Data Processing Agreement

1. Scope and Application

(a) Data Subject to This DPA

This DPA governs the processing of personal data related to:

• Customer account information (staff names, work email addresses)
• Account credentials (hashed passwords)
• Platform usage data and analytics
• Tool usage tracking for service improvement
• Export transaction records (date/time only)

(b) No Learner Data Processing

Critical Limitation: ALN Made Simple is designed as a professional planning tool and explicitly prohibits users from entering personally identifiable learner information. The platform does not process, store, or have access to:

• Learner names, dates of birth, or unique identifiers
• School names or educational institution identifiers
• Assessment results linked to identifiable individuals
• Any other sensitive educational data concerning specific learners

User-Generated Content Processing: When users utilise AI-powered tools, their planning inputs transit through ALN Made Simple's API infrastructure and are forwarded to OpenAI (Sub-processor) for AI content generation via secure API. AI-generated outputs are returned to the user's browser and stored exclusively in browser localStorage. ALN Made Simple does not persist user-generated prompts or AI outputs in its database after API response delivery. OpenAI may retain API requests for up to 30 days for abuse and safety monitoring in accordance with OpenAI's Data Processing Addendum, after which data is deleted. The Customer is solely responsible for ensuring that all inputs are fully anonymised, comply with the prohibition on entering personally identifiable learner data, and meet any learner data protection obligations under applicable law.

2. Definitions

In this DPA, the following terms have the meanings set out below:

• Data Protection Legislation: UK GDPR, Data Protection Act 2018, and any applicable laws relating to the processing of personal data and privacy, as amended from time to time.
• Controller, Processor, Data Subject, Personal Data, Processing: have the meanings given in UK GDPR.
• Sub-processor: any third party engaged by the Processor to process personal data on behalf of the Controller.
• Personal Data Breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
• Customer Personal Data: personal data described in Section 1(a) that the Processor processes on behalf of the Controller.

3. Processor Obligations (UK GDPR Article 28)

(a) Processing Instructions

The Processor shall process Customer Personal Data only on documented instructions from the Controller, which are set out in this DPA and the Terms and Conditions. The Processor shall:

• Process Customer Personal Data solely to provide the ALN Made Simple platform services
• Not process Customer Personal Data for any other purpose without the Controller's prior written consent
• Immediately inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Legislation

(b) Lawful Basis and Compliance

The Controller warrants that it has a lawful basis under Data Protection Legislation for providing Customer Personal Data to the Processor and for the Processor's processing activities described in this DPA. The Processor shall comply with all applicable Data Protection Legislation in processing Customer Personal Data.

(c) Confidentiality of Personnel

The Processor shall ensure that all personnel authorised to process Customer Personal Data are subject to obligations of confidentiality, whether by contract or statutory duty, and receive appropriate training on Data Protection Legislation.

(d) Security Measures

The Processor implements appropriate technical and organisational measures to protect Customer Personal Data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Password hashing using industry-standard bcrypt algorithm
• Secure authentication via NextAuth.js with session management
• Regular security monitoring, vulnerability scanning, and patching
• Access controls limiting personnel access to Customer Personal Data on a need-to-know basis
• Regular backups with encryption and disaster recovery procedures
• Annual penetration testing and security audits

(e) Sub-processor Engagement

The Controller provides general authorisation for the Processor to engage Sub-processors listed in Section 5. The Processor shall:

• Impose the same data protection obligations on Sub-processors as set out in this DPA
• Remain fully liable to the Controller for Sub-processor performance
• Provide at least 30 days' notice of any intended changes to Sub-processors (addition or replacement) by updating this page and notifying Customers via email
• Allow the Controller to object to new Sub-processors within 14 days of notification

(f) Assistance with Data Subject Rights

The Processor shall, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to data subject rights requests under UK GDPR Chapter III, including access, rectification, erasure, data portability, restriction, and objection rights. The Processor shall respond to Controller requests for assistance within 14 days.

(g) Assistance with DPIAs and Prior Consultation

The Processor shall assist the Controller in ensuring compliance with UK GDPR obligations concerning Data Protection Impact Assessments (Article 35) and prior consultation with supervisory authorities (Article 36), taking into account the nature of processing and information available to the Processor. The Processor shall provide necessary technical and organisational information within 30 days of Controller request.

(h) Deletion or Return of Personal Data

Upon termination of the Terms and Conditions, the Processor shall, at the Controller's choice, delete or return all Customer Personal Data to the Controller within 30 days, and delete existing copies unless Data Protection Legislation or other applicable law requires storage. The Processor shall certify completion of deletion or return in writing upon Controller request.

Note: User-generated content stored in browser localStorage is not subject to this obligation, as it remains under the Controller's exclusive control and is never transmitted to the Processor's servers.

(i) Audit and Inspection Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with UK GDPR Article 28 and this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to:

• Reasonable advance written notice (at least 30 days, except in the case of a suspected Personal Data Breach)
• Audit frequency limited to once per calendar year unless required by a supervisory authority
• Execution of a mutual non-disclosure agreement by the Controller or auditor
• Audits conducted during normal business hours and in a manner that minimises disruption to the Processor's operations
• Controller bears all reasonable costs incurred by the Processor in facilitating audits beyond one per year

4. Data Processing Details

(a) Nature and Purpose of Processing

• To provide access to AI-powered educational planning tools
• To manage user accounts and subscriptions
• To process payments securely via third-party Sub-processors
• To improve platform functionality and user experience through analytics
• To provide customer support and respond to user inquiries

(b) Categories of Personal Data

• Contact details: staff names, work email addresses
• Account credentials: hashed passwords (bcrypt)
• Payment information: processed by Stripe Sub-processor, not stored by Processor
• Usage analytics: pages visited, tools accessed, feature usage, timestamps
• Export records: date, time, and type of Google Drive exports (no content stored)

(c) Categories of Data Subjects

• Educational professionals (ALN Coordinators, teachers, teaching assistants)
• School administrators and authorised staff

(d) Duration of Processing

Customer Personal Data is retained while the account remains active. Upon account deletion or termination, personal data is securely deleted within 30 days, except where retention is required by law (e.g., payment records for accounting and tax purposes under UK law, retained for 7 years from end of relevant financial year).

(e) Data Storage Location and Transfers

Customer Personal Data is stored using UK or EEA-based infrastructure where possible. Where transfers outside the UK or EEA occur (as detailed in Section 5), appropriate safeguards are implemented in accordance with UK GDPR Chapter V, including UK Addendum to EU Standard Contractual Clauses.

5. Sub-processors and Third-Party Services

(a) Authorised Sub-processors

The Controller authorises the Processor to engage the following Sub-processors to process Customer Personal Data:

(b) Independent Third-Party Controllers

The following services are not Sub-processors engaged by ALN Made Simple. These are independent controllers that process personal data directly with users under their own terms:

Sub-processor Change Notification: The Processor will notify the Controller of any intended changes to Sub-processors (addition or replacement) by updating this page and sending email notification to the Controller's account email address at least 30 days in advance. The Controller may object to new Sub-processors by contacting info@alnmadesimple.co.uk within 14 days of notification.

6. Personal Data Breach Notification

In accordance with UK GDPR Article 28(3)(f), the Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The Processor commits to:

• Notify the Controller without undue delay upon becoming aware of the breach, and where feasible, within 72 hours of awareness
• Provide the following information in the notification (to the extent available):
• Nature of the breach, including categories and approximate number of data subjects and personal data records affected
• Name and contact details of the Processor's data protection contact point
• Likely consequences of the Personal Data Breach
• Measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
• Provide reasonable assistance to the Controller in notifying the Information Commissioner's Office (ICO) and affected data subjects, where required under UK GDPR
• Cooperate with the Controller in investigating and remedying the breach
• Document the breach, including facts, effects, and remedial actions taken, in accordance with UK GDPR Article 33(5)

7. International Data Transfers

Where Customer Personal Data is transferred outside the UK or EEA to Sub-processors (as detailed in Section 5), the Processor ensures that appropriate safeguards are in place in accordance with UK GDPR Chapter V, including:

• UK Addendum to EU Standard Contractual Clauses (UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses)
• Adequacy decisions issued by the UK Government under UK GDPR Article 45
• Binding Corporate Rules or approved certification mechanisms where applicable

The Processor shall not transfer Customer Personal Data outside the UK or EEA unless such safeguards are in place and compliant with Data Protection Legislation.

8. Controller Responsibilities

The Controller acknowledges and agrees to:

• Lawful Processing: Have a lawful basis under Data Protection Legislation for providing Customer Personal Data to the Processor and for the processing activities described in this DPA
• No Learner Data: Ensure that no personally identifiable learner information is entered into ALN Made Simple tools, in accordance with the platform's terms of use
• Data Accuracy: Ensure that Customer Personal Data provided to the Processor is accurate and up to date
• Third-Party Exports: Understand that content exported to third-party services (e.g., Google Drive) is subject to those services' privacy policies, and ensure compliance with organisational data protection policies before exporting
• Staff Instructions: Provide appropriate instructions and training to staff using ALN Made Simple to ensure compliance with this DPA and Data Protection Legislation
• Indemnification: Indemnify and hold harmless the Processor against claims, liabilities, costs, and expenses arising from the Controller's breach of this DPA, including unauthorised entry of personally identifiable learner data

9. Liability

Each party's liability under this DPA shall be subject to the limitation of liability provisions set out in the Terms and Conditions. Nothing in this DPA shall limit or exclude either party's liability for:

• Death or personal injury caused by negligence
• Fraud or fraudulent misrepresentation
• Any liability that cannot be limited or excluded under applicable law

The Processor shall be liable to the Controller for any breach of this DPA. Where the Processor engages a Sub-processor, the Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

10. Term and Termination

This DPA shall commence on the effective date and remain in force for the duration of the Terms and Conditions or until all Customer Personal Data is deleted or returned, whichever is later.

Upon termination of the Terms and Conditions for any reason, the Processor shall, in accordance with Section 3(h) and at the Controller's written election, delete or return all Customer Personal Data within 30 days. The Processor shall certify in writing to the Controller that this has been completed, including confirmation that Sub-processors have also deleted or returned Customer Personal Data.

The obligations in Sections 3(c) (Confidentiality), 3(i) (Audit Rights), and Section 9 (Liability) shall survive termination of this DPA.

11. Amendments

The Processor may update this DPA from time to time to reflect changes in services, Sub-processors, or legal requirements. Material changes will be notified to the Controller via email to the account email address and by prominent notice on the platform at least 30 days before taking effect.

If the Controller objects to material changes, the Controller may terminate the Terms and Conditions by providing written notice within 30 days of the change notification. Continued use of ALN Made Simple after the 30-day notice period constitutes acceptance of the updated DPA.

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact and Data Protection Officer

For questions about this Data Processing Agreement, to exercise data subject rights, or to report a Personal Data Breach, please contact:

We aim to respond to all data protection inquiries within 5 business days and to fulfill data subject rights requests within one month in accordance with UK GDPR Article 12.