This Data Processing Addendum ("DPA") forms part of the Terms of Service between Teachers Performance ("Processor") and the subscribing school ("Controller", "you"). It describes how the Processor handles Personal Data on the Controller's behalf in connection with the Service.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed under the Service.
- Data Subjects — typically faculty, students, deans, supervisors, HR, and other school staff or stakeholders enrolled in the Controller's tenant.
- Sub-processor — a third party engaged by the Processor to process Personal Data.
- Applicable Law — the Philippine Data Privacy Act (RA 10173) and, where applicable, the EU GDPR and equivalent foreign laws.
2. Subject Matter and Scope
The Processor will process Personal Data solely to provide the Service to the Controller, in accordance with the Controller's documented instructions, the Terms, and Applicable Law.
3. Categories of Data Subjects and Personal Data
Data Subjects: Faculty, students, deans, supervisors, HR officers, school administrators, IT staff, and other authorized end users of the Controller's tenant.
Personal Data categories:
- Identification and contact details (name, email, username, role, department, employee/student ID);
- Profile data (date of birth, position, account status, signature image);
- Evaluation content (responses, ratings, free-text comments, peer/dean/self assessments);
- System and audit data (logins, IP address, browser, audit-log events);
- Authentication data (hashed passwords, password-reset tokens).
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller;
- Ensure that personnel authorized to process Personal Data are bound by confidentiality;
- Implement appropriate technical and organizational measures (Section 7);
- Assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to Data Subject rights requests;
- Assist the Controller in ensuring compliance with security, breach-notification, and impact-assessment obligations;
- Make available information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
- Railway, Inc. — application hosting and managed database (United States/EU regions).
- Resend, Inc. — transactional email delivery (United States).
The Processor will give the Controller at least 14 days' notice before adding or replacing a Sub-processor. The Controller may object on reasonable data-protection grounds; if no satisfactory remedy is reached, the Controller may terminate the affected Service.
6. International Transfers
Where Personal Data is transferred outside the Philippines (or outside the EEA, for EEA Controllers), the Processor will rely on Standard Contractual Clauses, adequacy decisions, or equivalent safeguards required by Applicable Law.
7. Security Measures
- Tenant isolation — separate database per Controller; cross-tenant access blocked at the framework level.
- Encryption in transit — TLS 1.2+ for all client and inter-service traffic.
- Encryption at rest — managed database storage encrypted by the hosting provider.
- Access control — least-privilege access to production; role-based permissions inside the application; audit logging of administrative events.
- Authentication — bcrypt-hashed passwords; CSRF protection on all state-changing requests; rate limiting on login and reset endpoints.
- Backups — automated, encrypted daily backups with point-in-time recovery on supported plans.
- Monitoring — application and infrastructure logs reviewed for security events.
8. Data Subject Rights
The Processor will, upon the Controller's reasonable request, provide tooling and assistance to enable the Controller to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection.
9. Personal Data Breach
The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Controller data, providing sufficient information to enable the Controller to meet its own notification obligations.
10. Audits
The Controller may, at most once per year and on reasonable notice, request information necessary to verify the Processor's compliance with this DPA. Audits will be conducted at the Controller's expense and in a manner that does not unduly disrupt the Processor's operations or the security of other tenants.
11. Return or Deletion
On termination of the Service, the Processor will, at the Controller's election made within 30 days:
- Provide a one-time export of Controller data in a structured machine-readable format; and/or
- Delete or anonymize Controller Personal Data, subject to retention obligations imposed by Applicable Law.
After 30 days the Processor may permanently delete the Controller's tenant database without further notice.
12. Liability
The liability of each party under this DPA is subject to the limitations set out in the Terms of Service.
13. Governing Law
This DPA is governed by the laws of the Republic of the Philippines, without prejudice to the rights of Data Subjects under their local law.
14. Contact
For questions about this DPA, or to request an executable counterpart copy, contact us via the contact page and tag the request "DPA".