Mathsense Data Processing Agreement

This Data Processing Agreement ("Agreement") is entered into between:

• The School or educational institution accessing Mathsense ("Controller"); and
• Christopher Reay, a sole trader operating under the trading name Mathsense, whose principal address is 65 Amherst Road, Fawdon, NE3 2QR ("Processor").

Together referred to as the "Parties".

The Controller uses the Mathsense platform to administer GCSE maths diagnostic assessments for its students. In doing so, the Processor will process personal data on behalf of the Controller. This Agreement sets out the terms on which that processing will occur, as required by Article 28 of the UK GDPR.

The Processor is registered with the ICO as a data controller under registration number ZC152231.

• "UK GDPR" means the UK General Data Protection Regulation as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018
• "Data Protection Law" means the UK GDPR and the Data Protection Act 2018
• "Personal Data" has the meaning given in UK GDPR Article 4
• "Processing" has the meaning given in UK GDPR Article 4
• "Data Subject" means the students whose personal data is processed under this Agreement

4.1 Purpose

The Processor will process Personal Data solely for the purpose of providing the Mathsense diagnostic assessment service to the Controller, including:

• Storing student display names and assessment participation records
• Recording and displaying diagnostic skill results
• Enabling teachers to view class and individual results via the dashboard

4.2 Categories of data subjects

Students enrolled at the Controller's institution who participate in Mathsense assessments.

4.3 Categories of personal data

• Student display name
• Year group (if provided)
• Diagnostic results (skill mastery status)
• Assessment participation records

4.4 Duration

Processing will continue for the duration of the Controller's active subscription to Mathsense, and for up to 30 days thereafter to allow for data export, unless earlier deletion is requested.

The Processor shall:

• Process Personal Data only on the documented instructions of the Controller, as set out in this Agreement and the Mathsense Terms of Service
• Ensure that persons authorised to process the Personal Data are bound by appropriate confidentiality obligations
• Implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction or damage
• Not engage any sub-processor without prior written authorisation from the Controller, except as set out in Schedule 1
• Assist the Controller in responding to Data Subject rights requests, including access, rectification, erasure, and portability requests
• Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach involving the Controller's data
• Delete or return all Personal Data to the Controller upon termination of this Agreement, at the Controller's choice
• Make available to the Controller all information necessary to demonstrate compliance with this Agreement

The Controller shall:

• Ensure it has a lawful basis for sharing student personal data with the Processor
• Ensure students (and parents where required) are informed about the use of Mathsense, including by reference to the Mathsense Privacy Notice at mathsense.net/privacy
• Only instruct the Processor to process Personal Data in accordance with Data Protection Law
• Be responsible for the accuracy of any personal data provided to the Processor

The Controller authorises the Processor to use the sub-processors listed in Schedule 1. The Processor shall ensure each sub-processor is bound by obligations equivalent to those in this Agreement and shall remain liable to the Controller for the acts or omissions of sub-processors.

The Processor shall provide the Controller with at least 14 days' notice of any intended changes to sub-processors, giving the Controller the opportunity to object.

Some sub-processors may process data outside the UK. Where this occurs, the Processor shall ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V, including the use of UK International Data Transfer Agreements (IDTAs) or equivalent mechanisms.

The Processor implements the following technical and organisational measures:

• Encryption of all data in transit using TLS
• Row-level security policies restricting database access
• Role-based access controls limiting access to personal data
• Incident response procedures for personal data breaches

Where the Controller receives a Data Subject rights request relating to data processed by the Processor, the Processor shall provide reasonable assistance to enable the Controller to respond within the statutory timeframe. The Processor will provide this assistance at no additional cost unless the volume of requests is disproportionate.

The Processor shall, on reasonable notice (not less than 14 days), provide the Controller with information and access reasonably necessary to demonstrate compliance with this Agreement. The Controller may carry out audits no more than once per calendar year unless there are reasonable grounds to suspect non-compliance.

This Agreement shall remain in force for the duration of the Controller's use of Mathsense. Either party may terminate this Agreement on written notice if the other party materially breaches its obligations and fails to remedy that breach within 30 days of written notice.

On termination, the Processor shall, at the Controller's written election, either securely delete or return all Personal Data within 30 days.

This Agreement is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

Signed on behalf of the Controller:

Signed on behalf of the Processor (Mathsense):

To request a signed copy of this agreement, please contact privacy@mathsense.net.

The following sub-processors are authorised as of the date of this Agreement: