Data Protection Agreement

Last Updated: 1st March 2024

Recitals
This Data Processing Agreement ("Agreement") is automatically applicable and sets out the terms and conditions under which the Data Processor (the School) shall process personal data upon using TAISK, accessed via the Wonde API. Usage of TAISK signifies the School’s acceptance and adherence to this Agreement, ensuring compliance with the UK’s Data Protection Act 2018, the EU General Data Protection Regulation (GDPR), and other pertinent data protection laws.

1. Definitions and Interpretations
In this Agreement, the following terms shall have the meanings ascribed to them below:

  • "Data Subjects" refers to individuals whose personal data is processed under this Agreement, encompassing students, staff, and others linked with the School.

  • "Processing" encompasses any operation performed on personal data, such as collection, storage, utilisation, and transmission.


2. Data Processing Obligations

  • The Data Processor commits to processing Personal Data exclusively for delivering educational services through TAISK.

  • The Data Processor shall ensure the trustworthiness of all staff accessing the Personal Data.

  • Data shall be processed in concordance with the procedures detailed in Annex 1 of this Agreement.


3. Technical and Organisational Measures

  • The Data Processor is obliged to enact measures as delineated in Annex 2, guaranteeing data security, including safeguards against unauthorised or unlawful processing, accidental loss, destruction, or harm.

  • Bucephalus Ltd confirms its servers, situated within the United Kingdom, adhere to GDPR stipulations.


4. Rights of Data Subjects

  • The Data Processor shall assist the Data Controller in enabling data subjects' rights under the GDPR and applicable legislation.

  • The Data Processor must inform the Data Controller if it receives any requests from data subjects regarding their personal data.

5. Data Breach Notification

  • Upon detecting a personal data breach, the Data Processor is required to inform the Data Controller promptly.

  • The notification shall encompass details of the breach, the types and estimated number of data subjects and records impacted, and the anticipated repercussions.


6. Sub-processing

  • The Data Processor is prohibited from subcontracting any processing operations performed on behalf of the Data Controller under this Agreement without the Data Controller’s written consent.


7. Audit and Inspection

  • The Data Controller reserves the right to conduct audits and inspections to verify adherence to this Agreement and data protection statutes.


8. Indemnification and Liability

  • Both parties agree to indemnify one another against all claims, demands, damages, costs, penalties, and liabilities arising from any breach of this Agreement.


9. Duration and Termination

  • This Agreement is effective from account creation and will remain in force until terminated by either party by cancellation of subscription or by written notice.


10. General Terms

  • Modifications to this Agreement must be in written form and endorsed by both parties.

  • This Agreement shall be governed and construed in accordance with the UK’s Data Protection Act 2018 and the EU GDPR.

Annex 1: Data Processing Details

Nature and Purpose of Processing

  • Personal data is processed for the purpose of providing administration and support services through TAISK. This includes, but is not limited to, report writing, progress tracking, and educational assessments.

Types of Personal Data Processed

  • Student Data: Names, age, class, academic records, and learning progress.

  • Staff Data: Names, contact details, and professional information.

  • Usage Data: Information on how TAISK is used by students and staff.


Categories of Data Subjects

  • Students enrolled in the School.

  • Teachers and other staff members employed by the School.


Data Processing Activities

  • Collection: Gathering data from the School's records to make available to schools via TAISK.

  • Storage: Holding data in secure cloud storage provided by AWS RDS databases.

  • Access: Data is accessed by authorised personnel of Bucephalus Ltd T/O TAISK and the School for administration and support purposes.

  • Analysis: Data is analysed to improve educational content and personalise learning experiences.

  • Retention: Data is retained as long as the API is linked or as required by law.

Duration of Processing

  • Personal data will be processed as long as the Agreement is in force or until the data is no longer needed for its intended purpose.

 

Annex 2: Technical and Organisational Measures

Data Security Measures

  • Use of end-to-end encryption for data in transit and at rest.

  • Secure cloud storage solutions with AWS RDS databases.

  • Regular security audits and penetration testing to identify and mitigate risks.

 

Access Control

  • Access to personal data is limited to authorised personnel only.

  • Use of strong authentication and access control mechanisms.

  • Regular review and update of access rights.

 

Data Integrity and Resilience

  • Regular backups of personal data.

  • Mechanisms to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

 

Incident Response and Management

  • Established incident response plan for managing data breaches.

  • Regular training for staff on recognising and responding to security incidents.

Employee Training and Awareness

  • Regular data protection and security training for all employees.

  • Promoting a culture of data privacy and security within the organisation.

 

Compliance Monitoring

  • Regular audits to ensure compliance with data protection laws and policies.

  • Documentation and logging of processing activities.

  • ICO auditing.

Annex 3: Data Map

 

In our dedication to transparency and adherence to data protection regulations, we are pleased to present the TAISK Data Map. This comprehensive overview has been crafted to offer a clear and structured insight into the management of data within the TAISK platform.

The data map delineates the journey of data from its initial acquisition to its eventual stage of retention or erasure. It details the types of data we manage, encompassing both personal and educational information, and elucidates our data processing activities which are fundamental to providing a tailored educational experience.

Furthermore, our data map illuminates the storage, access, and transfer protocols of the data, ensuring that all stakeholders are thoroughly informed about our practices in handling data. This is of paramount importance for maintaining trust and integrity, especially in the educational sector where the sensitivity of data is of utmost concern.

 

The ensuing table encapsulates the key elements of our data management process, offering a lucid and concise depiction of our data lifecycle:

This data map is a vital component of our strategy for data governance, affirming our commitment to managing all information responsibly and in line with legal and ethical standards. We regularly revise and update this map to ensure it remains in sync with any modifications in our data processing practices or changes in regulatory requirements.
