Data Processing Agreement
Version 1.1. Last updated: 13 July 2026.
Every school using Karo signs this DPA on its first authenticated sign-in. It sits alongside the Terms of Service and the Privacy Policy, and is supported by the risk assessment in the Data Protection Impact Assessment.
DATA PROCESSING AGREEMENT (Version 1.1)
This Data Processing Agreement ("DPA") forms part of the agreement between:
(A) The school, college, university, or other education institution
identified in the Karo account of the accepting user ("Controller"),
represented by the signatory below; and
(B) Karo Digital Classics Ltd, a company incorporated in the Republic of Kenya,
operator of the Karo school-operations platform ("Processor",
"Karo").
together the "Parties". Karo processes personal data on the Controller's
behalf as its processor within the meaning of the Kenya Data Protection
Act, 2019 and, where applicable to the Controller, Article 28 of the EU
General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. SUBJECT MATTER AND DURATION
Karo processes personal data solely to provide the Karo platform to
the Controller: enrolling students and guardians, issuing invoices,
collecting payments through regulated payment processors, delivering
receipts and notices, and producing operational reports. This DPA
applies for as long as the Controller's Karo account is active and,
for retention purposes, for the periods set out below.
2. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA
Data subjects: staff members, students, and guardians of students.
Categories of personal data: full names, phone numbers, email
addresses, admission numbers, class and stream assignments, guardian
relationships, invoice line items, payment references, receipt
numbers, message delivery status, and login/audit metadata. Karo does
not process special-category data (health, religion, political
opinion, biometrics) as a normal course of business. Card and mobile-
money credentials are never stored on Karo; those are held by the
regulated payment processor.
3. ROLES
The Controller determines the purposes and means of processing and is
solely responsible for the lawful basis of every record it enters
into Karo. Karo processes personal data only on the Controller's
documented instructions, which for standard operations are the
configurations and actions performed through the Karo application.
Additional instructions must be given in writing to
info@karoschool.net.
4. PROCESSOR OBLIGATIONS
Karo will:
(a) process personal data only on the Controller's instructions and
only for the platform's operating purposes;
(b) ensure every person authorised to access personal data is bound
by a written duty of confidentiality;
(c) implement and maintain the technical and organisational security
measures described in Schedule A below;
(d) assist the Controller in responding to data-subject rights
requests (access, rectification, erasure, restriction,
portability, objection) within the timelines that apply to the
Controller under the Act or GDPR;
(e) notify the Controller without undue delay, and no later than
seventy-two (72) hours after becoming aware, of any personal-data
breach affecting the Controller's data;
(f) at the Controller's choice, delete or return all personal data
at the end of the service, subject to the retention periods in
clause 8; and
(g) make available all information reasonably necessary to
demonstrate compliance with this DPA and permit audits carried
out by the Controller or an independent auditor mandated by the
Controller, at reasonable intervals, on reasonable notice, and
subject to appropriate confidentiality undertakings.
5. CONTROLLER OBLIGATIONS
The Controller warrants that it has a lawful basis to process the
personal data it enters into Karo, has provided any notices required
under the Act or GDPR to its data subjects, and will not upload
personal data of any child except in the ordinary course of school
administration.
6. CONFIDENTIALITY AND NON-DISCLOSURE
Each Party may receive or access non-public information from the other
Party in connection with setting up, operating, evaluating, supporting,
auditing, or improving a Karo account ("Confidential Information").
Confidential Information includes, without limitation: platform source
code, database schemas, API keys, integration credentials, security
controls, product roadmaps, pricing arrangements, user lists, message
templates, fee structures, student and guardian data, payment settlement
details, banking configuration, school operational records, and any
information marked or reasonably understood as confidential.
Each Party will: (a) hold the other Party's Confidential Information in
strict confidence; (b) use it only for the purposes of using, providing,
supporting, securing, or evaluating Karo; (c) protect it with at least
the same degree of care it uses for its own confidential information,
and never less than reasonable care; (d) disclose it only to employees,
contractors, sub-processors, or professional advisers who need to know
it and are bound by equivalent confidentiality duties; (e) not reproduce,
reverse-engineer, decompile, attempt to derive source code from, copy,
benchmark publicly, or replicate any Karo software or infrastructure;
and (f) not use Confidential Information to compete with, undermine, or
harm the other Party's business, staff, schools, guardians, students, or
suppliers.
These obligations do not apply to information that is publicly known
through no breach of this DPA, already lawfully possessed without a duty
of confidentiality, independently developed without reference to the
other Party's Confidential Information, or required to be disclosed by
law or a competent authority, provided the receiving Party gives prompt
written notice where lawful. No license, ownership, or intellectual-
property right is granted by disclosure. All Karo software, brand assets,
documentation, templates, and derivative works remain the property of
Karo Digital Classics Ltd.
Confidentiality obligations apply for the duration of the Controller's
Karo account and for 10 years thereafter.
Obligations relating to personal data, trade secrets, source code,
security controls, credentials, and banking or payment configuration
survive for as long as the information remains legally protectable or
confidential. The Parties acknowledge that breach may cause irreparable
harm, and the non-breaching Party may seek injunctive relief in addition
to any other remedy available at law or equity.
7. SUB-PROCESSORS
The Controller authorises Karo to engage the following categories of
sub-processors:
(i) cloud hosting and database (Supabase, hosted on Amazon Web
Services within a region approved for the Controller's data
residency);
(ii) transactional messaging carriers (Twilio for WhatsApp and SMS,
Africa's Talking as an SMS alternative where available, Resend
for email);
(iii) payment processing (Paystack for card and mobile-money
settlement to the Controller's own bank account);
(iv) document generation and delivery (Karo's own PDF orchestrator
and the storage layer above).
Karo will impose data-protection obligations on each sub-processor
that are no less protective than this DPA. Karo will notify the
Controller of any intended change of, or addition to, sub-processors
at least thirty (30) days in advance and give the Controller the
opportunity to object on reasonable data-protection grounds.
8. INTERNATIONAL TRANSFERS
Where personal data is transferred outside Kenya or, for GDPR-subject
Controllers, outside the European Economic Area, Karo will rely on
an adequacy decision, the standard contractual clauses issued by the
European Commission (2021/914), or the Office of the Data Protection
Commissioner-approved safeguards, whichever apply. A copy of the
applicable safeguard is available on request.
9. RETENTION
Karo retains personal data for as long as the Controller's account
is active. On termination:
(a) Financial records — invoices, receipts, payments, payment
allocations, and the append-only audit log — are retained for
7 years from the date each record was
created. This is the maximum lawful retention required by
Kenyan tax and public-audit statutes and is applied so records
remain available to auditors and to the Controller for the full
lawful period.
(b) Operational records — students, guardians, staff, message logs,
branding assets — are retained in a thirty (30) day archive from
which the Controller may restore, then purged, unless the
Controller requests earlier deletion or a legal hold applies.
(c) DPA and Terms acceptance records are retained for
10 years for compliance evidence.
(d) Backups follow their own thirty (30) day rolling schedule and
are then overwritten.
10. DATA-SUBJECT REQUESTS
If Karo receives a request from a data subject relating to personal
data processed on the Controller's behalf, Karo will (a) not respond
substantively other than to acknowledge receipt and route the
request to the Controller, and (b) provide the Controller with
reasonable assistance to respond within its statutory time limits.
11. LIABILITY AND INDEMNITY
The Parties' liability under this DPA is subject to the limits set
out in the Karo Terms of Service. Neither Party excludes liability
that cannot lawfully be excluded, including liability under the
Act for breaches attributable to that Party.
12. GOVERNING LAW AND JURISDICTION
This DPA is governed by the laws of the Republic of Kenya. The
courts of Nairobi have exclusive jurisdiction, without prejudice
to either Party's right to seek interim relief in any competent
jurisdiction, and to any mandatory rights of a data subject under
the Act or GDPR to bring proceedings in the courts of their
habitual residence.
13. ORDER OF PRECEDENCE
In case of conflict, this DPA prevails over the Karo Terms of
Service to the extent of the conflict on data-protection matters,
followed by the Terms of Service, followed by any Karo policy
published on karoschool.net.
SCHEDULE A — TECHNICAL AND ORGANISATIONAL MEASURES
A1. Encryption
All traffic between browsers, phones, and Karo is encrypted in
transit using industry-standard TLS. Databases, backups, and file
storage are encrypted at rest. Passwords are stored as one-way
hashes.
A2. Access control
Access to the platform is restricted through per-tenant row-level
security. Two-step verification is mandatory for every account.
Sensitive actions (adding a bank account, exporting data,
impersonation by platform support) require a fresh one-time code
and are written to an immutable audit trail.
A3. Tenant isolation
Each school's data is sealed in its own tenant. Row-level rules
apply to every read and write. A staff member from one school
cannot read another school's records.
A4. Financial record integrity
Invoices and receipts are permanent once issued; corrections are
made by cancellation and re-issue so the original record survives.
Every action that touches money is written to an append-only audit
log with actor, timestamp, and delta.
A5. Incident response
Karo maintains a documented incident-response procedure. Suspected
personal-data breaches are triaged within twenty-four (24) hours
and notified to the Controller within seventy-two (72) hours of
confirmation, together with a written description of the incident,
the data affected, and mitigations taken.
A6. Sub-processor management
Sub-processors are subject to written data-protection agreements
at least as protective as this DPA and are reviewed at least
annually.
A7. Data-subject request tooling
Access, rectification, and export operations are available to the
Controller through the Karo platform. Erasure and portability
requests are supported by the Karo support team on written
instruction from the Controller.
ACCEPTANCE
By checking the acceptance box and submitting your full name, your
role at the Controller institution, and the Controller's legal name,
You confirm that You are authorised to bind the Controller to this
DPA, including its confidentiality and non-disclosure obligations, on the
Controller's behalf. You confirm that You have read, understood, and agreed
to it. Your typed full name constitutes your electronic
signature under applicable law.
Contact: info@karoschool.net
Questions about this DPA? Write to info@karoschool.net.
