This agreement governs how Ember Learning Ltd (trading as Ember Tutors), acting as Data Processor, handles personal data on behalf of the commissioning Local Authority, Multi-Academy Trust, or school (the Data Controller) under UK GDPR and the Data Protection Act 2018.
1. Scope and Nature of Processing
The agreement covers all processing carried out in connection with the delivery of online tutoring sessions to referred students. It remains in force for the duration of the accompanying Service Agreement. Categories of personal data processed include student names, year groups, attendance and engagement records, and session recordings created solely for safeguarding purposes.
Where provided by the Controller, special category data may also be processed, including Education, Health and Care Plans (EHCPs), health and disability information, and safeguarding records. The lawful basis for special category processing is Article 9(2)(g) UK GDPR (substantial public interest), supported by DPA 2018 Schedule 1 provisions for safeguarding of children.
2. Processor Obligations
Ember Tutors processes personal data only on the documented instructions of the Controller. All authorised personnel are bound by appropriate confidentiality obligations. The Processor maintains technical and organisational security measures in line with Article 32 UK GDPR, including encryption, access controls, multi-factor authentication, and annual data protection training.
3. Sub-processors
The Controller provides general written authorisation for sub-processor use. Current sub-processors include self-employed tutoring associates, Digital Samba (video platform, EEA), Supabase (database, EU), Resend (email, EU), and Vercel (hosting, US — Standard Contractual Clauses in place). The Processor notifies the Controller at least 14 days before any sub-processor change, and the Controller may object on reasonable data protection grounds.
4. Session Recordings
Tutoring sessions are recorded exclusively for safeguarding purposes. Access is strictly limited to the Designated Safeguarding Lead, the Deputy DSL, and any statutory body to which disclosure is legally required. Recordings are retained for 12 months, or longer where a safeguarding concern is under investigation. They are never used for quality assurance, training, or marketing without the Controller's written agreement.
5. Data Breach Notification
The Processor will notify the Controller within 24 hours of becoming aware of any actual or suspected personal data breach. Full cooperation is provided to enable the Controller to meet its 72-hour ICO notification obligation under Article 33 UK GDPR.
6. International Transfers
Personal data is not transferred outside the UK or EEA without the Controller's prior written consent. Where US-based sub-processors are used, Standard Contractual Clauses are in place to provide equivalent protection.
7. Termination and Data Return
On termination of the Service Agreement, the Processor ceases all processing within five working days and, at the Controller's election, securely returns or deletes all personal data. Written confirmation of deletion or return is provided within 30 days. Liability is capped at the total fees paid in the preceding 12 months.
8. Governing Law
This agreement is governed by the laws of England and Wales, with exclusive jurisdiction in the courts of England and Wales.
The full policy document is available on request. Contact hello@embertutors.co.uk.