Version 2026-06-3 (June 2026)
This is the standard agreement. Schools sign a copy (with their name completed) in-app before any student data is added.
Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between:
(1) the School ("the School"); and
(2) PAG Tracker ("the Processor"),
(each a "Party" and together the "Parties").
This DPA supplements and forms part of the agreement between the Parties for the Processor's provision of the PAG Tracker platform (the "Services") and is accepted via the Processor's online process (the "Main Agreement"). Where this DPA conflicts with the Main Agreement on data protection matters, this DPA prevails. This DPA is intended to satisfy the requirement in Article 28(3) UK GDPR for a written contract governing the Processor's processing of Personal Data on the School's behalf.
1. Definitions
"Data Protection Law" means the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, in each case as amended from time to time (including by the Data (Use and Access) Act 2025), together with applicable guidance and codes of practice issued by the Information Commissioner. Terms such as Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach and Special Category Data have the meaning given in Data Protection Law.
"Pupil Data" means the Personal Data described in Schedule 1 relating to pupils of the School, including their identifying details, the science subject and cohort they are enrolled in, and their practical-assessment results. "Staff Data" means Personal Data relating to teachers and staff who use the Services (account and administration details in Schedule 1). "Sub-processor" means any third party engaged by the Processor to process Personal Data, as listed in Schedule 2.
2. Roles of the parties
2.1 The School is the Controller of Pupil Data and Staff Data processed through the Services. The Processor is the Processor of that data.
2.2 The Processor acts as an independent Controller only in respect of: (a) the limited account and contact data it uses to administer its own customer relationship with the School; and (b) infrastructure and operational security logs it maintains solely to meet its own legal and security obligations, where those logs do not contain Pupil Data. Service audit logs described in Schedule 1 (recording actions taken by staff in the Services) are processed by the Processor on the School's instructions as part of providing the Services, even where those logs relate in substance to Pupil Data (for example, which pupil's assessment result was recorded, by whom and when).
2.3 The School is responsible for ensuring it has a lawful basis under Article 6 UK GDPR and for providing required privacy information to pupils, parents and staff.
2.4 The Processor shall process Personal Data only on the documented instructions of the School (including as to international transfers), as set out in this DPA, unless required to do otherwise by UK law (in which case it will inform the School first unless the law prohibits this).
2.5 The Processor shall immediately inform the School if, in its opinion, an instruction infringes Data Protection Law.
3. Subject matter, nature and duration
3.1 Subject matter. The Processor processes Personal Data to provide the Services: an online platform through which School staff record and track pupils' progress in A Level Science Practical Assessment Group (PAG) activities, including outcomes against the Common Practical Assessment Criteria (CPAC) for Chemistry, Biology and Physics, and produce analytics and reports for the School's own educational purposes.
3.2 Nature. Collection, recording, storage, organisation, retrieval, use, export, restriction, erasure and deletion of the data in Schedule 1, by automated means.
3.3 Duration. Processing begins when the School first submits Personal Data and continues for the term of the Main Agreement, ending in accordance with Clause 11, subject to the retention periods in Schedule 1.
3.4 Data Subjects. Pupils enrolled in cohorts/classes using the Services; teachers and staff with accounts.
3.6 Children's data. Pupil Data relates to children aged 16–18 (A Level students) and merits specific protection under the UK GDPR (Recital 38) and the Information Commissioner's guidance. The Processor shall have regard to that heightened sensitivity throughout.
3.7 No Special Category Data. The Services are not designed to process Special Category Data (Article 9) or criminal-offence data (Article 10) and none is processed under this DPA. Pupils' practical-assessment results are Personal Data but are not Special Category Data.
4. Processor obligations
The Processor shall: (a) process Personal Data only as necessary to provide the Services and on the School's documented instructions; (b) ensure persons authorised to process Personal Data are under a binding duty of confidentiality; (c) implement and maintain the technical and organisational measures in Schedule 3 (Article 32 UK GDPR) and not materially reduce them without the School's agreement; (d) assist the School, by appropriate measures, to respond to Data Subject rights requests (Chapter III); (e) assist the School with its obligations under Articles 32–36 (security, breach notification, DPIAs), taking into account the information available to the Processor; (f) make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (Clause 9); (g) notify the School without undue delay if an instruction appears unlawful; and (h) not engage a Sub-processor except in accordance with Clause 8.
4.2 Data location and international transfers. Pupil Data is hosted and stored within the United Kingdom (in the Processor's database hosted by Supabase in its London (UK) region under a data processing agreement, and processed by application hosting in the UK / London region). Sub-processors operating from outside the UK (Schedule 2) do not receive Pupil Data. The Processor shall not relocate hosting of Pupil Data outside the UK without the School's prior written consent. Any transfer to, or access from, outside the UK is subject to appropriate safeguards under Chapter V UK GDPR (the UK-US data bridge where applicable, or an IDTA / UK Addendum with a transfer risk assessment).
5. Data minimisation
The Services are designed to require only the minimum Pupil Data necessary. The School should not submit Pupil Data beyond that described in Schedule 1, and the Services remain functional where the School uses a minimal identifier (e.g. an internal label) instead of a full name.
6. Security of processing
The Processor shall implement the measures in Schedule 3, which the Parties agree are appropriate to the risk, having regard to the state of the art, the nature of processing, and the fact that the data relates to children. Measures may be improved but not weakened; the Processor will notify the School of material changes and confirm the measures' continued operation at least annually.
7. Personal Data Breach
The Processor shall notify the School without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, with the information required by Article 33(3) so far as available, and shall cooperate in investigation, mitigation and remediation. The obligation to notify the Information Commissioner (within 72 hours where required) and affected individuals rests with the School as Controller.
8. Sub-processors
The School gives general written authorisation for the Sub-processors listed in Schedule 2. The Processor shall give at least 30 days' notice of any intended addition or replacement, during which the School may object on reasonable data protection grounds (and, failing resolution, terminate the affected Services). Each Sub-processor is bound by terms offering equivalent protection, and any Sub-processor outside the UK is subject to Chapter V safeguards. The Processor remains fully liable for its Sub-processors.
9. Audit and inspection
On reasonable request (normally once per 12 months, or without delay where a breach or material non-compliance is reasonably suspected), the Processor shall provide information necessary to demonstrate compliance (including a summary of Schedule 3 measures, relevant certifications/reports, a record of access to identifiable Pupil Data by Processor personnel to the extent maintained, and current Sub-processor details), and shall allow for and contribute to audits subject to reasonable confidentiality and minimal disruption.
10. Data Subject rights
The Processor shall promptly forward any request received directly from a Data Subject (or a parent/guardian) and shall not respond itself except on the School's documented instruction. The Services provide functionality to export, rectify and erase an individual's data so the School can give effect to those rights.
11. Deletion and return of data
On termination, the Processor shall (at the School's election) delete or return all Personal Data and delete existing copies within 30 days, unless UK law requires retention (in which case it will inform the School and continue to protect the data). During the term, Pupil Data is retained per Schedule 1 and subject to automated deletion on expiry. The Processor shall confirm deletion in writing.
12. Liability
Liability under this DPA is subject to the limitations and exclusions in the Main Agreement, save for liabilities that cannot lawfully be limited (death/personal injury from negligence, fraud, etc.). Each Party is responsible for its own compliance with Data Protection Law and indemnifies the other for losses arising from its own breach, subject to those limits.
13. Term and termination
This DPA takes effect on acceptance and continues while the Processor processes Personal Data on the School's behalf. The School may terminate on written notice if the Processor materially breaches this DPA and (where remediable) fails to remedy within 30 days.
14. General
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of its courts, without restricting the jurisdiction of the Information Commissioner's Office. If any provision is unenforceable, the remainder continues. Neither Party may assign without consent, save that the Processor may assign on a sale of its business to an assignee bound by these terms.
15. Data protection contact
The Processor's contact for data protection matters is privacy@pag-tracker.com. The School's contacts are those it provides on acceptance and may update by notice.
Schedule 1 — Personal Data processed
Pupil Data: forename; surname; School-assigned pupil reference / student ID (each stored encrypted at the application layer); class/group; cohort, year group and science subject (Chemistry, Biology or Physics) and academic year; and practical-assessment results (Pass / Fail / Absent for each PAG and CPAC subskill, with the date and the member of staff who recorded it). No date of birth, address, contact details, parental details, free-text commentary, health, biometric or SEN data is processed.
Staff Data: name; school email address; role (teacher/administrator); authentication/verification data (via Supabase Auth).
Service audit logs (Processor on the School's instructions): records of actions taken in the Services (such as creating, updating, exporting or deleting pupil or assessment records), including the acting user, timestamp, IP address and user-agent. These logs may relate in substance to Pupil Data and are processed to provide the Services and to support the School's accountability obligations.
Processor operational security logs (Processor as Controller): infrastructure and security telemetry maintained solely for the Processor's own legal and security obligations, where these do not contain Pupil Data.
Retention: Pupil Data for up to 5 years after the pupil leaves the relevant cohort (or as the School instructs), then permanently deleted by an automated process; Staff Data while active plus up to 1 year; audit and data-subject-request records up to 7 years.
Schedule 2 — Sub-processors
- Supabase, Inc. — database hosting and authentication. Hosts all application data including Pupil Data in its London (UK) region; the encrypted pupil identifier fields are stored as ciphertext only and cannot be decrypted by Supabase.
- Vercel, Inc. — application hosting/compute (London
lhr1region) and aggregate, cookieless performance analytics (Speed Insights, which does not receive pupil records). - Resend — transactional email (verification, password reset, notifications). Staff names and email addresses only; no Pupil Data.
- OpenAI — at sign-up only, suggests an institution name from the School's email domain. Only the email domain string is sent; no Pupil Data or other Personal Data.
Schedule 3 — Technical and organisational measures
- Application-layer encryption of pupil forename, surname and reference using AES-256-GCM, with keys held only in the hosting environment (never in the database) and keyed blind indexes for search — so the database provider sees only ciphertext for these fields.
- Encryption in transit and at rest (TLS for all transport; provider encryption at rest; HSTS and a restrictive Content-Security-Policy).
- Access control by role in the application, enforced as defence-in-depth by PostgreSQL Row-Level Security at the database layer (enabled in production and testing).
- Audit logging of actions on records (actor, timestamp, IP, user-agent).
- Processor personnel access on a need-to-know basis under confidentiality.
- Data residency in the UK; encrypted backups and high-availability hosting; automated retention/deletion; and at least annual review of these measures.
16. Acceptance and pre-condition to processing Pupil Data
This DPA is accepted on behalf of the School by an Authorised Signatory — an individual who holds authority to bind the School in respect of data protection matters (for example the Headteacher or Principal, the Chief Executive or Accounting Officer of a multi-academy trust, or the School's Data Protection Officer or a member of the senior leadership team with delegated authority). Acceptance is recorded electronically (capturing the signatory's name, role, email and the date and time).
the School must not submit, and the Processor will not enable the School to submit, any Pupil Data (including the creation of any cohort or the import of any pupils) until this DPA has been accepted by an Authorised Signatory.