Legal

Data Processing
Agreement

Last updated: March 1, 2026 · Version 2.1

Summary: This DPA defines how Astralearnia processes personal data on your behalf — what data, under what instructions, how it is secured, where it is stored, and your rights as a Controller. To request a countersigned copy, email legal@astralearnia.com.

📄

Scope & Purpose

This DPA governs all processing of personal data carried out by Astralearnia Technologies Ltd ('Processor') on behalf of Client ('Controller').
Processing is carried out solely to deliver the contracted Astralearnia services as described in the Master Service Agreement.
Processor acts only on documented instructions from Controller and does not process data for any independent purpose.

⚙️

Nature of Processing

Processing activities include: storage, retrieval, structuring, adaptation, and analysis of learner and organisational data.
Categories of data processed: names, email addresses, job titles, learning progress records, assessment scores, and usage analytics.
Data subjects covered: Controller's employees, contractors, and authorised platform users.

🔐

Security Measures

AES-256 encryption at rest for all stored personal data; TLS 1.3 in transit.
Role-based access controls — only authorised personnel with a documented need may access personal data.
Annual third-party penetration testing and continuous vulnerability scanning.
SOC 2 Type II certification maintained on an annual basis.
Incident response plan with mandatory notification within 72 hours of confirmed breach.

🌍

International Data Transfers

Data is processed primarily in our Lagos, Nigeria primary data centre and AWS eu-west-1 (Ireland) region.
Transfers outside the EEA are protected by EU Standard Contractual Clauses (SCCs) 2021/914.
Adequacy decisions are monitored; Controller will be notified of any changes to transfer mechanisms.
On request, Processor provides a full record of sub-processor locations and transfer safeguards.

🤝

Sub-Processors

Astralearnia engages the following categories of sub-processors: cloud infrastructure, email delivery, payment processing, analytics.
A current list of named sub-processors is maintained at astralearnia.com/sub-processors and updated with 30-day notice.
Controller may reasonably object to a new sub-processor; process is detailed in Section 9 of the MSA.
All sub-processors are contractually bound to security standards no less stringent than this DPA.

⚖️

Data Subject Rights

Processor assists Controller in fulfilling GDPR Articles 15–22 rights (access, rectification, erasure, portability, objection).
Requests received directly by Processor are forwarded to Controller within 5 business days.
Processor provides technical means to export or delete data within 30 days of request.
Deletion is permanent and confirmed in writing; backup purge occurs within 90 days.

📋

Audit Rights

Controller may audit Processor's data processing activities upon 30 days' written notice, no more than once per year.
Processor provides relevant documentation, certifications (SOC 2, ISO 27001) in lieu of on-site audit where sufficient.
On-site audits are available at Controller's cost; scope is agreed in advance to minimise operational disruption.

🗑

Retention & Deletion

Personal data is retained only for the duration of the service agreement plus a 30-day grace period.
On termination, Controller may export all data via the platform export tools within the grace period.
After the grace period, all personal data is securely deleted from live systems and scheduled for purge from backups.
A deletion certificate is issued within 14 days of confirmed data destruction.

✉️

Contact

Data Protection Officer: dpo@astralearnia.com
Legal & DPA enquiries: legal@astralearnia.com
Astralearnia Technologies Ltd · Lagos, Nigeria
To request a countersigned DPA, contact legal@astralearnia.com with your company details.

Need a countersigned DPA?

Sent within 2 business days. Includes EU SCCs and annexes.

Request DPA →

Data ProcessingAgreement