For trustees & directors

Data Governance

Effective: 24 April 2026

Your data is yours. Hosted in the EU. Exportable to Excel at any time.

This page summarises how Pamoja handles your foundation’s data. For the full legal treatment, see our Privacy Policy.

1 · Who owns the data

Your foundation owns 100% of the data in its Pamoja workspace — sponsors, students, schools, payments, communications, every record. Pamoja is the processor; you are the controller. We do not sell, rent, share or train AI models on your data.

If you leave Pamoja, the data leaves with you. We keep the data for a 30-day grace period after account closure, then permanently delete it.

2 · Where the data lives

All data is stored on Supabase (Postgres) in Frankfurt, Germany (eu-central-2), inside the European Economic Area. Backups are encrypted at rest and in transit. The web application runs on Vercel’s edge network. Both providers are SOC 2 Type II certified and sign data-processing agreements under GDPR.

Personal data does not leave the EEA except where required to deliver a specific feature you have opted into (e.g. AI grade-report reading uses Anthropic, covered under their enterprise DPA with no training on your data).

3 · Who can see what

Every database query passes through row-level security. No user — including Pamoja staff — can read data from a foundation they do not belong to. Inside your workspace, access is governed by roles:

  • Admin — full read/write, manages team and settings.
  • Staff — scoped edit access to students, sponsors, schools, grades, events, programmes, leads.
  • Auditor — read-only on students, donors, schools, grades, audit trail.
  • Sponsor — limited portal: own sponsored students only.
  • Student / Guardian / School — email-invited portal, upload-and-message only, revocable by admin at any time.

Every sign-in and every create / update / delete is recorded in an immutable audit log. Admins can see who did what, when, and from where.

4 · Getting your data out

Admins can export every table (students, sponsors, payments, academic results, communications, audit log, …) to Excel / CSV directly from the Exports page. No request form, no waiting period, no lock-in.

If you decide to migrate to a different platform (Salesforce, Airtable, a spreadsheet), you can do so with one export and no data-escape fees.

5 · Security posture

  • TLS 1.2+ for all traffic; no plaintext endpoints.
  • Passwordless magic-link authentication — no password database to leak.
  • Row-level security enforced at the database layer, not just the application.
  • Daily automated backups with point-in-time recovery for the last 7 days.
  • All access to production data is audited.
  • Vulnerability disclosures and security questions: contact@pamoja.ai.

6 · Sub-processors

  • Supabase — database & authentication, EU-hosted.
  • Vercel — application hosting & edge delivery.
  • Anthropic — AI features; enterprise DPA, no model training on your data.
  • Resend — transactional email delivery.

We notify admins by email before adding a new sub-processor with access to personal data.

7 · Incident response

In the event of a security incident affecting your data, we notify affected foundation admins within 72 hours of confirmation, in line with GDPR Article 33. The notice describes what happened, what data was involved, what we are doing, and what you should do.

Questions

Governance, procurement, audit or security questions go to contact@pamoja.ai.

We reply within two working days and happily hop on a call with your board or audit committee.
