Data Processing Agreement
A plain-English DPA between your school (the controller) and Zion (the processor) for the personal data that flows through the service. If your country requires a counter-signed version, email us.
1. The parties and the basics
You, the school or organisation using Zion, are the "Controller" of student and staff personal data. Zion, operated by Sipho Yawe, is the "Processor". This DPA applies whenever Zion processes personal data on the Controller's instruction.
2. What we process and why
The Controller decides what data is entered. Categories typically include student records (name, ID, learning centre, PACE assignments), daily goals and scores, attendance, test scores and moderation records, and staff profiles (supervisors, monitors). We process it to deliver the Zion service described in the Terms.
3. Acting on instruction
Zion processes personal data only on the Controller's documented instructions (including those embedded in how you configure and use the service), unless required by law. If we believe an instruction breaches data-protection law, we will tell you.
4. Confidentiality and security
People who access personal data on our side are bound by confidentiality. We apply reasonable, generally accepted security measures: multi-tenant row-level security, encryption in transit, role-based access, hardened server-only ingestion of public submissions, audit logging on grade changes, and least-privilege keys for sub-processors.
5. Sub-processors
We use the sub-processors listed in our Privacy Policy. We will give the Controller reasonable notice before adding or replacing a sub-processor, and the Controller may object on reasonable grounds. Sub-processors are bound to data protection terms no less protective than this DPA.
6. International transfers
Where personal data is transferred to a country whose law does not provide an essentially equivalent level of protection, we rely on appropriate safeguards (such as the Standard Contractual Clauses) and choose vendor regions to keep data close to the school where possible.
7. Helping you with rights and breaches
We will help the Controller, at reasonable cost, with: responding to data-subject requests; conducting data-protection impact assessments; consultations with regulators; and meeting incident-response obligations. We will tell you about a personal-data incident affecting your tenant without undue delay after we become aware of it.
8. Audit
On reasonable written notice, we will give the Controller information necessary to demonstrate compliance with this DPA, and accept an audit by an independent third party under reasonable confidentiality terms.
9. Return and deletion
On termination, the Controller can export its data for a reasonable period. After that, we delete personal data from active systems within a reasonable period and from backups on the next cycle, unless retention is required by law.
10. Term and changes
This DPA applies for as long as Zion processes personal data on the Controller's instruction. We may update it to track legal or operational changes, and will notify you of material updates by email or in-app.
11. Contact
Data-protection questions: support@zionapp.co.