Data Processing Agreement

1. Definitions

"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given to them in the GDPR (Regulation (EU) 2016/679), and equivalent meanings under the Bangladesh Data Protection Act and India DPDP Act where applicable.

2. Subject matter and duration

The Processor processes Personal Data on behalf of the Controller solely to deliver the Services (learning platform, AI tutoring, video, payment processing, and related features) for the term of the underlying Agreement. On termination, the Controller may export data for 30 days, after which the Processor will delete or anonymise it (clause 9).

3. Nature and purpose of processing

• Account creation, authentication, and access control
• Course enrolment, progress tracking, certificates
• AI-tutor interactions and content recommendations
• Payment processing (via SSLCommerz and other licensed gateways)
• Transactional emails and in-app notifications
• Analytics and product improvement (aggregated where possible)

4. Categories of data subjects and data

Data subjects: the Controller's students, instructors, and administrators.

Personal Data categories: identification (name, email, phone), authentication data, learning activity, assessment results, payment metadata (no card numbers stored by IQRA — handled by PCI-DSS-certified gateways), IP address and device fingerprints for security, optional profile data (avatar, bio, language).

No special-category data (health, religion, etc.) is intentionally collected.

5. Processor obligations

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorised to process Personal Data are bound by confidentiality
• Implement appropriate technical and organisational measures (see clause 7)
• Assist the Controller in responding to data-subject requests (access, rectification, erasure, portability)
• Notify the Controller without undue delay (and within 72 hours) of any Personal Data Breach

6. Sub-processors

The Controller authorises the use of the following sub-processors:

• Hosting / infra: the Controller-approved cloud provider (e.g. AWS, DigitalOcean)
• Email delivery: SMTP provider configured by Controller
• Payment gateways: SSLCommerz, Stripe (region-dependent)
• AI providers: Google Gemini, OpenAI (where enabled) — prompts may contain learning content
• Error monitoring: Sentry (if enabled)

IQRA will notify the Controller at least 30 days before adding or replacing any sub-processor. The Controller may object on reasonable data-protection grounds.

7. Security measures

• TLS 1.2+ in transit (HSTS preload), AES-256 at rest for sensitive fields
• Passwords hashed with bcrypt; two-factor authentication available
• Rate limiting, error monitoring, audit logging
• Least-privilege access; role-based authorisation
• Daily encrypted database backups with documented restore procedure
• Vulnerability scanning of dependencies in CI

8. International transfers

Where Personal Data is transferred outside the Controller's jurisdiction, the Processor relies on Standard Contractual Clauses (EU SCCs 2021/914) or an equivalent legal mechanism. The Controller will be informed of the relevant transfer mechanism on request.

9. Return or deletion of data

On termination of the Services, the Processor will, at the Controller's election, return or delete all Personal Data (including all copies held by sub-processors) within 30 days, except where retention is required by law (tax records, court orders).

10. Audit rights

The Controller may, no more than once per year (or after a confirmed breach), request reasonable information demonstrating compliance with this DPA. Audits on the Processor's premises require 30 days' notice and must not unreasonably interfere with operations.

11. Liability and governing law

Liability under this DPA is governed by the limitations in the underlying Agreement. The DPA is governed by the laws specified in the underlying Agreement; in the absence of a choice of law, the laws of the People's Republic of Bangladesh apply.

12. Signing

To execute a signed copy of this DPA, contact legal@iqralms.com with your organisation name, billing address, and the authorised signatory. We will return a counter-signed PDF within 5 business days.