Operator Data Processing Agreement
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between the educational center subscribing to the Service ("Operator" or "Controller") and Acivem Solutions ("HWA" or "Processor"). It governs the processing of personal data carried out by HWA on behalf of the Operator under the Operator Terms.
2. Definitions
Terms such as "personal data", "processing", "data subject", "controller", and "processor" have the meanings given in Ley 1581 de 2012 and Decreto 1377 de 2013.
3. Subject Matter and Duration
HWA processes personal data solely to provide the Service to the Operator. Processing continues for the term of the Operator Terms and any wind-down period defined in Section 11.
4. Nature and Purpose of Processing
- Account management for attendants, students, and staff.
- Calendar, attendance, and communication functionality.
- Security monitoring, backup, and disaster recovery.
- Technical support requested by the Operator.
5. Categories of Data and Data Subjects
- Data subjects: Operator staff, students, parents/guardians, attendants.
- Categories: identifiers, contact data, role/membership, attendance records, calendar entries, in-app messages, technical/log data.
- No sensitive data should be uploaded unless expressly permitted by the Service.
6. Obligations of the Operator
- Obtain and document all authorizations required from data subjects, including parents/guardians of minors.
- Provide accurate privacy notices to its data subjects.
- Use the Service in accordance with applicable Colombian law.
- Configure access controls, roles, and retention settings appropriately.
7. Obligations of HWA
- Process personal data only on documented instructions from the Operator.
- Ensure that personnel authorized to process data are bound by confidentiality.
- Implement the technical and organizational measures described in Annex A.
- Assist the Operator in responding to data subject requests and regulatory inquiries.
- Notify the Operator without undue delay, and in any event within seventy-two (72) hours, of any confirmed personal data breach affecting Operator data.
8. Sub-Processors
The Operator authorizes HWA to engage sub-processors listed in Annex B, including:
- Auth0 (Okta): identity and access management.
- Cloud hosting provider: infrastructure and storage.
- Transactional email provider: system notifications.
HWA will notify the Operator of additions or replacements at least thirty (30) days in advance. The Operator may object on reasonable grounds related to data protection.
9. International Transfers
Where sub-processors operate outside Colombia, HWA implements contractual safeguards aligned with SIC guidance for cross-border data transfers.
10. Security Measures (Annex A summary)
- Encryption in transit (TLS 1.2+) and at rest for production stores.
- Role-based access control and least-privilege administration.
- Centralized audit logging and monitoring.
- Regular vulnerability scanning and patch management.
- Documented backup and disaster-recovery procedures.
- Security awareness training for staff with access to personal data.
11. Return or Deletion
Upon termination of the Operator Terms, HWA will, at the Operator's choice, return or delete Operator personal data within ninety (90) days, except where retention is required by law.
12. Audit Rights
The Operator may, upon thirty (30) days' written notice and no more than once per year, request reasonable audit evidence (certifications, summaries of penetration tests, or written responses to questionnaires).
13. Liability
Liability under this DPA is governed by the limitation of liability set forth in the Operator Terms.
14. Governing Law
This DPA is governed by the laws of the Republic of Colombia.
15. Contact
For DPA matters: dpo@acivem-solutions.com.