ClinAssess
ClinAssess
Home
Back home
Legal — Institutions

Data Processing Agreement (DPA)

Last updated: July 4, 2026 · Governed by the laws of Kenya

On this page
  • 1. Parties and Roles
  • 2. Subject Matter and Duration
  • 3. Nature and Purpose of Processing
  • 4. Categories of Data Subjects
  • 5. Categories of Personal Data
  • 6. Processor Obligations
  • 7. Sub-processors
  • 8. Data Breach Notification
  • 9. Data Return and Deletion
  • 10. Audits
  • 11. Liability
  • 12. Governing Law
  • 13. Contact Us

This Data Processing Agreement ("DPA") forms part of the agreement between ClinAssess ("Processor") and a subscribing Institution ("Controller") and describes how ClinAssess processes personal data on the Institution's behalf. It supplements our Privacy Policy and Terms and Conditions.

1. Parties and Roles

The Institution acts as the Data Controller, determining the purposes and means of processing student and staff personal data. ClinAssess acts as the Data Processor, processing personal data solely to provide the Platform in accordance with the Institution's instructions and this DPA.

2. Subject Matter and Duration

This DPA covers the processing of personal data necessary to operate ClinAssess for the Institution, and remains in effect for as long as ClinAssess processes personal data on the Institution's behalf, including any period required for data return or deletion after termination.

3. Nature and Purpose of Processing

ClinAssess processes personal data to: authenticate users; store and display clinical assessment submissions; run automated originality/duplicate detection (OCR text extraction, perceptual hashing, and similarity comparison); generate dashboards and reports; and maintain platform security and audit logs.

4. Categories of Data Subjects

Processing under this DPA relates to the Institution's students, lecturers, examiners, heads of department, and administrative staff who are issued ClinAssess accounts.

5. Categories of Personal Data

Personal data processed may include: names, registration/staff numbers, institutional email addresses, role and department, submitted clinical assessment content and any personal data contained within it, sign-in and usage logs, and technical/device identifiers.

6. Processor Obligations

ClinAssess agrees to:

  • Process personal data only on the Institution's documented instructions, unless required otherwise by law.
  • Ensure personnel with access to personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures, including encryption in transit, access controls, and audit logging.
  • Assist the Institution in responding to data subject requests, to the extent reasonably required.
  • Notify the Institution without undue delay upon becoming aware of a personal data breach affecting its data.

7. Sub-processors

ClinAssess may engage sub-processors — such as cloud hosting providers and, where enabled by the Institution, Google Workspace services (Drive, Docs, Sheets) — to support delivery of the Platform. ClinAssess remains responsible for ensuring sub-processors provide an equivalent level of data protection and will notify the Institution of material changes to its sub-processors where practicable.

8. Data Breach Notification

In the event of a confirmed personal data breach affecting Institution data, ClinAssess will notify the Institution without undue delay, providing available details of the nature of the breach, affected data, and remedial steps taken or planned.

9. Data Return and Deletion

On termination of the Institution's use of ClinAssess, and subject to any legal retention requirements, ClinAssess will, at the Institution's choice, return or delete personal data processed on its behalf within a reasonable period, less any data retained in encrypted backups for a limited time.

10. Audits

ClinAssess will provide the Institution with information reasonably necessary to demonstrate compliance with this DPA and will support reasonable audit or inspection requests, subject to confidentiality and security constraints.

11. Liability

Liability under this DPA is governed by the liability provisions in Section 15 of our Terms and Conditions, unless a separate signed agreement between ClinAssess and the Institution states otherwise.

12. Governing Law

This DPA is governed by the laws of Kenya, consistent with Section 22 of our Terms and Conditions.

13. Contact Us

Institutions with questions about this DPA, or wishing to formalize a signed data processing arrangement, can contact support@clinassess.graundra.com.

ClinAssess
About | Privacy Policy | Cookie Policy | Acceptable Use Policy | Academic Integrity Policy | Data Processing Agreement | Terms & Conditions
Student data is processed securely and only for educational purposes in accordance with your institution's policies.
Copyright © ClinAssess. All rights reserved.