Contents
- Parties and Definitions
- Purpose and Scope of Processing
- Data Processed
- Data Explicitly Not Processed
- AI Processing Disclosure
- Sub-Processors
- Security Measures
- Data Retention and Deletion
- Data Subject Rights
- Breach Notification
- International Data Transfers
- Controller Obligations
- Term and Termination
- Contact
1. Parties and Definitions
This Data Processing Agreement ("DPA") is entered into between:
| Data Controller ("the Controller") | The school, trust, local authority, or diocese that creates an account and uses the GAF platform tools. |
| Data Processor ("the Processor") | Joshua Mangas, trading as The School Governance Assurance Framework, operator of governanceassurance.co.uk. |
This DPA supplements the Terms and Conditions and Privacy Policy and is incorporated by reference when the Controller accepts the terms during account onboarding.
For the purposes of this agreement, "personal data", "processing", "data subject", "data breach", and "sub-processor" have the meanings given in UK GDPR.
2. Purpose and Scope of Processing
The Processor processes data on behalf of the Controller solely for the purpose of delivering the GAF platform tools. The processing activities for each tool are as follows:
Free Tools (no login required)
- Board Assurance Audit — governance self-assessment responses and evidence notes against 54 framework elements
- Website Check — school website URL and instant compliance scan results
Membership Tools
- Website Assurance — school website crawl data, page content analysis, compliance findings, and termly scores
- Board Intelligence Report — aggregation of publicly available data from GIAS, Ofsted, Companies House, and DfE with school context to generate governance intelligence reports
- Meeting Agendas — meeting type selection and framework element mapping to generate structured agenda items
- School Progress Assurance — SIP document upload, AI priority extraction, governor name assignments, and visit report generation
- Statutory Assurance — governor name assignments to 11 statutory monitoring roles and visit report generation
- Headteacher Report — termly data entry (attendance, exclusions, staffing, budget, SIP progress, safeguarding)
General Processing
- Storing generated documents and reports for download by the Controller
- Maintaining an audit trail of processing status across all tools
- User authentication and account administration
- Payment processing for membership subscriptions
The Board Intelligence Report ingests publicly available data from GIAS, Ofsted, Companies House, and DfE to generate governance intelligence reports. This data is already in the public domain (and, where it names an individual such as a headteacher or a company officer, remains personal data under UK GDPR) and is disclosed here for transparency.
The Processor shall not process personal data for any purpose other than those specified above, unless required to do so by UK law.
3. Data Processed
The following categories of data are processed through the GAF platform:
Account Data
- Email address (for authentication)
- Organisation name and type
- Contact name
School and Governance Data
- School name, phase, and postcode
- Headteacher name
- Chair of Governors name
- Governor names, roles, and statutory monitoring assignments
- Academic year
- Strategic priorities and improvement targets (from SIP upload)
- Named priority leads (typically senior leaders)
- School vision statement
- Governance self-assessment responses and evidence notes (Board Assurance Audit)
- School website URL and compliance scan results (Website Check, Website Assurance)
- Termly aggregate school data: attendance rates, exclusion numbers, staffing, budget, SIP progress, safeguarding (Headteacher Report)
Processing Data
- Uploaded file metadata (name, size, upload timestamp)
- Processing status and timestamps
- Generated document and report file paths
- Website crawl data and page content analysis (Website Assurance)
- Meeting agenda selections and framework element mappings
4. Data Explicitly Not Processed
The GAF platform is not designed to process, and the Controller must not upload documents containing:
- Pupil data — no names, attainment data, SEN information, or any data identifiable to individual pupils
- Staff personal data — beyond the names of senior leaders referenced in strategic priorities
- Special category data — no health data, ethnicity data, religious beliefs, or trade union membership
- Financial data — no bank details, salary information, or budget figures identifiable to individuals
If a SIP contains such data, the Controller is responsible for redacting it before upload. The Processor does not systematically screen for such data but will delete any inadvertently processed special category data upon discovery or notification.
5. AI Processing Disclosure
Uploaded SIP documents are processed using Anthropic Claude, a large language model (LLM), to extract structured data. This processing involves:
- The text content of the uploaded SIP is sent to the Anthropic API for analysis
- The AI extracts school identity, strategic priorities, improvement targets, and governance structure into a structured format
- The extracted data is then used to generate governance documents
Anthropic's Data Handling
- Anthropic does not use data submitted via the API to train its models
- API inputs and outputs are retained by Anthropic for up to 30 days for trust and safety purposes, then deleted
- Anthropic is SOC 2 Type II certified
- Full details: Anthropic Privacy Policy
No pupil or staff personal data should be included in uploaded SIPs. The AI processes school-level strategic information only.
6. Sub-Processors
The Processor engages the following sub-processors to deliver the service:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Anthropic | AI processing of SIP text for data extraction | United States (API processing; data not retained beyond 30 days) |
| Supabase | Database hosting, file storage, authentication | European Union |
| Vercel | Application hosting and serverless functions | London (lhr1) region |
| Cloudflare | CDN, DNS, DDoS protection for the marketing site | Global edge network (no persistent data storage) |
| Resend | Transactional email delivery (account notifications, one-time codes) | United States (with EU processing) |
| Google | OAuth identity provider for user authentication | United States / Global |
| Microsoft | OAuth identity provider for user authentication | United States / Global |
| Stripe | Payment processing and subscription management | United States (with EU processing) |
| EmailJS | Contact form email delivery (marketing site only) | European Union |
| Google Fonts | Typography delivery for the marketing site | Global CDN |
The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. The Processor ensures that all sub-processors are bound by data protection obligations no less protective than those in this DPA.
7. Security Measures
The Processor implements the following technical and organisational measures:
Technical Measures
- Encryption in transit: All data transmitted over TLS 1.2 or higher (HTTPS enforced)
- Encryption at rest: Database and file storage encrypted using Supabase managed encryption (AES-256)
- Tenant isolation: Row-level security (RLS) policies ensure organisations can only access their own data
- Authentication: Passwordless authentication via OAuth (Google, Microsoft) or email one-time codes — no passwords stored
- API security: All API endpoints authenticated with session tokens; service role keys used server-side only
- HSTS: HTTP Strict Transport Security headers enforced
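The tenant-isolation and service-role measures above describe a standard Supabase (PostgreSQL) pattern. The following is an added illustration, not the GAF platform's own schema or policy text: the table and column names (organisation_members, sip_uploads, org_id) are assumptions chosen to mirror the data categories in section 3. auth.uid() and the authenticated and service_role roles are Supabase's built-in helpers and roles.

```sql
-- Added example of row-level security (RLS) tenant isolation on Supabase.
-- Table and column names are assumptions, not the platform's real schema.

-- Membership table linking Supabase auth users to the organisation they act for.
create table if not exists organisation_members (
  user_id uuid not null references auth.users (id) on delete cascade,
  org_id  uuid not null,
  primary key (user_id, org_id)
);

-- A per-tenant data table; every row carries the owning organisation.
create table if not exists sip_uploads (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  file_name  text not null,
  file_size  bigint not null,
  created_at timestamptz not null default now()
);

-- RLS is off by default: without these statements any authenticated user
-- could read every organisation's rows through the public PostgREST API.
alter table sip_uploads enable row level security;
alter table sip_uploads force row level security;

-- Authenticated users may read only rows whose org_id is one they belong to.
create policy "tenant_select" on sip_uploads
  for select to authenticated
  using (org_id in (select org_id from organisation_members
                    where user_id = auth.uid()));

-- Inserts must also be checked, or a user could write rows into another tenant.
create policy "tenant_insert" on sip_uploads
  for insert to authenticated
  with check (org_id in (select org_id from organisation_members
                         where user_id = auth.uid()));

-- Quick self-check from the SQL editor: impersonate an authenticated user and
-- confirm only that user's organisation is visible. The JWT claim 'sub' is the
-- value auth.uid() reads; the UUID below is a placeholder.
set role authenticated;
set request.jwt.claims to '{"sub": "00000000-0000-0000-0000-000000000001"}';
select org_id, count(*) from sip_uploads group by org_id;
reset role;
```

Two caveats a reviewer would check against the claims above: every tenant table, not just one, needs its own enable/force statements and select/insert/update/delete policies, because a single unprotected table defeats the isolation guarantee; and the Supabase service_role key carries BYPASSRLS, so these policies do not apply to it at all, which is exactly why the DPA restricts that key to server-side code and it must never reach a browser.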
Organisational Measures
- Access to production systems is restricted to the Data Processor (Governance Assurance / Joshua Mangas)
- Security logging and monitoring of all system access
- Regular review of access controls and security configurations
- Privacy by design applied to all feature development
8. Data Retention and Deletion
| Data Type | Retention Period |
|---|---|
| All tool data (audit responses, uploaded SIPs, extracted school data, generated documents and reports, website scan results, governor assignments, headteacher report data) | Retained for the duration of active use plus 2 years of inactivity, or until account closure or a deletion request, whichever comes first. Deleted within 30 days of account closure or a deletion request. |
| Payment records | Retained for 7 years as required by HMRC, then deleted. |
| Account data | Deleted within 30 days of account closure request. |
| Processing logs | 90 days, then automatically purged. |
| Anthropic API logs | Up to 30 days (managed by Anthropic), then deleted. |
The Controller may request deletion of all their data at any time by contacting info@governanceassurance.co.uk. The Processor will complete deletion within 30 days and confirm in writing.
9. Data Subject Rights
The Processor will assist the Controller in responding to data subject access requests (DSARs) and other rights under UK GDPR, including:
- Right of access — export of all data held for the Controller's organisation
- Right to rectification — correction of inaccurate data
- Right to erasure — deletion of data upon request
- Right to data portability — export in machine-readable format (JSON or CSV)
- Right to restrict processing — suspension of processing upon request
The Processor will respond to Controller requests for assistance within 5 working days.
10. Breach Notification
In the event of a personal data breach, the Processor will:
- Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach, so that the Controller can meet its own 72-hour deadline for notifying the ICO
- Provide full details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Controller in notifying the ICO and affected data subjects where required under UK GDPR Articles 33 and 34
- Document the breach and remediation steps taken
Breach notifications will be sent to the email address registered on the Controller's account.
11. International Data Transfers
The primary data storage (Supabase) is located within the European Union. Application hosting (Vercel) is configured to the London region.
The Anthropic API processes SIP text in the United States. This transfer is covered by:
- Anthropic's Standard Contractual Clauses (SCCs) for international data transfers
- Anthropic's SOC 2 Type II certification and enterprise security practices
- The transient nature of the processing — data is processed and returned; not stored beyond the 30-day trust and safety retention window
Resend (transactional email) and Stripe (payment processing) are US-based with EU processing capabilities. Google and Microsoft process OAuth authentication data globally. These transfers are covered by each provider's Standard Contractual Clauses and data processing agreements.
12. Controller Obligations
The Controller agrees to:
- Ensure they have lawful authority to upload SIP data to the platform
- Redact any pupil data, staff personal data, or special category data from SIPs before upload
- Inform relevant data subjects (e.g. named priority leads, headteacher, chair) that their names may be processed through the platform
- Keep account credentials secure and not share login access with unauthorised individuals
- Notify the Processor promptly of any data breach involving data processed through the platform
- Comply with their own obligations under UK GDPR as Data Controller
13. Term and Termination
This DPA is effective from the date the Controller accepts it during onboarding and remains in effect for the duration of the service agreement.
Upon termination:
- The Controller may request export of all their data in machine-readable format
- The Processor will delete all Controller data within 30 days of account closure
- The Processor will provide written confirmation of deletion upon request
Obligations relating to data security, breach notification, and confidentiality survive termination.
14. Contact
Data Processing Queries
For questions about this Data Processing Agreement, to request data export or deletion, or to report a data breach:
Email: info@governanceassurance.co.uk
Data Processor: Governance Assurance / Joshua Mangas
Website: governanceassurance.co.uk