Data Processing Addendum

1. Introduction

This Data Processing Addendum ("DPA") supplements the Terms of Service and applies to School and Department plans where the organisation acts as a data controller and Schooly (operated by Actilynk Ltd, a company registered in England and Wales (company number 12475434), with registered office at 8 Lewis Road, Swanscombe, Kent, DA10 0JH) acts as a data processor.

This DPA is entered into in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Definitions

• Controller: The school or department subscribing to the Service
• Processor: Actilynk Ltd, operating the Schooly platform
• Data Subjects: Students and teachers whose data is processed
• Personal Data: Any information relating to an identified or identifiable data subject

3. Scope and Purpose of Processing

3.1 Categories of Data Subjects

• Students enrolled in classes managed through the Service
• Teachers and administrators using the Service

3.2 Types of Personal Data

• Names and email addresses
• Dates of birth (for age verification)
• Exam answers and practice responses
• Assessment results and marks
• Progress and performance data

3.3 Purpose of Processing

Personal data is processed solely to:

• Provide AI-powered marking and feedback
• Track student progress and generate analytics
• Enable class and assessment management
• Process subscription billing

4. Processor Obligations

Actilynk Ltd shall:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorised to process personal data are bound by confidentiality
• Implement appropriate technical and organisational security measures
• Not engage another processor without prior written authorisation from the Controller
• Assist the Controller in responding to data subject requests
• Delete or return all personal data upon termination of the Service, at the Controller's choice
• Make available all information necessary to demonstrate compliance

5. Sub-processors

5.1 Current Sub-processors

5.2 Changes to Sub-processors

We will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.

6. Security Measures

We implement the following security measures:

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Role-based access control with principle of least privilege
• Regular security assessments
• Secure development practices
• Automated backups with encryption
• Incident detection and response procedures

7. Data Breach Notification

In the event of a personal data breach, Actilynk Ltd shall:

• Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
• Provide details of the nature of the breach, categories of data affected, and measures taken
• Cooperate with the Controller in meeting their notification obligations to the ICO and data subjects

8. Data Subject Rights

Actilynk Ltd shall assist the Controller in responding to requests from data subjects to exercise their rights under UK GDPR, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to data portability
• Right to object

9. Data Return and Deletion

Upon termination of the Service:

• The Controller may request export of all personal data in a machine-readable format
• Actilynk Ltd will delete all personal data within 30 days of termination, unless retention is required by law
• A certificate of deletion will be provided upon request

10. Audit Rights

The Controller has the right to:

• Request information demonstrating compliance with this DPA
• Conduct or commission audits, with reasonable notice
• Access relevant compliance documentation

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

12. Duration

This DPA remains in effect for the duration of the Service agreement and until all personal data has been deleted or returned.

13. Contact

For questions about this DPA, contact [email protected].