DATA PROCESSING AGREEMENT
Effective date: [EFFECTIVE_DATE]
Between:
- [CUSTOMER_LEGAL_NAME] of [CUSTOMER_ADDRESS] (Controller); and
- TutorCruncher Ltd of The Food Exchange, New Covent Garden Market, Nine Elms, London SW8 5EL (Processor).
Each a party and together the parties.
1. Background
1.1 The parties have entered into [MASTER_AGREEMENT_TITLE] dated [MASTER_AGREEMENT_DATE] (as amended, the Main Agreement) under which the Processor provides the Services (as defined in the Main Agreement).
1.2 In providing the Services, the Processor will process Personal Data on behalf of the Controller. This Agreement sets out the terms required by Article 28 of the UK GDPR (and, where applicable, the EU GDPR) and supplements the Main Agreement.
1.3 If there is a conflict between this Agreement and the Main Agreement regarding the processing of Personal Data, this Agreement prevails to the extent of the conflict.
1.4 This Agreement is incorporated into and forms part of the Main Agreement. By entering into the Main Agreement, placing an order, or otherwise accepting the Services under the Main Agreement, the parties agree to be bound by this Agreement without requiring a separate handwritten or electronic signature block in this template.
2. Definitions
2.1 Capitalised terms in the Main Agreement apply unless defined differently below.
| Term | Meaning |
|---|---|
| Applicable Law | UK GDPR, the Data Protection Act 2018, and any binding guidance or codes of practice issued by the UK Information Commissioner’s Office (ICO); and, where Processing concerns data subjects in the EEA, the EU GDPR. |
| Personal Data, Processing, Data Subject, Personal Data Breach | As defined in Applicable Law. |
| Subprocessor | A processor engaged by the Processor to process Personal Data on behalf of the Controller. |
| Instructions | The Controller’s documented instructions to process Personal Data, including: (a) the Main Agreement and this Agreement; (b) the Controller’s lawful configuration and use of the Services; and (c) any further written instructions the Controller issues and the Processor accepts. |
3. Duration and subject matter
3.1 This Agreement starts on the Effective Date and continues until termination or expiry of the Main Agreement or until the Processor no longer processes Personal Data on behalf of the Controller, whichever is later.
3.2 Subject matter: provision of the Services involving Processing of Personal Data described in Schedule 1.
4. Details of Processing
4.1 The nature, purpose, duration, types of Personal Data, and categories of Data Subjects are set out in Schedule 1.
4.2 The Processor shall process Personal Data only on documented Instructions unless a requirement of EU or UK law to which the Processor is subject compels otherwise (in which case the Processor shall, to the extent permitted by law, inform the Controller of that requirement before Processing, unless prohibited on important grounds of public interest).
5. Processor obligations
The Processor shall:
5.1 Personnel: ensure that persons authorised to process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5.2 Security: implement appropriate technical and organisational measures to protect Personal Data as described in Schedule 3 and having regard to the state of the art, cost of implementation, and risks to Data Subjects. The Controller acknowledges that security is risk-based and that the measures may evolve.
5.3 Subprocessors
(a) Not engage a Subprocessor without the Controller’s general written authorisation. The Controller grants such authorisation for the Subprocessors listed in Schedule 2 as at the Effective Date.
(b) Notify the Controller of intended changes to Subprocessors (additions or replacements) by (i) updating the subprocessor section of the Processor’s privacy policy at https://tutorcruncher.com/tcai-privacy-policy (or another URL the Processor has communicated to the Controller in writing) at least 30 days before the change takes effect, and (ii) sending notice to the email address held for the Controller’s organisation account where available. Until that page is live or updated for this purpose, the Processor may rely on email-only notice for that period. Urgent changes required for security may use shorter notice; the Processor will inform the Controller as soon as practicable. The Controller may object on reasonable data-protection grounds within 14 days of the notice. If the parties cannot resolve the objection within a further 14 days, the Controller may terminate the affected part of the Services or the Main Agreement in accordance with its terms.
(c) Where the Processor uses a Subprocessor, impose data protection obligations on that Subprocessor that are substantially the same as those in this Agreement (in particular providing sufficient guarantees of security). The Processor remains fully liable to the Controller for the performance of that Subprocessor’s obligations.
5.4 Data Subject rights: assist the Controller, by appropriate technical and organisational measures and insofar as possible, in responding to requests from Data Subjects to exercise their rights under Applicable Law (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making where applicable). The Processor shall notify the Controller without undue delay if it receives a request directly from a Data Subject, unless it is clear how to redirect the request to the Controller.
5.5 Assistance: taking into account the nature of Processing, assist the Controller with data protection impact assessments and prior consultation with supervisory authorities, where required by Applicable Law.
5.6 Breach notification: notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this Agreement. The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. The Processor shall cooperate with the Controller and document the breach as required by Applicable Law.
5.7 Return and deletion: at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services relating to Processing, and delete existing copies unless Applicable Law requires retention (in which case the Processor shall inform the Controller and apply appropriate isolation and protection).
5.8 Information and audit: make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller (subject to reasonable notice, confidentiality, and no more than once per 12 months except following a Personal Data Breach or regulatory requirement). Where the Services are multi-tenant, the Processor may satisfy this obligation through third-party certifications, audit reports, or questionnaires in place of on-site audits, unless a supervisory authority requires otherwise.
5.9 Unlawful instructions: immediately inform the Controller if, in the Processor’s opinion, an Instruction infringes Applicable Law.
6. Controller obligations
The Controller warrants and shall:
6.1 Process Personal Data in compliance with Applicable Law and have a valid lawful basis (and, for special category data, a valid Article 9 condition where required) for any Processing it instructs, including where it enables or instructs the Processing of lesson recordings, transcripts, or related AI-generated outputs. Where data about children is involved, the Controller remains responsible for ensuring any additional transparency or legal requirements are met.
6.2 Ensure that Instructions are lawful and that the Processor may lawfully carry them out.
6.3 Be responsible for the accuracy, quality, and legitimacy of Personal Data it supplies and for transparency with Data Subjects (including privacy notices).
6.4 If the Controller wishes to use Personal Data for a new purpose that is materially different from the purpose originally communicated to Data Subjects, the Controller shall reassess the lawful basis and transparency requirements for that new purpose and obtain any additional consent or other permission required by Applicable Law before instructing the Processor to support that use.
6.5 Maintain appropriate security of accounts, credentials, and integrations under the Controller’s control.
7. International transfers
7.1 The Processor shall not transfer Personal Data outside the United Kingdom (or, for EEA data subjects, outside the EEA) without ensuring a valid transfer mechanism under Applicable Law (for example UK IDTA, UK Addendum to the EU Standard Contractual Clauses, adequacy regulations, or other approved safeguards).
7.2 The Processor shall ensure Subprocessors outside the UK/EEA are bound by appropriate safeguards. A summary of the Processor’s current operational transfer position is set out in Schedule 4 and may be updated from time to time to reflect the live vendor configuration and available transfer mechanisms.
7.3 Where the Controller requires a controller-specific transfer annex, the parties may replace or supplement Schedule 4 with a deal-specific schedule or addendum.
8. Liability
8.1 Liability for breach of this Agreement is subject to the liability provisions of the Main Agreement, except where Applicable Law imposes non-excludable obligations on the Processor as processor.
8.2 Nothing in this Agreement limits either party’s liability for death or personal injury caused by negligence, fraud, or other liability that cannot be limited under Applicable Law.
9. Miscellaneous
9.1 Entire agreement (DPA scope). This Agreement, together with the Main Agreement and Schedules, constitutes the entire agreement of the parties regarding Processing under Article 28.
9.2 Amendments. Changes to this Agreement shall be in writing (including email between designated contacts) or as set out in the Main Agreement for policy updates that do not reduce protection for Personal Data.
9.3 Governing law and jurisdiction. This Agreement is governed by the laws of England and Wales, and the courts of England and Wales have jurisdiction over any dispute arising under it.
9.4 Regulatory correspondence. The Controller is the primary contact for supervisory authorities regarding its role as controller, unless the authority addresses the Processor directly as processor; the parties shall cooperate in good faith.
Schedule 1 — Description of Processing
| Field | Description |
|---|---|
| Subject matter | Provision of the TutorCruncher AI platform and related services as described in the Main Agreement. |
| Duration | For the term of the Main Agreement and until deletion/return under clause 5.7. |
| Nature of Processing | Collection, storage, organisation, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure, destruction, and other operations as required to provide the Services (including AI inference, analytics, email delivery, integrations, and support). |
| Purpose of Processing | To provide the Services to the Controller, including account management, tutoring workflows, online lessons, AI-assisted content, billing, security, product improvement (as permitted by the Main Agreement), and compliance with Processor’s legal obligations. |
| Categories of Data Subjects | Organisation administrators, tutors, students, clients, and other individuals whose data the Controller uploads or connects to the Services. |
| Categories of Personal Data | As described in the Processor’s privacy documentation in force from time to time (including account and profile data, tutoring activity, transcripts and session data where used, AI outputs, feedback, reports, billing data, support and analytics data). Special category data should only be processed where the Controller has a valid condition under Article 9 and documents Instructions accordingly. |
Schedule 2 — Subprocessors (initial list)
Note: Keep this schedule aligned with the Subprocessors section (section 5) of the current TutorCruncher AI privacy policy. Legal names and entities may differ from trade names (for example the contracting entity for Salesforce / Heroku).
| Subprocessor (trade name) | Role (summary) | Current region / transfer note |
|---|---|---|
| Salesforce (Heroku) | Application hosting (dynos), Heroku Postgres, and Redis (broker/cache on Heroku, as configured) — per current production deployment | Europe for app hosting and Heroku Postgres. Redis region remains to be confirmed. |
| Amazon Web Services (S3) | File storage (e.g. data exports) | EU West based on current configuration. |
| OpenAI | AI inference | Contracting and DPA position being checked against OpenAI Ireland materials; processing may occur in the EU and/or US depending on service terms. |
| Pydantic (Logfire) | Observability (server and browser SDK) | US. |
| Sentry | Error monitoring (server and web) | EU. |
| Stripe | Payments | European contracting entity may apply, but processing may occur in the EU and/or US under Stripe’s DPA and transfer terms. |
| LessonSpace | Virtual classroom, recordings, transcripts | Assumed EU and/or US depending on provider configuration. |
| TutorCruncher (business management platform) | B2B integration | Assumed UK / EU unless product configuration requires otherwise. |
| Mailchimp (Mandrill) / Morpheus | Transactional email | US for Mandrill / Mailchimp. |
| Intercom | Customer support | EU workspace configuration, subject to Intercom’s operational exceptions. |
| Mixpanel | Product analytics | EU data residency. |
| Amplitude | Product analytics | EU. |
| Google (Analytics 4, Ads conversion) | Web measurement and advertising | EU and/or US depending on service configuration and Google’s infrastructure. |
| Microsoft (Clarity) | UX / session analytics | EU and/or US depending on service configuration and Microsoft’s infrastructure. |
| Microsoft (Advertising / Bing Ads) | Paid advertising, conversion tracking, and related tags (for example UET) where used | EU and/or US depending on service configuration and Microsoft’s infrastructure. |
| Open Exchange Rates | Currency data (typically non-personal) | Typically not material for personal-data transfers. |
Add or remove rows as production changes. Where a customer requests more detail, provide the applicable legal entity, region, and transfer terms in a customer-facing schedule or register.
Schedule 3 — Technical and organisational measures (summary)
The Processor implements measures appropriate to the risk, including (non-exhaustively):
- Access control: authenticated access to the application and administrative tooling; role-based access controls within the product; least-privilege access for authorised personnel where applicable.
- Encryption in transit: HTTPS / TLS for public web traffic and API traffic; encrypted connections are expected for third-party APIs and integrated services.
- Credential and secret handling: production credentials and API keys are stored outside source control and injected via environment or platform configuration.
- Authentication security: password hashes are stored using modern one-way hashing; session or bearer-token authentication is used for the API; permissions are enforced at route and application level.
- Application and data separation: production data is held in managed cloud services and processed by separate service components (web, worker, dispatcher) according to function.
- Observability and incident response: logging, tracing, and error reporting are used to detect and investigate service issues and suspected incidents; incident escalation and customer notification follow the Processor’s internal procedures and legal obligations.
- Availability and resilience: the service is deployed on managed cloud infrastructure with provider-managed availability features. Backup, redundancy, and disaster-recovery capability depend on the specific production service tier and add-on configuration in use at the time.
- Personnel: personnel with access to Personal Data or production systems are subject to confidentiality obligations and appropriate access controls.
- Subprocessors: Subprocessors are engaged under written terms requiring data protection obligations substantially equivalent to those in this Agreement.
- Data export controls: user data exports are generated for administrative access, stored temporarily in cloud storage, and exposed through time-limited URLs.
This schedule is intended to be accurate without over-claiming. If the Processor later introduces specific certifications, encryption-at-rest commitments, or backup SLAs that it wishes to promise contractually, this schedule should be updated accordingly.
Schedule 4 — International transfer summary
This schedule records the Processor’s current operational understanding of likely processing locations. It is not a substitute for the vendor’s own DPA, privacy documentation, or subprocessor list, but it gives the parties a working summary for UK GDPR purposes.
| Recipient / Importer | Current position | Transfer mechanism / working basis |
|---|---|---|
| Salesforce (Heroku) | App hosting and Heroku Postgres in Europe; Redis region still being confirmed. | For EU-hosted app and database processing, the working assumption is no restricted transfer for that processing. If Redis, support, or operational access involves a non-UK / non-EEA country, rely on the vendor’s applicable DPA / transfer terms. |
| Amazon Web Services (S3) | EU West based on current configuration. | For EU-hosted S3 storage, the working assumption is no restricted transfer for that storage path. AWS contractual terms still govern any support or operational access. |
| OpenAI | EU and/or US depending on service terms and account structure. | Rely on the applicable OpenAI DPA / service terms for the account in use. For eligible European customers, contracting may be through OpenAI Ireland Ltd. If restricted transfers occur, use the mechanism stated in those terms. |
| Pydantic (Logfire) | US. | Rely on the vendor’s DPA / transfer terms and current subprocessor documentation for UK GDPR transfers. |
| Sentry | EU. | For the EU region, the working assumption is that core event data is region-hosted in the EU. Review the vendor DPA and data-location documentation for any residual US-hosted account, support, or metadata processing. |
| Stripe | EU and/or US. | Rely on Stripe’s DPA and Data Transfers Addendum. Stripe states that non-Americas accounts may contract with Stripe Payments Europe, Limited, while data may still be transferred globally, including to Stripe, LLC in the US. |
| LessonSpace | Assumed EU and/or US. | Until a stricter vendor position is confirmed, rely on the provider’s applicable DPA / transfer terms. |
| TutorCruncher (the business management platform) | Assumed UK / EU. | Working assumption: no restricted transfer where processing remains in the UK / EEA. Confirm the live vendor position if a customer requires more detail. |
| Mailchimp / Mandrill | US. | Rely on Mailchimp’s DPA, with Data Privacy Framework / UK Extension where applicable and SCC fallback commitments if needed. |
| Intercom | EU workspace configuration, with possible operational exceptions. | Rely on Intercom’s DPA and, where applicable, the Regional Data Hosting Addendum. Review for any non-EU support, billing, or metadata processing. |
| Mixpanel | EU data residency. | Working basis: EU data residency plus the Mixpanel DPA for any residual transfer position. Confirm the project remains EU-resident and EU ingestion endpoints are in use. |
| Amplitude | EU. | Working basis: EU region for current deployment. Where any non-EU transfer arises through support or vendor sub-processing, rely on Amplitude’s DPA, including its SCC, UK Addendum, and related transfer commitments. |
| Google Analytics 4 / Google Ads conversion tracking | EU and/or US. | Rely on Google’s applicable Data Processing Terms and transfer materials, including SCC-based terms and any UK / DPF-related position Google documents for these services. |
| Microsoft Clarity / Microsoft Advertising (Bing Ads) | EU and/or US. | Rely on Microsoft’s applicable DPA / licensing terms, including any relevant UK Addendum / SCC position, together with the required consent and cookie controls. |
| Open Exchange Rates | Typically no material personal-data transfer. | Usually not material for transfer-risk analysis unless implementation changes. |
Where the Controller needs a more formal or customer-specific transfer annex, the parties may replace this schedule with a vendor-by-vendor annex including dates, SCC / IDTA references, and links to live DPA materials.