Data Processing Agreement
Effective date: 1 July 2026 · Version 1.0
1. Parties
This Data Processing Agreement (“DPA”) is between the school creating a Quorum workspace (“the School” or “Responsible Party”) and Quorum (“the Operator”). It governs how Quorum processes personal information on behalf of the School in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”).
2. Roles under POPIA
The School is the Responsible Party — it determines the purpose and means of processing personal information within its workspace. Quorum is the Operator — it processes personal information only on documented instruction from the School, and for no other purpose.
3. What information we process
- School name, province, and EMIS number
- Names and email addresses of SGB members and staff added to the workspace
- Governance documents generated or uploaded by the School
- Audit log entries (which user performed which action, and when)
Quorum does not process learner personal information. Do not upload or input learner records, disciplinary files, or medical information into the platform.
4. How we use your information
Quorum processes the School’s information solely to provide the governance workspace service: document generation, compliance calendar, member management, and related features. We do not sell, share, or use school data for marketing, profiling, or any purpose beyond delivering the service.
5. Sub-processors
Quorum uses the following third-party sub-processors to deliver the service. Each is bound by appropriate data protection terms:
- Supabase — database and authentication (EU region)
- Vercel — hosting and deployment
- Anthropic — AI document generation (prompts include school context; no data retained for training)
- Sentry — error monitoring (anonymised stack traces only)
6. Data retention
We retain the School’s data for as long as the subscription is active. On cancellation, data is retained for 90 days to allow export, then deleted. The School may request immediate deletion at any time by contacting us.
7. Security
Quorum implements appropriate technical and organisational measures including: encryption in transit (TLS) and at rest, row-level security on all school data, audit logging of material actions, and regular security testing after each development sprint.
8. Your rights
The School may request access to, correction of, or deletion of its data at any time. Contact us at privacy@quorum.co.za. We will respond within 30 days.
9. Legal basis
Processing is based on the contractual necessity of providing the Quorum service to the School, and on the School’s consent as expressed by accepting this DPA at account creation.
10. Governing law
This DPA is governed by the laws of the Republic of South Africa. Disputes will be subject to the jurisdiction of the South African courts.
By creating a Quorum workspace, the account creator confirms they are authorised to accept this DPA on behalf of the School, and that the School accepts these terms.