Data Processing Agreement (DPA)
Data Processing Agreement (DPA)
Version: v1.0
Last Updated: November 12, 2025
1. Parties
This Data Processing Agreement (“Agreement”) is made between:
Controller:
The educational institution or school using FacePass to manage student attendance (“Controller”).
Processor:
TechKluster LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States of America
(“Processor,” “FacePass,” “we,” “us,” or “our”).
2. Purpose
The Controller engages the Processor to process personal and biometric data on its behalf for the purpose of:
Managing student attendance using AI-based face recognition;
Sending attendance notifications to authorized parents and guardians; and
Providing attendance reports and school management tools.
The Processor will process data only as instructed by the Controller and in compliance with this Agreement and applicable law.
3. Definitions
“Personal Data” means any information relating to an identified or identifiable individual (student, parent, or staff).
“Processing” means any operation performed on Personal Data, such as collection, storage, transmission, or deletion.
“Data Subject” means the individual to whom the Personal Data relates.
“Sub-processor” means any third party engaged by the Processor to process data on behalf of the Controller.
4. Data Processing Terms
The Processor shall process Personal Data only for the purposes described above and in accordance with the Controller’s documented instructions.
The Processor shall ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
The Processor shall maintain records of all processing activities, as required under Article 30 of the GDPR.
5. Categories of Data Processed
| Category | Examples |
|---|---|
| Student Information | Name, ID, class, photo |
| Biometric Data | Facial embeddings (for AI verification) |
| Attendance Data | Check-in/out timestamps and photos |
| Parent Data | Name, contact info, relationship |
| School Staff Data | Name, contact info, role |
| Technical Data | Device IDs, app logs |
6. Sub-Processors
The Processor uses the following approved Sub-Processors for infrastructure and operations:
| Sub-Processor | Purpose | Location | Compliance |
|---|---|---|---|
| Google Cloud Platform (Firebase, Cloud Run, Cloud Storage, Firestore) | Cloud hosting, authentication, and storage | United States | GDPR, ISO 27001, SOC 2 |
| Stripe, Inc. (if applicable) | Subscription billing | United States | GDPR, PCI DSS |
The Processor shall notify the Controller in advance of any intended changes to Sub-Processors and allow objections where appropriate.
7. Security Measures
The Processor implements technical and organizational measures (TOMs) to ensure data protection, including:
AES-256 encryption for all stored data
TLS 1.3 for network transmission
Access control, role-based permissions, and MFA
Data segregation between schools (tenants)
24/7 monitoring and incident response
Regular penetration testing and vulnerability assessments
Detailed security documentation is available upon request.
8. Data Breach Notification
In the event of a Personal Data Breach, the Processor shall:
Notify the Controller within 72 hours of discovery.
Provide details of the breach, affected data subjects, and remedial actions taken.
Assist the Controller with regulatory and data subject notifications.
9. Data Retention and Deletion
| Data Type | Retention | Deletion Procedure |
|---|---|---|
| Face embeddings | Until student withdrawal or consent revocation | Secure deletion from Firestore and backups |
| Check-in/out photos | 30 days | Automated deletion process |
| Attendance records | Duration of school contract | Deleted 30 days post-contract |
| Backups | Up to 90 days | Overwritten on rotation schedule |
Upon contract termination or written request, the Processor will:
Delete or return all Personal Data to the Controller, and
Certify completion of data destruction.
10. Rights of Data Subjects
The Processor shall assist the Controller in fulfilling Data Subject rights requests, including:
Access to data
Correction
Deletion (“Right to be Forgotten”)
Restriction or objection to processing
Data portability
All requests are handled within 30 days unless extended by law.
11. International Data Transfers
If data is transferred outside the EEA or UK, the Processor shall:
Use Standard Contractual Clauses (SCCs);
Ensure equivalent protection measures under GDPR Article 46; and
Store data primarily in the United States on Google Cloud’s secure infrastructure.
12. Audit and Compliance
The Controller has the right to:
Request documentation demonstrating compliance (e.g., audit summaries, certifications);
Conduct remote audits (no more than once per year) with reasonable notice;
Receive immediate notification if the Processor cannot comply with this Agreement.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set forth in the FacePass Terms of Service.
The Processor is not liable for data loss or damage caused by the Controller’s misuse, system misconfiguration, or noncompliance with GDPR.
14. Governing Law and Jurisdiction
This Agreement is governed by the laws of Wyoming, USA, except where the Controller operates in the EU or UK, in which case GDPR/UK GDPR applies.
Disputes shall be resolved through good faith negotiation or arbitration, as defined in the Terms of Service.
15. Contact Information
Data Protection Officer (DPO):
TechKluster LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States of America
Email: privacy@getfacepass.app
16. Change Log
v1.0 (Nov 2025) – Initial release for global school compliance