Data Processing Agreement
For schools and organisations · Last updated: 2 June 2026
1. Parties and roles
This DPA is between Smash Your Exams Education Ltd ("SYE", "we", the Processor), a company registered in England & Wales (company no. 15461413) with its registered office at 42 Hampstead Close, Blyth, NE24 3XE, and the Customer (the school or organisation accepting these terms, the Controller).
For pupil personal data processed through the service, the Customer is the controller and SYE is the processor, processing that data only on the Customer's documented instructions. (Where an individual or teacher signs up directly rather than via a school, SYE is the controller and our Privacy Policy applies instead.)
2. Subject-matter, duration, nature and purpose
- Subject-matter & purpose: providing the SYE Code learning platform — accounts, classes, assignments, saving pupils' code and progress, marking, and AI-assisted help — to the Customer's pupils.
- Duration: for the term of the Customer's licence and until data is returned or deleted under clause 9.
- Nature of processing: collection, storage, organisation, retrieval, use, and erasure as set out in Annex 1.
3. Customer instructions
SYE processes Customer personal data only on the Customer's documented instructions (including this DPA, the Terms, and configuration choices in the product), unless required to do otherwise by law — in which case we will inform the Customer first unless the law forbids it. We will tell the Customer if, in our opinion, an instruction breaches UK GDPR.
4. Confidentiality
We ensure that personnel authorised to process Customer personal data are bound by confidentiality and are trained on their data-protection obligations.
5. Security
We implement appropriate technical and organisational measures to protect Customer personal data, as described in Annex 2, taking into account the state of the art, the costs of implementation, and the risks to data subjects (UK GDPR Article 32).
6. Sub-processors
The Customer gives general authorisation for SYE to engage the sub-processors listed in Annex 3. We impose data-protection obligations on each sub-processor equivalent to those in this DPA, and remain liable for their performance. We will give the Customer reasonable notice of any intended change to sub-processors, and the Customer may object on reasonable data-protection grounds.
7. Assistance to the Customer
- Data-subject rights: taking into account the nature of the processing, we assist the Customer by appropriate technical and organisational measures (including the product's data export and erasure tools) to respond to requests to exercise pupil rights.
- Security, breach notification and DPIAs: we assist the Customer in ensuring compliance with its obligations under Articles 32–36, including data protection impact assessments and prior consultation, taking into account the information available to us.
8. Personal data breaches
We notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer personal data, with the information the Customer reasonably needs to meet its own notification obligations.
9. Return or deletion
On termination of the licence, and at the Customer's choice, we delete or return all Customer personal data and delete existing copies, unless retention is required by law. The product supports Customer-initiated export and erasure at any time. Absent a Customer instruction, data is deleted or anonymised within 6 months of the licence ending.
10. Audit
We make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or its mandated auditor, on reasonable notice and subject to confidentiality.
11. International transfers
Some sub-processors are located outside the UK (see Annex 3). Where Customer personal data is transferred internationally, we rely on appropriate safeguards — Standard Contractual Clauses with the UK International Data Transfer Addendum (IDTA), or an adequacy decision where one applies. We will not transfer Customer personal data outside the UK except under such safeguards.
Annex 1 — Details of the processing
| Item | Detail |
|---|---|
| Categories of data subjects | The Customer's pupils; the Customer's staff who administer accounts. |
| Categories of personal data | Pupil display name, per-school username, password hash, classes/assignments, learning progress, and the code pupils write. Staff: name, email, role. No pupil email is collected. |
| Special category data | None intended or required. Pupils should not enter special-category data into free-text/code fields. |
| Frequency | Continuous, for the duration of the licence. |
| Processing operations | Account provisioning, storing and displaying progress and code, marking, AI-assisted help, and erasure/export on request. |
Annex 2 — Technical and organisational measures
- Passwords stored only as scrypt hashes; pupil accounts hold no email.
- Encryption in transit (HTTPS/TLS); data hosted with reputable cloud providers.
- Access controls and role-based permissions; session tokens with hashed IP addresses.
- Login-attempt rate limiting and an audit log of significant actions.
- Data minimisation by design; analytics are consent-gated and not used to profile pupils.
- Customer-initiated data export and erasure.
Annex 3 — Authorised sub-processors
| Sub-processor | Purpose | Location / safeguard |
|---|---|---|
| Neon | Database hosting (account, learning and school data) | EU/US (SCCs / IDTA as applicable) |
| Vercel | Application hosting and content delivery | US/global (SCCs / IDTA) |
| OpenAI | AI features — receives pupil code + the challenge to generate hints, explanations and marking | United States (SCCs / IDTA) |
| Stripe | Payment and subscription billing (school account holders) | EU/US (SCCs / IDTA) |
| Resend | Transactional email to staff account holders | US (SCCs / IDTA) |
Optional, consent-gated analytics (Google Analytics, PostHog) do not run for pupil accounts.
Questions about this DPA, or to request a signed copy: support@smashyourexams.com.