Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Terms of Service or signed order form between the Customer (the “Controller”) and Marc Bonis-Charancle EI, trading as Galago (Pamoja.ai) (the “Processor”). It is provided to support the parties’ obligations under Regulation (EU) 2016/679 (GDPR) and equivalent national rules. A signed bilateral version of this DPA can be issued on request — the published version applies by default.

Nothing in this DPA constitutes a claim of formal GDPR “certification”. The DPA is designed to establish a GDPR-ready contractual framework and to help the Controller manage data responsibly.

• Controller — the Customer organisation that subscribes to Pamoja.ai and uploads or generates personal data on the platform.
• Processor — Marc Bonis-Charancle EI, trading as Galago, registered at 39 rue Marcel Cerdan, 92160 Antony, France.

The Processor processes personal data exclusively to provide the Pamoja.ai platform to the Controller. Processing covers scholarship programme administration, student profiles, donor and sponsorship records, school information, academic data, uploaded documents, communication logs, billing data, user accounts and security logs, as further described in the Terms of Service and the order form.

The DPA applies for the duration of the subscription, plus the agreed export and deletion period after termination (typically 30 days unless otherwise agreed in writing).

• Hosting, structuring and displaying programme data on behalf of the Controller.
• Analysing, reporting and generating exports requested by the Controller.
• Sending communications initiated by the Controller through the platform.
• Operating, securing, monitoring and supporting the service.

• Students enrolled in the Controller’s programmes.
• Donors and sponsors of the Controller.
• School staff, partner schools and trustees.
• Foundation staff, administrators and end users with access to the platform.

• Identity data (name, gender, date of enrolment).
• Contact data (email, phone, address).
• School data (school name, programme, year, location).
• Academic data (grades, milestones, certificates).
• Documents uploaded by the Controller (applications, ID documents, school reports, contracts).
• Sponsorship and donation data (high-level).
• Communication logs (emails, messages, audit trails).
• Access logs and security data.
• Billing and administrative data.

The platform is not intended to process special-category data (article 9 GDPR) and the Controller should not upload such data unless the parties have specifically agreed and assessed the safeguards.

• Process personal data only on the Controller’s documented instructions, including via the platform configuration and the order form.
• Ensure that persons authorised to process personal data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (see Security).
• Engage subprocessors only under written terms providing equivalent protections (see Subprocessors).
• Assist the Controller in responding to data-subject requests by providing tools and information.
• Notify the Controller without undue delay of any personal-data breach affecting Customer Data.
• At the Controller’s choice, delete or return all personal data after the end of the services and delete existing copies, unless retention is required by law.
• Provide reasonable information needed for audits, including independent third-party reports where available.

• Ensure a lawful basis for the processing carried out via the platform.
• Provide all required notices and obtain all required consents from data subjects.
• Only upload personal data the Controller is authorised to process.
• Configure user accounts, roles and access rights appropriately, and revoke access promptly when required.
• Inform the Processor without undue delay of any data-subject request received that requires the Processor’s assistance.

The Controller authorises the Processor to use the subprocessors listed at /subprocessors. The Processor will give the Controller reasonable prior notice of changes (additions or replacements) and the Controller may object on reasonable data-protection grounds.

Where personal data is transferred outside the EU/EEA, the parties rely on the transfer mechanisms provided by Chapter V GDPR — typically the European Commission’s Standard Contractual Clauses, supplemented by additional technical and organisational measures where required.

The technical and organisational measures applicable to the service are described at /security and in any signed annex.

The DPA is governed by the law of France and is subject to the limitation-of-liability and dispute-resolution clauses in the Terms of Service or the signed order form. In case of conflict, the signed order form prevails over this published DPA.

For DPA-related queries, signed copies, or audit requests: marcbonischarancle@gmail.com.