Data Processing Addendum (DPA) v1.0
**What this means in 60 seconds**
- This addendum governs how we, and any university or partner you choose to
share with, process personal data.
- We act as data controller for your account; partners who receive your data
act as independent controllers under a signed DPA.
- No partner receives anything until they sign this DPA and you switch on the
B2B share consent. Each share is a point-in-time snapshot, never a live feed.
This policy applies to universities, schools, and recruitment partners that receive student lead data from ScholarAI.
1. **DPA required**. No data is shared until a Data Processing Agreement incorporating GDPR Article 28, UK DPA 2018, and PDPB equivalents is signed and recorded in `institutions.dpa_signed_at`. 2. **Snapshot only**. Each lead is a point-in-time JSON snapshot. Future profile changes do not retro-update past shares. 3. **Purpose limitation**. Use is restricted to admissions and scholarship outreach to the specific student concerned. No onward transfer, no resale, no model training. 4. **Retention**. Partners delete or return data within 12 months unless the student becomes an enrolled applicant. 5. **Sensitive categories not shared**. Religion, political views, and biometric data are not collected and cannot be requested. 6. **Audit rights**. We may audit DPA-signing partners on 30 days' notice.