# DATA PROCESSING AGREEMENT

**Between:**

**[SCHOOL/ORGANISATION NAME]** ("Data Controller" or "Customer")
Address: [SCHOOL ADDRESS]
Contact: [SCHOOL EMAIL]

**AND**

**Simon Sharp, operating as Wild Schooling** ("Data Processor" or "Service Provider")
Address: 10 Bellingham Drive, Reigate, Surrey, RH2 9BB
Email: support@wild-schooling.com
ICO Registration: C1790660

**Effective Date:** [DATE]

---

## 1. DEFINITIONS AND INTERPRETATION

**1.1** In this Agreement, the following terms shall have the meanings set out below:

- **"Data Protection Laws"** means all applicable laws relating to data protection, privacy, and security including the UK GDPR, Data Protection Act 2018, and any successor legislation.
- **"UK GDPR"** means the UK General Data Protection Regulation.
- **"Personal Data"** has the meaning given in the UK GDPR.
- **"Data Subject"** means an identified or identifiable natural person as defined in the UK GDPR.
- **"Processing"** has the meaning given in the UK GDPR.
- **"Services"** means the Wild Schooling products and services including but not limited to: ReadingFluency, MathsFluency, Wild Books, Wild Assessment, WildWelcome, and WildWonders.
- **"Sub-processor"** means any third party appointed by the Data Processor to process Personal Data on behalf of the Data Controller.

**1.2** References to clauses and schedules are to clauses of and schedules to this Agreement.

---

## 2. PURPOSE AND SCOPE

**2.1** This Agreement sets out the terms on which the Data Processor will process Personal Data on behalf of the Data Controller when providing the Services.

**2.2** This Agreement applies to all Personal Data processed by the Data Processor in connection with the provision of the Services.

**2.3** The Data Controller is a data controller for the purposes of the Data Protection Laws and the Data Processor is a data processor for the purposes of the Data Protection Laws.

**2.4** This Agreement supplements and forms part of the Terms of Service between the parties.

---

## 3. PROCESSING OF PERSONAL DATA

**3.1 Subject Matter and Duration**

The subject matter and duration of the Processing are set out in **Schedule 1** (Processing Details).

**3.2 Nature and Purpose of Processing**

The Data Processor shall process Personal Data only:
- (a) on documented instructions from the Data Controller, unless required to do so by UK law;
- (b) for the purpose of providing the Services;
- (c) in accordance with this Agreement and the Data Protection Laws.

**3.3 Types of Personal Data**

The types of Personal Data to be processed are set out in **Schedule 1** (Processing Details).

**3.4 Categories of Data Subjects**

The categories of Data Subjects are set out in **Schedule 1** (Processing Details).

---

## 4. DATA PROCESSOR OBLIGATIONS

**4.1 Compliance with Laws**

The Data Processor shall:
- (a) comply with all applicable Data Protection Laws;
- (b) process Personal Data only on documented instructions from the Data Controller;
- (c) not process Personal Data for any purpose other than providing the Services.

**4.2 Confidentiality**

The Data Processor shall:
- (a) ensure that persons authorised to process Personal Data are subject to a duty of confidentiality;
- (b) maintain the confidentiality of all Personal Data;
- (c) not disclose Personal Data to third parties without the Data Controller's prior written consent, except as required by law.

**4.3 Technical and Organisational Measures**

The Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in **Schedule 2** (Security Measures).

**4.4 Staff Training**

The Data Processor shall ensure that all staff who have access to Personal Data are appropriately trained in data protection and security.

---

## 5. SUB-PROCESSORS

**5.1 Authorised Sub-processors**

The Data Controller provides general authorisation for the Data Processor to engage Sub-processors, subject to the following conditions:
- (a) The Data Processor maintains a current list of Sub-processors (see **Schedule 3**);
- (b) The Data Processor ensures Sub-processors are bound by data protection obligations equivalent to those in this Agreement;
- (c) The Data Processor remains fully liable for the acts and omissions of any Sub-processor.

**5.2 Changes to Sub-processors**

The Data Processor shall:
- (a) inform the Data Controller of any intended changes to Sub-processors at least 30 days in advance;
- (b) give the Data Controller the opportunity to object to such changes;
- (c) if the Data Controller objects on reasonable grounds, work with the Data Controller to find a resolution or allow termination of the relevant Service.

**5.3 Current Sub-processors**

The current Sub-processors are listed in **Schedule 3** (Sub-processors).

---

## 6. DATA SUBJECT RIGHTS

**6.1 Assistance with Data Subject Requests**

The Data Processor shall:
- (a) provide reasonable assistance to the Data Controller to respond to requests from Data Subjects exercising their rights under Data Protection Laws;
- (b) notify the Data Controller without undue delay if it receives a request from a Data Subject;
- (c) not respond to such requests directly without the Data Controller's prior written authorisation.

**6.2 Data Subject Rights**

The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller's obligations to respond to requests to exercise Data Subject rights, including:
- Right of access (Article 15 UK GDPR)
- Right to rectification (Article 16 UK GDPR)
- Right to erasure (Article 17 UK GDPR)
- Right to restriction of processing (Article 18 UK GDPR)
- Right to data portability (Article 20 UK GDPR)
- Right to object (Article 21 UK GDPR)

---

## 7. DATA SECURITY AND BREACH NOTIFICATION

**7.1 Security Measures**

The Data Processor shall implement and maintain the security measures set out in **Schedule 2** (Security Measures).

**7.2 Personal Data Breach Notification**

In the event of a Personal Data Breach, the Data Processor shall:
- (a) notify the Data Controller without undue delay and in any event within 24 hours of becoming aware of the breach;
- (b) provide the Data Controller with sufficient information to enable it to meet any obligations to report or inform Data Subjects of the breach;
- (c) provide details of:
  - the nature of the breach;
  - the categories and approximate number of Data Subjects and Personal Data records concerned;
  - the likely consequences of the breach;
  - the measures taken or proposed to address the breach and mitigate its effects;
- (d) cooperate with the Data Controller and take reasonable steps to remediate the breach.

**7.3 Breach Investigation**

The Data Processor shall investigate the cause of the breach and take steps to prevent recurrence.

---

## 8. DATA PROTECTION IMPACT ASSESSMENTS AND CONSULTATION

**8.1** The Data Processor shall provide reasonable assistance to the Data Controller in ensuring compliance with:
- (a) the Data Controller's obligation to carry out data protection impact assessments (Article 35 UK GDPR);
- (b) the Data Controller's obligation to consult with the supervisory authority (Article 36 UK GDPR).

---

## 9. INTERNATIONAL DATA TRANSFERS

**9.1 Location of Processing**

Personal Data shall be processed within the United Kingdom and European Economic Area unless otherwise agreed in writing.

**9.2 Transfers Outside UK/EEA**

If Personal Data is to be transferred to a country outside the UK or EEA:
- (a) the Data Processor shall notify the Data Controller in advance;
- (b) the transfer shall be subject to appropriate safeguards as required by Data Protection Laws;
- (c) such safeguards may include Standard Contractual Clauses approved by the UK Information Commissioner's Office.

**9.3 Current Data Locations**

The current locations where Personal Data may be processed are set out in **Schedule 3** (Sub-processors).

---

## 10. AUDIT AND INSPECTION RIGHTS

**10.1 Records and Information**

The Data Processor shall:
- (a) maintain records of all Processing activities carried out on behalf of the Data Controller;
- (b) make such records available to the Data Controller on request;
- (c) provide the Data Controller with all information necessary to demonstrate compliance with this Agreement.

**10.2 Audits**

The Data Controller may:
- (a) conduct audits, including inspections, of the Data Processor's Processing activities;
- (b) appoint a third-party auditor to conduct such audits on its behalf;
- (c) conduct such audits during normal business hours with reasonable notice (except in the event of an emergency or breach).

**10.3 Cooperation**

The Data Processor shall cooperate with and assist the Data Controller (or its appointed auditor) in conducting any such audit.

---

## 11. RETURN AND DELETION OF PERSONAL DATA

**11.1 On Termination**

On termination or expiry of the Services, the Data Processor shall (at the Data Controller's election):
- (a) return all Personal Data to the Data Controller; and/or
- (b) securely delete or destroy all Personal Data.

**11.2 Retention for Legal Compliance**

The Data Processor may retain Personal Data to the extent required by applicable law, provided that it ensures the confidentiality of such Personal Data and processes it only as necessary to comply with legal obligations.

**11.3 Certification of Deletion**

The Data Processor shall provide written certification to the Data Controller that all Personal Data has been returned or deleted in accordance with this clause.

---

## 12. LIABILITY AND INDEMNITY

**12.1 Liability**

Each party's liability under this Agreement is subject to the limitations and exclusions set out in the Terms of Service.

**12.2 Processor Liability**

The Data Processor shall be liable for damage caused by Processing only where it has:
- (a) not complied with obligations specifically directed to processors under Data Protection Laws; or
- (b) acted outside or contrary to lawful instructions from the Data Controller.

**12.3 Indemnity**

The Data Processor shall indemnify and keep indemnified the Data Controller against all losses, claims, damages, liabilities, fines, costs and expenses (including legal fees) arising from any breach by the Data Processor of its obligations under this Agreement or Data Protection Laws.

---

## 13. TERM AND TERMINATION

**13.1 Term**

This Agreement shall commence on the Effective Date and continue for as long as the Data Processor processes Personal Data on behalf of the Data Controller.

**13.2 Termination**

Either party may terminate this Agreement:
- (a) if the other party commits a material breach and fails to remedy it within 30 days of written notice;
- (b) immediately if the other party becomes insolvent or enters administration.

**13.3 Effect of Termination**

On termination:
- (a) the Data Processor shall cease all Processing of Personal Data;
- (b) the Data Processor shall return or delete Personal Data in accordance with Clause 11;
- (c) the provisions of this Agreement that are expressed or intended to survive termination shall remain in full force and effect.

---

## 14. GENERAL PROVISIONS

**14.1 Governing Law**

This Agreement shall be governed by and construed in accordance with the laws of England and Wales.

**14.2 Jurisdiction**

The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this Agreement.

**14.3 Notices**

All notices under this Agreement shall be in writing and sent to:

**Data Controller:**
[SCHOOL NAME]
[SCHOOL ADDRESS]
Email: [SCHOOL EMAIL]

**Data Processor:**
Simon Sharp, operating as Wild Schooling
10 Bellingham Drive, Reigate, Surrey, RH2 9BB
Email: support@wild-schooling.com

**14.4 Entire Agreement**

This Agreement, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding the Processing of Personal Data.

**14.5 Amendments**

No amendment to this Agreement shall be effective unless made in writing and signed by both parties.

**14.6 Severability**

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

---

## SIGNATURES

**FOR THE DATA CONTROLLER:**

Signed: ___________________________
Name: ___________________________
Position: ___________________________
Date: ___________________________

**FOR THE DATA PROCESSOR:**

Signed: ___________________________
Name: Simon Sharp
Position: Director, Wild Schooling
Date: ___________________________

---

# SCHEDULE 1: PROCESSING DETAILS

## Subject Matter of Processing

The provision of educational software and services including assessment tools, progress tracking, curriculum support, and school management features.

## Duration of Processing

For the duration of the subscription to the Services, plus any retention period required by law or agreed by the parties.

## Nature and Purpose of Processing

To enable the Data Controller to:
- Assess student learning and progress
- Track curriculum coverage
- Generate educational reports and analytics
- Manage classroom and school operations
- Support educational decision-making

## Types of Personal Data

### Student Personal Data:
- Full name
- Gender
- Date of birth or age
- Year group/class
- Unique student identifier (where applicable)
- Special Educational Needs (SEN) status
- Pupil Premium status
- English as an Additional Language (EAL) status
- Assessment results and scores
- Progress tracking data
- Attendance records (if using WildWelcome)
- Engagement and usage data

### Teacher/Staff Personal Data:
- Full name
- Email address
- Job title/role
- School/organisation affiliation
- Usage and activity data

### Parent/Guardian Personal Data (where applicable):
- Name
- Email address
- Relationship to student

### Visitor Personal Data (if using WildWelcome):
- Name
- Organisation
- Purpose of visit
- Entry/exit timestamps

## Categories of Data Subjects

- Students (aged 4-18)
- Teachers and school staff
- School administrators
- Parents and guardians (where applicable)
- Visitors to school premises (if using WildWelcome)

## Processing Operations

- Collection
- Recording
- Organisation
- Storage
- Retrieval
- Use
- Analysis
- Disclosure by transmission
- Deletion or destruction

---

# SCHEDULE 2: SECURITY MEASURES

The Data Processor shall implement and maintain the following technical and organisational security measures:

## Technical Measures

### 1. Encryption
- All Personal Data transmitted over public networks is encrypted using TLS 1.2 or higher
- Personal Data at rest is encrypted using industry-standard encryption (AES-256 or equivalent)
- Database connections use SSL/TLS encryption
- Password storage uses secure hashing (bcrypt with minimum 12 rounds)

### 2. Access Controls
- Multi-factor authentication for administrative access
- Role-based access control (RBAC)
- Principle of least privilege enforced
- Regular access reviews and revocation procedures
- Secure password requirements (minimum 12 characters, complexity rules)

### 3. Network Security
- Firewalls protecting all systems
- Intrusion detection and prevention systems
- Regular security updates and patches
- Network segmentation where appropriate
- DDoS protection

### 4. Application Security
- Security headers (HSTS, CSP, X-Frame-Options, etc.)
- Protection against OWASP Top 10 vulnerabilities
- Input validation and sanitisation
- CSRF protection
- Regular security testing and vulnerability scanning

### 5. Monitoring and Logging
- Security event logging
- Failed login attempt tracking
- Anomaly detection
- Regular log review and analysis
- Audit trails for data access

## Organisational Measures

### 1. Data Minimisation
- Collection of only necessary Personal Data
- Regular review of data retention
- Automated deletion of data no longer required

### 2. Staff Security
- Background checks for staff with access to Personal Data
- Confidentiality agreements for all staff
- Regular security awareness training
- Clear data protection policies and procedures

### 3. Incident Response
- Documented incident response plan
- Designated data protection officer or contact
- Breach notification procedures (24-hour notification to Data Controller)
- Regular incident response drills

### 4. Business Continuity
- Daily encrypted backups
- Off-site backup storage
- Disaster recovery plan
- Regular backup testing

### 5. Vendor Management
- Due diligence on Sub-processors
- Data Processing Agreements with all Sub-processors
- Regular security reviews of Sub-processors

### 6. Physical Security
- Secure data centre facilities (ISO 27001 certified hosting providers)
- Access controls to physical premises
- Equipment disposal procedures

### 7. Data Protection by Design
- Privacy considerations in product development
- Privacy impact assessments for new features
- Regular security reviews and updates

---

# SCHEDULE 3: SUB-PROCESSORS

The Data Processor currently uses the following Sub-processors:

## 1. Vercel Inc.
**Purpose:** Hosting and content delivery
**Location:** United States (with EU data residency options)
**Security Certifications:** ISO 27001, SOC 2 Type II
**Data Transfer Mechanism:** EU-US Data Privacy Framework, Standard Contractual Clauses
**Website:** https://vercel.com/legal/privacy-policy

## 2. Stripe, Inc.
**Purpose:** Payment processing
**Location:** United States and Ireland
**Security Certifications:** PCI DSS Level 1, ISO 27001, SOC 2 Type II
**Data Transfer Mechanism:** EU-US Data Privacy Framework, Standard Contractual Clauses
**Data Processed:** Payment card details, billing information, transaction history
**Website:** https://stripe.com/gb/privacy

## 3. Supabase Inc.
**Purpose:** Database hosting and management (PostgreSQL)
**Location:** EU region (with UK data residency options available)
**Security Certifications:** SOC 2 Type II, ISO 27001 (in progress), HIPAA-compliant infrastructure
**Data Transfer Mechanism:** EU hosting (no international transfers when using EU region)
**Data Processed:** All Personal Data stored in application databases (student data, teacher accounts, assessment results)
**Website:** https://supabase.com/privacy

## 4. [Email Service Provider - To be confirmed]
**Purpose:** Transactional emails (account notifications, password resets)
**Location:** [To be confirmed]
**Security Certifications:** [To be confirmed]
**Data Processed:** Email addresses, message content

## 5. [Analytics Service - If applicable]
**Purpose:** Usage analytics (optional, with consent)
**Location:** [To be confirmed]
**Security Certifications:** [To be confirmed]
**Note:** Analytics cookies are only used with explicit user consent

---

## Sub-processor Changes

The Data Processor will notify the Data Controller at least 30 days before:
- Adding new Sub-processors
- Changing existing Sub-processors
- Making material changes to Sub-processor arrangements

The Data Controller may object to any Sub-processor change on reasonable grounds relating to data protection.

---

# APPENDIX: DATA CONTROLLER CONTACT FORM

**To be completed by the Data Controller (School/Organisation)**

## Organisation Details

**Legal Name:** _______________________________________

**Trading Name (if different):** _______________________________________

**Address:**
_______________________________________
_______________________________________
_______________________________________
**Postcode:** _______________________________________

**ICO Registration Number (if applicable):** _______________________________________

## Primary Contact

**Name:** _______________________________________

**Position/Role:** _______________________________________

**Email:** _______________________________________

**Telephone:** _______________________________________

## Data Protection Officer (if appointed)

**Name:** _______________________________________

**Email:** _______________________________________

**Telephone:** _______________________________________

## Services Subscribed To

Please tick all that apply:
- [ ] ReadingFluency
- [ ] MathsFluency
- [ ] Wild Books
- [ ] Wild Assessment
- [ ] WildWelcome
- [ ] WildWonders

## Estimated Numbers

**Approximate number of students:** _______________________________________

**Approximate number of staff users:** _______________________________________

## Signature

**Signed:** _______________________________________

**Print Name:** _______________________________________

**Position:** _______________________________________

**Date:** _______________________________________

---

**END OF DATA PROCESSING AGREEMENT**

---

## How to Use This Template

1. **Review with Legal Counsel:** This template should be reviewed by qualified legal counsel to ensure it meets your specific requirements and complies with all applicable laws.

2. **Complete Appendix:** The Data Controller should complete the contact form in the Appendix.

3. **Review Schedules:** Both parties should review and agree to the details in Schedules 1-3, particularly the list of Sub-processors.

4. **Execute Agreement:** Both parties should sign two copies of the completed agreement.

5. **Retain Copies:** Each party should retain a signed copy for their records.

6. **Review Annually:** This agreement should be reviewed at least annually and updated as necessary.

## Need Assistance?

For questions about this Data Processing Agreement, please contact:
**Email:** support@wild-schooling.com
**Subject:** DPA Query - [Your Organisation Name]

---

**Document Version:** 1.0
**Last Updated:** December 26, 2025
**Next Review Date:** December 26, 2026
