This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Stephen Spence trading as School Atlas (“School Atlas”, “we”) and the institution customer (the school, multi-academy trust, nursery group, or other education organisation — “the Institution”, “you”) who claims or subscribes to a profile or portal seat on School Atlas.
It applies to personal data that School Atlas processes on the Institution's behalf in connection with the portal — principally parent enquiries, review replies, and any analytics/contact data the Institution uploads or causes us to collect. It satisfies the written-contract requirement in Article 28(3) of the UK GDPR.
It does not apply to personal data where School Atlas is the controller in its own right — see our Privacy Policy for those processing activities (parent accounts, marketing, site analytics).
1. Definitions
“UK GDPR” means the retained EU General Data Protection Regulation as defined in section 3(10) of the Data Protection Act 2018, together with the Data Protection Act 2018.
“Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (as amended), and any successor or replacement legislation.
The terms “controller”, “processor”, “data subject”, “personal data”, “processing”, and “personal data breach” have the meanings given in the UK GDPR.
2. Roles of the parties
For personal data covered by this DPA (see clause 3), the Institution is the controller and School Atlas is the processor.
Where a parent submits an enquiry through a School Atlas enquiry form, the parent's data is passed to the Institution for follow-up. On receipt, the Institution becomes an independent controller of that data for the purposes of responding to the enquiry, running its admissions process, and retaining records under its own retention policy.
3. Subject matter, duration, nature and purpose
Subject matter — processing of personal data that the Institution submits to, generates through, or causes School Atlas to collect via the portal.
Duration — for the term of the Institution's claimed or paid relationship with School Atlas, plus up to 90 days to allow for data export (see clause 11).
Nature and purpose — collection, storage, organisation, retrieval, display through the portal, transmission to the Institution's nominated contact email, and deletion, in each case solely to provide the contracted portal features (profile management, enquiry capture, review replies, analytics).
4. Categories of data subjects and personal data
Categories of data subjects may include:
- prospective parents and guardians who submit an enquiry or review;
- Institution staff users invited to the portal (name, role, email, login metadata);
- named referees or contacts that the Institution adds to its profile.
Categories of personal data may include:
- contact data (name, email, phone, postcode);
- enquiry content (free-text message, year group, move timeline);
- review content and any Institution reply;
- portal access logs (IP address, timestamps, session metadata);
- aggregated profile-view analytics derived from parent traffic.
The Institution must not use the portal to submit special category data (Article 9 UK GDPR) or criminal offence data (Article 10) unless separately agreed in writing. Any such data submitted in free text (e.g. a parent volunteering SEN information in an enquiry) is processed by School Atlas only to the extent necessary to transmit and store the message.
5. Processor obligations
School Atlas shall:
- process personal data only on the documented instructions of the Institution, which for the duration of this DPA are: (a) the Terms of Service; (b) the portal's standard feature set as configured by the Institution; and (c) any written instruction we accept in response to a specific request. We will inform the Institution if, in our opinion, an instruction infringes the Data Protection Laws;
- ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations;
- implement appropriate technical and organisational measures as described in clause 8;
- respect the conditions for engaging sub-processors set out in clause 7;
- taking into account the nature of the processing, assist the Institution by appropriate technical and organisational measures, insofar as this is possible, to respond to data-subject rights requests under Chapter III of the UK GDPR;
- assist the Institution with its obligations under Articles 32 to 36 UK GDPR, taking into account the nature of processing and the information available to School Atlas;
- at the Institution's choice, delete or return all personal data after the end of the provision of services (see clause 11);
- make available to the Institution all information necessary to demonstrate compliance with Article 28 UK GDPR, and allow for and contribute to audits as described in clause 9.
6. Institution obligations
The Institution:
- warrants that it has a valid lawful basis (Article 6 UK GDPR) and, where applicable, a condition for processing special category data (Article 9), for all personal data it submits to or causes to be processed through the portal;
- is responsible for issuing its own privacy notice to staff users and, where relevant, reflecting the existence of the School Atlas enquiry channel in any admissions-stage privacy information it gives prospective parents;
- must not upload personal data belonging to pupils, or to children in general, to open profile fields that are not designed to hold such data;
- must keep portal access credentials confidential and promptly notify us of any suspected unauthorised access.
7. Sub-processors
The Institution gives general written authorisation for School Atlas to engage sub-processors for the performance of the services. Our current sub-processors are:
- Supabase Inc. — managed Postgres, Auth, and object storage (EU/UK regions).
- Vercel Inc. — application hosting, serverless compute, and CDN.
- Stripe Payments UK Ltd — subscription billing (only billing-contact data; no parent enquiry data).
- Resend (Plus Five Five Inc.) — transactional and notification email delivery.
- Trigger.dev — background job orchestration (ingest, notifications).
- Sentry (Functional Software Inc.) — error monitoring (IP, limited metadata; EU data region, PII scrubbing enabled).
- Upstash Inc. — rate-limit and cache store (ephemeral request metadata, no durable personal data).
- Anthropic PBC — AI model inference for parent tools (prompt / completion content; not retained for model training per Anthropic's commercial API terms).
- Google LLC — Google Analytics 4 (consented, opt-in pseudonymised usage data only).
We will give the Institution at least 30 days' prior written notice of the addition or replacement of any sub-processor. The Institution may object on reasonable data-protection grounds by emailing legal@schoolatlas.co.uk within that period. If we cannot reasonably accommodate the objection, the Institution may terminate the affected service and receive a pro-rated refund of any unused prepaid period.
We remain liable for the acts and omissions of our sub-processors to the same extent as for our own.
8. Security
School Atlas maintains technical and organisational measures appropriate to the risk, including:
- encryption in transit (TLS 1.2+) and at rest for the primary database and object storage;
- role-based access control and row-level security policies in the database;
- least-privilege production access for engineering staff, with MFA required;
- automated daily database backups with point-in-time recovery;
- infrastructure logging and error monitoring through Sentry;
- a documented incident response workflow and personal-data-breach register.
We will notify the Institution without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Institution's data, providing the information required by Article 33(3) UK GDPR to the extent reasonably available to us. Where partial information is available before that window closes we will share what we have at that point and supplement it as the investigation progresses (Article 33(4) phased notification). The 72-hour ceiling matches the controller's own Article 33(1) deadline so the Institution has the practical maximum window in which to act.
9. Audit rights
The Institution may audit School Atlas's compliance with this DPA once per year, on at least 30 days' written notice, during normal business hours, and at the Institution's expense. In the first instance, the Institution agrees to accept responses to a reasonable written questionnaire and any third-party security reports we can provide. On-site audits are available for substantiated concerns or regulator requests.
10. International transfers
Primary processing takes place in the United Kingdom and the European Economic Area. Where a sub-processor processes personal data outside the UK / EEA (for example, in the United States), we rely on:
- an adequacy regulation made by the UK Secretary of State; or
- the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with such supplementary measures as are required to meet the UK GDPR standard of essentially equivalent protection.
A list of relevant transfer mechanisms for each sub-processor is available on request to legal@schoolatlas.co.uk.
11. Return or deletion of data
On termination of the Institution's relationship with School Atlas (for any reason) the Institution may, within 90 days, request a one-off export of the personal data processed on its behalf — at a minimum, enquiry records and review replies — in a structured, commonly used, and machine-readable format.
At the end of that 90-day window, or sooner on written request, School Atlas will delete the personal data and, on request, certify deletion, save to the extent that continued retention is required by law.
12. Liability
Each party's liability under this DPA is subject to the overall limitation of liability set out in the Terms of Service, save for liability that cannot be limited or excluded under the Data Protection Laws (including direct liability to a data subject under Article 82 UK GDPR).
13. Precedence and changes
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters. We may update this DPA from time to time in line with clause 15 of the Terms of Service; material changes (including new sub-processors) will be notified as set out above.
14. Contact
For any matter concerning this DPA, including data-subject requests, breach notifications, or audit requests, please contact us at legal@schoolatlas.co.uk.
Acceptance
By claiming an Institution profile, subscribing to a paid institution tier, or otherwise accessing the School Atlas portal as an authorised representative of an Institution, you confirm that you have authority to bind the Institution and that the Institution agrees to be bound by this DPA.