Skip to main content

Data Processing Agreement

Between IB Math Revision (Processor) and the School (Controller) · UK GDPR + EU GDPR aligned · v1.0 · February 2026

How to use this DPA. Schools with a Data Protection Officer (DPO) can review this template as an initial position paper before contract. IB Math Revision is happy to sign it as-is, or to accept the school's standard DPA if provided (subject to review). Where fields are marked [LIKE THIS], the school should complete them on execution.

1. Parties & role

This Data Processing Agreement ("DPA") is entered into between:

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Controller's licence to use the ibmathrevision.com platform ("the Service"). It supplements — but does not replace — the platform's public Terms of Service (/terms.html) and Privacy Policy (/privacy.html).

2. Subject-matter and duration of processing

The Processor processes personal data solely to deliver the contracted Service (see Section 4) for the duration of the school's licence period, plus a retention tail of 30 days after termination during which the Controller may request data export.

3. Nature and purpose of the processing

The Processor processes personal data to:

4. Categories of data subjects and personal data

Category of data subjectCategories of personal data
Students enrolled by the schoolName (if provided), school email address, class assignments, per-question attempts and scores, streaks, checklist progress, free-text AI-graded submissions.
Teachers & administratorsName, email, role, homework assignments authored, class-management events.

No special-category (Article 9) or Article 10 criminal data is intended to be processed. Free-text AI-graded submissions could theoretically contain such data if a student volunteers it; the Processor treats such content with the same technical safeguards as the rest of the platform but does not solicit or index it.

5. Sub-processors

The Controller authorises the Processor to engage the following sub-processors, each bound by contractual obligations at least equivalent to this DPA:

Sub-processorServiceRegion
Google LLC (Firebase / Cloud Functions / Firestore / Firebase Auth)Application hosting, authentication, database, serverless functionseurope-west1 (Belgium) & europe-west3 (Frankfurt)
Google LLC (Cloud Storage)PDF and asset storageeurope-west
Stripe Payments Europe LimitedCard processing for licence purchasesIreland / EU
Resend Inc.Transactional email delivery (weekly digests, receipts, homework notifications)United States (bound by SCCs — see Section 8)
Google LLC (Gemini API)AI grading and content-generation. Payloads contain student submissions but no name/email; requests are non-retained per Google's terms.United States (bound by SCCs — see Section 8)

The Processor will give the Controller at least 30 days' written notice of any change in sub-processors and will provide the Controller with a reasonable opportunity to object. If the Controller reasonably objects, the parties will discuss in good faith; if unresolved, the Controller may terminate this DPA on written notice.

6. Obligations of the Processor

  1. Process personal data only on documented instructions from the Controller, including the instructions contained in this DPA.
  2. Ensure that persons authorised to process the personal data are subject to appropriate confidentiality obligations.
  3. Take all technical and organisational measures required under Article 32 UK/EU GDPR (see Section 7).
  4. Assist the Controller, taking into account the nature of the processing, in fulfilling data-subject requests (access, rectification, erasure, portability, restriction, objection).
  5. Assist the Controller with data protection impact assessments (DPIAs) and prior consultations with the ICO or lead supervisory authority.
  6. At the choice of the Controller, delete or return all personal data at the end of the Service and delete existing copies, unless retention is required by law.
  7. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (reasonable notice; not more than once per year unless required by an incident).
  8. Notify the Controller without undue delay after becoming aware of a personal data breach.

7. Technical and organisational measures (Article 32)

8. International transfers

Where personal data is transferred to a sub-processor outside the UK/EEA (currently Resend Inc. and Google Gemini API), transfers are safeguarded by the European Commission's Standard Contractual Clauses (SCCs, module 3 for processor-to-processor) and, where applicable, the UK International Data Transfer Addendum (IDTA). The Processor has assessed the transfers under the Schrems II framework and applies additional supplementary measures (encryption in transit and at rest, contractual data-minimisation).

9. Data subject rights

Data subjects may exercise their rights by contacting the Controller. The Controller may then instruct the Processor via the mechanisms below. The Processor will action lawful instructions without undue delay:

10. Personal data breach

The Processor will notify the Controller of a personal data breach without undue delay and in any case within 48 hours of becoming aware. The notification will include, so far as available:

11. Return or deletion at end of processing

At the Controller's written choice at the end of the licence, and in any event no later than 30 days after termination, the Processor will either:

  1. Return all personal data processed for the Controller in machine-readable format (JSON); or
  2. Delete all such personal data (including copies) and certify deletion in writing, unless Union or Member State law requires storage.

The Processor may retain aggregated, anonymised statistics that cannot be linked to any identifiable person for legitimate product-improvement purposes.

12. Term, priority, and governing law

This DPA takes effect on the date of the Controller's licence purchase (or the date of last signature below, if executed) and continues for so long as the Processor processes personal data on behalf of the Controller. In the event of any conflict between this DPA and any other agreement between the parties, this DPA prevails to the extent of the conflict, in respect of the processing of personal data. This DPA is governed by the law of England and Wales, with non-exclusive jurisdiction of the English courts, without prejudice to any mandatory forum applicable to the Controller under UK/EU GDPR.

13. Signatures

________________________________________
For the Controller
Name: [full name]
Title: [Head / Data Protection Lead / DPO]
Date: [DD-MM-YYYY]
________________________________________
For the Processor
Name: Peter Bromfield
Title: Founder, IB Math Revision
Date: on execution