Data Processing Agreement
Last updated: 2026-04-01
1. Parties
Controller is the School. Processor is MEC Eğitim Danışmanlık Hizmetleri Ltd. Şti., trading as BestPeopleDo, registered in Ataşehir, İstanbul, Türkiye.
2. Subject matter & duration
BestPeopleDo processes personal data on the School's behalf solely to deliver the agreed Services for the term of the B2B Schools Agreement plus the deletion period defined in §11 of the full document.
3. Processor obligations
BestPeopleDo will:
- process personal data only on the School's documented instructions, including any cross-border transfers;
- ensure personnel handling personal data are bound by confidentiality;
- implement the technical and organisational measures (TOMs) listed in Annex II — including TLS 1.2+ encryption in transit, AES-256 at rest, role-based access, and quarterly access review;
- engage sub-processors only with prior notice and equivalent contractual obligations (Annex III lists current sub-processors);
- assist the School with data-subject requests and Article 32–36 GDPR obligations.
4. Personal data breaches
BestPeopleDo will notify the School within 48 hours of becoming aware of a personal data breach affecting Controller data, with the information required under Article 33(3) GDPR to the extent then known.
5. Sub-processors
Authorised sub-processors are listed in Annex III of the full document. The School will be notified of additions or replacements with at least 14 days to object on reasonable data-protection grounds.
6. International transfers
Where personal data is transferred outside the EEA, UK, or Türkiye, the parties rely on the European Commission's Standard Contractual Clauses (SCCs) Module 2 or 3 as applicable, the UK International Data Transfer Addendum, and (for Türkiye-resident data) KVKK Article 9 compliance.
7. Audits
The School may, no more than once per calendar year and on at least 30 days' written notice, conduct a documentary audit. On-site production audits are not permitted; current third-party audit reports (e.g. SOC 2, ISO 27001) and written responses are made available instead.
8. Deletion or return
On termination of the B2B Schools Agreement, the School chooses whether BestPeopleDo returns the personal data in a commonly used format or deletes it. If the School makes no election within 30 days, the default is deletion within 60 days; any data retained under a statutory-retention exception remains subject to this DPA until it is securely erased.
Annex II — Technical & organisational measures (highlights)
Full TOMs and sub-processor list are in the downloadable Markdown. Highlights include:
- TLS 1.2+ for all external traffic, HSTS, internal service-mesh TLS.
- AES-256 server-side encryption on database, object storage, and backups; daily encrypted backups with 30-day retention and quarterly restore tests.
- Role-based access with least-privilege; quarterly review; SSO + MFA on all admin access.
- Production runs on AWS eu-central-1 (Frankfurt) — no on-prem servers, no removable media in production.
- Documented breach-notification procedure with 24/7 on-call escalation and 14-day post-incident review.
These TOMs are reviewed at least annually and after any material incident.
Contact
DPA negotiation, redline requests, or sub-processor questions: dpa@bestpeopledo.com.