Data Protection (RA 10173)
Last updated: April 16, 2026
1. Our Commitment
Shore, operated by OceanEd, is committed to full compliance with Republic Act No. 10173, the Data Privacy Act of 2012, and its Implementing Rules and Regulations issued by the National Privacy Commission (NPC). This page explains the specific measures we take to protect the personal data of Philippine K-12 schools, their staff, students, and families.
2. Roles Under the Data Privacy Act
- Personal Information Controller (PIC): Each school using Shore is the PIC for the personal data collected through its website — inquiry forms, enrollment applications, alumni records, and similar content.
- Personal Information Processor (PIP): Shore (OceanEd) acts as the PIP, processing data on behalf of the school strictly to operate, maintain, and support the Platform.
3. Lawful Basis for Processing
We process personal data only where a lawful basis exists under Sections 12 and 13 of RA 10173 — typically the consent of the data subject, the performance of a contract, compliance with a legal obligation, or the legitimate interests of the school and its community.
4. Organizational Security Measures
- A designated Data Protection Officer (DPO) oversees compliance and acts as the primary contact for the NPC and data subjects.
- Written data protection policies governing access, handling, and retention of personal data.
- Annual privacy and security training for all OceanEd staff with access to Shore infrastructure.
- Signed non-disclosure and data-processing agreements with every service provider that may handle customer data.
5. Technical Security Measures
- Data in transit is protected by TLS 1.2+ with automatically renewed SSL certificates.
- Data at rest is encrypted on Google Cloud and Firebase using industry-standard AES-256 encryption.
- Role-based access control, multi-factor authentication, and audit logging for all administrative access.
- Daily offsite backups with tested restore procedures and documented recovery objectives.
- Continuous security monitoring, managed patching, and DDoS protection via Cloudflare.
6. Physical Security Measures
Shore runs on Google Cloud data centers that maintain ISO 27001, SOC 1, SOC 2, and SOC 3 certifications, with 24/7 physical security, biometric access controls, and redundant power and cooling.
7. Rights of Data Subjects
Under RA 10173, every data subject has the right to:
- Be informed of the processing of their personal data.
- Access their personal data.
- Object to processing, including for direct marketing or automated decision-making.
- Rectify inaccurate or incomplete data.
- Erase or block unlawfully processed data.
- Obtain their personal data in a commonly used electronic format (data portability).
- Claim damages for violations of their rights under the Data Privacy Act.
- File a complaint with the National Privacy Commission.
8. Data Retention and Disposal
Personal data is retained only for as long as necessary for the purposes for which it was collected, or as required by applicable law. When no longer needed, data is securely destroyed or anonymized in accordance with NPC Circular 16-01 and our internal disposal procedures.
9. Breach Notification
In the event of a personal data breach that is likely to give rise to a real risk of serious harm, we will notify the affected school and, where required, the National Privacy Commission within 72 hours of discovery, in compliance with NPC Circular 16-03.
10. Cross-Border Transfers
Personal data may be processed on infrastructure located outside the Philippines (primarily Google Cloud regions in Asia). Where this occurs, we ensure comparable protections through contractual safeguards and by choosing providers with recognized international privacy certifications.
11. Contact Our Data Protection Officer
To exercise your rights, ask questions about our compliance, or report a concern, contact our Data Protection Officer at theoceaned.com. You also have the right to contact the National Privacy Commission directly at privacy.gov.ph.