Data Processing Agreement

1. Parties

This Data Processing Agreement ('Agreement') is entered into between:

Together referred to as 'the Parties'. This Agreement forms part of, and supplements, the Terms and Conditions agreed between the Parties upon the School's subscription to AttendTrack. In the event of conflict between this Agreement and the Terms and Conditions, this Agreement shall take precedence with respect to data protection matters.

2. Definitions

In this Agreement, the following terms have the meanings given in UK GDPR and the Data Protection Act 2018 unless otherwise specified:

• 'Personal Data' — any information relating to an identified or identifiable natural person
• 'Processing' — any operation performed on Personal Data
• 'Data Controller' — the entity that determines the purposes and means of Processing
• 'Data Processor' — the entity that Processes Personal Data on behalf of the Controller
• 'Data Subject' — the individual to whom Personal Data relates
• 'Sub-processor' — any third party engaged by AttendTrack to Process Personal Data
• 'UK GDPR' — the UK General Data Protection Regulation as retained in UK law

3. Subject Matter and Nature of Processing

4. Obligations of AttendTrack (Data Processor)

AttendTrack shall:

• Process Personal Data only on documented instructions from the School, unless required to do so by applicable law
• Ensure that all persons authorised to process Personal Data are subject to appropriate confidentiality obligations
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
• Not engage any Sub-processor without the School's prior written consent, or as specified in Schedule 1 of this Agreement
• Assist the School in fulfilling its obligations to respond to Data Subject rights requests
• Notify the School without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach
• Delete or return all Personal Data to the School upon termination of the Agreement, as instructed by the School
• Make available to the School all information necessary to demonstrate compliance with this Agreement
• Not transfer Personal Data outside the UK without appropriate safeguards in place

5. Obligations of the School (Data Controller)

The School shall:

• Ensure there is a valid lawful basis for processing Personal Data through AttendTrack
• Provide AttendTrack with clear and lawful instructions for processing
• Ensure that Data Subjects (or their parents/guardians where the Data Subject is a minor) have been informed of the processing through the School's own Privacy Notice
• Not instruct AttendTrack to process Personal Data in a manner that would violate applicable law
• Notify AttendTrack promptly of any Data Subject rights requests received that relate to data processed through AttendTrack

6. Sub-processors

The School hereby grants general consent to AttendTrack to engage the Sub-processors listed in Schedule 1 of this Agreement. AttendTrack shall:

• Inform the School of any intended changes to Sub-processors, providing the School with an opportunity to object
• Impose equivalent data protection obligations on all Sub-processors by way of written contract
• Remain fully liable to the School for the acts and omissions of any Sub-processor

7. International Data Transfers

Personal Data processed through AttendTrack may be transferred to and stored in the United States of America via the following Sub-processors:

• Abacus.AI — platform hosting and AI processing infrastructure (US-based servers)
• Twilio — voicemail reception, audio storage, and transcription processing (US-based servers)

AttendTrack relies on the following safeguards for all international transfers:

• Standard Contractual Clauses (SCCs) approved by the UK ICO
• UK International Data Transfer Agreement (IDTA) where applicable

By signing this Agreement, the School acknowledges and approves these international transfers subject to the safeguards described above.

8. Security

AttendTrack implements the following technical and organisational security measures:

• HTTPS/TLS encryption for all data in transit
• Access control and role-based permissions
• Secure credential management
• Infrastructure security as maintained by Abacus.AI, including physical and logical security controls
• Incident response procedures as set out in AttendTrack's Incident Response and Notification Policy

9. Data Breach Notification

In the event of a personal data breach affecting data processed under this Agreement, AttendTrack shall notify the School without undue delay and in any event within 72 hours of becoming aware. Notification shall include the information specified in AttendTrack's Incident Response and Notification Policy.

The School acknowledges that it, as Data Controller, is responsible for assessing whether the breach must be reported to the ICO and/or affected Data Subjects.

10. Data Subject Rights

AttendTrack shall assist the School in responding to Data Subject rights requests by:

• Providing access to Personal Data held in the platform upon request
• Enabling correction or deletion of data as instructed by the School
• Providing data exports in a machine-readable format where technically feasible

The School is responsible for responding to Data Subjects directly and within statutory timeframes (one calendar month under UK GDPR).

11. Audit Rights

The School may request, no more than once per calendar year, evidence of AttendTrack's compliance with this Agreement. AttendTrack shall provide written information sufficient to demonstrate compliance, including details of technical and organisational measures in place.

12. Term and Termination

This Agreement shall remain in force for the duration of the School's subscription to AttendTrack.

Upon expiry or termination of the subscription:

• AttendTrack shall cease all processing of the School's Personal Data
• At the School's election, AttendTrack shall either delete or return all Personal Data within 30 days
• Confirmation of deletion or return shall be provided to the School in writing
• AttendTrack may retain data only where required to do so by applicable law

13. Liability

Each Party's liability to the other under this Agreement is subject to the limitations and exclusions set out in the AttendTrack Terms and Conditions, to the extent permitted by applicable law.

Nothing in this Agreement limits either Party's liability for breach of UK GDPR obligations that cannot lawfully be limited.

14. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising shall be subject to the exclusive jurisdiction of the courts of England and Wales.

15. Signatures

By signing below (or by accepting the AttendTrack Terms and Conditions online), the Parties agree to be bound by this Data Processing Agreement.

Schedule 1 — Approved Sub-processors

The following Sub-processors are approved by the School under Clause 6 of this Agreement:

AttendTrack will notify the School of any proposed changes to this list of Sub-processors and allow a reasonable period to object before the change takes effect.

Contact