← Back to Karo

Data Protection Impact Assessment

Version 1.0. Last reviewed: 13 July 2026. Maintained by Karo Digital Classics Ltd.

This Data Protection Impact Assessment ("DPIA") is Karo's structured review of the risks that processing personal data on the Karo platform poses to the rights and freedoms of natural persons — principally students, guardians, and staff of the schools that use Karo. It is published in the interests of transparency and to help each school meet its own accountability obligations under the Kenya Data Protection Act, 2019 (the "Act") and, where relevant, the GDPR.

1. Description of the processing

Karo is a school-operations platform. It stores staff, student, and guardian records for each subscribing school, issues invoices, accepts payments through a regulated payment processor, delivers branded receipts and reminders over WhatsApp, SMS, and email, and produces operational reports for school leadership. Personal data includes names, phone numbers, email addresses, admission numbers, class and stream assignments, guardian relationships, invoice line items, payment references, and message delivery status. Card and mobile-money credentials are never stored on Karo.

2. Necessity and proportionality

Each data category is directly necessary for the fee-collection and communication workflow the school has instructed Karo to perform. Karo does not collect data beyond what a school administrator would hold on paper today (guardian phone, student class, fee status). No special-category data is processed in the ordinary course of use. Karo does not sell data, does not share it with advertisers, and does not train third-party AI on school data.

3. Data subjects and lawful basis

The lawful basis for processing is determined by the school as controller. In typical use it is (a) the performance of a contract with the guardian for the delivery of educational services, and (b) the school's legitimate interests in operating an accurate fee ledger, subject to the guardian's rights. Karo processes on the school's documented instructions as processor under the DPA.

4. Risks and safeguards

RiskLikelihoodImpactMitigationResidual
Cross-tenant data leakage between schoolsLowHighPer-row RLS scoped to school membership; every query filtered by school_id; contract tests for cross-tenant access.Low
Unauthorised staff access to a school accountMediumHighMandatory two-step verification; passkey/biometric sign-in; step-up OTP on bank changes; append-only audit log; sensitive routes gated by the _authenticated layout.Low
Bank redirection fraud (attacker swaps payout account)LowVery HighOnly owner can add or change a bank account; fresh OTP and password re-entry required; new accounts held in review with name-match against the school's legal name; email notice to all owners on every change.Low
Guardian phone number misuse (SMS pumping, message misdelivery)MediumMediumProvider-side SMS geo permissions; per-guardian verification via YES-confirm template; message-log delivery callbacks; opt-out on every marketing-style message; no marketing sends.Low
Payment reconciliation errors (wrong student credited)MediumMediumImmutable invoice/receipt lineage; append-only payment allocations; Paystack reconciler polls for missed webhooks; audit log records every allocation change with actor.Low
Data-subject request goes unansweredLowMediumRequests received by Karo are routed to the school within 24 hours; export and rectification are self-service in the platform; erasure supported on written instruction.Low
Personal-data breach at a sub-processorLowHighSub-processors reviewed annually; written data-protection agreements at least as protective as our DPA; 72-hour breach notification to the school; encrypted at rest across every layer.Medium
Retention beyond lawful periodLowMediumRetention windows codified in code (7 years financial, 30 days operational archive, 30 days rolling backups); each acceptance record locks the exact window the user signed under.Low
International-transfer non-complianceLowMediumHosting region selected per data-residency requirement; SCCs / ODPC-approved safeguards for onward transfers; sub-processor list published in the DPA.Low
Loss of availability (platform outage during fee cycle)MediumMediumManaged database with point-in-time recovery; daily backups; offline-payment recording so a school can continue capturing manual payments during an outage.Low

5. Consultation

Karo consults with pilot-school owners and bursars on material changes to processing before rolling them out platform-wide. Schools with GDPR obligations are encouraged to consult their own Data Protection Officer before signing the DPA.

6. Review

This DPIA is reviewed at least annually, and whenever there is a material change to processing (new data category, new sub-processor, new legal ground). Contact info@karoschool.net to request the review log.

See also the Data Processing Agreement, the Privacy Policy, and the Terms of Service.