Data Processing Agreement

For schools and organisations · Last updated: 2 June 2026

This Data Processing Agreement (DPA) applies where a school or organisation (the Customer) uses SYE Code to provide accounts to its pupils. It forms part of, and is governed by, the Terms of Service. A countersigned copy is available on request.

1. Parties and roles

This DPA is between Smash Your Exams Education Ltd ("SYE", "we", the Processor), a company registered in England & Wales (company no. 15461413) with its registered office at 42 Hampstead Close, Blyth, NE24 3XE, and the Customer (the school or organisation accepting these terms, the Controller).

For pupil personal data processed through the service, the Customer is the controller and SYE is the processor, processing that data only on the Customer's documented instructions. (Where an individual or teacher signs up directly rather than via a school, SYE is the controller and our Privacy Policy applies instead.)

2. Subject-matter, duration, nature and purpose

3. Customer instructions

SYE processes Customer personal data only on the Customer's documented instructions (including this DPA, the Terms, and configuration choices in the product), unless required to do otherwise by law — in which case we will inform the Customer first unless the law forbids it. We will tell the Customer if, in our opinion, an instruction breaches UK GDPR.

4. Confidentiality

We ensure that personnel authorised to process Customer personal data are bound by confidentiality and are trained on their data-protection obligations.

5. Security

We implement appropriate technical and organisational measures to protect Customer personal data, as described in Annex 2, taking into account the state of the art, the costs of implementation, and the risks to data subjects (UK GDPR Article 32).

6. Sub-processors

The Customer gives general authorisation for SYE to engage the sub-processors listed in Annex 3. We impose data-protection obligations on each sub-processor equivalent to those in this DPA, and remain liable for their performance. We will give the Customer reasonable notice of any intended change to sub-processors, and the Customer may object on reasonable data-protection grounds.

7. Assistance to the Customer

8. Personal data breaches

We notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer personal data, with the information the Customer reasonably needs to meet its own notification obligations.

9. Return or deletion

On termination of the licence, and at the Customer's choice, we delete or return all Customer personal data and delete existing copies, unless retention is required by law. The product supports Customer-initiated export and erasure at any time. Absent a Customer instruction, data is deleted or anonymised within 6 months of the licence ending.

10. Audit

We make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or its mandated auditor, on reasonable notice and subject to confidentiality.

11. International transfers

Some sub-processors are located outside the UK (see Annex 3). Where Customer personal data is transferred internationally, we rely on appropriate safeguards — Standard Contractual Clauses with the UK International Data Transfer Addendum (IDTA), or an adequacy decision where one applies. We will not transfer Customer personal data outside the UK except under such safeguards.

Annex 1 — Details of the processing

ItemDetail
Categories of data subjectsThe Customer's pupils; the Customer's staff who administer accounts.
Categories of personal dataPupil display name, per-school username, password hash, classes/assignments, learning progress, and the code pupils write. Staff: name, email, role. No pupil email is collected.
Special category dataNone intended or required. Pupils should not enter special-category data into free-text/code fields.
FrequencyContinuous, for the duration of the licence.
Processing operationsAccount provisioning, storing and displaying progress and code, marking, AI-assisted help, and erasure/export on request.

Annex 2 — Technical and organisational measures

Annex 3 — Authorised sub-processors

Sub-processorPurposeLocation / safeguard
NeonDatabase hosting (account, learning and school data)EU/US (SCCs / IDTA as applicable)
VercelApplication hosting and content deliveryUS/global (SCCs / IDTA)
OpenAIAI features — receives pupil code + the challenge to generate hints, explanations and markingUnited States (SCCs / IDTA)
StripePayment and subscription billing (school account holders)EU/US (SCCs / IDTA)
ResendTransactional email to staff account holdersUS (SCCs / IDTA)

Optional, consent-gated analytics (Google Analytics, PostHog) do not run for pupil accounts.

Questions about this DPA, or to request a signed copy: support@smashyourexams.com.