality obligations apply for the duration of the Controller's
   Karo account and for 10 years thereafter.
   Obligations relating to personal data, trade secrets, source code,
   security controls, credentials, and banking or payment configuration
   survive for as long as the information remains legally protectable or
   confidential. The Parties acknowledge that breach may cause irreparable
   harm, and the non-breaching Party may seek injunctive relief in addition
   to any other remedy available at law or equity.

7. SUB-PROCESSORS
   The Controller authorises Karo to engage the following categories of
   sub-processors:
   (i)   cloud hosting and database (Supabase, hosted on Amazon Web
         Services within a region approved for the Controller's data
         residency);
   (ii)  transactional messaging carriers (Twilio for WhatsApp and SMS,
         Africa's Talking as an SMS alternative where available, Resend
         for email);
   (iii) payment processing (Paystack for card and mobile-money
         settlement to the Controller's own bank account);
   (iv)  document generation and delivery (Karo's own PDF orchestrator
         and the storage layer above).
   Karo will impose data-protection obligations on each sub-processor
   that are no less protective than this DPA. Karo will notify the
   Controller of any intended change of, or addition to, sub-processors
   at least thirty (30) days in advance and give the Controller the
   opportunity to object on reasonable data-protection grounds.

8. INTERNATIONAL TRANSFERS
   Where personal data is transferred outside Kenya or, for GDPR-subject
   Controllers, outside the European Economic Area, Karo will rely on
   an adequacy decision, the standard contractual clauses issued by the
   European Commission (2021/914), or the Office of the Data Protection
   Commissioner-approved safeguards, whichever apply. A copy of the
   applicable safeguard is available on request.

9. RETENTION
   Karo retains personal data for as long as the Controller's account
   is active. On termination:
   (a) Financial records — invoices, receipts, payments, payment
       allocations, and the append-only audit log — are retained for
       7 years from the date each record was
       created. This is the maximum lawful retention required by
       Kenyan tax and public-audit statutes and is applied so records
       remain available to auditors and to the Controller for the full
       lawful period.
   (b) Operational records — students, guardians, staff, message logs,
       branding assets — are retained in a thirty (30) day archive from
       which the Controller may restore, then purged, unless the
       Controller requests earlier deletion or a legal hold applies.
   (c) DPA and Terms acceptance records are retained for
       10 years for compliance evidence.
   (d) Backups follow their own thirty (30) day rolling schedule and
       are then overwritten.

10. DATA-SUBJECT REQUESTS
   If Karo receives a request from a data subject relating to personal
   data processed on the Controller's behalf, Karo will (a) not respond
   substantively other than to acknowledge receipt and route the
   request to the Controller, and (b) provide the Controller with
   reasonable assistance to respond within its statutory time limits.

11. LIABILITY AND INDEMNITY
    The Parties' liability under this DPA is subject to the limits set
    out in the Karo Terms of Service. Neither Party excludes liability
    that cannot lawfully be excluded, including liability under the
    Act for breaches attributable to that Party.

12. GOVERNING LAW AND JURISDICTION
    This DPA is governed by the laws of the Republic of Kenya. The
    courts of Nairobi have exclusive jurisdiction, without prejudice
    to either Party's right to seek interim relief in any competent
    jurisdiction, and to any mandatory rights of a data subject under
    the Act or GDPR to bring proceedings in the courts of their
    habitual residence.

13. ORDER OF PRECEDENCE
    In case of conflict, this DPA prevails over the Karo Terms of
    Service to the extent of the conflict on data-protection matters,
    followed by the Terms of Service, followed by any Karo policy
    published on karoschool.net.

SCHEDULE A — TECHNICAL AND ORGANISATIONAL MEASURES

A1. Encryption
    All traffic between browsers, phones, and Karo is encrypted in
    transit using industry-standard TLS. Databases, backups, and file
    storage are encrypted at rest. Passwords are stored as one-way
    hashes.

A2. Access control
    Access to the platform is restricted through per-tenant row-level
    security. Two-step verification is mandatory for every account.
    Sensitive actions (adding a bank account, exporting data,
    impersonation by platform support) require a fresh one-time code
    and are written to an immutable audit trail.

A3. Tenant isolation
    Each school's data is sealed in its own tenant. Row-level rules
    apply to every read and write. A staff member from one school
    cannot read another school's records.

A4. Financial record integrity
    Invoices and receipts are permanent once issued; corrections are
    made by cancellation and re-issue so the original record survives.
    Every action that touches money is written to an append-only audit
    log with actor, timestamp, and delta.

A5. Incident response
    Karo maintains a documented incident-response procedure. Suspected
    personal-data breaches are triaged within twenty-four (24) hours
    and notified to the Controller within seventy-two (72) hours of
    confirmation, together with a written description of the incident,
    the data affected, and mitigations taken.

A6. Sub-processor management
    Sub-processors are subject to written data-protection agreements
    at least as protective as this DPA and are reviewed at least
    annually.

A7. Data-subject request tooling
    Access, rectification, and export operations are available to the
    Controller through the Karo platform. Erasure and portability
    requests are supported by the Karo support team on written
    instruction from the Controller.

ACCEPTANCE

By checking the acceptance box and submitting your full name, your
role at the Controller institution, and the Controller's legal name,
You confirm that You are authorised to bind the Controller to this
DPA, including its confidentiality and non-disclosure obligations, on the
Controller's behalf. You confirm that You have read, understood, and agreed
to it. Your typed full name constitutes your electronic
signature under applicable law.

Contact: info@karoschool.net

Questions about this DPA? Write to info@karoschool.net.