Data Processing Policy StreetSmart Impact

Hi! Welcome to StreetSmart Impact.
We are glad you use our platform to enable your organisation and its staff members, youth workers and volunteers to document activities and member progress or behaviour more efficiently.

The use of the StreetSmart Impact web app and mobile app involves the processing of personal data by Mobile School on behalf of the Customer. For that reason, Mobile School has adopted this Data Processing Agreement, which we kindly request you to read carefully.

This Agreement explains how personal data is processed in the context of StreetSmart Impact and how Mobile School ensures that such data is handled securely and in accordance with applicable data protection legislation.

1. Introduction

1.1 StreetSmart Impact is a solution developed by Mobile School, a non-profit organisation incorporated under the laws of Belgium, with registered office at Brabançonnestraat 25, 3000 Leuven, Belgium, and registered under company number BE-0478.688.664 (hereinafter “Mobile School”, “we”, “us” or “our”).
1.2 When the Customer (hereinafter “Customer” or “you”) uses StreetSmart Impact, Mobile School may have access to and process personal data on behalf of the Customer in connection with the provision of the Services.
1.3 This Data Processing Agreement (hereinafter the “Agreement”) applies to the processing of personal data by Mobile School on behalf of the Customer in the context of StreetSmart Impact.
1.4 The purpose of this Agreement is to define: how Mobile School manages, secures and processes personal data; and the responsibilities of both parties under applicable data protection legislation.
1.5 By using the Services of Mobile School, the Customer acknowledges that it has read and accepted this Agreement.

2. Definitions

In this Agreement, the following capitalised terms have the meanings set out below.

App

The mobile application developed by Mobile School through which information is collected and transmitted to the Platform.

Controller

The entity which determines the purposes and means of the processing of personal data. In the context of StreetSmart Impact, this is the Customer.

Data Breach

Any unauthorised disclosure, access, loss, alteration, destruction or other compromise of personal data.

Data Subject

The natural person to whom the personal data relates, such as youth workers, minors or contact persons.

End-user

The individuals authorised by the Customer to use the Platform and App, including youth workers, volunteers, staff members and other authorised users.

Personal Data

Any information relating to an identified or identifiable natural person, as defined under applicable data protection legislation. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.

Platform

The StreetSmart Impact platform developed by Mobile School and used to collect, store, structure and analyse information related to activities and participants.

Processing

Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor

The entity that processes personal data on behalf of the Controller. In this Agreement, this is Mobile School.

Services

All services provided by Mobile School that involve the processing of personal data, including access to the Platform, the App and related support services.

Sub-processor

Any third party engaged by Mobile School to process personal data on behalf of the Customer.

Applicable Data Protection Legislation

The General Data Protection Regulation (EU) 2016/679 (“GDPR”); the Belgian Privacy Act of 30 July 2018; Directive 2002/58/EC (ePrivacy Directive); and any other applicable or successor data protection legislation.

3. Use of the services

3.1 The parties acknowledge that:
- the Customer acts as Controller of the personal data entered into StreetSmart Impact; and
- Mobile School acts as Processor of such personal data.
3.2 Mobile School shall process personal data only on documented instructions from the Customer, unless processing is required by applicable law.
3.3 The Customer is responsible for:
- determining which personal data are collected and entered into the Platform;
- ensuring that such processing complies with Applicable Data Protection Legislation;
- informing End-Users and Data Subjects about the processing of their personal data; and
- ensuring that only lawful and appropriate personal data are entered into the Services.
3.4  The Customer remains responsible for the actions and omissions of its End-Users when using the Services.
3.5 Mobile School will not access personal data unless this is necessary:
- to provide the Services;
- to resolve technical issues;
- to maintain, secure or improve the platform; or
- when requested or authorised by the Customer.

4. Object

4.1 The Customer acknowledges that, as a consequence of using the Services, Mobile School shall process personal data on behalf of the Customer.
4.2 Mobile School shall process personal data in a proper, careful and lawful manner and in accordance with Applicable Data Protection Legislation and other applicable rules concerning the processing of personal data.
4.3 More specifically, Mobile School shall implement appropriate technical and organisational security measures, as described in Annex II, and shall use its expertise to perform the Services in accordance with applicable data protection requirements.
4.4 The Customer retains control over:
- how personal data must be processed by Mobile School;
- the types of personal data processed;
- the purposes of the processing; and
- whether such processing is proportionate and lawful.
4.5 Because the Customer may collect personal data relating to minors, the Customer shall ensure that such collection is lawful and that Data Subjects are informed about the processing of their personal data through an appropriate privacy notice written in clear and understandable language, including where relevant for minors.

5. Security of processing

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, Mobile School shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
5.2 These measures are intended to protect personal data against:
- unauthorised or unlawful processing;
- accidental loss, destruction or damage; and
- risks affecting the confidentiality, integrity and availability of personal data.
5.3 The security measures implemented by Mobile School are described in Annex II.

6. Sub-processors

6.1 The Customer agrees that Mobile School may engage third-party Sub-processors in connection with the performance of the Services.
6.2 Mobile School shall ensure that any Sub-processor is bound by data protection obligations that are no less protective than those set out in this Agreement, insofar as applicable to the nature of the services provided by that Sub-processor.
6.3 The current Sub-processors used by Mobile School are listed in Annex III, including their identity and country of location.
6.4 Mobile School may update Annex III whenever a Sub-processor is added, replaced or removed and shall notify the Customer of significant changes.
6.5 If the Customer wishes to object to a new Sub-processor on reasonable data protection grounds, the Customer must notify Mobile School in writing within thirty (30) days after the relevant update.
6.6 If such objection is well founded, Mobile School will use reasonable efforts to:
- make available a change in the Services; or
- recommend a commercially reasonable change to the Customer’s use of the Services in order to avoid the processing of personal data by the objected Sub-processor.
6.7 If such change cannot reasonably be implemented within thirty (30) days following the objection, the Customer may terminate the Services relating to the affected processing activities.
6.8 Mobile School remains responsible for the acts and omissions of its Sub-processors as if it were performing the relevant Services itself.

7. Transfer of personal data to third countries

7.1 Mobile School shall ensure that any transfer of personal data to a country outside the European Economic Area is carried out in accordance with Applicable Data Protection Legislation.
7.2 Such transfers shall only take place where:
- the European Commission has adopted an adequacy decision; or
- appropriate safeguards are implemented, including the Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914, binding corporate rules, or any other recognised transfer mechanisms under Applicable Data Protection Legislation.

8. Confidentiality

8.1 Mobile School shall treat all personal data as confidential and shall not disclose or transfer such personal data to third parties without the Customer’s prior authorisation, unless required by law or by a competent public authority.
8.2 Where legally permitted, Mobile School shall inform the Customer of the scope and nature of any such disclosure before the disclosure takes place or, where that is not possible, as soon as reasonably possible thereafter.
8.3 Personnel authorised to process personal data are informed of the confidential nature of the data and are bound by confidentiality obligations.
8.4 Access to personal data is limited to personnel who require such access for the performance of the Services.

9. Notification

9.1 Mobile School shall inform the Customer without undue delay if:
- it receives a request from a competent public authority relating to the processing of Personal Data;
- it intends to disclose Personal Data to a competent public authority, unless legally prohibited; or
- it becomes aware of or reasonably suspects a Data Breach.
9.2 In the event of a Data Breach, Mobile School shall:
- notify the Customer without undue delay after becoming aware of the Data Breach;
- provide reasonable assistance to enable the Customer to comply with its legal obligations under applicable data protection legislation; and
- take appropriate measures to mitigate the effects of the Data Breach and to prevent similar incidents.

10. Rights of data subjects

10.1 If Mobile School receives a request from a Data Subject regarding the exercise of their rights under applicable data protection legislation, Mobile School shall notify the Customer without undue delay.
10.2 Mobile School shall not respond directly to such requests unless instructed or authorised by the Customer, unless required by applicable law.
10.3 Taking into account the nature of the processing, Mobile School shall provide reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject requests.

11. Liability

11.1 Each party shall be responsible for its own compliance with applicable data protection legislation and this Agreement. Each party shall be liable for damages, claims or administrative fines resulting from its own breach of this Agreement or applicable data protection legislation.
11.2 The liability of Mobile School under this Agreement shall be subject to the limitations set out in the Terms of Service.

12. Return and deletion of Personal Data

12.1 Upon termination of the Services, the Customer’s access to the Personal Data shall be deactivated.
12.2 Mobile School may retain the Personal Data for a limited period following termination, solely for the purpose of enabling data export or reactivation requests from the Customer. During this period, Mobile School shall not access or actively process the Personal Data.
12.3 After this period, the Personal Data shall be deleted or anonymised, unless retention is required by applicable law.
12.4 Where a Data Subject’s profile is deleted within the Services, the related Personal Data shall be deleted or anonymised without undue delay.

13. Audit and compliance

13.1 Mobile School shall make available to the Customer all information reasonably necessary to demonstrate compliance with this Agreement.
13.2 Upon reasonable prior notice, Mobile School shall allow for audits or inspections by the Customer or an independent auditor mandated by the Customer, provided that:
(a) such audits are limited to what is reasonably necessary;
(b) they do not unreasonably interfere with Mobile School’s operations; and
(c) appropriate confidentiality obligations are respected.

14. Term

This Data Processing Agreement shall remain in force for as long asMobile School processes Personal Data on behalf of the Customer in connectionwith the Services.

Annexes:

- Annex I – Description of processing
- Annex II – Description of security measures
- Annex III – List of Sub-processors

Annex I – Description of processing

I. Categories of Personal Data
General

✓ First name and surname
✓ Nickname or preferred name
✓ Email address
✓ Photograph
✓ IP address

✓ Telephone number
✓ Address
✓ Gender
✓ Date of birth
✓ All other Personal Data voluntarily provided by the Data Subject to the Customer

Personal data relating to minors

✓ Nationality
✓ Language
✓ Vital status (alive/deceased)
✓ Legal status (e.g. citizen, migrant, asylum seeker, refugee)
✓ Housing status (e.g. homeless, slum, accommodation centre, refugee camp,on the move)
✓ Administrative status (e.g. residence permit, ID card, passport,temporary residence permit, birth certificate – yes/no/unknown)
✓ Skills
✓ Contact persons (e.g. parent, guardian, teacher, partner, sibling)
✓ Evaluation reports

✓ Participation data (location, activities attended)
✓ Activity overview (e.g. sports, arts, culture, music)
✓ Mood indicators (including average positivity and activity levels, andregistered moods such as negative-active, positive-active, negative-inactiveand positive-inactive)
✓ Average confidence and learning status
✓ Notes (including details, address, mood, date, topic, life event and visibility)
✓ Social map
✓ Goals (started and ended goals (realised/failed/canceled/started), goal types, goal evaluation statuses)

PERSONAL DATA RELATING TO END-USERS:

✓ Job title or role within the organisation

Remark:
The categories of Personal Data listed above reflect the standard use of the Services. The Customer determines which Personal Data are collected and processed through the Services and remains responsible for ensuring that such processing complies with applicable data protection legislation, including where special categories of Personal Data may be involved.

II. Categories of Data Subjects

o Minors
o Contact persons of minors
o Youth workers and other End-Users

III. Nature and purpose of Processing

Nature of Processing:
o Collection
o Storage
o Structuring and organisation
o Consultation and retrieval
o Analysis and reporting
o Updating and modification
o Deletion or anonymisation

Means of Processing:
o StreetSmart Impact web platform
o StreetSmart Impact mobile application

Purpose of Processing:
o Providing and maintaining the Services
o Supporting Customer operations and reporting
o Technical support and platform improvement

IV. Retention

Personal Data is processed for the duration of the Services.
Upon termination:
- access is deactivated;
- Personal Data may be retained for a limited period to enable export or reactivation;
- after this period, Personal Data is deleted or anonymised unless retention is required by law.
If a Data Subject profile is deleted, the associated Personal Data is deleted or anonymised without undue delay.

Annex II – Security measures

Mobile School implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the nature, scope, context and purposes of the processing.

These measures are designed to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage, and to ensure the confidentiality, integrity and availability of Personal Data.

Such measures include, but are not limited to, the following:
1. Data protection and encryption
- Personal Data is encrypted at rest using industry-standard encryption mechanisms (e.g. AES-256 or equivalent);
- Personal Data is encrypted in transit using secure communication protocols (e.g. TLS 1.2/1.3 or equivalent);
- Authentication credentials are protected using secure hashing algorithms (e.g. PBKDF2 or equivalent);
2. Infrastructure and hosting security
- Personal Data is hosted within a secure cloud environment located within the European Economic Area (EEA), using industry-standard infrastructure providers (e.g. Amazon Web Services (AWS) or equivalent);
- Databases are hosted within private network environments and are not publicly accessible;
- Access to databases is restricted to authorised backend systems operating within the same secure environment;
- Access to infrastructure is secured using credentials with minimum privileges required to perform operational functions (least privilege principle);
- Infrastructure components may be deployed in isolated environments (e.g. container-based infrastructure such as Docker or equivalent) to enhance system security and isolation;
3. Access control and authentication
- Access to the Services is restricted to authorised users through secure authentication mechanisms;
- Identity and access management is implemented using industry-standard protocols and systems (e.g. OpenID Connect-based solutions such as Keycloak or equivalent);
- Administrative and developer access to infrastructure is protected by additional safeguards, including multi-factor authentication;
- Individual credentials are used for system access and activities are logged for audit purposes;
- Access rights are regularly reviewed and updated;
4. Data storage and backups
- Personal Data and application data are stored in secure relational database systems (e.g. MySQL or equivalent technologies), with logical separation between different data types where appropriate (e.g. separation of user credentials and application data);
- Schema changes and database updates are managed through controlled deployment processes, including automated scripts, testing in staging environments and validation prior to production release;
5. Data storage, media and backups
- Media files (such as images or videos) are stored in secure cloud storage solutions (e.g. AWS S3 or equivalent), and are not publicly accessible;
- Access to stored media is controlled through secure delivery mechanisms (e.g. time-limited URLs via content delivery networks such as AWS CloudFront or equivalent);
- Regular backups of Personal Data are performed and stored in a secure private network environment;
- Backups are encrypted and retained only for a limited period (e.g. operational retention periods such as seven (7) days or equivalent);
6. Application and operational security
- All communication between users and the Services is secured using HTTPS protocols;
- External communications with infrastructure (e.g. via cloud provider APIs) are conducted over secure channels;
- Logging and monitoring mechanisms are implemented to detect, investigate and respond to security incidents;
- Audit logs are maintained for a limited period (e.g. up to 90 days or equivalent) to track access and system activity;
- System changes are managed through controlled deployment processes, including testing in development, QA and staging environments before release to production;
7. Mobile application security
- Where the mobile application is used without an internet connection, limited Personal Data may be temporarily stored on the device;
- Such data is encrypted and protected using access control mechanisms (e.g. PIN or device-level security configured during setup);
- Locally stored data is automatically synchronised securely when connectivity is restored and deleted after synchronisation or upon removal of the application;
8. Data lifecycle and deletion
- Where Personal Data is deleted from the Platform, such data is erased or anonymised without undue delay;
- Where applicable, certain aggregated or anonymised data (e.g. evaluation data) may be retained for statistical purposes without the possibility of identifying the Data Subject;
9. Personnel and organisational measures
- Access to Personal Data is limited to personnel who require such access for the performance of the Services;
- Personnel are subject to confidentiality obligations;
- Access to infrastructure and systems is secured through individual credentials and monitored through audit logs;
10. Continuous improvement
Mobile School regularly reviews and updates its technical and organisational measures to ensure that they remain appropriate in light of technological developments, emerging risks and industry best practices.
11. Additional information
Upon reasonable request, Mobile School may provide additional information regarding its security measures, subject to confidentiality obligations.

Annex III – List of Sub-processors

Mobile School engages the following Sub-processors for the provision ofthe Services:

Name: Amazon Web Services EMEA (SARL)
Type of processing: Cloud hosting and infrastructure
Country: Germany

Name: Halcyon
Type of processing: Software development and technical support
Country: Romania

Mobile School may update this list from time to time in accordance withArticle 6 of this Agreement.