Data Processing Agreement
Terms governing ACTI's processing of student activity data on behalf of schools.
1. Parties and roles
This Data Processing Agreement (“DPA”) is entered into between:
- The School(“Data Controller”) — the educational institution that has entered into a Platform Terms of Service agreement with ACTI for the use of the ACTI Analytics platform.
- ACTI ANALYTICS PTY LTD(ACN 697 563 027), a proprietary company with limited liability, incorporated on 28 April 2026 in the Australian Capital Territory, Australia (“Data Processor” or “ACTI”) — the provider of the ACTI Analytics platform.
This DPA supplements the Platform Terms of Service and may be executed as a standalone agreement or as an attachment to that agreement.
The School determines the purposes and means of processing student activity data. ACTI processes activity data solely on behalf of and under the instructions of the School.
2. Scope of processing
Subject matter
ACTI processes student activity data to provide the ACTI Analytics platform — a device activity analytics service for Australian secondary schools.
Duration
Processing begins when the School first deploys the ACTI agent on school-managed devices and continues until the termination of the Platform Terms of Service, plus a maximum of 30 days for data deletion.
Nature and purpose
The ACTI agent installed on school-managed devices collects device activity signals (foreground application, active browser tab, audio state) every 5 seconds. These signals are transmitted to ACTI’s servers, stored in a database, and aggregated into analytics dashboards accessible to the School’s authorised staff. The purpose is to provide the School with visibility into how school-issued devices are used during instructional time.
3. Data subjects and data types
Categories of data subjects
Secondary school students, typically aged 12–18, who use school-managed devices on which the ACTI agent is installed.
Types of activity data processed
| Data type | Description |
|---|---|
| Device identifier | An opaque identifier assigned by the school to each managed device. ACTI does not store, and has no means of accessing, any mapping between these identifiers and student names. |
| Application name | The name of the foreground application (e.g. “Google Chrome”, “Microsoft Word”) |
| Browser tab title / URL | The title or URL of the active tab in supported browsers |
| Audio state | Whether audio is currently playing on the device |
| Timestamps | Start and end timestamps for each activity segment (ISO 8601) |
| Activity classification | Whether the activity is classified as on-task or off-task, based on configurable rules |
Data not collected
ACTI does not collect student names, email addresses, keystrokes, screenshots, screen recordings, camera or microphone audio, file contents, location data, or biometric information.
4. Processor obligations
ACTI, as the Data Processor, will:
- Process activity data only on documented instructions from the School, unless required by law to do otherwise (in which case, ACTI will inform the School before processing unless legally prohibited from doing so)
- Ensure that persons authorised to process activity data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in section 6
- Not engage additional sub-processors without the School’s prior consent, as described in section 5
- Assist the School in responding to requests from data subjects exercising their rights under the Australian Privacy Principles
- Assist the School in ensuring compliance with obligations relating to security, breach notification, and privacy impact assessments
- At the School’s choice, delete or return all activity data upon termination of the Agreement, as described in section 9
- Make available to the School all information necessary to demonstrate compliance with these obligations and allow for audits as described in section 10
ACTI may retain and use aggregated, non-identifiable data (from which no individual student or school can be identified) after termination for the purposes of improving the platform and contributing to academic research in education technology. This data cannot be re-identified.
5. Sub-processors
The School authorises ACTI to engage the following sub-processors:
| Provider | Service | Data processed | Location |
|---|---|---|---|
| Railway | Backend hosting and database | All student activity data (stored in PostgreSQL) | Singapore |
| Vercel | Frontend hosting | Dashboard requests (no student activity data stored) | United States |
| Firebase (Google) | Authentication | Authorised User authentication tokens | United States |
ACTI will notify the School at least 30 days before adding or replacing a sub-processor. The notification will include the sub-processor’s name, location, and the processing it will perform. If the School objects, it may terminate the Agreement within that 30-day period.
ACTI will enter into written agreements with each sub-processor that impose data protection obligations no less protective than those set out in this DPA.
6. Security measures
ACTI implements the following technical and organisational measures to protect activity data:
Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted in the production database
- Authentication tokens on student devices are stored in the operating system keychain
Access controls
- Production database access is restricted to authorised ACTI personnel
- Dashboard access requires Firebase authentication with school-managed Google accounts
- Teachers see only their own classes; administrators see school-wide aggregates
- API endpoints require valid JWT authentication tokens
Application security
- All database queries use parameterised inputs to prevent SQL injection
- All API endpoints are rate-limited
- No stack traces or internal errors are exposed in production responses
- CORS is restricted to authorised origins
Operational security
- Segment ingestion uses idempotent upsert operations to ensure data integrity
- The agent buffers data locally and retries with exponential backoff on network failure
- Audit logging is maintained for administrative actions
7. Breach notification
In the event of a data breach that affects student activity data processed under this DPA, ACTI will:
- Notify the School within 72 hours of becoming aware of the breach
- Provide the School with sufficient information to assess the nature and scope of the breach, including the types and approximate number of records affected
- Take immediate steps to contain and remediate the breach
- Cooperate with the School in investigating the breach and fulfilling any notification obligations
The School is responsible for determining whether the breach is an “eligible data breach” under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988) and for making any required notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals.
ACTI will assist the School with notifications as reasonably requested.
8. Data subject rights
Under Australian Privacy Principles 12 and 13, individuals have the right to access and request correction of their personal information.
Because ACTI processes student activity data on behalf of the School, requests from students or parents regarding access, correction, or deletion of this data should be directed to the School in the first instance.
ACTI will assist the School in responding to such requests by:
- Providing the School with the relevant data upon request
- Correcting or deleting data as instructed by the School
- Responding within 10 business days of receiving the School’s instruction
9. Return and deletion of data
Upon termination of the Platform Terms of Service, the School may choose one of the following:
- Return: ACTI will provide the School with a complete export of its student activity data in a structured, commonly used format (e.g. CSV or JSON) within 14 days of the termination date.
- Deletion: ACTI will securely delete all student activity data within 30 days of the termination date. Deletion includes removal from production databases and backups (backups will be purged within 90 days).
ACTI will provide written confirmation of deletion upon the School’s request.
10. Audit rights
The School has the right to verify ACTI’s compliance with this DPA. ACTI will support this by:
- Providing the School, upon written request, with a summary of the security measures in place and any relevant certifications or audit reports
- Responding to reasonable written security questionnaires within 15 business days
- Permitting the School (or an independent auditor appointed by the School and bound by confidentiality) to conduct an audit of ACTI’s data processing practices, with at least 30 days’ prior written notice, no more than once per 12-month period, during normal business hours
The School will bear the costs of any audit it initiates, unless the audit reveals material non-compliance by ACTI, in which case ACTI will bear the reasonable costs.
11. Governing law
This DPA is governed by the laws of the Australian Capital Territory, Australia. It is subject to the jurisdiction provisions of the Platform Terms of Service.
In the event of any conflict between this DPA and the Platform Terms of Service, this DPA will prevail to the extent of the inconsistency with respect to the processing of student activity data.