Scope and parties
This Data Processing Addendum (“DPA”) is entered into between SchoolIntel, Inc. (“SchoolIntel”) and the Customer identified in the applicable Order or Terms (“Customer”). It governs SchoolIntel's processing of Customer Personal Data on Customer's behalf in the course of providing the Services. In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to Personal Data.
Definitions
- “Applicable Data Protection Laws” means the GDPR, the UK GDPR, the CCPA/CPRA, and any other privacy or data protection laws applicable to the processing of Customer Personal Data.
- “Customer Personal Data” means Personal Data within Customer Data that SchoolIntel processes on behalf of Customer in the course of providing the Services.
- “Personal Data”, “Data Subject”, “Controller”, “Processor”, “Sub-processor”, and “Process” have the meanings given in Applicable Data Protection Laws.
- “Standard Contractual Clauses” or “SCCs” means the contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and the UK International Data Transfer Addendum issued by the UK Information Commissioner.
Roles of the parties
For Customer Personal Data, Customer is the Controller and SchoolIntel is the Processor. SchoolIntel is a Controller of certain other Personal Data it processes about Customer (e.g. account administrator details and Service usage), as described in our Privacy Policy; that processing is outside the scope of this DPA.
Details of processing
- Subject matter and duration: SchoolIntel's provision of the Services to Customer for the term of the underlying agreement, plus any wind-down period during which Customer Data may be returned or deleted.
- Nature and purpose of processing: hosting, enrichment, search, and analytics of Customer Personal Data to enable Customer's go-to-market team to identify, qualify, and contact international school accounts.
- Categories of Data Subjects: Customer's authorized Users; school staff and other professional contacts in the contact lists Customer uploads.
- Categories of Personal Data: name, business email, job title, employer (school), public professional URL, business phone, and any custom fields Customer chooses to upload. Customer shall not upload special categories of data within the meaning of Article 9 GDPR.
Customer instructions
SchoolIntel will Process Customer Personal Data only on Customer's documented instructions, including (i) as set out in the Terms, this DPA, and any Order, (ii) as needed to provide and secure the Services, and (iii) as required by applicable law (in which case SchoolIntel will, where permitted, inform Customer of the legal requirement). SchoolIntel will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.
Personnel and confidentiality
SchoolIntel limits access to Customer Personal Data to personnel who need access for the purposes of providing the Services, ensures those personnel are bound by appropriate confidentiality obligations, and provides them with privacy and security training on a regular basis.
Security measures
SchoolIntel will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, at minimum:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest.
- Role-based access controls, least-privilege provisioning, and centralized identity and access management with mandatory MFA for administrators.
- Logging and monitoring of access to production systems containing Customer Personal Data, with anomaly alerting.
- A documented vulnerability management program with regular dependency scanning, patching SLAs, and at least annual third-party penetration testing.
- Secure software development practices including code review, automated testing, and secret scanning.
- A documented incident response plan with defined roles, escalation paths, and breach notification procedures.
- Vendor security review for all Sub-processors before they are given access to Customer Personal Data.
- Backups, disaster-recovery procedures, and tested restoration processes.
Sub-processors
Customer authorizes SchoolIntel to engage Sub-processors to Process Customer Personal Data, provided that SchoolIntel:
- Maintains an up-to-date list of Sub-processors at /legal/sub-processors.
- Imposes contractual obligations on each Sub-processor that are no less protective than those in this DPA.
- Remains liable for the acts and omissions of its Sub-processors as if they were its own.
- Provides Customer with at least 30 days' advance notice (by updating the Sub-processors page and, on request, by email) of any intended change to its Sub-processor list. Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Services and receive a pro-rated refund of prepaid fees.
Data subject requests
SchoolIntel will, taking into account the nature of the processing, provide reasonable assistance to enable Customer to fulfil its obligations to respond to Data Subject requests under Applicable Data Protection Laws, including by providing the technical means within the Services for Customer to access, export, correct, or delete Customer Personal Data. If SchoolIntel receives a Data Subject request directly relating to Customer Personal Data, it will refer the Data Subject to Customer unless legally required to respond directly.
Personal data breach
SchoolIntel will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent then known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address it. SchoolIntel will provide Customer with the information reasonably necessary for Customer to meet its own breach-notification obligations.
International transfers
Customer Personal Data may be Processed in the United States and in any other country where SchoolIntel or its Sub-processors maintain facilities. To the extent SchoolIntel processes Customer Personal Data subject to the GDPR or UK GDPR in a country that has not received an adequacy decision, the parties agree to incorporate the Standard Contractual Clauses (Module 2 — controller to processor) and, where applicable, the UK International Data Transfer Addendum, which are deemed signed and entered into by the parties as of the effective date of this DPA. The optional clauses are completed as follows:
- Clause 7 (Docking): not applicable.
- Clause 9 (Sub-processors): Option 2 (general authorization) with 30 days' advance notice as set out above.
- Clause 11 (Redress): independent dispute resolution option not selected.
- Clause 17 (Governing law): Republic of Ireland.
- Clause 18 (Forum): the courts of the Republic of Ireland.
Audits
SchoolIntel will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. On Customer's reasonable written request and no more than once per 12-month period, SchoolIntel will respond to a written security questionnaire and, where available, provide its most recent third-party audit report (e.g. SOC 2 Type II, when published) under confidentiality. On-site audits are available only to enterprise customers under a separate written agreement, at the requesting party's expense, and on at least 30 days' written notice.
Return and deletion
On termination or expiry of the Services, SchoolIntel will (i) make Customer Data available for export through the Services for at least 30 days, after which SchoolIntel will delete Customer Personal Data from production systems within a further 30 days, and (ii) delete copies in backups within their normal retention cycle (no longer than 90 days), unless retention of certain Personal Data is required by applicable law, in which case SchoolIntel will isolate and protect it until deletion is permitted.
CCPA service-provider terms
To the extent SchoolIntel Processes Personal Information about California residents on behalf of Customer, SchoolIntel acts as a “Service Provider” as that term is defined in the California Consumer Privacy Act, as amended (“CCPA”). SchoolIntel will not (i) sell or share such Personal Information, (ii) retain, use, or disclose it for any purpose other than the business purposes specified in the Terms and this DPA, or (iii) combine Personal Information received from Customer with Personal Information received from any other source, except as permitted by the CCPA.
General
- Term. This DPA takes effect when the Customer accepts the Terms or executes an Order and continues until all Customer Personal Data has been deleted in accordance with the “Return and deletion” section.
- Liability. Each party's liability arising out of or related to this DPA is subject to the liability limits in the Terms.
- Counterparts. Where a counter-signed copy is required, this DPA may be executed in counterparts and by electronic signature.
- Conflict. Where this DPA conflicts with the SCCs on a matter of EU/UK law, the SCCs prevail.
Annex I — Parties, processing, supervisory authority
This Annex completes the information required by the EU Standard Contractual Clauses for transfers from EU controllers to non-EU processors (Module 2).
A. List of parties
Data exporter (Controller). The Customer identified in the applicable Order or Terms of Service. Contact details, role, and signature are recorded in the Customer's account profile and on the Order.
Data importer (Processor).
- SchoolIntel, Inc.
- A Delaware corporation, United States
- Contact: hello@schoolintel.co (privacy team)
- Activities relevant to the data transferred: provision of the SchoolIntel sales-intelligence Services described in the Terms of Service, including hosting, enrichment, search, and analytics of Customer Personal Data
- Signature: deemed signed by the parties upon acceptance of the Terms or execution of an Order
B. Description of the transfer
| Item | Detail |
|---|---|
| Categories of data subjects | Customer's authorized Users; school staff and other professional contacts in lists Customer uploads |
| Categories of personal data | Name, business email, business phone, job title, employer (school), public professional URL, and any custom fields Customer chooses to upload. No special categories of personal data within the meaning of GDPR Article 9. |
| Sensitive data | None. Customer shall not upload sensitive personal data (Article 9 GDPR special categories) or data of children under 16. |
| Frequency of transfer | Continuous, for the duration of the subscription |
| Nature of processing | Hosting, search, enrichment, scoring, and export of Customer Personal Data to enable B2B go-to-market activities |
| Purpose | Provision of the Services as described in the Terms of Service; security, support, and improvement of the Services |
| Retention period | For the duration of the subscription plus the wind-down period set out in the “Return and deletion” section above |
| Sub-processors | See Annex III |
C. Competent supervisory authority
For data exporters established in the EU, the competent supervisory authority is the supervisory authority of the EU Member State in which the Customer is established, or where the Customer has not designated one in writing, the supervisory authority of the Member State in which the data subjects whose personal data is transferred under the SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. For Customers established in the United Kingdom, the competent supervisory authority is the UK Information Commissioner's Office (ICO).
Annex II — Technical and organizational measures
SchoolIntel implements and maintains the technical and organizational measures listed below to protect Customer Personal Data, in accordance with Article 32 GDPR.
- Encryption in transit. All connections to the SchoolIntel application and APIs are protected with TLS 1.2 or higher with strong cipher suites. Older protocols are disabled.
- Encryption at rest. Customer Personal Data stored in our databases and object storage is encrypted at rest using AES-256 keys managed by our infrastructure providers (Supabase / Vercel) under their respective key-management systems.
- Access control. Role-based access control with least-privilege provisioning. Mandatory multi-factor authentication for all SchoolIntel personnel with access to production systems. Periodic access reviews.
- Audit logging. Centralized, append-only audit logs for production database reads and writes that touch Customer Personal Data. Anomaly alerting on the logs.
- Network security. Production infrastructure is isolated behind authenticated APIs; ingress is fronted by a managed WAF and DDoS protection (Cloudflare).
- Secure software development. Mandatory peer code review, automated dependency and secret scanning, and static analysis on every change. Dependency patches on a documented SLA.
- Vulnerability management. Continuous dependency scanning, periodic third-party penetration testing (planned annually post-launch), and a security disclosure program at hello@schoolintel.co.
- Incident response. Documented incident response plan with defined roles, on-call rotation, and breach notification procedure (72-hour customer notification SLA — see “Personal data breach” above).
- Backups. Daily automated backups of production databases retained for up to 90 days. Periodic restoration testing.
- Personnel. All SchoolIntel personnel with access to Customer Personal Data are bound by written confidentiality obligations and complete privacy and security training annually.
- Vendor security review. Every Sub-processor is security-reviewed before being granted access to Customer Personal Data, and is contractually bound to obligations no less protective than those in this DPA.
This list reflects the minimum measures we maintain. We may improve, replace, or supplement individual measures over time provided the overall level of protection is not reduced.
Annex III — Sub-processors
The current list of authorized Sub-processors, the services they provide, and the regions in which they may process Customer Personal Data is published and maintained at /legal/sub-processors and is incorporated into this DPA by reference. Customer authorizes SchoolIntel to engage the listed Sub-processors and any new Sub-processors added in accordance with the “Sub-processors” section above.
UK International Data Transfer Addendum
For transfers of personal data subject to the UK GDPR, the parties incorporate the UK International Data Transfer Addendum (version B1.0, in force 21 March 2022) issued by the UK Information Commissioner. The Addendum is completed as follows:
- Table 1 (Parties): as set out in Annex I.A above.
- Table 2 (Approved EU SCCs): the EU SCCs referenced in the “International transfers” section above (Module 2, controller to processor), with optional clauses completed as stated there.
- Table 3 (Appendix Information): as set out in Annex I.B, Annex II, and Annex III.
- Table 4 (Ending the Addendum): either party may end the Addendum where it is changed, in line with section 19 of the Addendum.
Article 27 representatives
SchoolIntel is established outside the European Union and the United Kingdom. Where required by Article 27 of the EU GDPR or the UK GDPR, SchoolIntel has appointed (or is in the process of appointing) representatives in the EU and the UK who can be contacted by data subjects and supervisory authorities.
- EU representative: appointment in progress. Until the appointment is finalized, contact hello@schoolintel.co with “EU GDPR Article 27” in the subject line.
- UK representative: appointment in progress. The same address applies in the interim.
We will update this section with the named representatives and their physical addresses upon appointment. Customers do not need to take any action; the appointments are an obligation of SchoolIntel as data importer / processor.