Data Processing Agreement

Last updated: 21 March 2026 | Version 1.0

This Data Processing Agreement ("DPA") forms part of the Snapshot Education Terms of Service and governs the processing of personal data by Jack Flanagan trading as Snapshot Education ("Data Processor") on behalf of educational institutions ("Data Controller").

Key Point: Under UK GDPR, the educational institution (school/MAT/LA) is the Data Controller and Snapshot Education is the Data Processor.

1. Definitions

  • Data Controller: The educational institution that determines the purposes and means of processing personal data
  • Data Processor: Jack Flanagan trading as Snapshot Education
  • Data Subject: Pupils, parents, staff, and other individuals whose personal data is processed
  • Personal Data: Any information relating to identified or identifiable individuals
  • Special Category Data: Personal data revealing racial/ethnic origin, political opinions, religious beliefs, health data, or data concerning a person's sex life or sexual orientation
  • Processing: Any operation performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
  • Service: The Snapshot SEND profiling service

2. Subject Matter and Duration

Subject Matter: Processing of personal data necessary to provide the Snapshot profiling service.

Duration: This DPA remains in effect for the duration of the Data Controller's use of the Service and for 90 days following termination to facilitate data return and deletion.

3. Nature and Purpose of Processing

Types of Personal Data Processed:

  • Student names and identification numbers
  • Date of birth and age information
  • Academic performance and assessment data
  • Special educational needs information and diagnoses
  • Assessment observations and professional notes
  • Attendance and behavioral records
  • Contact information for parents/guardians
  • Progress tracking and historical data
  • Any other data voluntarily input by the Data Controller

Categories of Data Subjects:

  • Pupils and learners
  • Parents and guardians
  • Teaching and support staff
  • Other education professionals

Purposes of Processing:

  • To provide SEND profiling and analysis services
  • To generate assessment reports and educational insights
  • To track student progress and development over time
  • To support educational planning and intervention strategies
  • To maintain service functionality, security, and improvement
  • To provide user account management and support
  • To generate analytics and service usage reports (anonymized only)

4. Data Processor Obligations

Processing Instructions

The Data Processor shall only process personal data:

  • Following documented instructions from the Data Controller
  • For the specific purposes outlined in this DPA
  • In compliance with applicable data protection laws (UK GDPR, DPA 2018)
  • With appropriate technical and organisational security measures

Confidentiality

  • All personnel with access to personal data are bound by written confidentiality obligations
  • Personal data shall not be disclosed to unauthorized third parties
  • Confidentiality obligations survive termination of this agreement
  • Staff training on data protection is provided and documented

Security Measures

The Data Processor implements appropriate technical and organisational security measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls with principle of least privilege
  • Regular security testing, penetration testing, and vulnerability assessments
  • Secure data centers with physical security controls (ISO 27001 certified where possible)
  • Incident response procedures and breach notification protocols
  • Regular security awareness training for all personnel
  • Data minimisation principles in system design
  • Secure backup and disaster recovery procedures

5. Data Subject Rights

The Data Processor shall assist the Data Controller in fulfilling data subject rights requests within applicable timeframes:

  • Right to access personal data (Article 15 UK GDPR)
  • Right to rectification of inaccurate data (Article 16)
  • Right to erasure/right to be forgotten (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Rights related to automated decision making and profiling (Article 22)

The Data Processor shall:

  • Provide necessary technical and organisational assistance
  • Respond to requests within the timeframe required by UK GDPR
  • Maintain records of data subject rights requests and responses
  • Not charge for reasonable assistance provided

6. Sub-processing

Authorisation

The Data Processor may engage sub-processors with prior written consent from the Data Controller. Consent shall not be unreasonably withheld.

Current Sub-processors:

  • Cloud hosting providers (Vercel Inc. - UK/EU servers)
  • Database service providers (Supabase - UK/EU servers)
  • Payment processing (Stripe - UK/EU servers)
  • Email communication services (Resend - UK/EU servers)
  • Analytics services (Plausible - anonymized data only, UK/EU servers)

Sub-processor Obligations:

  • Ensure sub-processors provide equivalent data protection commitments
  • Remain fully liable for sub-processor compliance
  • Maintain an up-to-date list of approved sub-processors
  • Notify the Data Controller of any intended addition or replacement of sub-processors
  • Obtain written contracts with sub-processors containing data protection obligations

7. Data Breach Notification

The Data Processor shall:

  • Notify the Data Controller without undue delay (and where feasible, within 72 hours) upon becoming aware of a personal data breach
  • Provide sufficient information to assess the breach impact, including:
    • Nature of the breach
    • Categories and approximate number of data subjects affected
    • Categories and approximate number of personal data records affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • Cooperate fully with the Data Controller in breach response and notification to authorities
  • Document all personal data breaches and response actions
  • Maintain a breach register and make it available to the Data Controller upon request

8. Data Return and Deletion

Upon termination or expiry of this agreement:

  • The Data Processor shall return all personal data to the Data Controller in a commonly used, machine-readable format
  • At the Data Controller's choice, the Data Processor shall securely delete all personal data
  • Deletion shall be verified and confirmed in writing to the Data Controller
  • The Data Processor may retain anonymized data for service improvement purposes
  • Data retention period: 90 days post-termination for return/export, then permanent deletion
  • Certificates of deletion shall be provided upon request

9. Audit and Compliance

Audit Rights

  • The Data Processor shall make available all information necessary to demonstrate compliance with this DPA
  • The Data Controller may conduct audits with reasonable notice (minimum 30 days)
  • Audits may be conducted by the Data Controller or their designated representatives
  • The Data Processor shall provide reasonable assistance during audits

Compliance Documentation

  • Maintain comprehensive records of processing activities
  • Provide regular compliance reports (at least annually)
  • Cooperate with any regulatory investigations or inquiries
  • Conduct regular compliance reviews and risk assessments
  • Maintain data protection impact assessments where required

10. International Data Transfers

All primary personal data processing occurs within the United Kingdom and European Union.

If international transfers are required, appropriate safeguards shall be implemented:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable
  • Adequacy decisions where available
  • Additional safeguards to ensure equivalent protection

11. Educational Institution Specific Provisions

Multi-Academy Trusts

  • Data sharing between schools within a MAT requires appropriate consent
  • Each school remains responsible for compliance with their data protection obligations
  • MAT-level accounts may access aggregated, anonymized data across schools

Local Authorities

  • LA accounts must comply with additional public sector requirements
  • Data processing must align with LA data sharing agreements and policies
  • Additional security controls may be implemented for LA accounts

Special Category Data

  • Enhanced security measures for special category data
  • Explicit consent requirements where applicable
  • Additional documentation for processing special category data
  • Restricted access to special category data within the Data Processor organisation

12. Contact Information

Data Protection Officer

  • Email: dpo@snapshoteducation.com
  • Response time: Within 30 days for standard inquiries

General Data Protection Inquiries

  • Email: jack@snapshoteducation.co.uk
  • Address: [Insert Company Registered Address]
  • Phone: [Insert Phone Number]

13. General Provisions

Governing Law

This DPA is governed by the laws of England and Wales.

Amendments

Any amendments to this DPA must be in writing and signed by both parties.

Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Entire Agreement

This DPA, together with the Terms of Service, constitutes the entire agreement between the parties regarding data processing.

Third Party Rights

No third party shall have any rights to enforce this DPA under the Contracts (Rights of Third Parties) Act 1999.

This DPA is designed to comply with UK GDPR requirements and ICO guidelines. Educational institutions should review this agreement with their legal and data protection teams before implementation. This document forms part of the overall Snapshot service agreement.

© 2026 SNAPSHOTEDUCATION