Data Processing Agreement
Version: Draft · March 2026
Published for Transparency
Important — Not Currently in Force
Arcademy is not yet a registered company and is not currently trading. This Data Processing Agreement is published as a draft for transparency only — it is not currently active or enforceable.
No formal school partnerships or data processing relationships exist at this time. The platform is available for open evaluation and testing purposes only.
When Arcademy begins trading and enters into formal agreements with schools, a signed version of this DPA (updated with registered company details) will be required before any school data is processed.
Parties to this Agreement (Draft)
Data Controller (the School)
The school or educational institution that enters into a formal licence agreement with Arcademy once the platform is trading.
Referred to in this agreement as "the Controller"
Data Processor (Arcademy)
Arcademy (operator details to be inserted upon company registration)
Referred to in this agreement as "the Processor"
This Data Processing Agreement ("DPA") sets out the terms on which the Processor will process personal data on behalf of the Controller in accordance with UK GDPR Article 28. This document is a draft published for school review and evaluation purposes. It will be finalised and signed when Arcademy enters commercial operation.
Schedule A — Details of Processing
| Element | Details |
| Subject matter | Provision of educational gaming software to schools |
| Duration | For the term of the school's licence, plus 30 days for deletion |
| Nature of processing | Collection, storage, retrieval, and deletion of student game progress data |
| Purpose | Enabling students to log in, play educational games, earn badges, and track learning progress |
| Type of personal data | Pseudonymous alias, hashed 4-digit PIN, avatar, XP, belt rank, game session statistics, badges earned, last active timestamp |
| Categories of data subjects | Students (children under 18) enrolled in the school's classes on the platform. Teachers employed by the school. |
| Special category data | None processed |
1. Obligations of the Processor
The Processor shall:
- 1.1 Process personal data only on documented instructions from the Controller, except where required by law.
- 1.2 Ensure that all personnel authorised to process personal data are subject to confidentiality obligations.
- 1.3 Implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access — as set out in Clause 4.
- 1.4 Not engage any sub-processor without prior written authorisation from the Controller, except for those listed in Schedule B, which the Controller authorises by entering into this agreement.
- 1.5 Assist the Controller in responding to data subject rights requests within the timescales required by UK GDPR.
- 1.6 Assist the Controller in ensuring compliance with UK GDPR obligations regarding security, breach notification, data protection impact assessments, and prior consultation.
- 1.7 At the Controller's choice, delete or return all personal data upon termination of the Service, and delete existing copies unless required by law to retain them.
- 1.8 Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or a mandated auditor, on reasonable written notice of not less than 14 days.
2. Obligations of the Controller (School)
The Controller shall:
- 2.1 Ensure it has a lawful basis for providing student data to the Processor for the purposes described in Schedule A.
- 2.2 Ensure that students' parents or guardians have been made aware of the use of Arcademy in line with the school's own privacy notice.
- 2.3 Only instruct the Processor to process data in a manner consistent with UK GDPR.
- 2.4 Be responsible for the accuracy of personal data submitted to the platform.
- 2.5 Ensure that student aliases entered into the system do not include the student's real name.
- 2.6 Promptly notify the Processor if it becomes aware of any data breach or suspected security incident.
3. Sub-Processors
The Processor is authorised to use the sub-processors listed in Schedule B. The Processor shall impose equivalent data protection obligations on sub-processors and shall remain fully liable to the Controller for the performance of sub-processors' obligations.
The Processor shall notify the Controller of any intended changes to sub-processors by updating Schedule B on the Arcademy website. The Controller may object within 14 days of notification. If the Processor cannot accommodate the objection, the Controller may terminate the agreement.
4. Technical and Organisational Security Measures
The Processor has implemented the following measures, which shall be maintained for the duration of this agreement:
Access Controls
- Student data is accessible only via authenticated session tokens (8-hour expiry)
- Row-level security ensures students can only access their own records
- Teacher access is authenticated via industry-standard email/password authentication
- Teachers can only access data from their own school
Encryption
- All data in transit is encrypted via TLS 1.2 or higher (HTTPS)
- All data at rest is encrypted by the infrastructure provider (AES-256)
- Student PINs are stored as bcrypt hashes (cost factor 8) — plain PINs are never retained
Pseudonymisation
- Students are identified only by pseudonymous aliases. Real names are not collected or stored.
Resilience and Recovery
- Data is hosted on Supabase (AWS eu-west-2) with automated backups
- The platform has the ability to restore availability following a technical incident
Breach Response
- The Processor will notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach
- Notification will include the nature of the breach, data affected, likely consequences, and remediation steps taken
5. Data Subject Rights
Because student records use pseudonymous aliases rather than real names, the Processor cannot directly identify a specific child without assistance from the Controller. The process for data subject rights requests is therefore:
- The school receives a request from a parent, guardian, or student.
- The school identifies the relevant student alias in the Arcademy Teacher Dashboard.
- The school emails [YOUR EMAIL] with the request and the relevant alias and class code.
- The Processor will fulfil the request (access, deletion, portability) within 14 days.
6. International Data Transfers
Personal data is stored and processed in the European Union (AWS eu-west-2, Ireland). Content delivery may route through Netlify edge nodes globally; however, no personal data is stored on edge nodes.
Where any transfer outside the UK or EEA occurs, the Processor will ensure an appropriate transfer mechanism is in place (such as Standard Contractual Clauses or UK adequacy regulations).
7. Duration and Termination
7.1 This DPA remains in force for the duration of the licence agreement between the parties.
7.2 Upon expiry or termination of the licence agreement, the Processor shall, within 30 days, securely delete all personal data processed under this DPA unless the Controller requests a data export, or the Processor is required by law to retain the data.
7.3 The Controller may request a full export of their school's data at any time by contacting [YOUR EMAIL]. Data will be provided in CSV format within 14 days.
Schedule B — Authorised Sub-Processors
| Sub-processor | Country | Purpose | Website |
| Supabase Inc. | USA (data stored EU) | Database hosting, authentication, and real-time services. Data stored in AWS eu-west-2 (Ireland). | supabase.com/privacy |
| Netlify Inc. | USA (CDN global) | Static website hosting and content delivery. No personal data stored at edge nodes. | netlify.com/privacy |
Last updated: March 2026. The Controller will be notified of any changes to this schedule.
Signatures
By signing below, both parties agree to the terms of this Data Processing Agreement. This DPA may be signed electronically.
FOR THE PROCESSOR — Arcademy
Signature
Name
Title
Date
FOR THE CONTROLLER — School
Signature
Name
Title / Role
School Name
Date
Arcademy Data Processing Agreement · v1.0 · March 2026