
Data Processing Agreement

Agreement governing the processing of school and student data under GDPR

Version: 1.0.0
Effective Date: January 15, 2025
Last Updated: December 29, 2025

This Data Processing Agreement ("DPA") forms part of the agreement between The PE Dept ("Processor", "we", "us") and the school, educational institution, or organization ("Controller", "you", "your") for the provision of PE planning and curriculum management services.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 and the UK General Data Protection Regulation ("GDPR").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, deletion)
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data
  • "Services" means the PE planning and curriculum management services provided by The PE Dept
  • "Security Incident" means any unauthorized access, disclosure, or loss of Personal Data

2. Scope and Parties

2.1 Data Controller

You (the School/Organization) are the Data Controller for:

  • Student personal data
  • Staff and employee personal data
  • Educational records and assessment data
  • Any data imported from your Management Information System (MIS)

As Data Controller, you:

  • Determine the purposes and means of processing
  • Are responsible for the lawful basis for processing
  • Must ensure data subjects are informed of processing activities
  • Are responsible for responding to data subject requests

2.2 Data Processor

The PE Dept acts as Data Processor when:

  • Processing student data on your behalf
  • Storing lesson plans containing student information
  • Syncing data from your school MIS (via Wonde or other integrations)
  • Managing staff accounts within your organization workspace

As Data Processor, we:

  • Process data only on your documented instructions
  • Implement appropriate security measures
  • Assist you in fulfilling your data protection obligations
  • Delete or return data upon termination

3. Subject Matter and Duration

3.1 Subject Matter

This DPA governs the processing of Personal Data necessary to provide:

  • PE lesson planning and curriculum management tools
  • Student roster management and class organization
  • Assessment and progress tracking
  • Integration with school Management Information Systems
  • Collaboration tools for teaching staff

3.2 Duration

This DPA shall remain in effect for the duration of our service agreement. Upon termination:

  • We will delete or return all Personal Data within 30 days
  • We will provide written confirmation of data deletion upon request
  • Backup data will be purged within 90 days of termination

4. Types of Personal Data Processed

4.1 Student Data

Data Category | Examples | Purpose
Identification | Full name, student ID | Account management, class organization
Educational | Year group, class assignments | Lesson planning, curriculum delivery
Assessment | Grades, progress notes, achievements | Progress tracking, reporting
Attendance | Lesson participation | Educational records
Special Categories | Medical conditions (PE-relevant), SEN status | Health and safety, differentiation

4.2 Staff Data

Data Category | Examples | Purpose
Identification | Full name, email address | Account management
Professional | Role, department, qualifications | Access control, collaboration
Usage | Activity logs, preferences | Service improvement

4.3 Data Not Collected

We do NOT collect or process:

  • Financial or banking information of students
  • Biometric data
  • Genetic data
  • Political opinions, religious beliefs, or trade union membership
  • Sexual orientation or sex life data

5. Categories of Data Subjects

  • Students: Children and young people enrolled in your educational institution (including those under 18)
  • Teaching Staff: PE teachers, teaching assistants, and educators
  • Administrative Staff: Coordinators, department heads, and school administrators
  • Other Staff: Any personnel granted access to the platform by your organization

6. Processor Obligations

6.1 Lawful Processing (Article 28(3)(a))

We shall:

  • Process Personal Data only on your documented written instructions
  • Inform you if we believe an instruction infringes data protection law
  • Not process Personal Data for any purpose other than providing the Services
  • Not sell, rent, or otherwise commercially exploit student data
  • Not use student data for advertising or marketing purposes

6.2 Confidentiality (Article 28(3)(b))

We shall ensure that:

  • All personnel processing Personal Data are bound by confidentiality obligations
  • Access to Personal Data is limited to authorized personnel only
  • Staff receive appropriate data protection training
  • Confidentiality obligations survive termination of employment

6.3 Security Measures (Article 28(3)(c))

We implement appropriate technical and organizational measures including:

Technical Measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access control (RBAC)
  • Multi-factor authentication for administrative access
  • Regular security testing and vulnerability assessments
  • Automated security monitoring and intrusion detection
  • Secure backup and disaster recovery procedures

Organizational Measures:

  • Information security policies and procedures
  • Employee background checks and vetting
  • Regular security awareness training
  • Incident response procedures
  • Access logging and audit trails

6.4 Sub-processors (Article 28(3)(d))

We use the following Sub-processors to provide the Services:

Sub-processor | Purpose | Location | Data Processed
Supabase Inc. | Database hosting and authentication | EU (Frankfurt) / US | All user data, authentication
Vercel Inc. | Application hosting and CDN | Global (edge) | Session data, static assets
Stripe Inc. | Payment processing | US / EU | Billing information (not student data)
Resend Inc. | Transactional email delivery | US | Email addresses, notification content
Wonde Ltd. | School MIS integration | UK | Student/staff data (when integration enabled)

Sub-processor Changes:

  • We will notify you of any intended changes to Sub-processors
  • You may object to changes within 30 days of notification
  • We will not engage a new Sub-processor without adequate safeguards

6.5 Data Subject Rights (Article 28(3)(e))

We shall assist you in responding to requests from Data Subjects to exercise their rights under GDPR:

  • Right of Access (Article 15): Export user data upon request
  • Right to Rectification (Article 16): Correct inaccurate data
  • Right to Erasure (Article 17): Delete data upon verified request
  • Right to Restriction (Article 18): Restrict processing as required
  • Right to Portability (Article 20): Provide data in machine-readable format
  • Right to Object (Article 21): Cease processing upon valid objection

Response Timeline: We will respond to your assistance requests within 10 business days.

6.6 Security Incident Notification (Article 28(3)(f))

In the event of a Security Incident affecting your data:

Notification:

  • We will notify you without undue delay, and in any event within 24 hours
  • Notification will include: nature of incident, categories of data affected, likely consequences, measures taken

Assistance:

  • We will assist you in notifying relevant supervisory authorities
  • We will assist you in communicating with affected Data Subjects
  • We will provide ongoing updates as the investigation progresses

Documentation:

  • We will maintain records of all Security Incidents
  • Records will include facts, effects, and remedial actions taken

6.7 Data Protection Impact Assessments (Article 28(3)(f))

We shall provide reasonable assistance with:

  • Data Protection Impact Assessments (DPIAs)
  • Prior consultations with supervisory authorities
  • Documentation required for compliance demonstrations

6.8 Audit Rights (Article 28(3)(h))

You have the right to:

  • Request evidence of our compliance with this DPA
  • Conduct audits (with reasonable notice) of our data processing activities
  • Appoint an independent auditor to assess compliance

We shall:

  • Make available all information necessary to demonstrate compliance
  • Allow and contribute to audits and inspections
  • Immediately inform you of any compliance issues discovered

6.9 Data Deletion (Article 28(3)(g))

Upon termination of Services or your instruction:

Deletion Process:

  • All Personal Data deleted within 30 days of termination
  • Backup data purged within 90 days
  • Written confirmation provided upon request

Exceptions:

  • Data retained only where required by law
  • Any retained data remains subject to this DPA

7. Controller Obligations

As Data Controller, you shall:

7.1 Lawful Basis

  • Ensure a valid lawful basis exists for all processing
  • Obtain necessary consents where required
  • Maintain appropriate privacy notices for Data Subjects

7.2 Data Accuracy

  • Ensure Personal Data provided to us is accurate and up-to-date
  • Promptly notify us of any corrections required
  • Verify data imported from MIS systems

7.3 Data Minimization

  • Only provide Personal Data necessary for the Services
  • Regularly review data held and request deletion of unnecessary data
  • Implement appropriate retention policies

7.4 Data Subject Communication

  • Handle Data Subject requests and queries
  • Inform Data Subjects about processing activities
  • Communicate any Security Incidents to affected individuals

8. International Data Transfers

8.1 Transfer Mechanisms

Where Personal Data is transferred outside the UK/EEA, we ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs): EU Commission approved clauses
  • UK International Data Transfer Agreement (IDTA): For UK transfers
  • Adequacy Decisions: Where applicable (e.g., EU-US Data Privacy Framework)

8.2 Current Transfer Locations

Destination | Safeguard | Sub-processor
EU (Germany) | Adequacy Decision | Supabase
USA | SCCs + DPF | Vercel, Stripe, Resend
UK | N/A (domestic) | Wonde

8.3 Transfer Impact Assessment

We have conducted Transfer Impact Assessments for all international transfers and determined that adequate safeguards are in place to protect Personal Data.

9. Children's Data

9.1 Special Protections

We recognize that student data primarily concerns children. We implement additional safeguards:

  • No direct marketing to students
  • No behavioral profiling of children
  • Age-appropriate privacy controls
  • Parental access provisions where applicable
  • Enhanced security for children's data

9.2 COPPA Compliance (US Schools)

For US schools, we comply with the Children's Online Privacy Protection Act (COPPA):

  • Schools may consent on behalf of students for educational purposes
  • We do not collect more information than necessary
  • We provide schools with access to student data

9.3 Parental Rights

Parents/guardians may:

  • Request access to their child's data through the school
  • Request correction or deletion of inaccurate data
  • Object to certain types of processing

10. Liability and Indemnification

10.1 Processor Liability

We shall be liable for damages caused by processing that:

  • Violates GDPR provisions specifically directed at processors
  • Acts outside or contrary to your lawful instructions

10.2 Controller Liability

You shall be liable for damages caused by:

  • Processing that does not comply with GDPR
  • Instructions given to us that cause non-compliance

10.3 Indemnification

Each party agrees to indemnify and hold harmless the other party from any claims, damages, or expenses arising from their breach of this DPA or applicable data protection laws.

11. Governing Law and Disputes

11.1 Governing Law

This DPA shall be governed by:

  • UK Schools: Laws of England and Wales
  • EU Schools: Laws of the EU Member State where the school is located
  • Other: Laws of England and Wales

11.2 Supervisory Authority

The relevant supervisory authority is:

  • UK: Information Commissioner's Office (ICO)
  • EU: The supervisory authority in the EU Member State where the school is located

11.3 Dispute Resolution

Any disputes shall be resolved through:

  1. Good faith negotiation between the parties
  2. Mediation (if negotiation fails)
  3. Courts of competent jurisdiction

12. Term and Termination

12.1 Effective Date

This DPA is effective from the date you accept it and continues until termination of the Services.

12.2 Survival

The following provisions survive termination:

  • Data deletion obligations (Section 6.9)
  • Confidentiality obligations (Section 6.2)
  • Liability provisions (Section 10)
  • Any provisions necessary to give effect to termination

13. Amendments

13.1 Changes to this DPA

We may update this DPA to:

  • Reflect changes in data protection law
  • Address guidance from supervisory authorities
  • Improve our data protection practices

13.2 Notification

Material changes will be notified:

  • By email to the account administrator
  • Through the platform's notification system
  • At least 30 days before taking effect

13.3 Continued Use

Continued use of the Services after changes take effect constitutes acceptance of the updated DPA.

14. Contact Information

Data Protection Inquiries

The PE Dept

  • Data Protection Officer: [email protected]
  • Privacy Team: [email protected]
  • General Support: [email protected]

Mailing Address: The PE Dept Data Protection Team [Company Address]

Supervisory Authority

UK Information Commissioner's Office (ICO)

  • Website: https://ico.org.uk
  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Annex A: Technical and Organizational Measures

A.1 Access Control

  • Role-based access control (RBAC) enforced at database level
  • Principle of least privilege applied to all access
  • Multi-factor authentication for administrative access
  • Automatic session timeout after inactivity
  • Access logging and audit trails

A.2 Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted backups with separate key management
  • Secure key rotation procedures

A.3 Infrastructure Security

  • Cloud infrastructure with SOC 2 Type II certification
  • Network segmentation and firewalls
  • DDoS protection and mitigation
  • Regular vulnerability scanning and penetration testing
  • 24/7 security monitoring

A.4 Incident Response

  • Documented incident response procedures
  • Incident response team with defined roles
  • Regular incident response drills
  • Post-incident review and improvement process

A.5 Business Continuity

  • Automated backups with geographic redundancy
  • Disaster recovery procedures and testing
  • Recovery Point Objective (RPO): 24 hours
  • Recovery Time Objective (RTO): 4 hours

Annex B: Sub-processor Details

B.1 Supabase Inc.

  • Purpose: Database hosting, authentication, and storage
  • Location: EU (Frankfurt, Germany) and US
  • Data Processed: All user data, authentication credentials, uploaded files
  • Safeguards: SOC 2 Type II certified, GDPR compliant, SCCs in place
  • Privacy Policy: https://supabase.com/privacy

B.2 Vercel Inc.

  • Purpose: Application hosting, content delivery, edge functions
  • Location: Global edge network (US primary)
  • Data Processed: Session data, cookies, static assets
  • Safeguards: SOC 2 Type II certified, GDPR compliant, DPF certified
  • Privacy Policy: https://vercel.com/legal/privacy-policy

B.3 Stripe Inc.

  • Purpose: Payment processing and billing
  • Location: US and EU
  • Data Processed: Billing information, payment method details (NOT student data)
  • Safeguards: PCI DSS Level 1 certified, SOC 2 Type II, GDPR compliant
  • Privacy Policy: https://stripe.com/privacy

B.4 Resend Inc.

  • Purpose: Transactional email delivery
  • Location: US
  • Data Processed: Email addresses, notification content
  • Safeguards: SOC 2 Type II certified, GDPR compliant, SCCs in place
  • Privacy Policy: https://resend.com/legal/privacy-policy

B.5 Wonde Ltd.

  • Purpose: School Management Information System (MIS) integration
  • Location: UK
  • Data Processed: Student data, staff data, class rosters, timetables (when integration enabled)
  • Safeguards: UK GDPR compliant, ISO 27001 certified, DfE data standards
  • Privacy Policy: https://wonde.com/privacy

This Data Processing Agreement was last updated on January 15, 2025.

By using The PE Dept's services for your school or organization, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.