Data Processing Agreement
Last updated: July 17, 2026. Standard data-processing terms for Pankesh customers, schools, and service clients.
1. When this DPA applies
This DPA applies when Pankesh processes personal data on behalf of a customer through Pankesh.School, Pankesh.Tech services, hosted dashboards, custom software, integrations, maintenance, automation, or support.
- The customer and processor legal names are the parties identified in the applicable signed agreement, accepted order, or invoice.
- It supplements the Terms of Service, Privacy Policy, written proposal, order form, subscription plan, or school/customer agreement.
- If a signed agreement contains different data-processing terms, that signed agreement controls for that customer.
- This DPA does not cover personal data that Pankesh processes as an independent controller for its own billing, marketing, website analytics, legal, or business administration.
2. Roles
For customer-controlled data, the customer is the controller and Pankesh is the processor/service provider. For school records, the school or institute decides what data is collected and how it is used.
- The customer must provide lawful instructions and obtain any required notices, permissions, consents, or approvals.
- Pankesh processes personal data only to provide, secure, support, maintain, improve, and document the requested services.
- Pankesh may process limited operational data as controller for billing, security, logs, fraud prevention, legal compliance, and support administration.
3. Processing instructions
Pankesh will process customer personal data according to documented instructions in the agreement, dashboard configuration, support request, integration settings, or written communication.
- We may refuse instructions that appear unlawful, unsafe, technically impossible, or outside the agreed service scope.
- The customer is responsible for the accuracy, quality, legality, and permissions for data submitted to the services.
- Customer administrators control role permissions, user access, tenant settings, data entry, exports, and deletion requests where available.
4. Security measures
Pankesh uses reasonable technical and organizational safeguards appropriate to the service type, data sensitivity, customer plan, and risk.
- Role-based access, least-privilege internal access, password hashing, admin controls, and authentication protections.
- Encryption in transit where supported, secure hosting configuration, backups, logging, monitoring, and vulnerability review.
- Confidentiality obligations for staff, contractors, and service providers who may access customer data.
- Separation of school/customer accounts where the product architecture supports tenant-based operation.
- Incident response processes for suspected unauthorized access, data leakage, abuse, or system compromise.
5. Subprocessors
The customer authorizes Pankesh to use subprocessors needed to deliver the services. These may include hosting, database, backup, payment, email, SMS, WhatsApp, analytics, support, development, storage, domain, security, and AI providers.
- Subprocessors are required to protect personal data according to their role and the applicable agreement.
- Pankesh remains responsible for its own obligations under this DPA when using subprocessors.
- For AI-enabled features, third-party AI providers may process prompts, files, outputs, metadata, and safety logs needed to perform the requested feature.
- Customers may request current subprocessor information for their account or enterprise review.
6. AI and sensitive data
Customers must not submit sensitive, confidential, regulated, student, health, financial, biometric, or high-risk data to AI-enabled features unless they have approved that use and the required safeguards are in place.
- The customer remains responsible for reviewing AI outputs before use.
- AI outputs should not be used as the sole basis for legal, medical, financial, educational, employment, admission, disciplinary, safety, or other high-impact decisions.
- Pankesh may disable AI workflows that create legal, privacy, safety, or security risk.
- Where an enterprise customer needs stricter AI terms, those terms should be documented in a signed order or addendum.
7. Data subject requests
Pankesh will reasonably assist the customer with access, correction, deletion, export, restriction, objection, or consent-withdrawal requests where required by applicable law and technically feasible.
- For school/student data, requests should normally be directed to the school first.
- Pankesh may redirect a requester to the customer when the customer controls the data.
- Assistance that requires custom engineering, recovery, or manual review may be chargeable if outside normal support scope.
- We may verify identity and authority before helping with a request.
8. Security incidents
If Pankesh confirms a personal-data breach affecting customer-controlled data, we will notify the affected customer without undue delay and, where practical, within 72 hours after confirmation.
- Notice may include known facts, affected systems, likely data categories, mitigation steps, and recommended customer actions.
- The customer is responsible for any notices to students, parents, staff, customers, regulators, or other people unless law or a signed agreement says otherwise.
- Pankesh may delay details if disclosure would increase security risk or interfere with investigation.
9. Return, deletion, and audit
On request or termination, Pankesh will reasonably support data export, return, deletion, or account closure according to the product capability, customer plan, backups, legal retention, and outstanding payment status.
- Backup deletion may occur on a delayed cycle according to backup retention practices.
- Pankesh may retain limited records required for tax, legal, billing, security, fraud prevention, dispute, and compliance purposes.
- Enterprise customers may request reasonable security documentation or audit information, subject to confidentiality and protection of other customers.
- On-site audits, custom reports, or third-party audits require prior written agreement and may be chargeable.
10. International processing and contact
Customer data may be processed in India and other countries where Pankesh, its team, infrastructure, or subprocessors operate.
- Where required, Pankesh will use reasonable contractual safeguards for international transfers.
- Customers with strict residency or compliance needs should document them before onboarding.
- For DPA questions or a signed copy, contact contact@pankesh.in.
Request a signed DPA
Share your organization name, product, domain, and any required compliance terms.