LAST UPDATED: July 5, 2026 • JURISDICTION: INDIA

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Consisto ("Data Processor") and the educational institution or corporate entity ("Data Controller") utilizing the Service.

1. Scope and Roles

In the context of European (GDPR), Californian (CCPA), and Indian (DPDP) data protection frameworks:

  • The Customer (School/Institution) acts as the Data Controller, determining the purposes and means of processing personal data.
  • Consisto acts as the Data Processor, processing personal data solely on behalf of the Data Controller and in accordance with their documented instructions.

2. Nature and Purpose of Processing

Consisto processes personal data for the sole purpose of providing the educational software-as-a-service (SaaS) platform, including features like task management, journaling, whiteboarding, and community forums. The types of personal data processed include names, email addresses, school identification codes, and user-generated content.

3. Obligations of the Data Processor

Consisto agrees to:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (including End-to-End Encryption for designated features).
  • Assist the Controller, by appropriate technical and organizational measures, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights.
  • Notify the Controller without undue delay after becoming aware of a personal data breach.
  • At the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless law requires storage of the personal data.

4. Sub-processors

The Controller authorizes Consisto to engage sub-processors (e.g., Google Firebase, Razorpay, Didit) to process personal data. Consisto shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.

Consisto imposes the same data protection obligations as set out in this DPA on any sub-processor by way of a contract.

5. Security of Processing

Consisto has implemented rigorous security architectures, including:

  • AES-256-GCM encryption at rest for sensitive database fields.
  • TLS 1.2+ for all data in transit.
  • Client-side End-to-End Encryption (E2EE) for personal journals, ensuring that neither Consisto nor any sub-processor can decrypt the content.