How to use this DPA. Schools with a Data Protection Officer (DPO) can review this template as an initial position paper before contract. IB Math Revision is happy to sign it as-is, or to accept the school's standard DPA if provided (subject to review). Where fields are marked [LIKE THIS], the school should complete them on execution.
1. Parties & role
This Data Processing Agreement ("DPA") is entered into between:
- The Controller — [School legal name, address, ICO/DPA registration number], acting as data controller in relation to student and staff personal data processed via IB Math Revision.
- The Processor — Peter Bromfield trading as IB Math Revision, registered address: [registered address], contact: pbromfield@ibmathrevision.com, acting as data processor.
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Controller's licence to use the ibmathrevision.com platform ("the Service"). It supplements — but does not replace — the platform's public Terms of Service (/terms.html) and Privacy Policy (/privacy.html).
2. Subject-matter and duration of processing
The Processor processes personal data solely to deliver the contracted Service (see Section 4) for the duration of the school's licence period, plus a retention tail of 30 days after termination during which the Controller may request data export.
3. Nature and purpose of the processing
The Processor processes personal data to:
- Authenticate students, teachers, and administrators.
- Record and display each learner's own progress (attempts, scores, streaks, checklist ticks, AI-graded submissions).
- Enable teachers to view aggregate class progress and assign homework.
- Send transactional emails (weekly digests, homework notifications, receipts).
- Detect abuse and enforce rate limits.
4. Categories of data subjects and personal data
| Category of data subject | Categories of personal data |
| Students enrolled by the school | Name (if provided), school email address, class assignments, per-question attempts and scores, streaks, checklist progress, free-text AI-graded submissions. |
| Teachers & administrators | Name, email, role, homework assignments authored, class-management events. |
No special-category (Article 9) or Article 10 criminal data is intended to be processed. Free-text AI-graded submissions could theoretically contain such data if a student volunteers it; the Processor treats such content with the same technical safeguards as the rest of the platform but does not solicit or index it.
5. Sub-processors
The Controller authorises the Processor to engage the following sub-processors, each bound by contractual obligations at least equivalent to this DPA:
| Sub-processor | Service | Region |
| Google LLC (Firebase / Cloud Functions / Firestore / Firebase Auth) | Application hosting, authentication, database, serverless functions | europe-west1 (Belgium) & europe-west3 (Frankfurt) |
| Google LLC (Cloud Storage) | PDF and asset storage | europe-west |
| Stripe Payments Europe Limited | Card processing for licence purchases | Ireland / EU |
| Resend Inc. | Transactional email delivery (weekly digests, receipts, homework notifications) | United States (bound by SCCs — see Section 8) |
| Google LLC (Gemini API) | AI grading and content-generation. Payloads contain student submissions but no name/email; requests are non-retained per Google's terms. | United States (bound by SCCs — see Section 8) |
The Processor will give the Controller at least 30 days' written notice of any change in sub-processors and will provide the Controller with a reasonable opportunity to object. If the Controller reasonably objects, the parties will discuss in good faith; if unresolved, the Controller may terminate this DPA on written notice.
6. Obligations of the Processor
- Process personal data only on documented instructions from the Controller, including the instructions contained in this DPA.
- Ensure that persons authorised to process the personal data are subject to appropriate confidentiality obligations.
- Take all technical and organisational measures required under Article 32 UK/EU GDPR (see Section 7).
- Assist the Controller, taking into account the nature of the processing, in fulfilling data-subject requests (access, rectification, erasure, portability, restriction, objection).
- Assist the Controller with data protection impact assessments (DPIAs) and prior consultations with the ICO or lead supervisory authority.
- At the choice of the Controller, delete or return all personal data at the end of the Service and delete existing copies, unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (reasonable notice; not more than once per year unless required by an incident).
- Notify the Controller without undue delay after becoming aware of a personal data breach.
7. Technical and organisational measures (Article 32)
- Encryption in transit — TLS 1.2+ on every endpoint; HSTS enforced on the primary domain.
- Encryption at rest — Firestore documents and Cloud Storage objects are encrypted at rest using Google-managed keys.
- Access control — Firestore Security Rules restrict reads and writes to the authenticated user's own documents; owner/school-admin escalation is enforced server-side in Cloud Functions, not on the client.
- Least privilege — no long-lived admin credentials are stored on any personal device; service-account keys are rotated on a documented cadence.
- Backups — daily Firestore automatic backups retained for 30 days.
- Logging — access to admin functions is logged with the actor email and timestamp; retained for at least 12 months.
- Rate limiting & abuse controls — per-user quotas on write endpoints; PDF download and AI-grading endpoints are quota-capped and monitored for anomalies.
- Vulnerability management — dependencies are audited on every build; security patches are applied within 14 days of stable release.
- Personnel — the platform is currently operated by a single named individual (P. Bromfield) subject to UK GDPR obligations as controller-processor-in-one; any future personnel will be under confidentiality contracts.
8. International transfers
Where personal data is transferred to a sub-processor outside the UK/EEA (currently Resend Inc. and Google Gemini API), transfers are safeguarded by the European Commission's Standard Contractual Clauses (SCCs, module 3 for processor-to-processor) and, where applicable, the UK International Data Transfer Addendum (IDTA). The Processor has assessed the transfers under the Schrems II framework and applies additional supplementary measures (encryption in transit and at rest, contractual data-minimisation).
9. Data subject rights
Data subjects may exercise their rights by contacting the Controller. The Controller may then instruct the Processor via the mechanisms below. The Processor will action lawful instructions without undue delay:
- Access / portability — export in JSON on written request.
- Rectification — direct edit via the student's own account or by admin escalation on the Controller's instruction.
- Erasure — deletion of the student's account and all associated Firestore documents within 30 days of instruction. AI-grading submissions are erased on the same schedule; sub-processor Gemini payloads are non-retained per Google's API terms.
- Restriction / objection — the school may pause a student's access via the class-code management interface at any time.
10. Personal data breach
The Processor will notify the Controller of a personal data breach without undue delay and in any case within 48 hours of becoming aware. The notification will include, so far as available:
- The nature of the breach, categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its adverse effects.
- The contact point for further information.
11. Return or deletion at end of processing
At the Controller's written choice at the end of the licence, and in any event no later than 30 days after termination, the Processor will either:
- Return all personal data processed for the Controller in machine-readable format (JSON); or
- Delete all such personal data (including copies) and certify deletion in writing, unless Union or Member State law requires storage.
The Processor may retain aggregated, anonymised statistics that cannot be linked to any identifiable person for legitimate product-improvement purposes.
12. Term, priority, and governing law
This DPA takes effect on the date of the Controller's licence purchase (or the date of last signature below, if executed) and continues for so long as the Processor processes personal data on behalf of the Controller. In the event of any conflict between this DPA and any other agreement between the parties, this DPA prevails to the extent of the conflict, in respect of the processing of personal data. This DPA is governed by the law of England and Wales, with non-exclusive jurisdiction of the English courts, without prejudice to any mandatory forum applicable to the Controller under UK/EU GDPR.
13. Signatures
________________________________________
For the Controller
Name: [full name]
Title: [Head / Data Protection Lead / DPO]
Date: [DD-MM-YYYY]
________________________________________
For the Processor
Name: Peter Bromfield
Title: Founder, IB Math Revision
Date: on execution