Data Protection for the Best School Application

Data Protection from Indonesia's School Application

Data Protection

At Pena School, protecting data is part of the foundation we’re built on. As an Indonesian school application trusted with the records of students, staff, and families, we recognize that schools handle some of the most sensitive information there is — and that trust has to be earned through real safeguards, not just promises. This page explains how we protect your data in practice: the principles we follow, the technical and organizational measures we put in place, and our commitments under Indonesia’s Personal Data Protection Law (UU PDP). We’ve written it plainly so that administrators, teachers, and parents can clearly understand how their information is kept safe.

This page complements our Privacy Policy, which describes in detail what data we collect and how it is used. Here, we focus on how we protect it.

Last updated: 7 June 2026

1. Our Data Protection Principles

Everything we do with personal data is guided by the following principles:

  • Lawfulness and transparency: we process data only with a valid legal basis and explain clearly how it is used.
  • Purpose limitation: data is collected for specific, legitimate educational purposes and not used in ways incompatible with them.
  • Data minimization: we collect only the data needed to deliver the Services.
  • Accuracy: we provide tools for schools to keep data correct and up to date.
  • Storage limitation: data is kept only as long as necessary.
  • Integrity and confidentiality: data is protected against unauthorized access, loss, or misuse.
  • Accountability: we take responsibility for compliance and can demonstrate it.

2. Roles and Responsibilities

In line with UU PDP, the school or education foundation that subscribes to Pena School generally acts as the data controller — it decides what data is collected and is responsible for obtaining the necessary consent, including parental consent for students. Sevima acts as the data processor, handling personal data on the institution's behalf, strictly according to its instructions and this framework.

For data we collect directly — such as website visitors and account administrators — Sevima acts as the data controller.

3. Technical Safeguards

We apply layered technical measures to protect personal data, including:

  • Encryption in transit using industry-standard protocols (HTTPS/TLS) for data moving between your device and our servers.
  • Access controls and role-based permissions so users can only see the data relevant to their role (administrator, teacher, staff, parent, or student).
  • Authentication safeguards, including secure password storage and session management.
  • Network and infrastructure security, including firewalls, monitoring, and protections against unauthorized access.
  • Regular backups to support recovery in the event of an incident.

4. Organizational Safeguards

Technology alone is not enough. We also maintain organizational measures such as:

  • Restricting internal access to personal data on a need-to-know basis;
  • Confidentiality obligations for our staff and contractors;
  • Vetting and contractually binding third-party service providers to data-protection standards;
  • Internal review of our security practices and policies.

5. Data Location and Hosting

Personal data may be processed and stored on servers and infrastructure located both inside and outside Indonesia. While our core systems are hosted in Indonesia, certain components of our infrastructure — such as content delivery networks, load balancers, and cloud service providers — may operate from other locations, and we may use servers outside Indonesia as our platform grows. Wherever data is processed, we ensure an adequate level of protection consistent with UU PDP and applicable regulations, and we contractually require our providers to uphold appropriate data-protection standards (see Section 4).

6. Protecting Student and Children's Data

Because Pena School serves K-12 institutions, much of the data we handle relates to children (minors under 18). We apply additional care:

  • Student data is used only to deliver educational services to the institution — never for advertising or unrelated purposes.
  • Sensitive features such as facial-recognition or geolocation-based attendance are optional and enabled only at the institution's discretion, and should be used with appropriate parental consent.
  • Parents and guardians may exercise data-protection rights over their child's data, generally through the school as data controller.

7. Data Retention and Deletion

We retain personal data only for as long as it is needed to provide the Services or to meet legal and contractual obligations. When data is no longer required, we delete or anonymize it. Upon termination of an institution's subscription, data is handled according to the agreement with that institution, including secure deletion or return where requested.

8. Data Subject Rights

Subject to applicable law, individuals may request to access, correct, delete, or restrict the processing of their personal data, withdraw consent, or obtain a copy of their data. Requests can be made using the contact details below; where data is controlled by a school or foundation, we will direct the request to that institution.

9. Incident Response

In the event of a personal-data breach, we follow an internal response process to contain and assess the incident, mitigate harm, and — where required by UU PDP — notify the relevant supervisory authority and affected data subjects within the applicable timeframe.

10. Contact

For any questions or requests relating to data protection at Pena School, please contact us:

  • Sevima — Pena School
  • Email: hello@penaschool.com
  • Website: penaschool.com
  • Address: Medokan Asri Tengah MA-2 Blok Q No.12, Medokan Ayu, Kecamatan Rungkut, Surabaya, Jawa Timur 60295.

11. Updates to This Page

We may update our data protection practices from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by notifying users through the Services.