Institutional Data Agreement
Data Processing Agreement Between Daily Tab and Educational Institutions
DAILY TAB
INSTITUTIONAL DATA AGREEMENT
Data Processing Agreement Between Daily Tab and Educational Institutions
Effective Date: July 2026 | Version 1.1
Preamble
This Institutional Data Agreement ("Agreement" or "DPA") governs the processing of personal data by Daily Tab ("Processor" or "Service Provider") on behalf of the educational institution that has been granted access to the Daily Tab Platform ("College" or "Controller"). This Agreement supplements and forms an integral part of the Terms of Service and Privacy Policy of Daily Tab.
This Agreement has been prepared to satisfy the data processing agreement requirements of the EU General Data Protection Regulation (GDPR) Article 28, the UK GDPR, Brazil's LGPD Article 37, India's Digital Personal Data Protection Act 2023, Sri Lanka's Personal Data Protection Act 2022, and equivalent provisions under other applicable data protection frameworks globally. In the event of any conflict between this Agreement and the Terms of Service regarding the processing of personal data, this Agreement shall prevail.
1. Definitions
Capitalized terms in this Agreement have the meanings assigned to them in the Privacy Policy and Terms of Service. Additionally:
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission and equivalent instruments under applicable law.
"Supervisory Authority" means the competent data protection authority in the jurisdiction of the College.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
"Processing Instructions" means the instructions from the College to Daily Tab regarding the processing of personal data, as set out in this Agreement and the Terms of Service.
2. Roles, Relationship, and Scope
2.1 Data Controller
The College is the Data Controller in respect of all Institutional Data. As Data Controller, the College determines the purposes for which, and the manner in which, Institutional Data is processed. The College bears primary legal responsibility for ensuring that its processing of personal data through the Platform complies with all applicable data protection laws.
2.2 Data Processor
Daily Tab is the Data Processor in respect of Institutional Data. Daily Tab processes Institutional Data solely on the documented instructions of the College, for the purpose of providing the Platform and related services. Daily Tab shall not process Institutional Data for any purpose independent of, or beyond the scope of, such instructions, except where required by applicable law.
2.3 Scope of Processing
| Subject Matter | Nature of Processing | Purpose | Duration |
| Student personal data (names, roll numbers, attendance records) | Storage, retrieval, display, and report generation | Attendance management and institutional record-keeping | Duration of the College's use of the Platform |
| Teacher personal data (name, email, credentials) | Storage, authentication, communication | User authentication and Platform access | Duration of active Teacher membership |
| Admin personal data (email, credentials) | Storage, authentication | Platform administration | Duration of active Admin account |
3. Processor Obligations
Daily Tab, as Processor, shall:
Process Institutional Data only in accordance with the documented instructions of the College as set out in these Terms, unless otherwise required by applicable law, in which case Daily Tab shall notify the College before processing unless such notification is legally prohibited.
Ensure that all persons authorized to process Institutional Data are bound by appropriate confidentiality obligations, either contractual or statutory.
Implement appropriate technical and organizational security measures to protect Institutional Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Engage sub-processors only with the prior general or specific authorization of the College, as provided under Section 5, and ensure all sub-processors are bound by data protection obligations no less protective than those set out in this Agreement.
Assist the College, insofar as technically and operationally feasible, in fulfilling the College's obligations to respond to data subject requests, and in meeting obligations relating to security, data protection impact assessments, and consultations with supervisory authorities.
Notify the College of any Personal Data Breach without undue delay and in accordance with Section 7.
At the College's election, delete or return all Institutional Data upon termination of the Agreement in accordance with Section 9.
Make available to the College all information reasonably necessary to demonstrate compliance with this Agreement, and permit and contribute to audits conducted by the College or a mandated auditor, subject to the conditions in Section 8.
4. Controller Obligations and Warranties
The College, as Controller, warrants and undertakes that:
All personal data submitted to the Platform has been collected lawfully and for a specified, explicit, and legitimate purpose consistent with the College's use of the Platform.
The College has a valid and documented lawful basis for each category of processing it instructs Daily Tab to perform, including where consent is required as the exclusive lawful basis under applicable law (including for the processing of data of minors).
The College has provided, or will provide, all required notices and disclosures to data subjects regarding the processing of their personal data through the Platform.
The College has obtained all necessary authorizations from relevant supervisory authorities where required by applicable law (including data localization or transfer authorizations under India's DPDPA, China's PIPL, or other applicable instruments).
Processing Instructions issued to Daily Tab are lawful and will not cause Daily Tab to violate any applicable law.
The College will promptly update or correct Institutional Data that is inaccurate.
5. Sub-Processors
The College hereby grants general authorization for Daily Tab to engage the sub-processors identified in the Privacy Policy (Supabase, Inc., Resend, Inc., and Cloudflare, Inc.) as of the effective date of this Agreement. Daily Tab shall provide the College with notice of any intended addition or replacement of sub-processors, and the College shall have the right to object to such changes on reasonable grounds within fourteen (14) days of such notice. Where the College raises a legitimate objection and the parties cannot resolve the matter within a further fourteen (14) days, either party may terminate the Agreement on written notice.
Daily Tab shall ensure that each sub-processor is bound by a written agreement containing data protection obligations equivalent to those set out in this Agreement, and shall remain fully liable to the College for the acts and omissions of its sub-processors to the same extent as if Daily Tab had performed the processing directly.
6. International Data Transfers
Institutional Data is processed and stored in Tokyo, Japan (AWS ap-northeast-1 region). The following transfer mechanisms apply depending on the College's jurisdiction:
| College Jurisdiction | Transfer Mechanism |
| EU / EEA | Standard Contractual Clauses (Controller-to-Processor, EC 2021/914) |
| United Kingdom | UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs |
| Brazil | Standard Contractual Clauses or equivalent safeguards as approved by ANPD |
| India | Subject to DPDPA cross-border transfer provisions; College responsible for obtaining any required government approval |
| China | Subject to PIPL; College responsible for completing security assessment where applicable |
| All other jurisdictions | Daily Tab implements appropriate safeguards; specific mechanisms available upon request |
Where Standard Contractual Clauses or equivalent instruments are required, those clauses are incorporated into and form part of this Agreement by reference. Colleges requiring executed copies of applicable SCCs or transfer instruments should contact Daily Tab through the details provided at dailytab.app.
7. Personal Data Breach Notification
Upon becoming aware of a Personal Data Breach affecting Institutional Data, Daily Tab shall notify the affected College without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach. The notification shall include, to the extent available:
A description of the nature and approximate scope of the Personal Data Breach, including the categories and estimated number of data subjects and records affected.
The likely consequences of the breach, including the assessed risk to affected data subjects.
The measures taken or proposed to be taken to address the breach and to mitigate its adverse effects.
Contact details for further information.
The College is solely responsible for evaluating whether the breach requires notification to affected data subjects and/or the relevant supervisory authority under applicable law, and for fulfilling all such notification obligations. Daily Tab shall provide reasonable cooperation to the College in meeting its breach notification obligations.
All audit requests and compliance inquiries should be directed to support@dailytab.app.
8. Audit and Demonstration of Compliance
Daily Tab shall, upon reasonable written request from the College, provide such information and documentation as is reasonably necessary to demonstrate compliance with this Agreement and applicable data protection law. The following conditions apply to audit activities:
Audit requests must be submitted in writing with a minimum of thirty (30) days prior notice.
Audits shall be conducted no more than once per calendar year, unless a specific confirmed breach warrants an additional review.
Audits shall be conducted during normal business hours in a manner that minimizes disruption to the Platform and Daily Tab's operations.
The College shall bear all costs of any audit it conducts or commissions.
Any auditor appointed by the College must be subject to confidentiality obligations with respect to information obtained during the audit.
Where certification, third-party audit reports, or equivalent documentation are available, Daily Tab may provide these in satisfaction of audit requests.
9. Deletion and Return of Data
Upon termination of the College's access to the Platform for any reason, or upon written request from the College at any time, Daily Tab shall, at the College's election: (i) permanently delete all Institutional Data from its systems and those of its sub-processors; or (ii) return all Institutional Data to the College in a commonly used, machine-readable format before deletion. Such deletion or return shall be completed within thirty (30) calendar days of the College's written request, and Daily Tab shall provide written confirmation of completion.
Notwithstanding the foregoing, Daily Tab may retain personal data where, and to the extent that, retention is required by applicable law, provided that Daily Tab shall ensure the continued confidentiality of such data and shall not process it for any purpose beyond that required by law.
10. Liability Under This Agreement
Each party's liability under this Agreement shall be subject to the limitations and exclusions set out in the Terms of Service. Where applicable law imposes liability on a Processor that has acted outside or contrary to the lawful instructions of the Controller, or on a Processor that has acted contrary to the provisions of GDPR Chapter IV or equivalent provisions under applicable law, the provisions of applicable law shall govern such liability to the extent they impose obligations beyond those in the Terms of Service.
11. Term, Survival, and Termination
This Agreement shall remain in force for the duration of the College's access to the Platform. Termination of the Terms of Service for any reason shall automatically terminate this Agreement, subject to the survival of obligations in Sections 7, 8, 9, and 10, which shall survive termination indefinitely.
12. Governing Law
This Agreement shall be governed by the same governing law as the Terms of Service, as determined by the jurisdiction of the College. For Colleges subject to the GDPR or UK GDPR, the parties acknowledge that this Agreement is intended to comply with the requirements of GDPR Article 28 and shall be interpreted accordingly.
13. Precedence and Severability
In the event of any conflict between this Agreement and the Terms of Service with respect to the processing of personal data, this Agreement shall prevail. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
© 2026 Daily Tab. All rights reserved. This document is subject to periodic review and amendment. The most current version is available at dailytab.app.