This Data Processing Agreement ("DPA") forms part of the agreement between ClinAssess ("Processor") and a subscribing Institution ("Controller") and describes how ClinAssess processes personal data on the Institution's behalf. It supplements our Privacy Policy and Terms and Conditions.
1. Parties and Roles
The Institution acts as the Data Controller, determining the purposes and means of processing student and staff personal data. ClinAssess acts as the Data Processor, processing personal data solely to provide the Platform in accordance with the Institution's instructions and this DPA.
2. Subject Matter and Duration
This DPA covers the processing of personal data necessary to operate ClinAssess for the Institution, and remains in effect for as long as ClinAssess processes personal data on the Institution's behalf, including any period required for data return or deletion after termination.
3. Nature and Purpose of Processing
ClinAssess processes personal data to: authenticate users; store and display clinical assessment submissions; run automated originality/duplicate detection (OCR text extraction, perceptual hashing, and similarity comparison); generate dashboards and reports; and maintain platform security and audit logs.
4. Categories of Data Subjects
Processing under this DPA relates to the Institution's students, lecturers, examiners, heads of department, and administrative staff who are issued ClinAssess accounts.
5. Categories of Personal Data
Personal data processed may include: names, registration/staff numbers, institutional email addresses, role and department, submitted clinical assessment content and any personal data contained within it, sign-in and usage logs, and technical/device identifiers.
6. Processor Obligations
ClinAssess agrees to:
- Process personal data only on the Institution's documented instructions, unless required otherwise by law.
- Ensure personnel with access to personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures, including encryption in transit, access controls, and audit logging.
- Assist the Institution in responding to data subject requests, to the extent reasonably required.
- Notify the Institution without undue delay upon becoming aware of a personal data breach affecting its data.
7. Sub-processors
ClinAssess may engage sub-processors — such as cloud hosting providers and, where enabled by the Institution, Google Workspace services (Drive, Docs, Sheets) — to support delivery of the Platform. ClinAssess remains responsible for ensuring sub-processors provide an equivalent level of data protection and will notify the Institution of material changes to its sub-processors where practicable.
8. Data Breach Notification
In the event of a confirmed personal data breach affecting Institution data, ClinAssess will notify the Institution without undue delay, providing available details of the nature of the breach, affected data, and remedial steps taken or planned.
9. Data Return and Deletion
On termination of the Institution's use of ClinAssess, and subject to any legal retention requirements, ClinAssess will, at the Institution's choice, return or delete personal data processed on its behalf within a reasonable period, less any data retained in encrypted backups for a limited time.
10. Audits
ClinAssess will provide the Institution with information reasonably necessary to demonstrate compliance with this DPA and will support reasonable audit or inspection requests, subject to confidentiality and security constraints.
11. Liability
Liability under this DPA is governed by the liability provisions in Section 15 of our Terms and Conditions, unless a separate signed agreement between ClinAssess and the Institution states otherwise.
12. Governing Law
This DPA is governed by the laws of Kenya, consistent with Section 22 of our Terms and Conditions.
13. Contact Us
Institutions with questions about this DPA, or wishing to formalize a signed data processing arrangement, can contact support@clinassess.graundra.com.