Operator Agreement / Data Processing Addendum
POPIA sections 20–21 / GDPR Article 28
Between:
[School Name], a [public school / independent school / other] operating from [School Address] (the "School" or "Responsible Party" / "Controller");
and
Teleios IT Consulting (Pty) Ltd, a private company registered in the Republic of South Africa under registration number [CIPC registration number], with its registered office at [Registered address], operating the Skoolara platform ("Skoolara" or "Operator" / "Processor"). Teleios IT Consulting (Pty) Ltd's designated Information Officer is Sachen Govender, registered with the Information Regulator of South Africa under reference 2026-005741.
Each a "Party" and together the "Parties".
1. Background
1.1. The School has subscribed to the Skoolara platform for the administration of the School and the education of its learners.
1.2. In the course of operating the platform, Skoolara processes personal information on behalf of the School. The School is the Responsible Party under POPIA and, where applicable, the Controller under GDPR; Skoolara is the Operator / Processor.
1.3. This Operator Agreement / Data Processing Addendum (the "Addendum") sets out the written agreement required by POPIA sections 20 and 21 and GDPR Article 28. It forms part of the Terms of Service between the Parties and prevails over any inconsistent provision in those Terms in relation to the processing of personal information.
2. Definitions
In this Addendum, unless the context indicates otherwise:
- "Applicable Data Protection Laws" means POPIA, GDPR (where applicable), and any other applicable data-protection legislation.
- "Personal Information" has the meaning given in POPIA and includes "personal data" as defined in GDPR.
- "Data Subject" means a natural person to whom Personal Information relates, including learners, parents, guardians and staff of the School.
- "Security Compromise" has the meaning given in POPIA s22 and includes a "personal data breach" as defined in GDPR Art 4(12).
- "Sub-Operator" means a sub-processor engaged by Skoolara to process Personal Information on behalf of the School.
- Capitalised terms not defined here have the meanings given in POPIA.
3. Subject matter and duration
3.1. Subject matter. The processing of Personal Information by Skoolara on behalf of the School for the purpose of providing the Skoolara platform.
3.2. Duration. This Addendum commences on the earlier of (i) the effective date of the School's subscription or (ii) the date Skoolara begins to process Personal Information on behalf of the School, and continues for as long as Skoolara processes such Personal Information.
4. Nature and purpose of processing
Skoolara processes Personal Information to:
- host and serve the Skoolara platform;
- store and make available learner, parent and staff records;
- deliver messages and notifications;
- produce reports (academic, attendance, administrative);
- facilitate statutory submissions configured by the School;
- provide support and maintenance services; and
- carry out security, audit and integrity functions.
Skoolara processes Personal Information only on the documented instructions of the School, which are embodied in the Terms of Service, this Addendum, configurations made by the School within the platform, and any further written instructions accepted by Skoolara.
5. Types of personal information and categories of data subjects
5.1. Categories of Data Subjects:
- learners (the majority of whom are children);
- parents and legal guardians of learners;
- principals, teachers, administrative and support staff of the School; and
- other individuals added by the School (e.g. emergency contacts, service providers).
5.2. Categories of Personal Information:
- identification data (name, date of birth, SA ID/passport number, gender, nationality);
- contact data (address, telephone, email);
- academic data (marks, assessments, reports);
- attendance data;
- disciplinary and pastoral notes;
- financial data (fees, invoices);
- medical and health data voluntarily provided (special-category / special personal information);
- documents uploaded by the School or parents (birth certificates, IDs, reports);
- images and photographs;
- communications (messages, notifications);
- authentication and audit data (logins, device identifiers, IP addresses).
6. Obligations of Skoolara (Operator)
6.1. Instructions. Skoolara shall process Personal Information only on the documented instructions of the School, except where required to do otherwise by law (in which case Skoolara shall, unless prohibited, inform the School).
6.2. Confidentiality. Skoolara shall ensure that personnel authorised to process Personal Information are bound by written confidentiality obligations or a statutory duty of confidentiality.
6.3. Security. Skoolara shall implement and maintain appropriate technical and organisational measures to safeguard Personal Information, taking into account the state of the art, cost of implementation, nature of the information, and the risks to Data Subjects. Measures shall include:
- encryption in transit (TLS 1.2+) and at rest;
- role-based access controls and least-privilege principles;
- multi-factor authentication for administrative access;
- vulnerability management and security testing;
- logical and physical access controls;
- audit logging of access to Personal Information;
- secure software-development lifecycle practices;
- backup and restoration procedures;
- incident detection and response capabilities;
- regular security awareness training for personnel.
6.4. Sub-Operators. Skoolara may engage Sub-Operators subject to clause 7.
6.5. Assistance with Data-Subject requests. Skoolara shall, taking into account the nature of the processing, assist the School by appropriate technical and organisational measures, insofar as possible, to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Laws.
6.6. Assistance with compliance. Skoolara shall assist the School in ensuring compliance with its obligations under POPIA s19-22 and GDPR Articles 32-36, including security, breach notification, and data-protection impact assessments.
6.7. Breach notification. Skoolara shall notify the School without undue delay, and in any event within 72 hours of becoming aware of a Security Compromise affecting Personal Information processed under this Addendum. Such notification shall, to the extent known, describe:
- the nature of the Security Compromise, including the categories and approximate number of Data Subjects and records affected;
- the name and contact details of the Skoolara point of contact;
- the likely consequences; and
- the measures taken or proposed to address the Security Compromise, including measures to mitigate its adverse effects.
Skoolara shall cooperate with the School to enable the School to meet its own notification obligations to the Information Regulator, supervisory authorities and Data Subjects.
6.8. Records. Skoolara shall maintain records of processing activities carried out on behalf of the School as required by POPIA and GDPR Art 30(2), and shall make such records available to the School on request.
6.9. Return or deletion. On termination of the Addendum or expiry of the subscription, Skoolara shall, at the School's election, return and/or delete all Personal Information processed on behalf of the School in accordance with clause 11.
7. Sub-Operators
7.1. General authorisation. The School grants Skoolara general authorisation to engage Sub-Operators, subject to this clause.
7.2. Current Sub-Operators. At the effective date, the following Sub-Operators are engaged:
| Sub-Operator | Role | Location of processing |
|---|---|---|
| Amazon Web Services EMEA SARL | Application + database hosting | eu-west-1 (Ireland, EU) |
| Cloudflare, Inc. — Cloudflare R2 | Object storage for uploaded files (identity documents, medical certificates, report attachments) | Cloudflare global network (cross-border) |
| Google LLC — Firebase Cloud Messaging | Push-notification delivery | Google global infrastructure (cross-border) |
[Email provider placeholder] |
Transactional email | [Location] |
[Payment provider placeholder] |
Fee processing (optional) | [Location] |
[Error-tracking provider placeholder] |
Error and performance monitoring | [Location] |
7.3. Changes to Sub-Operators. Skoolara shall notify the School at least 30 days in advance of any addition or replacement of Sub-Operators. The School may object to a proposed Sub-Operator on reasonable, documented grounds related to data-protection. Where the Parties cannot resolve an objection, the School may terminate the affected part of the subscription without penalty.
7.4. Contracts with Sub-Operators. Skoolara shall impose on each Sub-Operator, by written contract, data-protection obligations equivalent to those in this Addendum. Skoolara remains liable to the School for the performance of each Sub-Operator.
8. International transfers
8.1. Personal Information processed through Skoolara is stored outside the Republic of South Africa: database records reside in AWS eu-west-1 (Ireland); uploaded files reside in Cloudflare R2 across Cloudflare's global network; and push-notification delivery uses Firebase Cloud Messaging on Google infrastructure.
8.2. For each such cross-border transfer, Skoolara shall ensure an appropriate basis under POPIA s72 and, where GDPR applies, under GDPR Chapter V, including:
- an adequacy decision where available;
- Standard Contractual Clauses or equivalent contractual safeguards;
- binding corporate rules; or
- another lawful transfer mechanism.
8.3. On request, Skoolara shall provide the School with copies of relevant transfer safeguards (with commercially sensitive terms redacted).
9. Audit rights
9.1. Skoolara shall make available to the School the information reasonably necessary to demonstrate compliance with this Addendum.
9.2. Skoolara undertakes annual independent security assessments (for example, ISO/IEC 27001, SOC 2 or equivalent) and will share executive summaries with the School on request and subject to confidentiality.
9.3. On reasonable notice (not less than 30 days), and no more than once per year unless a Security Compromise has occurred or a regulator has required it, the School (or a qualified independent auditor appointed by it and acceptable to Skoolara, which acceptance shall not be unreasonably withheld) may audit Skoolara's compliance with this Addendum. Audits shall:
- be conducted during normal business hours;
- not unreasonably disrupt Skoolara's operations;
- respect the confidentiality of Skoolara and its other customers; and
- be at the School's cost, unless material non-compliance is found, in which case Skoolara shall bear reasonable costs.
10. Liability
10.1. Each Party's liability under this Addendum is subject to the limitations and exclusions in the Terms of Service, save that nothing in this Addendum limits liability that cannot lawfully be limited (including liability for fraud, wilful misconduct, or statutory administrative fines payable to a regulator in respect of that Party's own acts or omissions).
10.2. Where both Parties are responsible for an event causing damage to a Data Subject, liability shall be apportioned in accordance with POPIA and, where applicable, GDPR Art 82(4)-(5).
11. Termination and data return
11.1. Termination. This Addendum terminates automatically on the termination or expiry of the Terms of Service between the Parties.
11.2. Return and deletion. Within 30 days after termination, Skoolara shall, at the School's election:
- return all Personal Information to the School in a structured, commonly used, machine-readable format; and/or
- delete all Personal Information from Skoolara's active systems.
11.3. Backups. Personal Information contained in routine backups shall be deleted in accordance with the rolling backup-retention cycle set out in data-retention-schedule.md.
11.4. Legal retention. Where law requires Skoolara to retain specific Personal Information, Skoolara shall retain it for the period required and protect it by appropriate security measures during that period.
11.5. Written confirmation. On request, Skoolara shall provide the School with written confirmation of return or deletion.
12. Order of precedence
12.1. In the event of any conflict between this Addendum and the Terms of Service, this Addendum prevails in relation to the processing of Personal Information.
12.2. In the event of any conflict between this Addendum and Applicable Data Protection Laws, the laws prevail.
13. Miscellaneous
13.1. Amendments. This Addendum may be amended only in writing signed by both Parties, save that Skoolara may update sub-Operators in accordance with clause 7.
13.2. Governing law. This Addendum is governed by the laws of the Republic of South Africa.
13.3. Jurisdiction. The Parties submit to the exclusive jurisdiction of the competent courts of the Republic of South Africa.
14. Signatures
For the School (Responsible Party / Controller):
Name: ____ Capacity: ____ Signature: ____ Date: ____
For Skoolara (Operator / Processor):
Name: ____ Capacity: ____ Signature: ____ Date: ____
End of Operator Agreement / Data Processing Addendum (draft v0.1).