Data Processing Addendum

Last updated: April 2026

1. Overview

This Data Processing Addendum ("DPA") supplements the Terms of Service and applies to schools using STEM Impact Academy. It governs how we process personal data on behalf of educational institutions.

2. Definitions

  • Controller: the school
  • Processor: SIC Kenya
  • Data Subjects: students, teachers, staff
  • Personal Data: as defined in Kenya's Data Protection Act, 2019

3. Scope of Processing

SIC Kenya processes student and staff data solely for:

  • Platform operation
  • Enrollment management
  • Progress tracking
  • Grading
  • Certificate issuance
  • Classroom sync

4. Data Controller Obligations

Schools must:

  • Obtain necessary consents
  • Ensure lawful basis for processing
  • Inform data subjects
  • Maintain data accuracy
  • Comply with the Data Protection Act, 2019

5. Data Processor Obligations

SIC Kenya will:

  • Process data only on documented instructions
  • Ensure staff confidentiality
  • Implement technical and organizational security measures
  • Assist with data subject requests
  • Delete or return data upon contract termination
  • Make available information for audits

6. Subprocessors

Current subprocessors:

  • Google Cloud Platform (hosting/database)
  • Firebase Authentication
  • Resend (email)
  • Google Classroom API (when connected)

We will notify schools 30 days before adding new subprocessors.

7. Data Security Measures

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Access controls and role-based permissions
  • Regular security reviews
  • Incident response procedures
  • SOC 2 and ISO 27001 certified infrastructure

8. Data Breach Response

We will notify the school within 72 hours of becoming aware of a data breach. The notification will include:

  • Nature of the breach
  • Categories of data affected
  • Approximate number of records affected
  • Remedial measures taken
  • Contact point for further information

9. Data Retention & Deletion

Data is retained while the school account is active. Upon termination:

  • Personal data deleted within 30 days
  • Anonymized analytics may be retained
  • Certificates remain verifiable

10. International Transfers

Data is processed in the US (Google Cloud). Standard contractual clauses apply. Kenya Data Protection Act compliance is maintained.

11. Contact

For DPA inquiries, contact us at dpa@stemimpactcenterkenya.org. Schools may request a signed copy of this addendum.