Trust
Data Processing Agreement
Most schools don't need a signed DPA — but where local regulators or governance frameworks require one, we provide a standard agreement at no cost.
What we process
Personal data of students, parents, and staff necessary to run a Quran school: names, contact phone or email, attendance, grades, behaviour notes, payment ledger.
Why we process
On the documented instructions of the school (the controller). Min Dugsi processes only to deliver the features the school has enabled — never for training, advertising, or resale.
Where it lives
All managed-tier data and application traffic stay inside the EU. No data leaves the EEA without an explicit tenant opt-in for AI suggestions. The sub-processor list with named providers lives in the GDPR playbook.
How long
See the retention defaults in the GDPR playbook. Tenant admins may shorten any default; we honour the shorter period.
Your rights as controller
Audit, instruct, and terminate. We notify of every sub-processor change with a 30-day window. We notify of data breaches without undue delay (and at most within 72 hours of discovery).
