Data Processing Agreement (DPA)

Updated: Apr 16, 2026

This Data Processing Agreement forms part of the Terms of Service between the Customer (Controller) and Be Bright Solutions (Processor) for the ESMS platform. It governs how we process personal data on your behalf.

1. Scope & Roles

  • Customer is the data controller; Be Bright Solutions is the data processor.
  • Processing is limited to providing ESMS services (admissions, attendance, messaging, billing, analytics).

2. Data Types & Subjects

  • Data subjects: students, parents/guardians, staff, and administrators.
  • Data types: contact details, identifiers, attendance, academic records, communications metadata, payment references (no card storage), and uploaded documents.

3. Processor Obligations

  • Process data only on documented instructions from the Customer.
  • Implement appropriate technical and organizational security measures.
  • Ensure personnel confidentiality and security training.
  • Notify the Customer of personal data breaches without undue delay.

4. Subprocessors

We engage vetted subprocessors for hosting, messaging, email, and analytics. Current subprocessors and regions are documented in our Vendor Messaging & Email Agreement. We remain responsible for their performance.

5. International Transfers

Where data moves across regions, we apply appropriate safeguards (such as SCCs or equivalent). Customers may request region-specific hosting where available.

6. Data Subject Rights

We will assist the Customer in responding to requests (access, correction, deletion, restriction, portability) using available platform tools or support processes.

7. Security

  • Encryption in transit (HTTPS/TLS) and at rest for supported data stores.
  • Access controls with least privilege; audit logs for sensitive actions where available.
  • Regular backups and disaster recovery procedures.

8. Retention & Deletion

Customer controls retention. Upon contract end or written request, we will delete or return personal data unless retention is required by law or for legitimate defense.

9. Audits

Upon reasonable notice, Customers may request information needed to demonstrate compliance. We may satisfy this via certificates, summaries of penetration tests, or supervised reviews.

10. Term

This DPA remains in effect for the duration of the Customer’s use of ESMS and thereafter as required to wind down services and delete data.