Last updated: 2026. For a specific data processing agreement, email info@legacylink.tech.
Roles under GDPR
The institution is the Data Controller — it determines the purposes and means of processing alumni personal data.
SalesCollab (Pty) Ltd, operating LegacyLink, is the Data Processor — it processes data on the controller's documented instructions under a written Data Processing Agreement (DPA).
Lawful basis
- Direct alumni communications are typically processed on the basis of legitimate interests (the ongoing alumni relationship).
- Any third-party marketing or fundraising by external sponsors requires explicit consent, captured and revocable in the alumni profile.
- Special-category data (e.g. health, religion) is not collected by default and requires an explicit lawful basis before enablement.
Data subject rights
Alumni can exercise access, rectification, erasure, restriction, portability, and objection rights through the in-product privacy centre. Requests received by the institution are actioned by LegacyLink within the statutory timeframe.
International transfers
Where alumni data leaves the EU/EEA, transfers are governed by Standard Contractual Clauses (2021/914) with the receiving processor. A Transfer Impact Assessment template is available on request.
Sub-processors
A current list of sub-processors (hosting, email delivery, WhatsApp Business, error monitoring) is provided with the DPA and updated in advance of any change. Institutions may object to a new sub-processor.
Security controls
- Tenant isolation via row-level security.
- AES-256 encryption at rest, TLS 1.2+ in transit.
- Append-only audit logs on privileged actions.
- Least-privilege staff access and MFA on operator accounts.
Breach notification
LegacyLink notifies the controller without undue delay after becoming aware of a personal-data breach, providing the information the controller needs to meet its own 72-hour notification obligation to the supervisory authority.
Data Protection Impact Assessments
A DPIA template scoped to alumni engagement platforms is provided on request, covering onboarding, communications, giving, and mentorship modules.
Shared responsibility: LegacyLink provides the platform controls described above. Each institution (the data controller) is responsible for its own lawful basis, alumni notices, retention decisions, and any additional local requirements. This page is app-owner editable content, not independent legal advice or a certification issued by a third party.
