Daily Tab · Legal

Institutional Data Agreement

Data Processing Agreement Between Daily Tab and Educational Institutions

Effective Date: July 2026 Version 1.1

DAILY TAB

INSTITUTIONAL DATA AGREEMENT

Data Processing Agreement Between Daily Tab and Educational Institutions

Effective Date: July 2026 | Version 1.1

Preamble

This Institutional Data Agreement ("Agreement" or "DPA") governs the processing of personal data by Daily Tab ("Processor" or "Service Provider") on behalf of the educational institution that has been granted access to the Daily Tab Platform ("College" or "Controller"). This Agreement supplements and forms an integral part of the Terms of Service and Privacy Policy of Daily Tab.

This Agreement has been prepared to satisfy the data processing agreement requirements of the EU General Data Protection Regulation (GDPR) Article 28, the UK GDPR, Brazil's LGPD Article 37, India's Digital Personal Data Protection Act 2023, Sri Lanka's Personal Data Protection Act 2022, and equivalent provisions under other applicable data protection frameworks globally. In the event of any conflict between this Agreement and the Terms of Service regarding the processing of personal data, this Agreement shall prevail.

1. Definitions

Capitalized terms in this Agreement have the meanings assigned to them in the Privacy Policy and Terms of Service. Additionally:

2. Roles, Relationship, and Scope

2.1 Data Controller

The College is the Data Controller in respect of all Institutional Data. As Data Controller, the College determines the purposes for which, and the manner in which, Institutional Data is processed. The College bears primary legal responsibility for ensuring that its processing of personal data through the Platform complies with all applicable data protection laws.

2.2 Data Processor

Daily Tab is the Data Processor in respect of Institutional Data. Daily Tab processes Institutional Data solely on the documented instructions of the College, for the purpose of providing the Platform and related services. Daily Tab shall not process Institutional Data for any purpose independent of, or beyond the scope of, such instructions, except where required by applicable law.

2.3 Scope of Processing

Subject Matter Nature of Processing Purpose Duration
Student personal data (names, roll numbers, attendance records) Storage, retrieval, display, and report generation Attendance management and institutional record-keeping Duration of the College's use of the Platform
Teacher personal data (name, email, credentials) Storage, authentication, communication User authentication and Platform access Duration of active Teacher membership
Admin personal data (email, credentials) Storage, authentication Platform administration Duration of active Admin account

3. Processor Obligations

Daily Tab, as Processor, shall:

4. Controller Obligations and Warranties

The College, as Controller, warrants and undertakes that:

5. Sub-Processors

The College hereby grants general authorization for Daily Tab to engage the sub-processors identified in the Privacy Policy (Supabase, Inc., Resend, Inc., and Cloudflare, Inc.) as of the effective date of this Agreement. Daily Tab shall provide the College with notice of any intended addition or replacement of sub-processors, and the College shall have the right to object to such changes on reasonable grounds within fourteen (14) days of such notice. Where the College raises a legitimate objection and the parties cannot resolve the matter within a further fourteen (14) days, either party may terminate the Agreement on written notice.

Daily Tab shall ensure that each sub-processor is bound by a written agreement containing data protection obligations equivalent to those set out in this Agreement, and shall remain fully liable to the College for the acts and omissions of its sub-processors to the same extent as if Daily Tab had performed the processing directly.

6. International Data Transfers

Institutional Data is processed and stored in Tokyo, Japan (AWS ap-northeast-1 region). The following transfer mechanisms apply depending on the College's jurisdiction:

College Jurisdiction Transfer Mechanism
EU / EEA Standard Contractual Clauses (Controller-to-Processor, EC 2021/914)
United Kingdom UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
Brazil Standard Contractual Clauses or equivalent safeguards as approved by ANPD
India Subject to DPDPA cross-border transfer provisions; College responsible for obtaining any required government approval
China Subject to PIPL; College responsible for completing security assessment where applicable
All other jurisdictions Daily Tab implements appropriate safeguards; specific mechanisms available upon request

Where Standard Contractual Clauses or equivalent instruments are required, those clauses are incorporated into and form part of this Agreement by reference. Colleges requiring executed copies of applicable SCCs or transfer instruments should contact Daily Tab through the details provided at dailytab.app.

7. Personal Data Breach Notification

Upon becoming aware of a Personal Data Breach affecting Institutional Data, Daily Tab shall notify the affected College without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach. The notification shall include, to the extent available:

The College is solely responsible for evaluating whether the breach requires notification to affected data subjects and/or the relevant supervisory authority under applicable law, and for fulfilling all such notification obligations. Daily Tab shall provide reasonable cooperation to the College in meeting its breach notification obligations.

All audit requests and compliance inquiries should be directed to support@dailytab.app.

8. Audit and Demonstration of Compliance

Daily Tab shall, upon reasonable written request from the College, provide such information and documentation as is reasonably necessary to demonstrate compliance with this Agreement and applicable data protection law. The following conditions apply to audit activities:

Where certification, third-party audit reports, or equivalent documentation are available, Daily Tab may provide these in satisfaction of audit requests.

9. Deletion and Return of Data

Upon termination of the College's access to the Platform for any reason, or upon written request from the College at any time, Daily Tab shall, at the College's election: (i) permanently delete all Institutional Data from its systems and those of its sub-processors; or (ii) return all Institutional Data to the College in a commonly used, machine-readable format before deletion. Such deletion or return shall be completed within thirty (30) calendar days of the College's written request, and Daily Tab shall provide written confirmation of completion.

Notwithstanding the foregoing, Daily Tab may retain personal data where, and to the extent that, retention is required by applicable law, provided that Daily Tab shall ensure the continued confidentiality of such data and shall not process it for any purpose beyond that required by law.

10. Liability Under This Agreement

Each party's liability under this Agreement shall be subject to the limitations and exclusions set out in the Terms of Service. Where applicable law imposes liability on a Processor that has acted outside or contrary to the lawful instructions of the Controller, or on a Processor that has acted contrary to the provisions of GDPR Chapter IV or equivalent provisions under applicable law, the provisions of applicable law shall govern such liability to the extent they impose obligations beyond those in the Terms of Service.

11. Term, Survival, and Termination

This Agreement shall remain in force for the duration of the College's access to the Platform. Termination of the Terms of Service for any reason shall automatically terminate this Agreement, subject to the survival of obligations in Sections 7, 8, 9, and 10, which shall survive termination indefinitely.

12. Governing Law

This Agreement shall be governed by the same governing law as the Terms of Service, as determined by the jurisdiction of the College. For Colleges subject to the GDPR or UK GDPR, the parties acknowledge that this Agreement is intended to comply with the requirements of GDPR Article 28 and shall be interpreted accordingly.

13. Precedence and Severability

In the event of any conflict between this Agreement and the Terms of Service with respect to the processing of personal data, this Agreement shall prevail. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

© 2026 Daily Tab. All rights reserved. This document is subject to periodic review and amendment. The most current version is available at dailytab.app.