Data Processing Addendum

Unless otherwise defined, capitalised terms in this DPA have the same meaning as in the main agreement (the “Agreement”) between the School and Makronexus.

• This DPA applies to all processing of personal data by Makronexus on behalf of the School in connection with the provision of the Services.
• This DPA is incorporated into and forms part of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to data protection matters.
• This DPA applies to both cloud-hosted (SaaS) and self-hosted deployments, though specific security measures may vary based on deployment model.
• The School acknowledges that it is the Controller for all personal data processed through the Services and remains responsible for the lawfulness of its processing instructions.

3.1 Controller (School)

• Determines the purposes and means of processing personal data.
• Ensures a lawful basis exists for all processing (e.g. contractual necessity, legitimate interest, consent).
• Provides appropriate privacy notices to Data Subjects (learners, parents, staff).
• Obtains any consents required under applicable law.
• Manages user access, roles, and permissions within the platform.
• Ensures its processing instructions to Makronexus comply with applicable data protection law.
• Implements appropriate internal data governance policies.

3.2 Processor (Makronexus)

• Processes personal data only on documented instructions from the Controller, unless required by law.
• Implements appropriate technical and organisational measures to protect personal data.
• Assists the Controller in fulfilling its obligations under the Act (data subject requests, breach notification, impact assessments).
• Ensures that personnel authorised to process personal data are bound by confidentiality obligations.
• Engages sub-processors only with prior notice to the Controller and under data protection agreements.

4.1 Categories of Data Subjects

4.2 Categories of Personal Data

4.3 Purposes of Processing

4.4 Duration of Processing

Makronexus undertakes to:

• Process personal data only on the documented instructions of the School, including with regard to transfers of personal data to a third country, unless required to do so by law—in which case Makronexus will inform the School of that legal requirement before processing (unless prohibited by law).
• Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Take all measures required pursuant to Section 7 (Security Measures).
• Respect the conditions for engaging sub-processors as set out in Section 8.
• Taking into account the nature of the processing, assist the School by appropriate technical and organisational measures in fulfilling the School's obligation to respond to requests for exercising Data Subject rights.
• Assist the School in ensuring compliance with its obligations related to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to Makronexus.
• At the choice of the School, delete or return all personal data after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
• Make available to the School all information necessary to demonstrate compliance with the obligations laid down in this DPA and the Act, and allow for and contribute to audits and inspections.
• Immediately inform the School if, in Makronexus's opinion, an instruction from the School infringes the Act or other applicable data protection provisions.

• Makronexus ensures that all personnel involved in processing personal data are bound by written confidentiality agreements or are under appropriate statutory obligations of confidentiality.
• Confidentiality obligations extend to all employees, contractors, and agents who have access to personal data in connection with the Services.
• Confidentiality obligations survive the termination of employment or engagement.
• Access to personal data is provided on a strict need-to- know basis, consistent with the principle of least privilege.

Makronexus implements and maintains the following security measures, which are reviewed and updated regularly:

• Prior notification: Makronexus will notify the School of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance (or such other period as agreed in the Agreement).
• Right to object: The School may object to a new sub-processor on reasonable data protection grounds within the notice period. If the School objects and Makronexus cannot reasonably accommodate the objection, either party may terminate the affected Services.
• Contractual obligations: Makronexus imposes data protection obligations on each sub-processor by way of a written contract that provides at least the same level of protection as this DPA.
• Liability: Makronexus remains fully liable to the School for the performance of each sub-processor's obligations.
• Current list: A current list of sub-processors is available upon request. Contact us for the latest sub-processor register.

8.1 Sub-Processor Categories

• Where personal data is transferred to a country outside Zimbabwe, Makronexus ensures that appropriate safeguards are in place as required by the Act.
• Safeguards include: contractual data protection clauses with sub-processors; assessment of the destination country's data protection framework; encryption and access controls; and pseudonymisation where feasible.
• The School may request information about the countries where personal data is processed and the safeguards in place.
• Where the School requires data residency within Zimbabwe, Makronexus will discuss feasible deployment options (including self-hosted or Zimbabwe-hosted infrastructure).

• Makronexus will assist the School in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) by providing appropriate technical and organisational measures.
• If Makronexus receives a Data Subject request directly, it will promptly redirect the request to the School (unless legally prohibited) and will not respond independently unless instructed by the School.
• The platform provides built-in tools for Schools to manage Data Subject requests, including data export, record amendment, and record deletion capabilities.
• Makronexus will respond to School requests for assistance within 5 business days.

• Notification timeline: Makronexus will notify the School of a Data Breach without undue delay and in no event later than 72 hours after becoming aware of the breach.
• Initial notification content: The nature of the breach, categories and approximate number of Data Subjects affected, categories of data affected, likely consequences, and measures taken or proposed to address and mitigate the breach.
• Supplementary information: Where full details are not available at the time of initial notification, Makronexus will provide supplementary information as it becomes available.
• Documentation: Makronexus will document all Data Breaches, including facts, effects, and remedial action taken, and make this documentation available to the School.
• Regulatory notification: Makronexus will cooperate with the School in notifying POTRAZ or any other competent authority as required by the Act.
• Individual notification: The School remains responsible for notifying affected individuals where required. Makronexus will provide reasonable assistance in preparing such notifications.

• Where a type of processing is likely to result in a high risk to the rights and freedoms of Data Subjects, the School shall carry out a Data Protection Impact Assessment (DPIA) prior to the processing.
• Makronexus will provide the School with all information reasonably necessary to conduct a DPIA, including details about the nature of processing, security measures, and sub-processors.
• Makronexus will cooperate with the School and any supervisory authority in connection with prior consultation as required by the Act.

• Information access: Makronexus will make available to the School all information reasonably necessary to demonstrate compliance with this DPA and the Act.
• Audits: The School (or a mandated independent auditor) may conduct audits, including inspections, to verify Makronexus's compliance with this DPA. Audits will be conducted with reasonable notice (minimum 30 days), during business hours, and in a manner that does not unreasonably disrupt Makronexus's operations.
• Audit frequency: The School may conduct audits no more than once per 12-month period, unless required by a Data Breach or regulatory investigation.
• Costs: Each party bears its own costs in connection with audits, unless otherwise agreed.
• Third-party certifications: Where available, Makronexus may provide third-party audit reports or certifications (e.g. SOC 2, ISO 27001) as evidence of compliance, which the School may accept in lieu of an on-site audit.

• During the term: The School may export its data at any time using the platform's built-in export tools (CSV, PDF, and other supported formats).
• Post-termination export: Upon termination or expiry of the Agreement, Makronexus will make the School's personal data available for export for a period of 90 days (the “Export Period”), unless otherwise agreed in the Agreement.
• Deletion: After the Export Period, Makronexus will securely delete all personal data from production systems within 30 days. Encrypted backup copies will be purged within 180 days following the end of the Export Period.
• Certification: Upon request, Makronexus will provide written certification confirming that personal data has been deleted in accordance with this section.
• Exceptions: Makronexus may retain personal data beyond the deletion timeline only where required by applicable law (e.g. tax records, audit logs required for compliance). Retained data will be isolated and protected.

Makronexus maintains records of processing activities carried out on behalf of each School, as required by the Act. These records include:

• Name and contact details of the Processor (Makronexus) and each Controller (School).
• Categories of processing carried out on behalf of the School.
• Where applicable, details of transfers to third countries and the safeguards in place.
• A general description of technical and organisational security measures.

These records are maintained in electronic form and are available to the School and any supervisory authority upon request.

• Each party is liable for damage caused by processing that infringes the Act or this DPA.
• Makronexus is liable for damage caused by processing only where it has not complied with obligations of the Act specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the School.
• Liability limitations and exclusions agreed in the Agreement also apply to this DPA, except where prohibited by applicable law.
• Neither party excludes liability for: death or personal injury caused by negligence; fraud or fraudulent misrepresentation; or any other liability that cannot be excluded under applicable law.

• This DPA becomes effective on the date the Agreement takes effect and remains in force for as long as Makronexus processes personal data on behalf of the School.
• This DPA automatically terminates upon the expiry or termination of the Agreement, subject to the data return and deletion obligations in Section 14.
• Provisions of this DPA that by their nature should survive termination will continue to apply, including: confidentiality, data return and deletion obligations, liability, and audit rights (for a reasonable period post-termination).

For questions about this DPA, to request the current sub-processor register, or to initiate the formal DPA signing process, contact us: