Legal

Data Processing Agreement

This Data Processing Agreement establishes the responsibilities between schools (Data Controllers) and Moodly (Data Processor) under UK GDPR Article 28.

Effective Date: 11 February 2025

Version: 1.0

1. Parties and Definitions

This Data Processing Agreement ('DPA') is entered into between the educational institution that has agreed to our Terms and Conditions ('Controller', 'School', 'you') and Mr G Education Ltd, company number 14557194, registered in the United Kingdom ('Processor', 'Moodly', 'we', 'us').

This DPA forms part of the Terms and Conditions and governs the processing of personal data by the Processor on behalf of the Controller when using the Moodly platform.

1.1 Definitions

  • 'Personal Data' means any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
  • 'Special Category Data' means personal data revealing racial or ethnic origin, health data, and data concerning a person's mental or emotional state, as defined in UK GDPR Article 9.
  • 'Processing' means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • 'Data Subject' means the individual to whom the Personal Data relates, including students and staff.
  • 'Sub-processor' means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • 'Data Breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • 'UK GDPR' means the General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018.

1.2 Roles

  • The School acts as the Data Controller, determining the purposes and means of processing student and staff personal data.
  • Mr G Education Ltd acts as the Data Processor, processing personal data only on behalf of and under the instructions of the Controller.
  • The Controller retains overall responsibility for compliance with data protection law in relation to the personal data processed through Moodly.

2. Subject Matter and Duration

2.1 Purpose of Processing

  • The Processor processes Personal Data solely for the purpose of providing the Moodly student emotional wellbeing monitoring platform to the Controller.
  • Processing activities include: storing and displaying student check-in data, generating wellbeing analytics, facilitating welfare escalations, enabling staff access to relevant data, and providing AI-assisted guidance (without sharing identifiable student data).

2.2 Duration

  • This DPA remains in effect for the duration of the Controller's subscription to Moodly.
  • Upon termination of the subscription, the provisions of Section 10 (Termination and Data Return) shall apply.
  • Certain obligations under this DPA, particularly those relating to confidentiality and data security, shall survive termination.

2.3 Processing Scope

  • The nature, scope, and specific categories of personal data processed are set out in Schedule 1 (Data Processing Details) at the end of this document.
  • Processing shall be limited to what is necessary for the purposes specified and shall not exceed the scope of the Controller's documented instructions.

3. Processor Obligations

The Processor shall comply with the following obligations in accordance with UK GDPR Article 28(3):

3.1 Processing on Instructions

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by law.
  • Inform the Controller immediately if, in the Processor's opinion, an instruction infringes UK GDPR or other data protection provisions.
  • Not process Personal Data for any purpose other than providing the Moodly service as set out in these Terms.

3.2 Confidentiality

  • Ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Limit access to Personal Data to those employees and contractors who need access for the purposes of performing the service.

3.3 Security Measures

  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Schedule 2 (Security Measures).
  • Regularly test, assess, and evaluate the effectiveness of security measures.
  • Maintain documented security policies and procedures.

3.4 Sub-processors

  • Not engage another processor (Sub-processor) without prior specific or general written authorisation of the Controller.
  • Where general written authorisation has been given, inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.
  • Ensure that Sub-processors are bound by the same data protection obligations as set out in this DPA.
  • Remain fully liable to the Controller for the performance of Sub-processor obligations.
  • Current Sub-processors are listed in Schedule 3 (Sub-processors).

3.5 Assistance with Data Subject Rights

  • Assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under UK GDPR.
  • Promptly notify the Controller of any Data Subject request received directly by the Processor.
  • Not respond directly to Data Subject requests without the Controller's authorisation, except to direct the Data Subject to the Controller.

3.6 Assistance with Compliance

  • Assist the Controller in ensuring compliance with obligations under UK GDPR Articles 32-36, taking into account the nature of processing and information available to the Processor.
  • This includes assistance with security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities where required.

4. Security Measures

The Processor implements the following technical and organisational security measures to protect Personal Data:

4.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is encrypted using AES-256 encryption or equivalent.
  • Encryption keys are managed securely and rotated regularly.

4.2 Access Controls

  • Role-based access controls ensure staff only access data relevant to their role and permissions.
  • Strong authentication requirements for all user accounts.
  • Regular review and audit of access permissions.
  • Automatic session timeouts and account lockout policies.

4.3 Infrastructure Security

  • Hosting on enterprise-grade cloud infrastructure with ISO 27001 certification.
  • Network security including firewalls, intrusion detection, and DDoS protection.
  • Regular vulnerability scanning and penetration testing.
  • Automated backup and disaster recovery procedures.

4.4 Operational Security

  • Security awareness training for all personnel with access to Personal Data.
  • Incident response procedures for security events.
  • Secure development practices including code review and testing.
  • Regular security assessments and continuous improvement.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors, subject to the following conditions:

5.1 Authorisation and Notification

  • The Processor shall maintain an up-to-date list of Sub-processors in Schedule 3.
  • The Processor shall notify the Controller at least 14 days in advance of any intended addition or replacement of Sub-processors.
  • Notification shall be provided via email to the Controller's registered administrator.

5.2 Objection Rights

  • The Controller may object to the appointment of a new Sub-processor within 14 days of notification, provided such objection is based on reasonable grounds relating to data protection.
  • If the Controller objects, the parties shall discuss the concerns in good faith. If no resolution is reached, the Controller may terminate the affected services.

5.3 Sub-processor Obligations

  • The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
  • The Processor shall conduct due diligence on Sub-processors' ability to meet these obligations.
  • The Processor remains fully liable for Sub-processor compliance.

5.4 Current Sub-processors

  • Cloud Infrastructure: Google Cloud Platform and Microsoft Azure (UK/EEA data centres) - hosting and data storage.
  • Payment Processing: Stripe - subscription payments only, no student data processed.
  • Email Communications: Brevo - system notifications and communications.
  • AI Services: Third-party AI providers - query processing only, no identifiable student data transmitted.
  • A complete list with locations is provided in Schedule 3.

6. International Transfers

6.1 Primary Storage

  • Personal Data is primarily stored and processed within the United Kingdom and European Economic Area.
  • The Processor's primary cloud infrastructure is located in UK and EEA data centres.

6.2 Transfer Safeguards

  • Where Personal Data is transferred outside the UK/EEA, the Processor ensures appropriate safeguards are in place as required by UK GDPR Chapter V.
  • Safeguards may include: UK adequacy regulations, Standard Contractual Clauses (SCCs), and supplementary technical measures.
  • The Processor shall inform the Controller of any transfers and the safeguards applied.

6.3 Restricted Transfers

  • No identifiable student data is transferred to countries without adequate data protection.
  • AI query processing is designed to exclude identifiable student information.

7. Data Subject Rights

Data Subjects (students, parents/guardians, and staff) have rights under UK GDPR which the Controller is responsible for fulfilling:

7.1 Rights

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)

7.2 Controller Responsibility

  • The Controller is responsible for responding to Data Subject requests in accordance with UK GDPR timescales (one month, extendable).
  • For school platform data, Data Subjects should contact the School directly to exercise their rights.
  • Parents/guardians may exercise rights on behalf of their children in accordance with the School's policies.

7.3 Processor Assistance

  • The Processor shall provide the Controller with appropriate technical and organisational assistance to fulfil Data Subject requests.
  • This includes: providing data exports, facilitating rectification, implementing erasure requests, and restricting processing where required.
  • The Processor shall respond to Controller assistance requests without undue delay.

8. Data Breach Procedures

8.1 Notification Timeline

  • The Processor shall notify the Controller of any Data Breach without undue delay, and in any event within 24 hours of becoming aware of the breach.
  • Notification shall be sent to the Controller's registered administrator via email and, where appropriate, via the platform.

8.2 Information Provided

  • The nature of the Data Breach, including categories and approximate number of Data Subjects and records concerned.
  • Name and contact details of the Processor's data protection contact.
  • Likely consequences of the Data Breach.
  • Measures taken or proposed to address the breach and mitigate its effects.
  • If not all information is available immediately, it shall be provided in phases without undue delay.

8.3 Cooperation

  • The Processor shall cooperate with the Controller in investigating and remediating the Data Breach.
  • The Processor shall assist the Controller in meeting its own breach notification obligations to the ICO and affected Data Subjects.
  • The Processor shall document all Data Breaches, including facts, effects, and remedial action taken.

8.4 Controller Obligations

  • The Controller is responsible for assessing whether the breach requires notification to the ICO (within 72 hours) and to affected Data Subjects.
  • The Controller shall coordinate any communications to Data Subjects or regulatory authorities.

9. Audit Rights

9.1 Controller Audit Rights

  • The Controller has the right to audit the Processor's compliance with this DPA.
  • Audits may be conducted by the Controller directly or by an independent auditor appointed by the Controller.
  • The Controller shall provide reasonable notice (minimum 30 days) of any audit request.

9.2 Audit Scope

  • Audits may cover: security measures, processing activities, Sub-processor management, and compliance with this DPA.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • The Controller shall bear its own costs of conducting audits.

9.3 Third-Party Certifications

  • The Processor may satisfy audit requests by providing relevant third-party audit reports, certifications, or attestations.
  • This may include SOC 2 reports, ISO 27001 certifications, or penetration testing summaries.
  • The Controller may still request additional information or on-site audit where reasonably justified.

9.4 Confidentiality

  • Audit results and any information obtained through audits shall be treated as confidential.
  • Auditors shall be bound by appropriate confidentiality obligations.

10. Termination and Data Return

10.1 Data Export Period

  • Upon termination of the subscription, the Controller may request export of their Personal Data within 30 days.
  • The Processor shall provide data in a commonly used, machine-readable format (e.g., CSV, JSON).
  • Export requests should be made via the platform or by contacting info@moodly.education.

10.2 Data Deletion

  • Following the 30-day export period, the Processor shall delete all Personal Data unless retention is required by law.
  • Upon request, the Processor shall provide written confirmation of deletion.
  • Deletion includes removal from active systems and, within a reasonable timeframe, from backup systems.

10.3 Exceptions

  • The Processor may retain Personal Data where required by applicable law or regulatory requirement.
  • Anonymised, aggregated data that cannot be linked to individuals may be retained for service improvement purposes.
  • The Processor shall inform the Controller of any legally required retention.

11. Liability

11.1 General Liability

  • Liability under this DPA is subject to the limitations and exclusions set out in the Terms and Conditions.
  • Each party shall be liable for any damage caused by processing that infringes UK GDPR, in accordance with Article 82.

11.2 Processor Liability

  • The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors under UK GDPR, or where it has acted outside or contrary to the Controller's lawful instructions.

11.3 Indemnification

  • Each party shall indemnify the other against any costs, claims, damages, or expenses arising from its breach of this DPA or UK GDPR.
  • The indemnifying party shall have the right to control the defence of any claim, provided it does not settle without the other party's consent where such settlement would adversely affect the other party.

12. General Provisions

12.1 Precedence

  • In the event of any conflict between this DPA and the Terms and Conditions, this DPA shall prevail with respect to data protection matters.
  • This DPA supplements and does not replace the Terms and Conditions.

12.2 Amendments

  • This DPA may be updated to reflect changes in law, regulatory guidance, or processing activities.
  • Material changes will be notified to Controllers via email.
  • Continued use of the service following notification constitutes acceptance of amendments.

12.3 Governing Law

  • This DPA is governed by the laws of England and Wales.
  • Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12.4 Signed Copies

  • Schools may request a signed copy of this DPA by contacting info@moodly.education.
  • The signed version shall incorporate these terms by reference.

Schedule 1: Data Processing Details

This schedule describes the personal data processed under this DPA:

Data Subjects

  • Students (including minors of all ages within the School)
  • School staff (teachers, administrators, welfare officers, and other authorised personnel)

Student Personal Data

  • Name and class/year group assignment
  • Check-in data: emoji selections representing emotional state, timestamps, and optional notes
  • Affirmations and peer recognition messages
  • Survey responses
  • Demographic data provided by the School (e.g., gender, ethnicity, free school meal status) for analytics
  • PIN credentials for Learner App access

Staff Personal Data

  • Name and email address
  • Role and permission level within the School
  • Activity logs within the platform
  • Notes and comments on student welfare
  • AI Assistant query history

Special Category Data

  • Children's emotional and mental wellbeing states (derived from check-in responses)
  • Health-related indicators where voluntarily disclosed by students in notes
  • Demographic data where categorised as special category (e.g., ethnicity)

Lawful Basis for Special Category Data

  • Processing is necessary for reasons of substantial public interest under UK GDPR Article 9(2)(g).
  • Specifically, safeguarding of children and individuals at risk under Schedule 1, Part 2, Paragraph 18 of the Data Protection Act 2018.

Retention Periods

  • Free tier: Classroom data retained until user creates a new class (previous class data replaced).
  • Paid tiers: Classroom data deleted 7 days after School deletes the class within the application.
  • Staff activity logs: Retained for 12 months.
  • Post-termination: 30-day export window, then deletion (subject to legal requirements).
  • Anonymised data: May be retained indefinitely for research and service improvement.

Schedule 2: Security Measures

The Processor maintains the following security measures:

Technical Measures

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
  • Access Control: Role-based permissions, strong authentication, session management
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Application Security: Secure development lifecycle, code review, vulnerability scanning
  • Monitoring: Security event logging, anomaly detection, alerting
  • Backup: Automated encrypted backups, tested recovery procedures

Organisational Measures

  • Personnel: Background checks, confidentiality agreements, security training
  • Access Management: Least privilege principle, regular access reviews
  • Incident Response: Documented procedures, trained response team
  • Vendor Management: Due diligence on Sub-processors, contractual obligations
  • Continuous Improvement: Regular security assessments, policy updates

Schedule 3: Sub-processors

The following Sub-processors are authorised as of the effective date:

Cloud Infrastructure

  • Google Cloud Platform — Location: UK/EEA — Purpose: Cloud hosting, data storage, and infrastructure services
  • Microsoft Azure — Location: UK/EEA — Purpose: Cloud hosting and infrastructure services

Payment Processing

  • Stripe — Location: USA (with EU/UK data processing) — Purpose: Subscription payment processing (no student personal data processed)

Communications

  • Brevo (formerly Sendinblue) — Location: EU — Purpose: Email communications and notifications

Analytics

  • PostHog — Location: EU — Purpose: Product analytics and user experience improvement (anonymised data)

AI Services

  • Third-party AI providers — Location: Various (with appropriate safeguards) — Purpose: AI Assistant query processing (no identifiable student data transmitted; queries are processed without personal identifiers)

Updates

  • This list is current as of the effective date. Controllers will be notified of changes in accordance with Section 5.1.

13. Contact Information

For questions about this Data Processing Agreement, please contact:

Email: info@moodly.education

Website: moodly.education

Mr G Education Ltd is registered with the Information Commissioner's Office (ICO) under registration number ZB526873.

Document Version: 1.0

Last Reviewed: 11 February 2025

Next Scheduled Review: 11 February 2026

Published by: Mr G Education Ltd

ICO Registration: ZB526873

Company Number: 14557194

Related Policies

This DPA forms part of our Terms and Conditions. Please also review our Privacy Policy for details on how we handle personal data.