Controller and processor roles
The school or trust is normally the data controller for its pupil, staff, governance and operational data. Schoolgle Limited acts as a data processor when it processes that data to provide the platform.
The DPA is the UK GDPR Article 28 agreement that records Schoolgle's processor obligations and the school's documented instructions.
Template status: for legal/DPO review before signature
This page is a public explanation of the intended DPA structure. It is not legal advice and is not, by itself, a signed data processing agreement. Schools, trusts, local authorities and DPOs should review the current DPA template before relying on it.
What the DPA covers
Processing instructions
Schoolgle processes school data only to provide and support the service, unless otherwise agreed with the school or required by law.
Security measures
Access controls, encryption, audit logs, organisation scoping and supplier controls are documented in the DPA and security pages.
Sub-processors
The DPA links to the public sub-processor list and explains how schools are notified of material changes.
End of service
The DPA covers return, deletion or retention of data at the end of the service, subject to legal and audit requirements.
Article 28 checklist
The DPA template is intended to cover the minimum UK GDPR Article 28 processor clauses. Before signature, the school or trust should check that the final agreement includes:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Controller obligations and documented instructions
- Confidentiality duties for authorised people
- Appropriate technical and organisational security measures
- Sub-processor authorisation and flow-down terms
- Support for data subject rights, security, DPIAs and breach duties
- Deletion, return and retention at the end of service
- Audit, assurance and inspection arrangements
Draft processing schedule
Subject matter
Provision of the Schoolgle platform, including school operations, evidence workflows, compliance tracking, AI-assisted summaries and audit records.
Duration
The term of the school or trust agreement, plus any agreed deletion, return, legal hold or audit-retention period.
Nature and purpose
Hosting, indexing, extracting, summarising, connecting evidence, creating tasks, recording reviews and supporting authorised users.
Data subjects
Authorised school users, staff, governors, contractors, pupils and parents or carers where the school chooses to connect or enter that data.
Personal data types
Account details, roles, contact details, operational records, compliance records, usage logs, evidence metadata and school-controlled document content where connected.
Special category and high-risk data
Not requested by default. Safeguarding, SEND, health, HR, DBS or other sensitive information may appear only where the school controls and connects relevant records.
Breach, deletion and assistance
If Schoolgle becomes aware of a personal data breach affecting school data processed for a school or trust, the DPA should require notification to the controller without undue delay and provide reasonable information to support the controller's UK GDPR assessment.
At the end of service, the DPA should explain how school data is returned, deleted or retained where required for legal, security, accounting or audit reasons. It should also describe how Schoolgle assists with data subject rights, DPIAs and security assessments where relevant to the service.
Request the current DPA template
The public template is being kept under version control and should be reviewed for each school or trust before signature. To request the current DPA pack, contact admin@schoolgle.co.uk, privacy@schoolgle.co.uk or dpo@schoolgle.co.uk.
If your trust or local authority has its own processor terms, send them to Schoolgle for review.