Data Processing Agreement

Ember Learning Ltd (trading as Ember Tutors)

Between Ember Learning Ltd (Data Processor) and the Commissioning Local Authority or Multi-Academy Trust (Data Controller)

Parties

This Data Processing Agreement ('Agreement') is entered into between:

1. The commissioning Local Authority or Multi-Academy Trust whose name and address are set out in the accompanying Service Agreement ('the Controller'); and
2. Ember Learning Ltd, a company registered in England and Wales, company number 17131451, whose registered office is at 52a Spring Grove Road, Hounslow, London, United Kingdom, TW3 4BN, trading as Ember Tutors ('the Processor').

The Controller and the Processor are each a 'Party' and together 'the Parties'.

This Agreement is supplemental to and incorporated into the Service Agreement between the Parties ('the Service Agreement'). In the event of any conflict between this Agreement and the Service Agreement, this Agreement shall prevail in relation to data protection matters.

1. Definitions and Interpretation

1.1 In this Agreement, the following terms shall have the meanings ascribed to them below:

'Applicable Data Protection Law' means the UK General Data Protection Regulation (as retained in UK law by the European Union (Withdrawal) Act 2018) ('UK GDPR'), the Data Protection Act 2018 ('DPA 2018'), and any applicable subordinate legislation or regulatory guidance issued by the Information Commissioner's Office ('ICO'), as amended from time to time.

'Data Breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor.

'Data Subject' means a living individual to whom Personal Data relates — in the context of this Agreement, primarily students aged 11 to 16 who are referred by the Controller for tutoring services.

'Personal Data', 'Processing', 'Controller', 'Processor', 'Sub-processor', 'Supervisory Authority', and 'Special Categories of Personal Data' have the meanings given in the UK GDPR.

'Services' means the online small group mathematics and English tutoring services delivered by the Processor to students referred by the Controller, as described in the Service Agreement.

'Sub-processor' means any third party (including self-employed tutoring associates) engaged by the Processor to carry out processing activities in respect of the Personal Data on behalf of the Processor.

1.2 References to clauses are references to clauses of this Agreement unless otherwise stated. Headings are for convenience only and shall not affect interpretation.

2. Scope, Duration, and Nature of Processing

2.1 This Agreement applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.

2.2 This Agreement shall come into force on the date of the Service Agreement and shall continue for the duration of the Service Agreement, subject to the termination provisions in Clause 14.

2.3 The nature of the Processing is the provision of online tutoring sessions to referred students, including the creation and retention of session recordings for safeguarding purposes.

2.4 Categories of Personal Data Processed

The Processor processes the following categories of Personal Data in the course of providing the Services:

• Student full name
• Year group and school year
• Name of the referring school (where applicable)
• Session attendance and engagement data (whether a student attended, participated, and any relevant behavioural observations made during a session)
• Session recordings — audio and video recordings of tutoring sessions, created and retained solely for safeguarding purposes

No Special Categories of Personal Data are intentionally processed under this Agreement. The Processor shall notify the Controller immediately if it becomes aware that any Special Category data has been inadvertently processed.

2.5 Data Subjects

Personal Data relates to the following categories of Data Subjects:

• Students aged 11 to 16 years referred for tutoring by the Controller
• Where applicable, members of staff employed by the Controller whose contact details are shared for administrative coordination purposes

2.6 Purposes of Processing

Personal Data is processed for the following purposes only:

• Delivery of online small group tutoring sessions in mathematics and/or English
• Recording of tutoring sessions for safeguarding purposes, as provided in Clause 8
• Monitoring and reporting on student attendance and engagement to the Controller
• Compliance with safeguarding obligations, including referral to statutory agencies where required

3. Obligations of the Processor

3.1 The Processor shall, and shall procure that all persons authorised to process Personal Data shall:

• Process Personal Data only on the documented instructions of the Controller, unless required to do so by Applicable Data Protection Law, in which case the Processor shall notify the Controller of that legal requirement before processing (unless such notification is prohibited on public interest grounds)
• Ensure that persons authorised to process the Personal Data are subject to appropriate obligations of confidentiality, whether by contract or by statute
• Implement and maintain technical and organisational measures to ensure a level of security appropriate to the risks presented by the Processing, as required by Article 32 UK GDPR and as further described in Clause 7
• Not engage any Sub-processor without the prior written consent of the Controller, except as provided in Clause 5
• Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations under Applicable Data Protection Law to respond to requests from Data Subjects exercising their rights under Chapters II and III of the UK GDPR
• Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the Processing and the information available to the Processor
• At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Services, and delete existing copies of that Personal Data unless Applicable Data Protection Law requires storage of the Personal Data
• Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, providing reasonable prior written notice is given

3.2 The Processor shall promptly inform the Controller if, in its opinion, any instruction given by the Controller infringes Applicable Data Protection Law.

4. Controller's Responsibilities

4.1 The Controller confirms and warrants that:

• It has identified and documented a lawful basis for the Processing under Article 6 UK GDPR and, where applicable, Article 9 UK GDPR
• It has obtained or will obtain all necessary consents from parents or carers (or from students aged 13 and over where appropriate) for the referral of students to the Processor and for the Processing described in this Agreement, prior to referring any student to the Processor
• It is satisfied that the Processing described in this Agreement is consistent with its Privacy Notice(s)
• It has the authority to enter into this Agreement and to give Processing instructions to the Processor on the terms herein

5. Sub-processors

5.1 The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the conditions set out in this Clause 5.

5.2 The Processor currently engages the following categories of Sub-processor in connection with the Services:

• Self-employed tutoring associates: individuals engaged by the Processor on a self-employed basis to deliver tutoring sessions. Associates access student names and session attendance data in the course of delivering sessions, and are subject to contractual obligations equivalent in substance to those imposed on the Processor by this Agreement
• Online platform provider: Vedamo (vedamo.com), a virtual classroom platform operated by Vedamo Ltd, headquartered within the EEA. Sessions are delivered and recorded via the Vedamo platform. A data processing agreement with Vedamo should be confirmed before first session delivery.

5.3 The Processor shall maintain a current list of Sub-processors and shall notify the Controller in writing of any intended changes to Sub-processors (additions or replacements) no fewer than 14 days prior to the change taking effect. The Controller may object to any new Sub-processor within 10 days of notification on reasonable data protection grounds. If the Parties cannot resolve such objection, either Party may terminate the Service Agreement on reasonable notice.

5.4 Where the Processor engages a Sub-processor, the Processor shall impose data protection obligations on that Sub-processor that are no less onerous than those set out in this Agreement, by way of written contract. The Processor shall remain fully liable to the Controller for the acts and omissions of its Sub-processors.

6. Data Subject Rights

6.1 The Processor shall, as soon as reasonably practicable and in any event within five (5) working days, notify the Controller of any request received directly from a Data Subject in relation to the exercise of their rights under Applicable Data Protection Law.

6.2 The Processor shall not respond to any Data Subject request without the prior written consent of the Controller, except to inform the Data Subject that their request has been passed to the Controller.

6.3 The Processor shall provide the Controller with all reasonable co-operation and assistance in responding to Data Subject requests, including providing access to relevant records within the timescales reasonably required by the Controller.

7. Technical and Organisational Security Measures

7.1 The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access. These measures include, as a minimum:

• Encryption of session recordings at rest and in transit using industry-standard protocols
• Access controls ensuring that session recordings are accessible only to the Designated Safeguarding Lead (DSL) and Deputy DSL, as further described in Clause 8
• Password-protected and, where practicable, multi-factor authentication access to all systems processing Personal Data
• Regular review of access permissions and removal of access where no longer required
• Annual data protection training for all personnel who process Personal Data
• A process for identifying and managing data protection risks

7.2 The Processor shall not make material changes to its security measures without prior notification to the Controller where such changes could adversely affect the level of protection provided to Personal Data.

8. Session Recordings

8.1 The Processor records tutoring sessions ('Session Recordings') for safeguarding purposes only, in accordance with its Child Protection and Safeguarding Policy (aligned to Keeping Children Safe in Education 2025) and its Session Recording Policy.

8.2 Session Recordings are processed exclusively for the following safeguarding purpose: to enable review of session content in the event that a safeguarding concern arises involving a student or associate, and to support any subsequent referral to statutory safeguarding authorities.

8.3 Access to Session Recordings is strictly limited to:

• The Designated Safeguarding Lead: Jack Bradley
• The Deputy Designated Safeguarding Lead: Mahesh De Zoysa
• Any statutory body (including the police or children's social care) to which disclosure is legally required or authorised

8.4 Session Recordings shall not be used for quality assurance, training, research, marketing, or any other purpose without the prior written agreement of the Controller.

8.5 Session Recordings are stored in encrypted, access-controlled cloud or server storage. The Processor shall ensure that access controls are reviewed no less than annually.

8.6 Retention Period for Session Recordings

Session recordings shall be retained for 12 months from the date of recording, after which they shall be securely deleted. If a safeguarding concern has been raised in respect of a particular session, that recording shall be retained for the duration of any investigation or legal proceedings and for a minimum of 6 months following their conclusion, or as directed by the relevant statutory authority, whichever is the longer.

8.7 At the end of the applicable retention period, Session Recordings shall be permanently and securely deleted by the Processor. A deletion log shall be maintained recording: the date of deletion, the session reference (date, group, and subject), and the name of the individual who performed the deletion. The deletion log shall be retained for five (5) years.

8.8 On request, the Processor shall provide the Controller with confirmation of deletion of Session Recordings relating to the Controller's referred students.

9. Data Breach Notification

9.1 The Processor shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware, of any actual or reasonably suspected Personal Data Breach affecting Personal Data processed under this Agreement.

9.2 The notification shall include (to the extent reasonably available at the time):

• A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
• The name and contact details of the Processor's Data Protection Officer or other relevant contact point from whom more information can be obtained
• A description of the likely consequences of the Personal Data Breach
• A description of the measures taken or proposed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects

9.3 Where all required information is not available at the time of initial notification, the Processor shall provide such information in phases without undue delay.

9.4 The Processor shall co-operate fully with the Controller and provide all reasonable assistance to enable the Controller to fulfil its obligation to notify the ICO within 72 hours of becoming aware of the Breach, where required by Article 33 UK GDPR.

9.5 The Processor shall not notify any Data Subject or any third party (including the ICO) of a Personal Data Breach without the prior written consent of the Controller, except where required to do so by Applicable Data Protection Law.

10. Data Transfers

10.1 The Processor shall not transfer Personal Data outside the United Kingdom or the European Economic Area without the prior written consent of the Controller and the implementation of appropriate transfer safeguards as required by Chapter V of the UK GDPR.

10.2 All Personal Data processed under this Agreement is, by default, stored and processed within the United Kingdom.

Vedamo processes and stores session data within the EEA. No transfer of personal data outside the UK or EEA is anticipated. This should be confirmed in the data processing agreement with Vedamo before first session delivery.

11. Records of Processing Activities

11.1 The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller in accordance with Article 30(2) UK GDPR and shall make that record available to the Controller on request.

12. Deletion and Return of Personal Data on Termination

12.1 Upon expiry or termination of the Service Agreement (for any reason), or upon written request from the Controller at any time, the Processor shall:

• Cease all Processing of the Controller's Personal Data within five (5) working days
• At the Controller's election, either: (a) securely return all Personal Data to the Controller in a commonly used, machine-readable format; or (b) securely delete all Personal Data (subject to any legally required retention obligations)
• Provide the Controller with written confirmation of deletion or return within 30 days of the termination or request date

12.2 Notwithstanding the above, the Processor may retain Session Recordings for the remainder of their applicable retention period as described in Clause 8.6, subject to the access restrictions and security measures in this Agreement remaining in force during any such retention period. Session Recordings shall not be retained beyond the end of their retention period.

12.3 The Processor shall procure that all Sub-processors comply with equivalent obligations on termination.

13. Liability and Indemnity

13.1 The Processor shall be liable to the Controller for any losses or damages incurred by the Controller arising directly from the Processor's breach of its obligations under this Agreement or under Applicable Data Protection Law.

13.2 Each Party shall indemnify and hold harmless the other Party against any claim brought by a Data Subject or any regulatory authority arising from that Party's breach of Applicable Data Protection Law, to the extent that such claim arises from the indemnifying Party's act or omission.

13.3 Nothing in this Agreement shall limit or exclude either Party's liability: (a) for death or personal injury caused by negligence; (b) for fraud or fraudulent misrepresentation; or (c) for any liability which cannot be excluded or limited by law.

The Processor's liability under this Agreement shall not exceed the total fees paid by the Controller to the Processor in the 12 months preceding the claim giving rise to the liability.

14. Termination

14.1 Either Party may terminate this Agreement immediately on written notice if the other Party:

• Commits a material breach of this Agreement that is incapable of remedy
• Commits a material breach of this Agreement that is capable of remedy and fails to remedy that breach within 14 days of written notice requiring it to do so
• Enters into administration, receivership, liquidation, or any analogous insolvency proceeding

14.2 Termination of this Agreement shall not affect any rights or obligations which have accrued prior to the date of termination.

14.3 The obligations in Clauses 8 (Session Recordings), 12 (Deletion and Return), and 13 (Liability) shall survive termination of this Agreement.

15. Governing Law and Jurisdiction

15.1 This Agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the law of England and Wales.

15.2 The Parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement.

16. Execution

This Agreement may be executed in counterparts, each of which shall constitute an original. A signed copy transmitted by email shall be treated as an original for all purposes.

Schedule 1 — Summary of Processing Details

The following table summarises the key processing details for the purposes of Article 28(3) UK GDPR.