School Data Processing Addendum

Draft for procurement and DPO review. This page summarises the terms StudyVector expects to include in a school or college data-processing addendum. It should be checked and signed as part of the actual school contract.

1. Parties and roles

The school, college, trust, or local authority is normally the controller for learner data it provides or instructs StudyVector to process. StudyVector acts as a processor for that school-controlled learner data. StudyVector may remain an independent controller for direct student accounts, billing records, website analytics where consented, and its own security/support operations.

2. Processing details

• Subject matter: exam-practice, homework, progress reporting, intervention workflows, and school-managed access to StudyVector.
• Duration: the school trial, licence, or services agreement, plus any agreed wind-down and retention period.
• Nature and purpose: hosting learner accounts, recording answers and progress, providing feedback, showing teacher dashboards, and supporting access/security.
• Data subjects: students, teachers, school administrators, parents/guardians where invited, and school procurement contacts.
• Data categories: account identifiers, email or school ID, class/group membership, subjects, boards, answers, attempts, marks, mastery/progress signals, homework records, support messages, and technical logs.

3. School instructions

StudyVector processes school-controlled personal data only on documented school instructions, including the written contract, this addendum, agreed support requests, and lawful configuration choices made by authorised school staff.

4. Security measures

• Role-based access controls and row-level security for learner records.
• Service-role credentials kept server-side only.
• HTTPS in transit and provider-level encryption at rest where supported by hosting/database providers.
• Private storage for uploaded files and best-effort storage cleanup during deletion workflows.
• Rate limiting on public enquiry routes and restricted admin access for operational tooling.
• Optional analytics consent gating and avoidance of answer text, uploaded files, or form messages in optional analytics.

5. Subprocessors

Current and optional providers are listed in the Subprocessor List. StudyVector will keep written terms with providers that process personal data and will give notice of material new subprocessors where the school contract requires it.

6. Data rights, deletion, and return

StudyVector will help the school respond to subject access, correction, export, deletion, restriction, and objection requests for school-managed accounts. At the end of the contract, StudyVector will return, delete, or anonymise school-controlled personal data as instructed, unless law or a documented legal basis requires limited retention.

7. Security incidents

StudyVector will notify the nominated school contact without undue delay after becoming aware of a personal-data breach affecting school-controlled learner data, and will provide reasonable information to help the school meet its own notification obligations.

8. Audit and assistance

StudyVector will provide reasonable information needed to demonstrate compliance with this addendum, including relevant policy summaries, subprocessor information, and security-control descriptions. On-site audits should be scoped, proportionate, and subject to confidentiality and security limits.

9. International transfers

Where providers process data outside the UK or EEA, StudyVector will rely on appropriate transfer safeguards, such as UK IDTA terms, standard contractual clauses, or provider-level transfer mechanisms where applicable.

10. Contacts and contract details

Privacy contact: privacy@studyvector.co.uk. School procurement contact: hello@studyvector.co.uk.

Company details requiring school contract insertion: registered company number, registered office, VAT status, and invoice trading entity. These are tracked internally and must be verified before signature.