Data Processing Agreement (DPA)

Status: Active
Last Updated: May 19, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between:

  • Customer (School), as data controller (or equivalent under applicable law), and
  • BassemLabs Inc., as data processor, processing personal information on behalf of the Customer.

1. Scope and Purpose

This DPA governs BassemLabs' processing of personal information to provide school information system services under the main services agreement.

2. Roles

  • Customer determines the purposes and means of processing customer data.
  • BassemLabs processes personal information only on documented customer instructions, except where otherwise required by law.

3. Compliance Framework

BassemLabs will implement controls appropriate to applicable privacy laws and contractual obligations, including support for school obligations under PIPEDA where applicable.

4. Categories of Data and Data Subjects

Data Subjects

  • Students
  • Parents/guardians
  • School staff and administrators

Personal Information Categories

  • Identity and profile data
  • Contact data
  • Attendance/academic/administrative records
  • Billing and invoicing metadata
  • Support and account activity logs

5. Processing Activities

BassemLabs processes personal information to:

  • Host and operate the platform.
  • Provide customer support.
  • Maintain system security and reliability.
  • Perform backups, incident response, and service operations.

6. Security Measures

BassemLabs maintains technical and organizational measures including:

  • Strong role-based access controls, scoped authorization checks, and tenant scoping controls designed to prevent cross-organization access.
  • Encryption at rest using AES-256 for core storage systems and encrypted secret storage for private integration material.
  • HSM-backed root-key architecture for encryption of private integration material (such as API keys and credentials).
  • Encryption in transit with TLS 1.2 minimum and TLS 1.3 by default where client/device compatibility allows.
  • Internal service-to-service communication protected with TLS 1.3.
  • Monitoring, incident response workflows, and privileged-access controls.

7. Security Incident Notification

BassemLabs will notify Customer without undue delay and no later than 24 hours after confirmation of a security incident affecting Customer personal information, unless a shorter period is required by law or contract.

Notification will include available information reasonably needed by Customer to meet legal obligations.

8. Subprocessors

BassemLabs may use subprocessors to deliver the service. BassemLabs will:

  • Maintain an up-to-date list of subprocessors.
  • Ensure subprocessors are subject to data-protection obligations materially consistent with this DPA.
  • Remain responsible for subprocessor performance under this DPA.

Current subprocessors and hosting regions are listed in Schedule 3.

9. International Transfers

Customer data may be processed in Canada and the United States based on selected deployment region and enabled product features.

BassemLabs will apply transfer safeguards required by applicable law.

10. Data Subject Rights and Assistance

BassemLabs will provide reasonable assistance for customer responses to lawful data-subject requests, considering the nature of processing.

11. Audit and Information Rights

All customer-data access and modification activity is auditable. BassemLabs maintains audit trails for data-access and data-modification activity for at least 90 days.

Upon reasonable request and subject to confidentiality obligations, BassemLabs may provide available documentation and responses needed for customer due diligence, including security/process evidence relevant to this DPA.

12. Return and Deletion

Upon termination and customer instruction, BassemLabs will:

  • Provide customer data export through a verified process.
  • Delete customer data, except where retention is required by law or legitimate accounting/recordkeeping obligations.

13. Order of Precedence

If this DPA conflicts with the main agreement regarding data processing obligations, this DPA governs those obligations.

This DPA follows the governing-law terms of the main services agreement and applies to all processing activities performed by BassemLabs on behalf of the customer.

If no governing-law clause exists in the main agreement:

  • Delaware law applies by default, excluding conflict-of-law rules.
  • Mandatory Canadian legal requirements remain applicable for Canadian customer data.
  • For Canadian customers, a customer-specific addendum may designate a Canadian province for governing law and forum.

For legal/privacy notices related to this DPA:

15. Schedule 1 - Processing Details

  • Subject matter: School information system platform delivery
  • Duration: Term of services agreement plus limited retention window as required by law/contract
  • Nature: Collection, storage, organization, retrieval, support, deletion/export
  • Purpose: Service delivery, support, security, reliability

16. Schedule 2 - Security Control Summary

  • Access control and least-privilege role enforcement
  • Organization-level data isolation
  • Encryption in transit and at rest
  • Operational monitoring and incident handling

17. Schedule 3 - Subprocessor Register

  • Amazon Web Services (AWS) - cloud hosting and infrastructure (us-east-1, ca-central-1), including encrypted data storage systems (database and object storage).
  • Stripe - payment processing (payments data context)
  • Twilio - notification and messaging delivery
  • OpenAI - AI text generation for report-card comments (feature-limited context; model training on customer data disabled; prompts are anonymized and exclude user-identifiable data)