ADEK School Digital Policy — Self-Attestation
OMNIA Inclusion Ltd's clause-by-clause mapping against the ADEK School Digital Policy (v1.1, September 2024, compliance effective AY 2025/26).
Version: 1.1
Last updated: 1 June 2026
Status: Self-attestation by OMNIA Inclusion Ltd. Not independently audited.
This document is provided to assist Abu Dhabi private schools with their ADEK due-diligence obligations when adopting third-party EdTech. It is a self-attestation, not an external audit certificate. Schools remain responsible for their own ADEK compliance.
Scope
This attestation covers OMNIA Inclusion Ltd's processing of pupil, staff, and parent data on behalf of ADEK-regulated Abu Dhabi private schools using the OMNIA SEND platform.
ADEK Digital Policy v1.1 is structured around five pillars. Each row below maps OMNIA's practice against the pillar's headline requirements.
Pillar 1 — Governance & accountability
| Requirement | OMNIA's position | Evidence |
|---|---|---|
| Named accountable owner for digital systems | OMNIA Inclusion Ltd as data processor; School DPO as controller | UAE Addendum §2.3, §2.4 |
| Documented vendor due diligence | Public sub-processor list; DPIA; security overview | /legal/sub-processors, /legal/dpia, /legal/security |
| Annual review of vendor compliance | UAE Addendum §7.3 commits both parties to 12-monthly review | UAE Addendum §7.3 |
| Board-level visibility | School admin dashboard surfaces all processing, audit log, DSAR | Built into product |
Pillar 2 — Data protection & privacy
| Requirement | OMNIA's position | Evidence |
|---|---|---|
| Lawful basis under PDPL | School confirms lawful basis in UAE Addendum §2.4(b) | UAE Addendum §2.4 |
| Special-category data handling (SEND, health) | All such data treated as special-category; access restricted to authorised staff | UAE Addendum §4.4 |
| Parental notification / consent model | Configurable per school in Admin → School → Setup | Built into product |
| Data-subject rights (access, correction, deletion) | 30-day SLA; runbook published | /legal/pdpl-dsr-runbook |
| Cross-border transfer safeguards | Contractual safeguards + school instruction (interim pending PDPL Executive Regulations); Connected-tier schools may elect Azure OpenAI BYOK in uaenorth to keep AI processing inside the UAE | UAE Addendum §3.2 |
| AI data residency (BYOK) | Connected tier supports Azure OpenAI in uaenorth (Dubai data centre) under the school's own Azure tenancy; key AES-256-GCM-encrypted at rest, never returned to client | Built into product; school's own Azure DPA |
| Sub-processor transparency | Live public list; change-notification template ready | /legal/sub-processors, /legal/subprocessor-change-template |
Pillar 3 — Cybersecurity & infrastructure
| Requirement | OMNIA's position | Evidence |
|---|---|---|
| Encryption in transit | TLS 1.2+ enforced on all endpoints | /legal/security |
| Encryption at rest | AES-256 at the database and storage layer (Supabase/AWS eu-west-1) | /legal/security |
| Access control | RLS enforced per school; explicit school_id scoping on every server function | Codebase-enforced |
| MFA for privileged accounts | Mandatory TOTP for admin / superadmin roles | Built into product |
| Audit logging | Tamper-evident audit_logs and system_audit_logs tables; admin-visible | Built into product |
| Backup & disaster recovery | Daily managed backups via Supabase; 7-day point-in-time recovery | /legal/security |
| Incident response | Breach SOP published; UAE Data Office + School notified per PDPL §9 timelines | /legal/breach-sop, UAE Addendum §2.3(c) |
| Penetration testing | Annual third-party pen test (in progress — first test scheduled before first UAE go-live) | Plan documented |
Pillar 4 — Safeguarding & pupil welfare
| Requirement | OMNIA's position | Evidence |
|---|---|---|
| No use of pupil data for AI training | Explicit prohibition in UAE Addendum §2.3(e) | UAE Addendum §2.3 |
| PII scrubbing before any AI gateway call | Enforced server-side chokepoint (scrubPii / scrubMessages) | Codebase-enforced |
| Restricted access to SEND / health data | Role-based access; pastoral / SENCo / inclusion lead only | Built into product |
| Pupil voice & parent voice — private tokens | Rate-limited, hashed, expiring tokens | Built into product |
| No third-party advertising or tracking on pupil data | Confirmed — no ad networks; analytics is first-party only | /legal/cookies |
Pillar 5 — Acceptable use & digital citizenship
| Requirement | OMNIA's position | Evidence |
|---|---|---|
| Aligned with School's Acceptable Use Policy | OMNIA does not override; supplements School's AUP | UAE Addendum §1.2 |
| Pupil-facing surfaces appropriate for age | Pupil voice surfaces use age-appropriate language; no open chat | Built into product |
| No exposure to external content without School control | Closed system — no public social or chat surfaces | Built into product |
| Staff training materials available | In-product user guide; CPD module | /guide, /admin/cpd |
Outstanding items
- Independent penetration test — scheduled before first UAE school go-live. Will be added to evidence pack on completion.
- ISO 27001 certification — not currently held. Roadmap item for FY 2026/27.
- Arabic-language UI — courtesy only; not currently provided. Roadmap item subject to demand.
Sign-off
This attestation is signed by OMNIA Inclusion Ltd's accountable officer. The School's DPO is welcome to request supporting evidence for any row above.
OMNIA Inclusion Ltd
Signed: _________________________________
Title: _________________________________
Date: _____ / _____ / 20___