Data Processing Agreement

Last updated: 11 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between School IQ Labs Ltd, a company registered in England and Wales ("Processor", "we", "us"), and the organisation using the StaffIQ platform ("Controller", "you"). This DPA sets out the terms on which we process personal data on your behalf in connection with the StaffIQ service ("Service").

This DPA is entered into in accordance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Definitions

In this DPA, capitalised terms not otherwise defined have the meaning given in the UK GDPR or the StaffIQ Terms of Service. Additionally:

  • "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any subordinate legislation, as amended from time to time.
  • "Personal Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Service.
  • "Processing" has the meaning given in the UK GDPR and includes any operation performed on personal data.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Security Incident" means a personal data breach as defined in the UK GDPR.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor provides a cloud-based compliance and HR management platform for schools. Processing is carried out for the duration of the Controller's subscription to the Service.

2.2 Nature and Purpose

The Processor processes Personal Data for the following purposes:

  • Storage, retrieval, and management of staff records
  • Management and tracking of compliance checks and the Single Central Record
  • Document storage and management
  • Generation of compliance alerts and notifications
  • Audit logging of user actions
  • Generation of workforce analytics and reports
  • Provision of technical support

2.3 Categories of Data Subjects

  • Current and former employees, workers, and volunteers of the Controller
  • Contractors and agency staff engaged by the Controller
  • Governors and trustees of the Controller
  • Authorised users of the Service (administrators, HR staff)

2.4 Types of Personal Data

  • Identity data: name, date of birth, photograph
  • Contact data: address, email, phone number
  • Employment data: job title, role type, department, contract type, start/end dates, salary
  • Identification numbers: National Insurance number, teacher reference number, Emirates ID, passport number
  • Compliance data: DBS certificate numbers and dates, right-to-work evidence, qualification records, safeguarding training dates, reference details
  • Demographic data: gender, nationality, ethnicity (where provided)
  • Documents: uploaded scans, certificates, and files
  • Technical data: IP addresses, login timestamps, user agent strings

3. Obligations of the Controller

The Controller shall:

  • Ensure that it has a valid legal basis for all processing carried out using the Service
  • Ensure that data subjects have been provided with appropriate privacy notices
  • Ensure the accuracy and relevance of Personal Data submitted to the Service
  • Respond to data subject requests, with the Processor's assistance where needed
  • Notify the Processor promptly of any changes affecting the processing

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on the documented instructions of the Controller, unless required by law
  • Ensure that persons authorised to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see section 7)
  • Engage Sub-processors only in accordance with the provisions of section 6
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in meeting its obligations regarding data protection impact assessments and prior consultation with the ICO
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice, and delete existing copies unless retention is required by law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits

5. Instructions

The Controller's instructions to the Processor are set out in this DPA and the Terms of Service. The Controller may issue additional written instructions consistent with the terms of this DPA. If the Processor believes an instruction infringes Data Protection Laws, it shall promptly inform the Controller.

6. Sub-Processors

6.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors. The Processor shall maintain a list of current Sub-processors and make it available upon request.

6.2 Notification of Changes

The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of a Sub-processor. The Controller may object to a new Sub-processor on reasonable grounds related to data protection within 14 days of notification. If the objection is not resolved, the Controller may terminate the affected Service.

6.3 Sub-Processor Obligations

The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

7. Security Measures

The Processor implements the following technical and organisational measures:

  • Encryption: TLS 1.2+ in transit; AES-256 at rest for databases and file storage
  • Access control: Role-based access with principle of least privilege; multi-factor authentication available
  • Tenant isolation: Logical separation of each Controller's data at application and database level
  • Audit logging: Immutable logs of all data access and modifications, with sensitive values excluded
  • Backup: Automated daily backups with encryption, tested regularly for restoration
  • Vulnerability management: Regular security assessments, dependency scanning, and penetration testing
  • Incident response: Documented incident response procedures with defined roles and escalation paths
  • Staff: All Processor personnel with access to Personal Data are subject to confidentiality agreements and receive data protection training

8. Security Incidents

The Processor shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Security Incident
  • Provide sufficient information to enable the Controller to meet its obligations to report the breach to the ICO and to affected data subjects
  • Cooperate with the Controller in investigating, mitigating, and remediating the Security Incident
  • Document the facts of the Security Incident, its effects, and the remedial actions taken

9. International Transfers

The Processor shall not transfer Personal Data outside the United Kingdom without appropriate safeguards in place. Where international transfers are necessary (for example, to Sub-processors), the Processor shall ensure:

  • The transfer is to a country with an adequacy decision, or
  • A UK International Data Transfer Agreement (IDTA) or equivalent safeguard is in place

The Processor shall conduct transfer impact assessments for all international transfers and make these available to the Controller upon request.

10. Data Subject Rights

The Processor shall assist the Controller in responding to data subject requests by:

  • Providing data export functionality within the platform
  • Enabling record rectification and deletion through the platform interface
  • Forwarding any data subject requests received directly by the Processor to the Controller without undue delay
  • Providing technical support for complex requests at the Controller's reasonable request

11. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller (or an independent auditor appointed by the Controller) may conduct an audit of the Processor's data processing activities, subject to:

  • At least 30 days' written notice
  • Audits being conducted during normal business hours
  • The auditor entering into appropriate confidentiality obligations
  • No more than one audit per 12-month period, unless required following a Security Incident

12. Data Return and Deletion

Upon termination or expiry of the Service:

  • The Processor shall make the Controller's Personal Data available for export for a period of 30 days
  • After the 30-day period, the Processor shall permanently delete all Personal Data from live systems
  • Personal Data in backups shall be deleted within 30 days of deletion from live systems
  • Audit logs shall be retained for 12 months after termination for regulatory compliance, then permanently deleted
  • The Processor shall provide written confirmation of deletion upon the Controller's request

13. Term and Termination

This DPA shall remain in effect for the duration of the Controller's subscription to the Service. The provisions of this DPA relating to data deletion, confidentiality, and liability shall survive termination.

14. Liability

The liability of each party under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA excludes or limits either party's liability for breaches of Data Protection Laws to the extent such liability cannot be excluded or limited by law.

15. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

16. Contact

For questions about this DPA or to request a signed copy, please contact:

School IQ Labs Ltd
Suite RA01, 195-197 Wood Street
London, E17 3NU
United Kingdom
Email: legal@staffiq.app