This Data Protection Impact Assessment (DPIA) is an internal and institutional document prepared to
demonstrate how SuperMind Education Services (“SuperMind”, “we”, “our”, or “us”) protects personal data
in line with NDPR, GDPR, FERPA, COPPA, and other global data protection standards. It is intended for
schools, universities, regulators, auditors, partners, and investors who require assurance that our
platform processes data safely and lawfully.
1. Executive Summary
SuperMind Education Services is an AI-powered educational platform used by students, teachers, schools,
partners, and institutions. The platform processes sensitive and high-risk data, including student
identities, academic records, exam scripts, AI-graded assessments, wallet transactions, and teacher
information.
This DPIA describes what data we process, why we process it, how it flows through the system, what
risks are involved, and which safeguards we have implemented to reduce those risks to an acceptable level.
The purpose is to ensure that our processing is transparent, necessary, proportionate, and compliant with
applicable laws, especially where minors and exam records are involved.
2. System Overview
SuperMind provides a unified digital environment for learning and school management, including:
AI-assisted exam grading (objective and theory scripts)
Student and teacher dashboards
Lesson uploads (videos, notes, and materials)
Classroom forums and announcement tools
Academic timetables and attendance features
Partner advertisement and impression tracking system
Wallet and coin system for in-platform payments
Cloud-based media storage via Backblaze B2
Payment processing through Flutterwave
The platform is suitable for primary, secondary, tertiary, and vocational institutions and can operate
across multiple countries and regions.
3. Purpose of This DPIA
This DPIA is required because SuperMind processes:
Children’s and students’ personal data
Exam scripts, grades, and academic profiles
Payment-related data and wallet balances
Files and content stored in cloud infrastructure
Data processed by AI systems for grading and analytics
These activities are categorised as high-risk under NDPR, GDPR, FERPA, and similar frameworks. The DPIA
helps us:
Identify and document potential privacy and security risks
Describe the measures we use to mitigate those risks
Demonstrate accountability and compliance to institutions and regulators
Ensure that our processing is fair, lawful, and transparent
4. Description of Data Processing
4.1 Categories of Data Collected
A. Personal Identification Data
Full name
Email address
Phone number
Password (stored in encrypted/hashed form)
Country, state, and city
School, university, department, or class information (where applicable)
Profile photo or avatar (optional)
B. Educational & Academic Data
Uploaded exam scripts and answer sheets
AI-graded responses and scoring breakdowns
Grades, scores, and performance analytics
Attendance, timetables, and course schedules
Lesson content, notes, and teaching materials
Teacher feedback and comments on student work
C. Usage & Interaction Data
Forum posts, classroom conversations, and replies
Likes, reactions, and other engagement signals
Lesson, video, and resource viewing history
Login and navigation patterns (for analytics and stability)
D. Technical & Device Data
IP address and approximate geo-location
Browser type and version
Device type and operating system
Login timestamps and session identifiers
Cookies and similar technologies used for authentication and security
E. Payment & Wallet Data (via Flutterwave)
All financial transactions, such as wallet top-ups, coin purchases, subscriptions, and partner advertisement
payments, are processed securely by Flutterwave. SuperMind does not store card numbers, CVV,
or full bank account details.
We may receive and store:
Transaction reference and payment status
Amount, currency, and time of payment
Wallet and coin balances related to user accounts
F. Files & Media Stored via Backblaze B2
Lesson videos and images
PDF notes and scanned exam scripts
Partner advertisement images and media
Other educational attachments uploaded through the platform
4.2 How Data Flows Through the System
Users register and create accounts → identification data stored in our secure database.
Students and teachers upload scripts or lessons → files stored in Backblaze B2.
AI processes exam content → grades and feedback written back to the SuperMind database.
Users purchase coins or subscriptions → payments handled by Flutterwave; references returned to SuperMind.
Users interact via forums and dashboards → activity and interaction logs stored for functionality and analytics.
Institutions may view student performance reports → restricted to authorised institutional accounts.
5. Legal Basis for Processing
SuperMind processes personal data based on the following legal grounds (depending on user location and context):
Consent – provided when users register, upload content, or choose optional features.
Contractual necessity – to supply educational and platform services users have requested.
Legitimate interest – to maintain and improve platform performance, security, and user experience.
Legal obligations – where we must retain certain records for regulatory, financial, or academic reasons.
Vital interests – protecting the privacy and safety of children and students in online environments.
6. Risk Identification
The following key risks were identified in relation to SuperMind’s processing activities:
Risk Area
Description
Severity (Pre-Control)
Unauthorised access
Attempted hacking, credential theft, or misuse of admin accounts.
High
Children’s data protection
Misuse or over-collection of minors’ personal and academic data.
High
Exam script exposure
Leakage of exam scripts or graded responses to unauthorised parties.
High
Payment risks
Fraudulent transactions or interception of payment data.
Medium
Cloud storage breach
Unauthorised access to Backblaze B2 buckets or hosted files.
Medium
Weak user authentication
Users using simple passwords or sharing credentials.
Medium
Data retention beyond necessity
Keeping data longer than required for academic or legal purposes.
Medium
7. Risk Mitigation Measures
7.1 Technical Measures
Use of HTTPS/SSL for secure data transmission where supported.
Strong password hashing (e.g. bcrypt/argon2) and secure credential storage.
Role-based access control for admin, teacher, institution, and student accounts.
Input validation and protection against SQL injection and cross-site scripting (XSS).
Rate limiting and monitoring on login and other sensitive endpoints.
Server-side logging, intrusion detection, and access monitoring.
Secure storage and rotation of API keys and cloud access credentials.
Encrypted and access-controlled Backblaze B2 buckets.
7.2 Organisational Measures
Limited and logged access to production databases and admin tools.
Internal guidance and policies on handling student and exam data.
School and institutional agreements outlining responsibilities for student privacy.
Procedures for responding to user data rights requests and incidents.
7.3 Payment Security (Flutterwave)
All card and sensitive payment data handled by Flutterwave, a PCI-DSS Level 1 compliant processor.
Use of secure, tokenised payment flows.
No storage of card numbers, CVV, or full bank account details on SuperMind systems.
Logging of transaction references and status only.
7.4 Children’s & Students’ Data
Collection limited to what is necessary for educational purposes.
Institutions can request data export or deletion in line with academic rules.
Student accounts kept separate from administrative or staff accounts.
No sale of children’s or students’ data to third parties.
8. Data Retention
SuperMind applies the following general retention principles:
Account data: retained while the account is active or until the user/institution requests deletion, subject to legal or academic requirements.
Exam results and educational records: retained as required by schools, universities, or applicable education laws.
Payment records: retained for at least the minimum period required for financial, audit, and tax laws (typically 5 years or more).
System logs: normally retained between 30 and 90 days, unless needed for security investigations.
Uploaded lessons and materials: retained until removed by the uploader or until an institutional arrangement ends.
9. International Data Transfers
SuperMind may use cloud infrastructure and services that are hosted in different countries, including
regions in Africa, Europe, Asia, and North America. Where personal data is transferred across borders,
we aim to ensure that:
Appropriate contractual or legal safeguards are in place (e.g. standard contractual clauses).
Data is transmitted over encrypted channels.
Processors such as Flutterwave and Backblaze B2 maintain strong security and compliance.
10. Children’s Data & Educational Compliance
SuperMind is designed with special consideration for minors and students and seeks to align with:
FERPA (Family Educational Rights and Privacy Act) for student records in the United States.
COPPA principles for online services used by children.
NDPR (Nigeria Data Protection Regulation).
GDPR (General Data Protection Regulation) in the European Union.
Institutions using SuperMind are responsible for ensuring that appropriate parental or guardian consent
is obtained where required and that our platform is used in a way that respects student rights and
educational regulations.
11. Third-Party Processors
SuperMind currently relies on the following key third-party processors:
Flutterwave – payment gateway for processing secure financial transactions.
Backblaze B2 – cloud storage provider for hosting educational files and media.
Optional infrastructure providers – such as hosting and security services, which may include firewall and DDoS protection.
Each processor is selected based on its security posture, reliability, and compliance with international
standards. Processor relationships are reviewed periodically.
12. User Rights and Requests
Users (or their institutions) may exercise data protection rights in accordance with NDPR, GDPR, FERPA and
similar regulations, including:
Right of access to personal data held by SuperMind.
Right to request correction of inaccurate or incomplete information.
Right to request deletion of certain data, subject to legal and academic obligations.
Right to object to or restrict certain processing activities.
Right to data portability where applicable.
Right to withdraw consent where processing is based on consent.
Requests can be made by contacting:
support@supermindeducation.com.
For institutional deployments, schools and universities may coordinate student data requests through
their designated administrators.
13. Residual Risk Assessment
After applying the technical and organisational measures described above, the residual privacy and
security risk for users is assessed as low to medium, and appropriate for an educational
technology platform operating at scale.
Continuous monitoring, logging, and periodic reviews of this DPIA are planned in order to reflect new
features, regulatory changes, and evolving security threats.
14. DPIA Approval & Review
This DPIA has been prepared and approved by the management and data protection team of SuperMind
Education Services.