Data Processing Addendum (DPA)
Effective date: June 1, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Procta ("Processor") and the customer ("Controller") for the use of Procta's exam proctoring services.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed under the Agreement.
"Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
2. Scope of Processing
The Processor will process Personal Data on behalf of the Controller for the following purposes:
- Student identity verification (name, email, photograph, roll number)
- Exam proctoring (video/audio recordings, screen captures, keystroke patterns)
- Academic integrity analysis (violation detection, risk scoring)
- Results management (exam scores, grade records, performance analytics)
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational measures (see Security Questionnaire)
- Notify the Controller of any personal data breach without undue delay
- Assist the Controller in fulfilling data subject rights requests
- Delete or return all Personal Data at the end of the Agreement
4. Sub-processors
The Controller authorizes the following sub-processors:
- Supabase (PostgreSQL database, US) — student records, exam data
- Redis (in-memory cache) — session state, frame buffer (no persistent storage)
- Groq / OpenAI-compatible LLM — AI grading suggestions (no training on customer data)
- Razorpay (payment processing, India) — billing data only
5. Data Subject Rights
The Controller may exercise data subject rights through the Privacy Center at /privacy, which provides:
- Data export (JSON download of all Personal Data)
- Account deletion (anonymization of all Personal Data)
- Consent records (audit trail of consent events)
6. Data Retention
- Screenshots: 90 days
- Phone camera frames: 24 hours
- Violation logs: 1 year
- Exam answers and scores: Duration of account
- Audit trails: 1 year
7. Security Measures
Refer to our Security Questionnaire for a detailed description of technical and organizational security measures.
This DPA is provided as a template. A fully executed version can be requested from legal@procta.net.