Data Processing Agreement (DPA)

Last updated: November 28, 2025

This Data Processing Agreement ("DPA") is incorporated into and forms part of Ekogni's agreement with a School or Educational Institution (the "Controller") that purchases an institutional license to use the Ekogni CBT platform (the "Service"). This DPA reflects the parties' obligations under the Nigeria Data Protection Regulation (NDPR) and related guidance.

1. Roles and Processing

• Controller: The School or Educational Institution purchasing an institutional license.
• Processor: Ekogni, processing personal data on behalf of the Controller.
• Subject Matter: Provision of the CBT platform, including exam creation, delivery, grading, and account management.
• Duration: For the term of the subscription and any legally required retention period.
• Nature and Purpose: Hosting and processing exam content, user accounts, audit logs, and billing metadata to provide and secure the Service.
• Categories of Data Subjects: Students, teachers, admins, and billing contacts designated by the Controller.
• Categories of Personal Data: Names, emails, student/staff IDs, roles, profile images (optional), usage/activity logs; payment confirmations and references (via Paystack). Ekogni does not store card data.

2. Controller Instructions

Ekogni will process personal data only on documented instructions from the Controller, including those in this DPA, the Terms of Service, and through the Controller's configuration and use of the Service.

3. Confidentiality

Ekogni ensures that persons authorized to process personal data are subject to appropriate confidentiality obligations.

4. Security

Ekogni implements appropriate technical and organizational measures, including encryption in transit, hashed passwords, role-based access controls, row-level security, backups, and monitoring. See our Security page for an overview.

5. Subprocessors

Controller authorizes Ekogni to engage subprocessors necessary to provide the Service. Current subprocessors are listed on our Subprocessors page. Ekogni will impose data protection obligations on subprocessors consistent with this DPA and remain responsible for their performance.

6. International Transfers

Data is stored in the EU (Ireland) by our database provider (Supabase). Transfers occur solely to provide the Service. Ekogni ensures appropriate safeguards as described in our Privacy Policy.

7. Assistance

Taking into account the nature of processing, Ekogni will assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's NDPR obligations to respond to requests for access, correction, deletion, and portability.

8. Breach Notification

Ekogni will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data and provide information reasonably required for the Controller to meet its legal obligations.

9. Return and Deletion

At termination of the Service, Ekogni will delete personal data within 90 days, except where retention is required by law (e.g., billing records). Upon request within that period, Ekogni will provide a data export (JSON) for the Controller.

10. Audits

Upon reasonable written request and subject to confidentiality, Ekogni will provide information necessary to demonstrate compliance with this DPA. Where information provided is insufficient, the Controller may conduct an audit limited to Ekogni's processing facilities and systems relevant to the Service, during normal business hours, without disrupting operations, and no more than once per year.

11. Contact

Questions about this DPA: support@ekogni.com. For a countersigned copy, contact us with your school details (legal name, address, signatory).