1. Parties & roles
This Data Processing Agreement (“DPA”) is entered into between the customer institution (“Controller”) and the Center for Digital Governance and Agentic Innovation (CDGAI), CECOS University of IT and Emerging Sciences, F-5, Phase 6, Hayatabad, Peshawar, KP, Pakistan (“Processor”), and forms part of the Terms of Service.
The Controller determines the purposes and means of processing personal data. The Processor acts solely on the Controller's documented instructions and does not process personal data for its own independent purposes.
2. Subject & nature of processing
- Operating an AI-powered WhatsApp helpdesk for the Controller's students and staff.
- Storing message content, hashed sender identifiers, language metadata, and ticket records.
- Providing analytics dashboards and audit logs to the Controller via the admin panel.
- Forwarding low-confidence queries to human agents designated by the Controller.
3. Categories of data subjects & personal data
Data subjects: students (current, prospective, alumni), teaching and administrative staff.
Personal data processed:
- Phone number — stored as a SHA-256 hash in the primary database; raw number held in Redis with a TTL not exceeding 24 hours of inactivity.
- Message content — text, images, audio, and documents sent to the institution's WhatsApp number.
- Language indicator — detected language of each message.
- Timestamps and conversation IDs.
- Admin activity logs — login events, ticket actions, knowledge base edits, threshold changes.
- Institutional content — FAQs, policies, and academic calendars uploaded by the Controller's administrators.
The Processor does not intentionally collect CNICs, financial account numbers, or full payment card numbers. If such data appears in a message, it is redacted from analytics and prompt context.
4. Processing instructions
The Processor shall process personal data only on documented instructions from the Controller, except where required by applicable Pakistani law. The Processor shall inform the Controller if it believes an instruction infringes applicable data protection rules before carrying it out.
5. Sub-processors
The Processor has engaged the following sub-processors to deliver the service. The Controller grants general authorisation for these sub-processors:
| Sub-processor | Purpose | Data location |
|---|---|---|
| Meta / WhatsApp Business API | Message delivery | Global (Meta infrastructure) |
| OpenAI | AI response generation | US (no training on customer data) |
| Railway | Backend hosting & PostgreSQL database | US (primary region) |
| NeonDB | Admin authentication database | US (primary region) |
| ImageKit | Media file storage & CDN | Global CDN |
| Vercel | Admin panel frontend hosting | Global edge network |
| Upstash Redis | Session & rate-limit cache | Global (nearest region) |
The Controller will be notified at least 30 days before any change to the sub-processor list. The Controller may object to a new sub-processor in writing within that period; if the parties cannot resolve the objection, the Controller may terminate the service under the Terms of Service.
6. Security measures
- TLS 1.3 encryption in transit; AES-256 encryption at rest.
- Phone numbers stored only as SHA-256 hashes in permanent storage.
- Role-based access control with mandatory multi-factor authentication for admin accounts.
- Immutable, append-only audit logging of all admin and system actions.
- Automatic PII redaction from analytics, prompt context, and logs.
- BullMQ job queue with dead-letter queue to prevent message loss.
- Periodic security reviews of the codebase and infrastructure.
7. International transfers
Some sub-processors (OpenAI, Railway, NeonDB, Vercel) are located outside Pakistan. The Processor uses contractual safeguards with each sub-processor aligned with internationally recognised standards (including GDPR Standard Contractual Clauses where applicable) to ensure an equivalent level of protection for personal data transferred internationally.
No student message content is used by sub-processors for their own training, profiling, or commercial purposes beyond delivering the contracted service.
8. Data subject rights
Taking into account the nature of the processing, the Processor shall assist the Controller in responding to requests from data subjects exercising their rights (access, correction, deletion, restriction, portability, objection) within statutory timeframes. Requests must be submitted by the Controller to cdgai@cecos.edu.pk; the Processor will respond within 5 business days.
9. Personal data breach notification
The Processor will notify the Controller without undue delay — and within 72 hours where feasible — of any confirmed personal data breach affecting the Controller's data. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
10. Audits
The Controller may, on reasonable written notice (not less than 30 days) and no more than once per calendar year, request a review of the Processor's compliance with this DPA. Such reviews shall be conducted during normal business hours, at the Controller's expense, and shall not unreasonably disrupt the Processor's operations.
11. Deletion on termination
Within 30 days of expiry or termination of the Terms of Service, the Processor shall, at the Controller's choice, return or securely delete all personal data processed on behalf of the Controller, except where retention is required by applicable Pakistani law.
12. Data protection contact
cdgai@cecos.edu.pk · CDGAI, CECOS University of IT and Emerging Sciences, F-5, Phase 6, Hayatabad, Peshawar, KP — Pakistan · +92-91-5860291-3