Academic Intelligence
Data Processing Agreement
Version: 1.0
Effective date: 12 May 2026
Website/service: checkitquick.academicintelligence.co.uk
Processor: Academic Intelligence Ltd
Registered office: 60 Viceroy Court, 36 Dingwall Road, Croydon, England, CR0 2NG
Company number: 17204358 (Companies House)
Processor contact: [email protected]
Controller: The school, academy trust, college or other educational organisation using the Service
Controller contact: The authorised administrator or representative of the Controller
1. Background
1.1 This Data Processing Agreement, referred to as the Agreement, forms part of the agreement between the Controller and the Processor for the use of the website and related services available at checkitquick.academicintelligence.co.uk, referred to as the Service.
1.2 The Controller uses iSAMS as a school management information system and MySchoolPortal for single sign-on and/or parent access. The Service enables authorised users to view, check, validate, submit and/or update certain parent and pupil information held by the Controller, and to write approved changes back to the Controller’s iSAMS database.
1.3 The Controller determines the purposes and means of the processing of personal data. The Processor processes personal data only on behalf of, and under the documented instructions of, the Controller.
1.4 The parties intend this Agreement to satisfy the requirements of Article 28 of the UK GDPR and applicable UK data protection law.
2. Definitions
In this Agreement:
- Applicable Data Protection Law means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 where applicable, and any other applicable UK data protection or privacy law.
- Controller means the school, academy trust, college or other educational organisation that determines the purposes and means of processing personal data through the Service.
- Processor means Academic Intelligence Ltd, which processes personal data on behalf of the Controller through the Service.
- Data Subject means an identified or identifiable natural person whose personal data is processed through the Service, including pupils, parents, guardians, carers, school staff and authorised users.
- Personal Data has the meaning given in Applicable Data Protection Law.
- Processing has the meaning given in Applicable Data Protection Law and includes accessing, viewing, transmitting, validating, updating, storing, deleting and otherwise using personal data.
- Restricted Transfer means a transfer of personal data outside the United Kingdom that is restricted under Applicable Data Protection Law.
- Service means the website, software, APIs, integrations, administration portal and associated services provided through checkitquick.academicintelligence.co.uk.
- Subprocessor means any third party appointed by the Processor to process personal data on behalf of the Controller in connection with the Service.
- UK GDPR means Regulation (EU) 2016/679 as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.
3. Roles of the Parties
3.1 The parties agree that, for the personal data processed through the Service:
- a. the Controller is the data controller; and
- b. the Processor is the data processor.
3.2 The Processor shall not determine the purposes for which parent, pupil or school personal data is processed through the Service.
3.3 The Processor shall not sell personal data, use it for unrelated marketing, create cross-school profiles, train artificial intelligence models using Controller personal data, or use the personal data for any purpose other than providing, securing, supporting, maintaining and improving the Service in accordance with this Agreement and the Controller’s documented instructions.
3.4 The Processor may process limited account, billing, security, support and business contact information as an independent controller where necessary for its own legitimate business administration, legal compliance, accounting, security and customer relationship purposes. Such processing is outside the scope of this Agreement and shall be described in the Processor’s privacy notice.
4. Subject Matter, Duration, Nature and Purpose of Processing
4.1 The subject matter, duration, nature and purpose of the processing are set out in Schedule 1.
4.2 The categories of data subjects and types of personal data are set out in Schedule 1.
4.3 The technical and organisational security measures are set out in Schedule 2.
4.4 The authorised subprocessors are set out in Schedule 3.
5. Controller Instructions
5.1 The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by UK law. The Controller’s documented instructions include:
- a. this Agreement;
- b. the main service agreement, order form or online terms agreed between the parties;
- c. configuration choices made by the Controller’s authorised administrators;
- d. API permissions, iSAMS access permissions and MySchoolPortal SSO settings made available by the Controller; and
- e. written instructions provided by the Controller to the Processor.
5.2 If the Processor is required by law to process personal data otherwise than in accordance with the Controller’s instructions, the Processor shall inform the Controller before processing, unless the law prohibits such notice.
5.3 The Processor shall promptly inform the Controller if, in the Processor’s reasonable opinion, an instruction infringes Applicable Data Protection Law.
5.4 The Controller is responsible for ensuring that:
- a. it has a lawful basis for the processing;
- b. it has provided any necessary privacy information to data subjects;
- c. its use of the Service is lawful and proportionate;
- d. the personal data made available through iSAMS, MySchoolPortal or any other system is accurate and lawfully held;
- e. the authorised administrator has authority to configure the Service and enter API credentials; and
- f. the permissions granted to the Service are appropriate and not excessive.
6. Confidentiality
6.1 The Processor shall ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
6.2 The Processor shall restrict access to personal data to personnel, contractors and subprocessors who need access to provide, secure, support or maintain the Service.
6.3 The Processor shall ensure that personnel with access to personal data receive appropriate instructions regarding confidentiality, security and data protection.
7. Security Measures
7.1 The Processor shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
7.2 The measures shall take account of the nature of the personal data, the risks to data subjects, the state of the art, implementation costs, and the nature, scope, context and purpose of processing.
7.3 The Processor’s current technical and organisational measures include the measures listed in Schedule 2.
7.4 The Processor shall pay particular attention to the protection of API keys, API secrets, authentication tokens, SSO configuration values and other credentials used to connect the Service to iSAMS, MySchoolPortal or related systems.
7.5 The Processor shall not display full API secrets to school administrators after initial entry, except where technically necessary and expressly authorised.
7.6 The Processor shall use encryption in transit for connections to the Service using HTTPS/TLS.
7.7 The Processor shall use appropriate encryption, secret management or equivalent protection for stored API keys and secrets.
7.8 The Controller acknowledges that the security of the Service also depends on the Controller:
- a. issuing API credentials only to authorised users and systems;
- b. using appropriate iSAMS and MySchoolPortal permissions;
- c. disabling access when no longer required;
- d. maintaining secure administrator accounts;
- e. enabling multi-factor authentication where available; and
- f. promptly notifying the Processor of suspected compromise.
8. API Keys, Secrets and Credentials
8.1 The Controller may provide or cause an authorised administrator to input API keys, API secrets, SSO metadata, client identifiers, client secrets or other credentials required for the Service to operate.
8.2 The Processor shall use such credentials only to provide, secure, test, troubleshoot and maintain the Service for the Controller.
8.3 The Processor shall not use the Controller’s credentials to access, view, modify, extract or process personal data except where necessary to provide the Service or where instructed by the Controller.
8.4 The Controller remains responsible for the creation, permissioning, rotation, revocation and governance of credentials issued from iSAMS, MySchoolPortal or other third-party systems, except where the Processor has expressly agreed otherwise in writing.
8.5 On termination or written request, the Processor shall delete or disable stored credentials relating to the Controller, unless retention is required by law or for legitimate security, dispute or audit purposes.
9. No Persistent Storage of Parent and Pupil Records
9.1 The Service is designed so that parent and pupil information obtained from the Controller’s iSAMS database, MySchoolPortal SSO process or related school systems is not retained as a permanent copy by the Processor after the processing session, except as expressly described in this Agreement.
9.2 The Processor may temporarily process parent and pupil personal data in memory, application workflows, secure transmission, temporary queues, error handling processes, logs or audit records where necessary for the Service to function.
9.3 The Processor may retain limited records necessary for security, debugging, fraud prevention, support, audit, transaction integrity and evidence of changes submitted through the Service.
9.4 Such retained records should, where reasonably practicable, avoid storing full parent or pupil records and should be limited to the minimum information necessary for the relevant purpose.
9.5 Where operational logs contain personal data, the Processor shall protect them using appropriate access controls and retention limits.
10. Subprocessors
10.1 The Controller gives the Processor general authorisation to appoint subprocessors for the purposes of providing, hosting, securing, monitoring, supporting and maintaining the Service.
10.2 The Processor shall maintain a list of subprocessors in Schedule 3 or in an online subprocessor list made available to the Controller (Subprocessor list).
10.3 The Processor shall ensure that each subprocessor is bound by a written contract imposing data protection obligations that provide an equivalent level of protection to those required by this Agreement.
10.4 The Processor shall remain responsible to the Controller for the performance of its subprocessors’ data protection obligations.
10.5 The Processor shall notify the Controller of any intended material change to subprocessors. Notice may be given by email, dashboard notice, website notice, contractual notice or other reasonable method.
10.6 The Controller may object to a new subprocessor on reasonable data protection grounds within 14 days of receiving notice.
10.7 If the Controller objects, the parties shall discuss the objection in good faith. If no reasonable solution is available, the Controller may terminate the affected Service.
11. International Transfers
11.1 The Processor shall not make a Restricted Transfer unless it complies with Applicable Data Protection Law.
11.2 As at the effective date of this Agreement, the Processor hosts the Service application on OVHcloud VPS infrastructure (OpenStack region os-uk2, London, United Kingdom). The Processor uses Neon for the PostgreSQL database; Neon provisions compute for our database in AWS Europe West 2 (London), United Kingdom.
11.3 The Processor shall use reasonable efforts to ensure that parent and pupil personal data processed through the core Service is hosted in the United Kingdom unless otherwise agreed with the Controller.
11.4 The Controller acknowledges that some subprocessors, support services, diagnostics, security tools, email providers or cloud infrastructure providers may involve access from, or transfer to, countries outside the United Kingdom.
11.5 Where the Processor makes a Restricted Transfer, the Processor shall ensure that an appropriate transfer mechanism is in place, such as:
- a. UK adequacy regulations;
- b. the UK International Data Transfer Agreement;
- c. the UK Addendum to the EU Standard Contractual Clauses; or
- d. another lawful transfer mechanism under Applicable Data Protection Law.
11.6 The Processor shall provide reasonable information to the Controller about Restricted Transfers on request.
12. Assistance with Data Subject Rights
12.1 Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller in responding to requests from data subjects exercising their rights under Applicable Data Protection Law.
12.2 Such rights may include rights of access, rectification, erasure, restriction, objection, portability, and rights relating to automated decision-making, where applicable.
12.3 If the Processor receives a request directly from a data subject relating to Controller personal data, the Processor shall not respond substantively unless authorised by the Controller or required by law.
12.4 The Processor shall, where reasonably possible, forward the request to the Controller or direct the data subject to contact the Controller.
12.5 The Controller is responsible for determining whether and how to respond to any data subject request.
13. Assistance with Security, DPIAs and Prior Consultation
13.1 Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller with:
- a. security obligations under Applicable Data Protection Law;
- b. personal data breach notifications;
- c. data protection impact assessments; and
- d. prior consultation with the Information Commissioner’s Office where required.
13.2 The Processor may provide such assistance through documentation, security summaries, data flow information, support responses, technical explanations, audit information or other reasonable means.
13.3 The Processor may charge reasonable fees for assistance that goes beyond ordinary support, unless the assistance is required because of the Processor’s breach of this Agreement.
14. Personal Data Breach
14.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller personal data.
14.2 The notification shall include, where reasonably available:
- a. a description of the nature of the breach;
- b. the categories and approximate number of affected data subjects;
- c. the categories and approximate number of affected records;
- d. likely consequences of the breach;
- e. measures taken or proposed to address the breach; and
- f. contact details for further information.
14.3 The Processor may provide the information in phases where not all information is available at the same time.
14.4 The Processor shall take reasonable steps to contain, investigate and mitigate the breach.
14.5 The Controller is responsible for deciding whether to notify the Information Commissioner’s Office, data subjects, parents, pupils, staff, regulators or other parties, unless Applicable Data Protection Law requires the Processor to notify directly.
14.6 The Processor shall not make public statements identifying the Controller in connection with a personal data breach without the Controller’s prior written agreement, unless required by law.
15. Deletion or Return of Personal Data
15.1 On termination of the Service, expiry of the agreement, or written request from the Controller, the Processor shall delete or return Controller personal data, at the Controller’s choice, unless UK law requires continued storage.
15.2 Because the Service is designed not to retain a permanent copy of parent and pupil records, deletion will usually involve deletion or disabling of:
- a. school account configuration;
- b. stored API keys and secrets;
- c. SSO configuration;
- d. school-specific settings;
- e. cached or temporary data, where present;
- f. support records, where deletion is lawful and technically feasible; and
- g. logs or audit records, subject to retention requirements.
15.3 The Processor may retain limited records where necessary for:
- a. legal compliance;
- b. financial records;
- c. dispute resolution;
- d. security monitoring;
- e. fraud prevention;
- f. audit trails;
- g. backup integrity; or
- h. establishment, exercise or defence of legal claims.
15.4 Any retained personal data shall remain subject to this Agreement and shall be securely deleted when no longer required.
15.5 Backup copies shall be deleted in accordance with the Processor’s normal backup retention cycle, provided that such copies are protected from ordinary access and are not restored except where necessary for legitimate business continuity, security or legal purposes.
16. Audit and Compliance Information
16.1 The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this Agreement.
16.2 The Processor may satisfy this obligation by providing:
- a. this Agreement;
- b. security documentation;
- c. subprocessor information;
- d. data flow summaries;
- e. hosting information;
- f. responses to reasonable security questionnaires;
- g. relevant certifications, if available; or
- h. written explanations of controls.
16.3 The Controller may request an audit where reasonably necessary to verify compliance with this Agreement.
16.4 Audits shall be:
- a. subject to reasonable prior written notice;
- b. conducted during normal business hours;
- c. limited to systems, records and personnel relevant to Controller personal data;
- d. conducted in a way that does not compromise the security, confidentiality or availability of the Service or other customers’ data; and
- e. subject to appropriate confidentiality obligations.
16.5 The Processor may refuse or limit access to information that would compromise security, confidentiality, trade secrets, other customers’ data or legal privilege.
16.6 The Controller shall bear its own audit costs and shall reimburse the Processor for reasonable costs incurred in supporting audits, unless the audit reveals a material breach by the Processor.
17. Accuracy and Data Quality
17.1 The Controller is responsible for the accuracy, quality and lawfulness of personal data held in iSAMS, MySchoolPortal and other Controller systems.
17.2 The Processor is not responsible for inaccurate source data provided by the Controller or third-party systems.
17.3 Where the Service enables parents, guardians, carers or authorised users to submit corrections or updates, the Controller remains responsible for deciding whether to accept, reject, verify or rely on those updates.
18. Children’s Data and School Context
18.1 The parties acknowledge that the Service may process personal data relating to children and young people.
18.2 The Processor shall process such data only for the purposes of providing the Service to the Controller.
18.3 The Processor shall not use pupil personal data for advertising, behavioural profiling, unrelated analytics, sale, data broking or unrelated product development.
18.4 The Controller is responsible for ensuring that its use of the Service is compatible with its responsibilities to pupils, parents, guardians, carers, staff and other data subjects.
19. Support Access
19.1 The Processor’s personnel may access Controller personal data only where necessary to:
- a. provide technical support;
- b. investigate faults;
- c. maintain security;
- d. prevent misuse;
- e. verify system behaviour;
- f. comply with law; or
- g. act on the Controller’s documented instructions.
19.2 Support access shall be restricted to authorised personnel and shall be subject to confidentiality obligations.
19.3 Where reasonably practicable, the Processor shall use test, anonymised, pseudonymised or minimal data for troubleshooting.
20. Logging and Audit Trails
20.1 The Processor may generate logs and audit trails relating to use of the Service.
20.2 Logs may include:
- a. timestamps;
- b. school identifiers;
- c. administrator identifiers;
- d. parent or user identifiers;
- e. IP addresses;
- f. browser or device information;
- g. API request metadata;
- h. change-submission metadata;
- i. success and error responses; and
- j. security events.
20.3 Logs should not intentionally store full copies of parent or pupil records unless necessary for the Service, troubleshooting, security or audit purposes.
20.4 The Processor shall apply reasonable retention periods to logs and restrict access to authorised personnel.
21. Service Changes
21.1 The Processor may update the Service from time to time.
21.2 The Processor shall not materially reduce the level of protection for Controller personal data without notifying the Controller.
21.3 Where a Service change materially affects the nature, scope or risk of processing, the Processor shall provide reasonable information to assist the Controller in assessing the change.
22. Records of Processing
22.1 The Processor shall maintain records of processing activities where required by Applicable Data Protection Law.
22.2 The Controller shall maintain its own records of processing activities where required by Applicable Data Protection Law.
23. Liability
23.1 Each party shall be liable for its own breaches of this Agreement and Applicable Data Protection Law.
23.2 Nothing in this Agreement excludes or limits liability where such exclusion or limitation is not permitted by law.
23.3 Subject to clause 23.2, the Processor’s liability under this Agreement shall be subject to the liability limits and exclusions in the main service agreement between the parties.
23.4 If there is no separate written service agreement, the Processor’s total aggregate liability arising out of or in connection with this Agreement shall not exceed the total fees paid by the Controller to the Processor in the 12 months before the event giving rise to liability.
23.5 The Processor shall not be liable for loss, damage or claims arising from:
- a. the Controller’s unlawful instructions;
- b. inaccurate data in the Controller’s systems;
- c. excessive permissions granted by the Controller;
- d. compromised Controller administrator accounts;
- e. third-party systems outside the Processor’s control;
- f. failure by the Controller to rotate or revoke credentials; or
- g. use of the Service contrary to documentation or instructions.
24. Order of Precedence
24.1 If there is a conflict between this Agreement and any other agreement between the parties, this Agreement shall take precedence in relation to the processing of personal data as a processor.
24.2 Commercial terms, payment terms, service descriptions and liability provisions in the main service agreement shall continue to apply unless they conflict with this Agreement.
25. Term and Termination
25.1 This Agreement starts on the effective date or the date the Controller first uses the Service, whichever is earlier.
25.2 This Agreement continues for as long as the Processor processes personal data on behalf of the Controller.
25.3 Termination of the main service agreement shall automatically terminate this Agreement, except for clauses that by their nature should continue, including confidentiality, deletion, audit, liability and retained data obligations.
26. Notices
26.1 Notices under this Agreement shall be sent by email or other agreed written method.
26.2 Notices to the Processor shall be sent to: [email protected].
26.3 Notices to the Controller shall be sent to the email address provided by the Controller’s authorised administrator or other nominated contact.
27. Governing Law and Jurisdiction
27.1 This Agreement is governed by the laws of England and Wales.
27.2 The courts of England and Wales shall have exclusive jurisdiction over disputes arising out of or in connection with this Agreement.
Schedule 1 — Processing Details
1. Subject Matter of Processing
The Processor provides a website and related software service that allows authorised school administrators, parents, guardians, carers or other authorised users to access, check, validate, submit and/or update information held by the Controller in iSAMS and/or accessed through MySchoolPortal single sign-on.
The Service may write approved changes back to the Controller’s iSAMS database.
2. Duration of Processing
The Processor shall process personal data for the duration of the Controller’s use of the Service and thereafter only as necessary for deletion, backup expiry, legal compliance, dispute resolution, security, audit or other legitimate retention purposes described in this Agreement.
3. Nature of Processing
The processing may include:
- a. receiving personal data from iSAMS, MySchoolPortal or other Controller systems;
- b. displaying relevant personal data to authorised users;
- c. validating submitted updates;
- d. transmitting changes to iSAMS;
- e. authenticating or authorising users through MySchoolPortal SSO;
- f. storing school configuration settings;
- g. storing API keys, secrets and integration credentials;
- h. logging security, diagnostic and audit events;
- i. providing technical support;
- j. maintaining and securing the Service;
- k. troubleshooting errors; and
- l. deleting or disabling data on termination.
4. Purpose of Processing
The purpose of processing is to provide the Service to the Controller, including:
- a. enabling parents, guardians or authorised users to view or check school-held information;
- b. enabling submission of corrections or updates;
- c. enabling authorised changes to be written to iSAMS;
- d. supporting MySchoolPortal single sign-on;
- e. administering school access to the Service;
- f. maintaining security and integrity;
- g. supporting the Controller; and
- h. complying with legal and contractual obligations.
5. Categories of Data Subjects
The personal data may relate to:
- a. pupils;
- b. former pupils where held in iSAMS and made available by the Controller;
- c. parents;
- d. guardians;
- e. carers;
- f. emergency contacts;
- g. school staff;
- h. school administrators;
- i. MySchoolPortal users; and
- j. other individuals whose details are held in the Controller’s school systems and made available through the Service.
6. Types of Personal Data
The personal data may include:
- a. names;
- b. addresses;
- c. telephone numbers;
- d. email addresses;
- e. parent, guardian, carer and family relationship details;
- f. pupil identifiers;
- g. school identifiers;
- h. year group, form, house or class information;
- i. contact preferences;
- j. emergency contact details;
- k. medical or welfare flags where made available by the Controller;
- l. dietary, accessibility or support information where made available by the Controller;
- m. authentication identifiers;
- n. MySchoolPortal SSO claims or identifiers;
- o. administrator account details;
- p. IP addresses;
- q. device, browser and session metadata;
- r. audit logs and change records;
- s. API keys, API secrets, tokens and configuration credentials; and
- t. any other personal data the Controller makes available through the relevant iSAMS or MySchoolPortal configuration.
7. Special Category Data
The Service is not intended to process special category data except where such data is made available by the Controller through iSAMS, MySchoolPortal or related systems.
Special category data may include health, medical, dietary, disability, safeguarding or welfare information if configured or exposed by the Controller.
The Controller is responsible for ensuring that any special category data made available to the Service is necessary, proportionate and lawful.
8. Criminal Offence Data
The Service is not intended to process criminal offence data. The Controller shall not intentionally make criminal offence data available through the Service unless agreed in writing and supported by an appropriate lawful basis and condition under Applicable Data Protection Law.
9. Data Location
The Service application is hosted on OVHcloud VPS infrastructure (OpenStack region os-uk2, London, United Kingdom). The PostgreSQL database is provided by Neon with compute in AWS Europe West 2 (London), United Kingdom, unless otherwise notified to the Controller.
Schedule 2 — Technical and Organisational Measures
The Processor shall maintain appropriate technical and organisational measures, which may include the following.
1. Hosting and Infrastructure
- a. Application hosted on OVHcloud VPS (OpenStack region os-uk2, London, United Kingdom).
- b. Database hosted with Neon (AWS Europe West 2 (London), United Kingdom).
- c. Use of reputable cloud or hosting providers.
- d. Separation of production and development environments where reasonably practicable.
- e. Regular system maintenance and security updates.
2. Encryption and Transmission Security
- a. HTTPS/TLS for browser connections to the Service.
- b. Secure API communication where supported by iSAMS, MySchoolPortal and other integrated systems.
- c. Encryption, secret management or equivalent protection for stored API keys and secrets.
- d. Protection of authentication cookies and tokens using appropriate security settings where technically possible.
3. Access Control
- a. Access limited to authorised users.
- b. School administrators manage school-level configuration.
- c. Personnel access limited to those with a business need.
- d. Use of strong passwords or federated login where available.
- e. Support for role-based or permission-based access where implemented.
- f. Removal or disabling of access when no longer required.
4. Credential Protection
- a. API keys and secrets stored securely.
- b. Credentials not intentionally exposed in logs.
- c. Full secrets not displayed after saving where technically feasible.
- d. Credentials deleted or disabled on termination or request, subject to lawful retention.
- e. Administrative access restricted to authorised personnel.
5. Logging and Monitoring
- a. Security and application logs maintained for operational purposes.
- b. Logs protected against unauthorised access.
- c. Logs retained for a limited period appropriate to security and support needs.
- d. Monitoring for errors, misuse, suspicious activity and system availability where available.
6. Data Minimisation
- a. No intended permanent copy of parent or pupil records stored by the Service.
- b. Temporary processing limited to what is necessary to provide the Service.
- c. Operational logs limited where reasonably practicable.
- d. Support access limited to what is necessary.
7. Backup and Recovery
- a. Backups maintained where appropriate for service continuity.
- b. Backups protected against unauthorised access.
- c. Backup retention limited in accordance with operational requirements.
- d. Restoration procedures used where necessary for business continuity or incident recovery.
8. Personnel Security
- a. Confidentiality obligations for personnel with access to personal data.
- b. Access limited to personnel who require it.
- c. Appropriate data protection and security instructions.
- d. Access reviewed or revoked when no longer required.
9. Incident Management
- a. Process for identifying and investigating security incidents.
- b. Process for notifying Controllers of personal data breaches.
- c. Remediation and mitigation steps taken where appropriate.
- d. Records kept of relevant incidents.
10. Tenant Separation
- a. School accounts logically separated.
- b. School configuration data restricted to the relevant school account.
- c. Reasonable steps taken to prevent one school accessing another school’s data.
11. Development Security
- a. Reasonable secure development practices.
- b. Testing of material changes before production release where practicable.
- c. Dependency and framework updates where appropriate.
- d. Avoidance of production personal data in development where reasonably practicable.
Schedule 3 — Authorised Subprocessors
The Controller authorises the Processor to use the following subprocessors. Controller-directed systems: iSAMS and MySchoolPortal are not appointed by the Processor as subprocessors in the ordinary sense; they are school-selected systems described below only for transparency because the Service connects using the Controller’s credentials.
| Subprocessor | Purpose | Location / Region | Data processed |
|---|---|---|---|
| OVHcloud | VPS hosting: application runtime, networking, backups where configured on this infrastructure | OpenStack os-uk2, London (UK) | Service data, configuration, logs, credentials, transient parent/pupil data |
| Neon | Managed PostgreSQL database | AWS Europe West 2 (London), United Kingdom | Service data, configuration, logs metadata as stored in the database |
| Brevo | Transactional email delivery (service notifications and operational messages where enabled) | Primarily EU; per Brevo’s documentation and data protection terms | Recipient addresses, message content and send metadata needed to deliver email |
| Zoho (Zoho Mail) | Business webmail for company correspondence and support | Per Zoho’s documentation; appropriate transfer mechanisms where applicable | Email message content and headers, mailbox contacts and operational correspondence that may include personal data |
| Stripe (Stripe Payments Europe, Ltd and related Stripe entities) | Subscription payment processing (where the Controller or its organisation pays via Stripe) | Per Stripe’s documentation; appropriate transfer mechanisms where applicable | Billing contact and transaction-related data |
| Google LLC (Google) | Google Sign-In authentication for school staff administrator accounts where enabled | Global Google infrastructure; contractual transfer tools per Google documentation | Google account identifier, name, email from the profile used to sign in |
| GitHub, Inc. | Source control and CI/CD (code and metadata; production pupil databases are not stored in repositories) | Primarily United States; GitHub DPA / standard contractual terms | Code, workflow metadata; not intended to contain pupil records |
| iSAMS (school’s MIS; legal entity per Controller contract) | Controller-directed MIS integration (not an ordinary Processor subprocessor) | As between the Controller and its vendor | As exposed by the Controller through iSAMS API permissions |
| MySchoolPortal (legal entity per Controller contract) | Controller-directed SSO/portal integration (not an ordinary Processor subprocessor) | As between the Controller and its vendor | Identity and SSO claims as configured by the Controller |
Further categories of providers may be described in the Subprocessor list. If a listed provider is not used for your deployment, it may not apply; material changes are notified as set out in section 10.
Schedule 4 — Controller Instructions
The Controller instructs the Processor to:
- connect to the Controller’s iSAMS database/API using credentials provided or authorised by the Controller;
- connect to MySchoolPortal SSO using configuration provided or authorised by the Controller;
- retrieve, display, validate and transmit personal data only as necessary to provide the Service;
- write approved changes back to iSAMS where configured;
- store API keys, secrets, SSO settings and configuration values required for the Service;
- maintain reasonable logs and audit records for security, support and integrity;
- provide support and troubleshooting;
- secure, maintain and improve the Service;
- delete or disable Controller configuration and credentials on termination or request, subject to lawful retention; and
- otherwise process personal data only as necessary to provide the Service or comply with lawful instructions.
Schedule 5 — Retention
| Data category | Typical retention |
|---|---|
| Parent/pupil records retrieved from iSAMS | Not intended to be permanently stored; processed transiently during use of the Service |
| Submitted changes | Retained only as necessary for transmission, confirmation, audit, support or dispute handling |
| API keys/secrets | Retained while the Controller uses the Service; deleted or disabled on termination/request unless lawful retention applies |
| School configuration | Retained while the Controller uses the Service; deleted after termination subject to backup/legal retention |
| Admin account details | Retained while account is active and for a reasonable period after termination |
| Security/application logs | Typically between 30 and 180 days unless a longer period is temporarily needed for a security investigation |
| Support records | Typically 12 to 24 months unless deletion is requested earlier and is lawful |
| Backups | Retained according to the backup rotation cycle (typically up to approximately 90 days unless operational needs require otherwise) |
| Billing/contact records | Retained as required for accounting, tax, legal and business records |
Schedule 6 — School Customer Acceptance Wording
By enabling or using checkitquick.academicintelligence.co.uk for your school, you confirm that you are authorised to act on behalf of the school, academy trust or educational organisation. You agree that the school is the Controller and Academic Intelligence Ltd is the Processor for the personal data processed through the Service. You confirm that the school instructs the Processor to process personal data in accordance with this Data Processing Agreement, the Service terms, and the configuration choices made by the school’s authorised administrators.
Last updated: 12 May 2026.