Data Processing Agreement

Last updated: 15 March 2026

This Data Processing Agreement ('DPA') forms part of the agreement between Chapter Technologies Ltd ('Processor') and the subscribing school or academy trust ('Controller'). It governs the processing of personal data by Chapter Technologies Ltd on behalf of the Controller in connection with the Chapter Schools platform, in accordance with UK GDPR and the Data Protection Act 2018.

1. Definitions

  • 'Controller': The school or academy trust that subscribes to Chapter Schools and determines the purposes and means of processing Student Data.
  • 'Processor': Chapter Technologies Ltd, which processes personal data on behalf of the Controller.
  • 'Personal Data': Any information relating to an identified or identifiable natural person as defined in UK GDPR Article 4.
  • 'Student Data': Personal data relating to students uploaded to or generated within the Platform by the Controller.
  • 'Sub-processor': Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • 'Platform': The Chapter Schools web application and associated services.

2. Scope and nature of processing

2.1 Subject matter

The Processor shall process Personal Data as necessary to provide the Chapter Schools platform, including:

  • Storing and displaying student records, career activity, and guidance notes
  • Tracking Gatsby Benchmark evidence on behalf of the school
  • Generating AI-assisted content (lesson plans, worksheets, summaries) using contextual data
  • Sending communications to parents and staff on the Controller's instruction
  • UCAS application tracking for sixth form students (where enabled)
  • Providing reporting and analytics to authorised school staff

2.2 Categories of data subjects

  • Students (including those under 18)
  • School staff (careers leads, teachers, administrators)
  • Parents and guardians

2.3 Categories of personal data

  • Identifiers: names, email addresses, year group, date of birth
  • Career exploration data: interests, goals, activities completed, employer encounters
  • Educational records: guidance session notes, lesson participation, UCAS application data
  • Communication data: email engagement, parent digest interactions
  • Special category data: the Processor does not intentionally process special category data (as defined in UK GDPR Article 9). Controllers should not upload special category data to the Platform.

2.4 Duration

Processing continues for the duration of the subscription and for up to 90 days following termination, during which the Controller may export their data.

3. Controller obligations

The Controller warrants that:

  • It has the appropriate lawful basis under UK GDPR to share Personal Data with the Processor
  • It has provided appropriate privacy notices to data subjects (students, parents, staff)
  • It will only upload data that is necessary and proportionate for the purposes of the Platform
  • It will promptly notify the Processor of any changes to applicable data protection requirements that may affect processing
  • It is responsible for ensuring safeguarding policies are in place regarding the Platform's use with students

4. Processor obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (these Terms and this DPA constitute such instructions)
  • Ensure that persons authorised to process Personal Data are committed to confidentiality
  • Implement appropriate technical and organisational security measures (see Section 6)
  • Not engage Sub-processors without prior written consent (general consent is given for the Sub-processors listed in Section 5)
  • Assist the Controller in responding to data subject rights requests within the statutory timeframe
  • Notify the Controller of any Personal Data breach within 72 hours of becoming aware of it
  • Delete or return all Personal Data upon termination of the subscription, at the Controller's choice
  • Provide all information necessary to demonstrate compliance with this DPA and allow for audits (with reasonable notice)

5. Sub-processors

The Controller provides general written authorisation for the Processor to use the following Sub-processors:

  • Supabase Inc. — Database hosting and authentication. Data stored in EU (Ireland). supabase.com/privacy
  • Cloudflare Inc. — Application hosting and CDN. EU region deployment. cloudflare.com/privacy
  • Anthropic PBC — AI processing (no persistent student personal data stored). anthropic.com/privacy
  • Resend Inc. — Transactional email delivery. resend.com/legal/privacy-policy

The Processor will notify the Controller of any intended changes to Sub-processors (additions or replacements) with at least 30 days' notice, giving the Controller the opportunity to object.

The Processor shall impose data protection obligations on each Sub-processor equivalent to those in this DPA.

6. Security measures

The Processor implements the following technical and organisational measures:

Technical measures

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Row-level security (RLS) policies ensuring users can only access their school's data
  • Role-based access control with least-privilege principles
  • Short-lived JWT authentication tokens (1-hour access tokens)
  • HMAC signature verification for webhook integrations
  • Regular dependency security audits

Organisational measures

  • Access to production data limited to authorised Chapter Technologies Ltd staff
  • Staff with data access are subject to confidentiality obligations
  • Incident response procedures for Personal Data breaches
  • Regular review of security practices

7. International transfers

Personal Data is primarily processed within the UK and EU (Supabase EU region, Vercel EU region). Where data is transferred to processors outside the UK/EEA (including Anthropic in the United States), the Processor ensures appropriate safeguards are in place via UK International Data Transfer Agreements (IDTAs) or equivalent mechanisms.

The Processor does not transfer Student Data to Anthropic in identifiable form. Only anonymised or aggregated context is used in AI API calls.

8. Data subject rights assistance

The Processor shall provide the Controller with reasonable assistance in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, objection). Where a data subject contacts the Processor directly, the Processor will redirect them to the Controller within 5 business days.

9. Data breach notification

In the event of a Personal Data breach involving Controller data, the Processor will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide details of the nature of the breach, categories and approximate number of data subjects affected, and the data records concerned
  • Describe the likely consequences and measures taken or proposed to address the breach

10. Termination and data deletion

Upon termination of the subscription, the Controller may export all data via the Platform's export tools within 30 days of termination. Following this period, all Personal Data will be securely deleted from the Processor's systems and those of its Sub-processors within 60 days, except where the Processor is required to retain data by law (e.g., financial records).

Upon request, the Processor will provide written confirmation of deletion.

11. Governing law

This DPA is governed by the laws of England and Wales and shall be interpreted in accordance with UK GDPR and the Data Protection Act 2018.

12. Contact and signed copies

Schools wishing to receive a countersigned copy of this DPA for their records should contact us at:
Email: hello@chapterschools.com
Subject line: DPA Request — [School Name]

By subscribing to the Chapter Schools platform, the Controller accepts and agrees to the terms of this DPA as incorporated into the Terms of Service.