Data Processing Agreement

UK GDPR Article 28 — CtrlClass Ltd (Processor) and School (Controller)

Last updated: June 2026. Version 1.0.

1. Subject matter and duration

The Processor provides portfolio folder management software that creates and manages Google Drive folders for students enrolled in classes at the Controller's school. Processing continues for the duration of the active service subscription. Upon termination, clause 11 applies.

2. Nature and purpose of processing

The Processor performs the following operations on personal data: collection (via Google OAuth and Google Classroom API), storage (in an isolated per-school database schema), structuring (organising by subject, class, and student), use (creating and modifying Google Drive folder permissions), retrieval (serving the student and teacher dashboard), and deletion (per the retention schedule in clause 13).

The sole purpose of processing is to enable the Controller's teaching staff to manage student portfolio folders and lock or unlock them during assessment periods.

3. Types of personal data

The following categories of personal data are processed:

  • Student full names and school email addresses
  • Student Google account identifiers (numeric IDs issued by Google)
  • Student profile photographs (from Google account)
  • Class enrolment records (which student belongs to which class)
  • Google Drive folder URLs for each student's portfolio
  • Portfolio lock/unlock event timestamps and associated teacher records
  • Teacher and staff names, email addresses, and Google account identifiers
  • Teacher OAuth access and refresh tokens (encrypted at rest using AES-256-GCM)

No special category data (as defined in UK GDPR Article 9) is collected by the Processor.

4. Categories of data subjects

Students enrolled at the Controller's school; teaching staff and administrators who use the service on behalf of the Controller.

5. Processing only on instructions (Article 28(3)(a))

The Processor will process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable UK law; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Note on Google Drive access scope: During sign-in, the Processor requests the Google OAuth "drive" scope. This scope is required solely to create and manage the school's Shared Drive portfolio folder structure on the Controller's behalf. The Processor does not access, read, or modify any files in a teacher's personal Google Drive outside the school's portfolio Shared Drive.

6. Confidentiality (Article 28(3)(b))

The Processor ensures that all persons authorised to process the personal data are subject to a duty of confidentiality, whether by contract or applicable statutory obligation, and will not process the personal data except in accordance with the Controller's instructions.

7. Technical and organisational security measures (Article 28(3)(c))

The Processor implements the following measures pursuant to UK GDPR Article 32:

  • Encryption at rest: OAuth tokens, refresh tokens, and service account keys are encrypted using AES-256-GCM with a 32-byte key stored separately from the data.
  • Encryption in transit: All data transmitted between the application and external services uses TLS 1.2 or higher.
  • Tenant isolation: Each school's data is held in a separate PostgreSQL schema. Cross-school data access is architecturally prevented.
  • Role-based access controls: Access is restricted by role (Teacher, Head of Subject, Examinations Officer, Headteacher, School Admin). Each role sees only the data appropriate to their function.
  • Audit logging: All administrative actions are recorded in an immutable audit log with timestamp and acting user ID.
  • Infrastructure security: Application and database hosted on ISO-27001-certified cloud infrastructure with automatic patch management.

8. Sub-processors (Article 28(3)(d))

The Controller grants general written authorisation for the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended addition or replacement of sub-processors, giving the Controller a reasonable opportunity to object before the change takes effect.

Sub-processor: Google LLC (Workspace & APIs)
  Purpose: Google OAuth sign-in; Google Drive API (portfolio folder management); Google Classroom API (class and student roster sync)
  Location: USA — UK-US Data Bridge (in force Oct 2023; Google participates); Standard Contractual Clauses; Google Workspace for Education DPA

Sub-processor: Google Cloud Platform (Google LLC)
  Purpose: Application hosting (Cloud Run), PostgreSQL database (Cloud SQL), secret management (Secret Manager)
  Location: UK (europe-west2, London) — data remains in UK jurisdiction; Google Cloud DPA

Sub-processor: Upstash Inc.
  Purpose: Redis — async job queue (lock/unlock operations) and short-lived tenant configuration cache (5-minute TTL). No student personal data persisted.
  Location: UK (eu-west-2, London) — data remains in UK jurisdiction; Upstash DPA

Any sub-processor engaged by the Processor will be subject to data protection obligations equivalent to those in this Agreement.

9. Assistance with data subject rights (Article 28(3)(e))

The Processor provides self-service tools in the Admin panel for Subject Access Requests (Article 15), Right to Erasure (Article 17), and retention management (Article 5(1)(e)). Additional assistance with rights requests is available within 5 working days of receiving written notice from the Controller.

10. Assistance with security, breaches and DPIAs (Article 28(3)(f))

The Processor will notify the Controller of any personal data breach without undue delay and in any event within 24 hours of becoming aware, regardless of assessed risk level. The Processor will assist with DPIAs under Article 35 by providing technical documentation on request.

11. Return and deletion of data (Article 28(3)(g))

Upon termination, the Processor will, at the Controller's written election, either return all personal data in machine-readable format (JSON/CSV) within 14 days, or permanently delete all personal data within 30 days, with written confirmation of deletion. If no election is made within 30 days of termination, the Processor will delete the data.

12. Audit rights (Article 28(3)(h))

The Processor will make available all information necessary to demonstrate compliance and allow audits and inspections by the Controller or their mandated auditor on at least 10 working days' written notice, conducted during business hours with minimal disruption.

13. Retention

Personal data is retained for the period configured by the Controller in the Admin panel (default: 36 months from last update). The Controller is responsible for setting a period appropriate to their obligations under UK GDPR Article 5(1)(e).

14. International transfers

Primary personal data storage and application hosting is on Google Cloud Platform in the europe-west2 (London) region, within UK jurisdiction. No international transfer occurs for this data.

Google LLC processes data in the United States for Google OAuth, Drive, and Classroom API calls. These transfers are covered by the UK-US Data Bridge (the UK's adequacy arrangement for US companies, in force October 2023; Google participates) and Google's Workspace for Education Data Processing Amendment, which incorporates Standard Contractual Clauses approved for use under UK GDPR Article 46. Regional API endpoints are not available from Google; this arrangement is standard for all UK schools using Google Workspace for Education.

Upstash Inc. stores Redis queue data in the UK (eu-west-2, London) region. No international transfer occurs for this data.

No personal data is transferred to any country without adequate protection or an approved transfer mechanism.

15. Controller responsibilities

By accepting this Agreement, the Controller confirms it has identified a valid UK GDPR Article 6 lawful basis for this processing, has provided appropriate privacy information to data subjects, has considered any required DPIA under Article 35, and that the accepting person is authorised to bind the institution.

16. Governing law

This Agreement is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

Ctrl Class Ltd · Registered in England and Wales