FastLearners

Data Processing Addendum (DPA)

For Schools, NGOs, Educational Partners and Institutions

Effective Date: 10 April 2026

3 Chief Aaron Nteubong Street, Okorombokho, Eastern Obolo, Akwa Ibom State, Nigeria

This Data Processing Addendum (“DPA”) forms part of the main agreement between the parties and governs the processing of personal data by FastLearners Limited on behalf of the Controller. It is entered into between:

FastLearners Limited

(“Processor” or “FastLearners”)

Address: 3 Chief Aaron Nteubong Street, Okorombokho, Eastern Obolo, Akwa Ibom State, Nigeria

1. Purpose and Scope

This DPA sets out the rights and obligations of the Parties with respect to the processing of personal data in connection with the provision of digital learning tools, online educational content, student progress tracking, and related services by FastLearners to the Controller.

The Processor will process personal data solely on behalf of the Controller and in accordance with the terms of this DPA and the main service agreement. This DPA ensures compliance with the Nigeria Data Protection Act 2023 (NDPA), the General Application and Implementation Directive (GAID) 2025, and other applicable data protection laws.

2. Categories of Data Subjects

The personal data processed under this DPA relates to the following categories of data subjects:

  • Students (including minors under 18 years of age)
  • Teachers and educators
  • Parents or legal guardians
  • School administrators and other authorised staff of the Controller

3. Types of Personal Data

The Processor may process the following categories of personal data as instructed by the Controller:

  • Identification data (full names, usernames)
  • Contact information (email addresses, phone numbers)
  • Educational data (class/grade level, subjects, academic performance, quiz/test results, progress analytics, and learning activity logs)
  • Login and usage data (IP addresses, device information, timestamps, and session data)
  • Any other personal data that the Controller uploads or instructs the Processor to process in connection with the services

The Processor does not process sensitive personal data (such as health, biometric, or religious data) unless explicitly instructed in writing by the Controller and in full compliance with NDPA requirements for special categories of data.

4. Nature, Purpose, and Duration of Processing

The Processor will process the personal data only for the following documented purposes:

  • Creating and managing student and staff accounts on the FastLearners Platform
  • Delivering personalised educational content and digital learning experiences
  • Tracking and analysing academic progress and learning outcomes
  • Generating reports and analytics for the Controller (e.g., class performance dashboards)
  • Providing technical support and maintaining the functionality of the Platform
  • Complying with legal obligations or as otherwise instructed in writing by the Controller

Processing shall continue for the duration of the main service agreement between the Parties, unless otherwise terminated earlier in accordance with this DPA or the main agreement.

5. Processor Obligations

FastLearners, as the Processor, agrees to:

a. Process personal data only on documented instructions from the Controller, including with regard to international transfers. If the Processor is required by law to process data without such instructions, it will inform the Controller of that legal requirement before processing, unless prohibited by law.

b. Ensure that all persons authorised to process the personal data are bound by confidentiality obligations and have received appropriate training on data protection.

c. Implement and maintain appropriate technical and organisational security measures to protect the personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons.

d. Assist the Controller in fulfilling its obligations under the NDPA, including responding to data subject requests (access, rectification, erasure, restriction, portability, or objection), conducting Data Protection Impact Assessments (DPIA), and ensuring compliance with children’s data protection requirements.

e. Notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of any personal data breach involving the Controller’s data. The notification shall include all relevant details required under the NDPA to enable the Controller to notify the NDPC and affected data subjects where necessary.

f. Make available to the Controller all information necessary to demonstrate compliance with its obligations as a Processor and allow for audits or inspections (including on-site inspections where reasonably required) by the Controller or its appointed auditor. The Processor shall contribute to such audits at the Controller’s reasonable request.

g. At the choice of the Controller, delete or return all personal data to the Controller upon termination or expiry of the services and delete existing copies unless applicable law requires storage of the personal data. Any remaining backups shall be securely purged within 90 days.

6. Sub-processors

The Processor may engage sub-processors (such as cloud hosting providers, analytics services, or payment processors) to carry out specific processing activities.

The Processor shall:

  • Maintain an up-to-date list of sub-processors and make it available to the Controller upon request.
  • Ensure that each sub-processor is bound by a written agreement that imposes the same data protection obligations as set out in this DPA.
  • Remain fully liable to the Controller for the performance of each sub-processor’s obligations.

The Controller may object to the appointment or replacement of any sub-processor within 14 days of being notified. If the Controller objects, the Parties shall discuss in good faith to find a mutually acceptable solution.

7. International Data Transfers

The Processor may transfer personal data outside Nigeria only where appropriate safeguards are in place in accordance with the NDPA and GAID 2025. Such safeguards may include:

  • Standard Contractual Clauses (SCCs) approved by the NDPC or equivalent mechanisms
  • Binding Corporate Rules (where applicable)
  • Adequacy decisions issued by the NDPC
  • Other appropriate safeguards approved by the NDPC

The Processor shall inform the Controller of any intended international transfers and provide details of the safeguards in place.

8. Liability and Indemnity

Each Party shall be liable for any damage caused by a breach of this DPA. The Processor shall indemnify the Controller against any direct losses, claims, or regulatory fines arising from the Processor’s failure to comply with its obligations under this DPA, to the extent such failure is attributable to the Processor.

9. Termination and Governing Law

This DPA shall terminate automatically upon termination or expiry of the main service agreement. Upon termination, the Processor’s obligations under Section 5(g) regarding deletion or return of data shall apply.

This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Nigeria. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts in Nigeria.

The Parties acknowledge that this DPA supplements and does not replace any obligations under the NDPA or other applicable laws.

10. Contact and Data Protection Officer

Data Protection Officer (DPO): Oladele Joshua O.

DPO Email: joshua.oladele@fastlearnersapp.com

Company: FastLearners Limited

Support Email: support@fastlearnersapp.com

Address: 3 Chief Aaron Nteubong Street, Okorombokho, Eastern Obolo, Akwa Ibom State, Nigeria