1. Definitions
| Term | Meaning |
|---|---|
| Platform | The multi-tenant SaaS application operated by Amica, accessible at amicaschoolportal.com and its subdomains |
| School / Subscriber | The Nigerian private school institution that has registered and been provisioned a tenant account |
| School Administrator | A bursar, principal, or authorised staff member assigned the school_admin role |
| Teacher | A staff member assigned the teacher role, permitted to enter student scores and view class rosters |
| Guardian | A parent or legal guardian of an enrolled student, assigned the guardian role |
| Student Data | All personal data relating to enrolled students, including academic results, financial records, and contact information |
| Platform Data | Anonymised, aggregated, or operational data generated by use of the Platform that does not identify individuals |
| Subscription | The active plan (Starter, Academy Per-Term, or Academy Annual) under which a School accesses the Platform |
| Term | An academic term as defined in the Nigerian private school calendar (approximately three per academic session) |
| NDPR | Nigeria Data Protection Regulation 2019 and the Nigeria Data Protection Act 2023, together with all subsidiary instruments and guidelines issued by the Nigeria Data Protection Commission (NDPC) |
2. Account Registration & School Provisioning
2.1 Schools are provisioned exclusively by Platform administrators. Public self-registration is not available.
2.2 The School Administrator who accepts these Terms represents and warrants that:
- They are at least 18 years of age
- They are authorised to enter into contracts on behalf of the School
- All information provided during onboarding is accurate, current, and complete
- The School is a legitimately registered institution operating in compliance with applicable Nigerian law, including the Education (National Minimum Standards and Establishment of Institutions) Act
2.3 Each School is allocated an isolated tenant environment. Tenant isolation is enforced at the database level via PostgreSQL Row Level Security. The Platform will not knowingly permit cross-tenant data access.
2.4 Schools are responsible for maintaining the security of their credentials. The Platform offers SMS OTP multi-factor authentication. School Administrators and Teachers are required to enrol in MFA. Guardians are strongly encouraged to do so.
2.5 The School must promptly notify the Platform at security@amicaschoolportal.com if it suspects any unauthorised access to its account.
3. Permitted Use
3.1 The Platform may be used solely for:
- Managing student enrolment records
- Generating and tracking school fee invoices
- Collecting fee payments via integrated payment gateways (Paystack, Flutterwave)
- Recording, computing, and publishing academic results
- Generating and distributing student report cards
- Communicating fee and results information to Guardians via SMS
3.2 The following uses are expressly prohibited:
- Uploading data relating to individuals who are not enrolled students, staff, or guardians of the School
- Using the Platform to process payments for purposes other than school fee collection
- Attempting to access, probe, or test the security of any other tenant's data
- Reverse engineering, decompiling, or extracting the Platform's source code
- Reselling or sublicensing access to the Platform to any third party
- Using the Platform in connection with any unlawful purpose under Nigerian law
3.3 The School is solely responsible for the accuracy of all data it enters into the Platform, including student scores, fee structures, and guardian contact information.
4. Subscription, Billing & Payment
4.1 Plan Structure
The Platform offers three plan types:
| Plan | Student Cap | Teacher Cap | Class Cap | PDF Reports | SMS | API Access |
|---|---|---|---|---|---|---|
| Starter (Free) | 30 | 5 | 5 | No | No | No |
| Academy (Per-Term) | Unlimited | Unlimited | Unlimited | Yes (watermarked) | Yes | Yes |
| Academy (Annual) | Unlimited | Unlimited | Unlimited | Yes (watermarked) | Yes | Yes |
| Custom | Unlimited | Unlimited | Unlimited | Yes | Yes | Yes |
The Platform reserves the right to adjust Starter plan limits on 30 days' written notice to active Starter Schools.
4.2 Pricing
Prices are published at amicaschoolportal.com/#pricing and are denominated in Nigerian Naira (₦). Academy is billed per term. Schools that choose to pay for the full academic year (3 terms) upfront receive a 10% discount on the total annual price.
4.3 Payment
All payments are processed by Paystack or Flutterwave. The School's payment details are handled directly by those processors and are not stored on Platform servers. The Platform stores only Paystack-issued payment references and, for auto-renew subscriptions, a tokenised card reference issued by Paystack's card tokenisation service.
4.4 Grace Period
If a paid subscription lapses (term ends, payment fails, or renewal is not completed), the School enters a 7-day grace period. During the grace period, the School retains read access to its data. Write operations — adding students, recording payments, entering scores — are suspended until renewal is completed.
4.5 Suspension
If payment is not received within 7 days of the grace period start, the School's account is suspended. Data is retained for 90 days following suspension. After 90 days, the Platform reserves the right to permanently delete the School's data. The Platform will send written notice at least 14 days before any data deletion.
4.6 Refunds
Given the term-aligned billing model, refunds are not issued for partially used terms. Exceptions are made only where the Platform has experienced a material service outage (as defined in clause 9) during the paid term, or where required by Nigerian consumer protection law.
4.7 Taxes
All prices are exclusive of Value Added Tax (VAT) where applicable. The Platform will apply VAT at the rate prescribed by Nigerian law and issue a VAT-compliant invoice.
5. Acceptable Use of Student Data
5.1 The School, as Data Controller under the NDPR and Nigeria Data Protection Act 2023, is responsible for ensuring it has a lawful basis for processing each category of student and guardian data it enters into the Platform.
5.2 The Platform, as Data Processor, will process Student Data only on the documented instructions of the School and will not use Student Data for any purpose other than providing the Platform services.
5.3 The School warrants that:
- It has obtained all necessary consents, or has an alternative lawful basis under NDPR, for uploading personal data of students, guardians, and staff
- It has notified affected individuals of the existence of this Platform and the categories of their data processed herein, in accordance with NDPR Article 2.1(1)(b)
- It will not upload sensitive personal data (as defined by NDPR) beyond what is strictly necessary for the Platform's stated purposes
5.4 The Platform will not sell, share, or disclose Student Data to any third party except:
- Sub-processors listed in Schedule 1 of this Agreement, for the sole purpose of delivering Platform services
- Where required by a valid order of a Nigerian court or competent regulatory authority
- Where disclosure is necessary to prevent imminent harm to a child
6. Report Cards & Result Distribution
6.1 PDF report cards generated on paid plans carry a visible watermark identifying the downloading Guardian's name (first name and last initial) and a partial phone number. This watermark is a document control measure.
6.2 The School is responsible for ensuring it has the authority to publish academic results and to make them accessible to identified Guardians. The Platform provides the technical mechanism; the School controls when results are published and to whom.
6.3 Report card PDFs are stored in a private, access-controlled storage bucket. Download links are time-limited (15 minutes) and are generated on authenticated request only. The Platform does not generate permanent public URLs for any report card PDF.
7. Intellectual Property
7.1 The Platform, including its source code, design, trademarks, and documentation, is the sole property of Amica. Nothing in these Terms transfers any intellectual property rights to the School.
7.2 The School retains full ownership of all Student Data it uploads to the Platform. By uploading data, the School grants the Platform a limited, non-exclusive, royalty-free licence to process that data solely to provide the Platform services.
7.3 The Platform may use aggregated, anonymised, non-identifiable usage statistics derived from Platform activity for product improvement and benchmarking purposes.
8. Warranties & Disclaimers
8.1 The Platform warrants that it will:
- Apply commercially reasonable security measures, including encryption in transit and at rest, database-level tenant isolation, and access controls
- Process Student Data only in accordance with the Data Processing Agreement in Part B of this document
- Notify the School within 72 hours of becoming aware of a personal data breach affecting the School's data, in accordance with NDPR obligations
8.2 The Platform does not warrant:
- Uninterrupted or error-free operation of any third-party service integrated with the Platform (including Paystack, Flutterwave, Termii, and Supabase)
- That SMS messages will be delivered to numbers registered on the Nigerian DND registry, even via the DND channel — delivery is the responsibility of Termii
- Compatibility with devices or browsers not tested by the Platform
8.3 The Platform is provided "as is" to the extent permitted by Nigerian law. Nothing in these Terms excludes liability for fraud, personal injury, or any matter that cannot lawfully be excluded.
9. Service Level & Uptime
9.1 The Platform targets 99.5% monthly uptime, measured on a calendar month basis, excluding:
- Scheduled maintenance windows (notified at least 48 hours in advance)
- Outages caused by third-party infrastructure (Railway, Neon, Upstash, Supabase)
- Force majeure events
9.2 A "material service outage" means Platform unavailability exceeding 4 continuous hours, or cumulative downtime exceeding 12 hours in a calendar month, where the cause lies within the Platform operator's direct control.
9.3 Status updates during outages will be published at https://status.amicaschoolportal.com.
10. Limitation of Liability
10.1 To the maximum extent permitted by Nigerian law, the Platform's total liability to a School for any claim arising under or in connection with these Terms shall not exceed the total Subscription fees paid by that School in the 3 months preceding the claim.
10.2 The Platform shall not be liable for any indirect, consequential, or economic loss, including loss of revenue, loss of data (except where caused by the Platform's negligence), or loss of business opportunity.
10.3 Nothing in this clause limits the Platform's liability under the NDPR for data processing failures, or liability that cannot be excluded under Nigerian consumer protection law.
11. Termination
11.1 By the School: A School may terminate its subscription at any time by notifying support@amicaschoolportal.com. Termination takes effect at the end of the current billing period. Data export must be requested before termination; the Platform will provide a structured export in CSV format within 5 business days of request.
11.2 By the Platform: The Platform may terminate a School's account immediately, without refund, if the School:
- Materially breaches these Terms and fails to remedy the breach within 14 days of written notice
- Uses the Platform for any unlawful purpose
- Provides materially false information during onboarding
11.3 Data on Termination: Following termination or suspension, Student Data is retained for 90 days to allow export. After 90 days, all School data is permanently deleted from production systems within 30 days. Backups are purged on their natural rotation cycle (maximum 30 additional days). The Platform will issue a written deletion confirmation on request.
12. Governing Law & Dispute Resolution
12.1 These Terms are governed by the laws of the Federal Republic of Nigeria.
12.2 Any dispute arising from or relating to these Terms shall first be referred to good-faith negotiation between the parties for a period of 30 days.
12.3 If negotiation fails, the dispute shall be submitted to the Lagos Multi-Door Courthouse (LMDC) for mediation under its rules. If mediation fails, the dispute shall be finally resolved by arbitration under the Arbitration and Mediation Act 2023 (Nigeria), with the seat of arbitration in Lagos.
12.4 Nothing prevents either party from seeking urgent injunctive or declaratory relief from a competent Nigerian court.
13. Amendments
13.1 The Platform may update these Terms by posting revised Terms at https://amicaschoolportal.com/terms and notifying School Administrators by email and in-platform notice at least 30 days before the changes take effect.
13.2 Continued use of the Platform after the effective date of revised Terms constitutes acceptance of those Terms.
13.3 Material amendments to the Data Processing Agreement in Part B require the School's explicit re-acceptance before taking effect.
This Data Processing Agreement forms part of the Terms of Service and governs the processing of personal data by the Platform on behalf of the School, in accordance with the Nigeria Data Protection Regulation 2019 (NDPR) and the Nigeria Data Protection Act 2023 (NDPA).
14. Roles & Responsibilities
14.1 The School is the Data Controller in respect of all Student Data, Guardian Data, and Staff Data uploaded to or generated within the School's tenant environment.
14.2 The Platform (Amica) is the Data Processor, processing personal data solely on the documented instructions of the School and for no other purpose.
14.3 Where the Platform processes data for its own operational purposes (account management, billing, fraud prevention), it acts as a Data Controller in its own right and processes that data under its Privacy Policy (https://amicaschoolportal.com/privacy).
15. Categories of Personal Data Processed
| Category | Data Subjects | Examples | Lawful Basis (School's responsibility) |
|---|---|---|---|
| Student identity | Enrolled students | Full name, date of birth, class, admission number | Contract / Legitimate interest |
| Academic records | Enrolled students | Subject scores, grades, class position, term results | Contract / Legitimate interest |
| Financial records | Students / Guardians | Invoice amounts, payment status, payment references | Contract (fee obligation) |
| Guardian contact | Parents / Legal guardians | Full name, phone number (partial display only in watermarks) | Contract / Consent |
| Staff identity | Teachers, administrators | Full name, email, phone, role | Contract (employment) |
| Authentication data | All users | Hashed OTP codes (Redis, 10-min TTL), session tokens | Contract / Legitimate interest |
15.1 The Platform does not require and Schools must not upload:
- National Identity Numbers (NIN) or BVN of students or guardians
- Medical or health data
- Religious or political affiliation data
- Biometric data
If such data is uploaded in breach of this clause, the Platform will notify the School and delete the data.
16. Platform's Obligations as Data Processor
16.1 Processing only on instructions. The Platform will process personal data only on documented instructions from the School, as set out in these Terms and through the Platform's configured features.
16.2 Confidentiality. The Platform will ensure that all personnel authorised to process Student Data are bound by appropriate confidentiality obligations.
16.3 Security measures. The Platform implements and maintains the following technical and organisational measures:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ enforced on all connections |
| Encryption at rest | Neon PostgreSQL encrypted at rest; Supabase Storage AES-256 |
| Tenant isolation | PostgreSQL Row Level Security; school_id scoping at query execution |
| Access control | Role-based access (RBAC) via Spatie Permission; MFA required for admins |
| Key management | Payment gateway keys encrypted per school; never exposed in responses |
| Audit logging | All data access events logged to audit log with user, timestamp, action |
| Private file storage | Report card PDFs in private bucket; 15-minute signed URLs only |
| Secure deletion | Data deletion on account termination per clause 11.3 |
16.4 Sub-processors. The Platform engages the sub-processors listed in Schedule 1. The Platform will notify the School at least 30 days before adding a new sub-processor. If the School objects to a new sub-processor on reasonable data protection grounds, it may terminate its subscription without penalty by notice within the 30-day period.
16.5 Data subject rights. Where a student, guardian, or staff member exercises a data subject right under NDPR (access, rectification, erasure, portability, objection), the Platform will assist the School in fulfilling that request within the Platform's technical capabilities. The School, as Data Controller, is responsible for acknowledging and responding to data subject requests within the NDPR-prescribed timeframe (30 days).
16.6 Data Protection Impact Assessment. The Platform will provide reasonable assistance to the School if a Data Protection Impact Assessment (DPIA) is required in connection with the Platform's processing activities.
16.7 Data transfers. All personal data is processed within infrastructure located in the AWS Africa (Cape Town) region (aws-af-south-1) or the nearest available African region, except where a sub-processor listed in Schedule 1 processes data in another jurisdiction. Where data is processed outside Nigeria, the Platform will ensure an adequate level of protection consistent with NDPR transfer requirements.
17. Personal Data Breach Notification
17.1 The Platform will notify the School without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the School's data.
17.2 Notification will include, to the extent then known:
- Nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
17.3 The School, as Data Controller, is responsible for notifying the Nigeria Data Protection Commission (NDPC) and affected data subjects as required by the NDPA 2023 and NDPR.
17.4 The Platform will cooperate fully with any NDPC investigation arising from a breach.
18. Data Retention & Deletion
18.1 The Platform retains personal data for the duration of the active School subscription plus 90 days following termination or suspension (to allow data export).
18.2 After the 90-day retention window:
- All Student Data, Guardian Data, and Staff Data is permanently deleted from production databases
- Storage objects (report card PDFs) are purged
- Backups are purged on their natural rotation cycle (maximum 30 additional days from deletion trigger)
18.3 The Platform will issue a written confirmation of deletion on request.
18.4 Authentication logs and audit logs may be retained for up to 12 months in anonymised form for security and fraud detection purposes, after which they are permanently deleted.
19. School's Obligations as Data Controller
By accepting these Terms, the School warrants that it:
19.1 Has appointed or will appoint a Data Protection Officer (DPO) or designated data privacy contact where required by NDPR and NDPA 2023, and will register with the NDPC where mandated by the Act.
19.2 Has a lawful basis under NDPR Article 2.1 for each category of personal data it uploads to the Platform.
19.3 Has provided or will provide a privacy notice to students, guardians, and staff, in plain language, that discloses:
- The identity and contact details of the School as Data Controller
- The categories of personal data collected and processed
- The purposes of processing
- That a third-party data processor (Amica) is used to provide the Platform services
- Data subject rights under NDPR and how to exercise them
19.4 Will not instruct the Platform to process personal data in a manner that would violate Nigerian law or cause the Platform to violate applicable law.
19.5 Is responsible for obtaining valid, freely given, specific, and informed consent from Guardians before sending them SMS notifications, where consent is the chosen lawful basis.
19.6 Will ensure that student data uploaded to the Platform is limited to what is necessary for the stated purposes (data minimisation, NDPR principle).
20. Audit Rights
20.1 The School may, on reasonable written notice of at least 30 days and no more than once per 12-month period, request an audit of the Platform's data processing activities relevant to the School's data. The audit will be conducted by a mutually agreed independent auditor at the School's cost.
20.2 In lieu of a full audit, the Platform will make available on request its most recent third-party security assessment, penetration test summary (redacted), and NDPC compliance documentation.
21. Payment Gateway Terms
21.1 Fee payments collected through the Platform are processed by Paystack (paystack.com) and/or Flutterwave (flutterwave.com). Use of these gateways is also subject to their respective terms of service and acceptable use policies.
21.2 The Platform is not a payment institution and does not hold, transmit, or settle funds on behalf of Schools. All fund settlement is handled directly by Paystack or Flutterwave and is subject to their settlement timelines and dispute resolution processes.
21.3 The School is responsible for its own compliance with any Central Bank of Nigeria (CBN) regulations applicable to fee collection from parents, including any requirements relating to receipting and financial record-keeping under the Private Schools Regulations.
22. SMS Notification Terms
22.1 SMS notifications are dispatched via Termii (termii.com) using the DND-compliant channel. The Platform cannot guarantee delivery to numbers registered on the Nigerian DND registry, though it takes all technically available steps to maximise delivery.
22.2 The School is responsible for obtaining any regulatory consent required before sending marketing or non-transactional SMS messages to guardians. The Platform's SMS capabilities are designed for transactional messages only — payment confirmations, result alerts, and fee reminders.
22.3 The Platform implements PII-minimal SMS templates. SMS content is limited to the first name and last initial of the guardian. Full financial amounts are included in payment confirmations as these are required for transactional completeness.
23. Academic Records & Results
23.1 The Platform provides tools to enter, compute, and publish academic results. The accuracy of scores entered by Teachers is the sole responsibility of the School. The Platform computes grades from the scores provided using the grading scale configured by the School Administrator.
23.2 The Platform does not certify, validate, or warrant the accuracy of any academic result. Published results are the sole representation of the School, not of the Platform.
23.3 Report cards generated by the Platform are formatted documents. The School is responsible for ensuring the format, content, and branding comply with any applicable regulatory requirements for academic records in Nigeria.
Schedule 1 — Approved Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Neon Inc. (neon.tech) | PostgreSQL database hosting | All tenant data | AWS aws-af-south-1 (Cape Town) |
| Upstash Inc. (upstash.com) | Redis cache & queue | Session tokens, OTP hashes (no plaintext), queue job metadata | Nearest available region |
| Supabase Inc. (supabase.com) | Private file storage | Report card PDFs (private bucket, signed URL access only) | AWS eu-west-2 or nearest |
| Paystack (Africa) Ltd (paystack.com) | Payment processing | Payment references, tokenised card data (auto-renew only) | Nigeria / AWS |
| Flutterwave Inc. (flutterwave.com) | Alternative payment processing | Payment references | Nigeria / AWS |
| Termii Inc. (termii.com) | SMS dispatch | Guardian phone numbers, first name, last initial | Nigeria |
| Resend Inc. (resend.com) | Transactional email | School admin email addresses, account management emails | United States (SCCs apply) |
| Sentry Inc. (sentry.io) | Error tracking | Stack traces, anonymised request metadata (no student data) | United States (SCCs apply) |
| Railway Corp. (railway.app) | Application hosting | Application processes (no direct data storage) | AWS us-east-1 |
Where a sub-processor processes data outside Nigeria, the Platform relies on Standard Contractual Clauses (SCCs) or the sub-processor's participation in a recognised adequacy framework. The School may request copies of the relevant transfer mechanisms on written request to dpo@amicaschoolportal.com.
Schedule 2 — NDPR Compliance Summary
| NDPR Requirement | How Addressed |
|---|---|
| Lawful basis for processing | School's responsibility as Data Controller; warranted in clause 19.2 |
| Data minimisation | Platform collects only what is necessary; clause 15.1 prohibits NIN/BVN/biometric upload |
| Purpose limitation | Student Data processed only for Platform services; no secondary commercial use |
| Data subject rights | Clause 16.5 — Platform assists School with access, rectification, erasure, portability requests |
| Breach notification | Clause 17 — 72-hour notification to School; School notifies NDPC and data subjects |
| Data retention | Clause 18 — subscription duration + 90 days; then permanent deletion |
| Transfer safeguards | Schedule 1 — SCCs for non-Nigerian sub-processors |
| DPO appointment | School's obligation where required; clause 19.1 |
| Privacy notice | School's obligation; clause 19.3 |
| NDPC registration | School's obligation where mandated by NDPA 2023 |
Acceptance
By completing the onboarding process and activating a School account on the Platform, the School Administrator confirms that:
- They have read and understood these Terms of Service and Data Processing Agreement in full
- They have the authority to bind the School to these Terms
- The School accepts these Terms as a legally binding agreement
- The School accepts the Data Processing Agreement and appoints Amica as its Data Processor for Student Data within the Platform
Terms of Service v1.0 — Amica. Legal queries: legal@amicaschoolportal.com · Data protection: dpo@amicaschoolportal.com · Nigeria Data Protection Commission: ndpc.gov.ng