Operator Agreement (POPIA / GDPR DPA)
version 2026-06-24 · effective 2026-06-24
1. Capacity
Under POPIA s20–21 and (where applicable) GDPR Article 28, the School is the Responsible Party / Controller for personal information processed on the platform and A&O is the Operator / Processor. A&O processes only on the School's documented instructions.
2. Scope of processing
| Subject matter | Duration | Nature & purpose | Categories of data subjects | Categories of personal information |
|---|---|---|---|---|
| Providing the A&O platform. | Duration of the subscription + retention schedule. | Hosting, storage, communication, billing, analytics, support. | Children, parents/guardians, school staff, applicants. | Identity, contact, attendance, classroom, fees, photos/video, medical notes provided by parents, communications. |
3. Security measures
- TLS 1.2+ in transit; AES-256 at rest for managed databases and storage.
- Role-based access control + row-level security in the database.
- Least-privilege access for engineers; access reviews at least annually.
- Logging and audit trails on privileged operations.
- Backups taken daily; restore procedure tested at least annually.
- Vulnerability patching on a regular cadence; dependency scanning on every build.
4. Subprocessors
Current subprocessors are listed at /legal/subprocessors. A&O will give the School at least 30 days' notice of new or replaced subprocessors; the School may object on reasonable grounds.
5. International transfers
Where personal information is transferred outside the Republic of South Africa, A&O will rely on lawful transfer mechanisms (POPIA s72) and, for EU/UK transfers, on Standard Contractual Clauses or equivalent safeguards under GDPR Chapter V.
6. Data subject requests
A&O will, taking into account the nature of the processing, assist the School in responding to data subject requests (access, correction, deletion, objection, portability) within statutory deadlines.
7. Breach notification
A&O will notify the School of a confirmed security compromise affecting the School's personal information without undue delay and, where feasible, within 72 hours of confirmation, in accordance with the Breach Notification Policy.
8. Audit rights
The School may, on 30 days' written notice and at its own cost, audit A&O's compliance with this agreement no more than once per year, or as required by a regulator. A&O may satisfy an audit request by providing existing third-party reports (e.g. SOC 2, ISO 27001) where applicable.
9. Return / deletion on termination
On termination of the subscription, A&O will, at the School's written instruction within 30 days, return the School's personal information in a structured, commonly used, machine-readable format and then delete it from production systems within 30 days and from backups within 90 days, unless retention is required by law.
10. Liability
Liability under this Operator Agreement is subject to the limits set out in the School Subscription Agreement, except where law provides otherwise (e.g. liability of the Responsible Party to data subjects under POPIA).