Contents
- Parties and Definitions
- Purpose and Scope of Processing
- Data Processed
- Data Explicitly Not Processed
- AI Processing Disclosure
- Sub-Processors
- Security Measures
- Data Retention and Deletion
- Data Subject Rights
- Breach Notification
- International Data Transfers
- Controller Obligations
- Term and Termination
- Contact
1. Parties and Definitions
This Data Processing Agreement ("DPA") is entered into between:
| Data Controller ("the Controller") | The school, trust, local authority, or diocese that creates an account and uses the SGAF platform tools. |
| Data Processor ("the Processor") | Joshua Mangas, trading as The School Governance Assurance Framework, operator of governanceassurance.co.uk. |
This DPA supplements the Terms and Conditions and Privacy Policy and is incorporated by reference when the Controller accepts the terms during account onboarding.
For the purposes of this agreement, "personal data", "processing", "data subject", "data breach", and "sub-processor" have the meanings given in UK GDPR.
2. Purpose and Scope of Processing
The Processor processes data on behalf of the Controller solely for the purpose of delivering the SGAF platform tools. The processing activities for each tool are as follows:
Free Tools
- Quality Standard: governance self-assessment responses and evidence notes against every framework element
- Website Check: school website URL and instant compliance scan results
- AI Readiness Audit: self-assessment of AI adoption readiness across governance, curriculum, and safeguarding
- Faith Inspection Readiness: CES and SIAMS readiness self-assessment with generated action plans
- School Data Check: URN-based lookup of published DfE data for governance intelligence
Membership Tools
- Website Compliance: school website crawl data, page content analysis, compliance findings, and termly scores
- Board Intelligence Report: aggregation of publicly available data from GIAS, Ofsted, Companies House, and DfE with school context to generate governance intelligence reports
- Meeting Agendas: meeting type selection and framework element mapping to generate structured agenda items
- School Improvement: SIP document upload, AI priority extraction, governor name assignments, and visit report generation
- Statutory & Core: governor name assignments to the full set of statutory monitoring roles and visit report generation
- Headteacher Report: termly data entry (attendance, exclusions, staffing, budget, SIP progress, safeguarding)
- CES Assurance: Catholic governance monitoring against the CES handbook requirements with visit records and monitoring plans
- SIAMS Assurance: Church of England governance monitoring against the SIAMS inspection strands with visit records and monitoring plans
- Trust Dashboard: multi-academy trust aggregated governance data, heatmap view, and trust-level reporting
- Agenda Builder: interactive meeting agenda generation mapped to framework elements with DOCX download
General Processing
- Storing generated documents and reports for download by the Controller
- Maintaining an audit trail of processing status across all tools
- User authentication and account administration
- Payment processing for membership subscriptions
The Board Intelligence Report ingests publicly available data from GIAS, Ofsted, Companies House, and DfE to generate governance intelligence reports. This publicly available data is not personal data but is disclosed here for transparency.
The Processor shall not process personal data for any purpose other than those specified above, unless required to do so by UK law.
3. Data Processed
The following categories of data are processed through the SGAF platform:
Account Data
- Email address (for authentication)
- Organisation name and type
- Contact name
School and Governance Data
- School name, phase, and postcode
- Headteacher name
- Chair of Governors name
- Governor names, roles, and statutory monitoring assignments
- Academic year
- Strategic priorities and improvement targets (from SIP upload)
- Named priority leads (typically senior leaders)
- School vision statement
- Governance self-assessment responses and evidence notes (Quality Standard)
- School website URL and compliance scan results (Website Check, Website Compliance)
- Termly aggregate school data: attendance rates, exclusion numbers, staffing, budget, SIP progress, safeguarding (Headteacher Report)
- CES module responses across 12 Catholic governance standards (CES Assurance)
- SIAMS module responses across 10 Church of England inspection strands (SIAMS Assurance)
- Faith readiness self-assessment answers and generated action plans (Faith Inspection Readiness)
- Trust-level aggregated governance data and heatmap views (Trust Dashboard)
- Agenda Builder meeting type selections and generated agenda content
- School URN and retrieved published DfE data (School Data Check)
Processing Data
- Uploaded file metadata (name, size, upload timestamp)
- Processing status and timestamps
- Generated document and report file paths
- Website crawl data and page content analysis (Website Compliance)
- Meeting agenda selections and framework element mappings
4. Data Explicitly Not Processed
The SGAF platform is not designed to process, and the Controller must not upload documents containing:
- Pupil data: no names, attainment data, SEN information, or any data identifiable to individual pupils
- Staff personal data: beyond the names of senior leaders referenced in strategic priorities
- Special category data: no health data, ethnicity data, religious beliefs, or trade union membership
- Financial data: no bank details, salary information, or budget figures identifiable to individuals
If a SIP contains such data, the Controller is responsible for redacting it before upload. The Processor does not systematically screen for such data but will delete any inadvertently processed special category data upon discovery or notification.
5. AI Processing Disclosure
Documents and governance data are processed using AI inference provided by our AI sub-processor through a private API. This processing involves:
- School Improvement Plan documents are sent to the API for priority extraction and structured analysis
- School website content is analysed for DfE statutory compliance assessment (Website Compliance)
- Governance data is processed to generate Board Intelligence Report narratives and recommendations
- Faith readiness self-assessment answers are scored and used to generate action plans
- Meeting agenda items are generated from framework element mappings (Agenda Builder)
- Extracted and generated data is stored in the database for the Controller's use
AI provider data handling
- The Controller's data is never used to train any AI model
- API inputs and outputs are retained by the provider typically for no more than 30 days for trust-and-safety purposes, then deleted
- The provider holds recognised independent security certification (currently SOC 2 Type II) and processes data under appropriate UK transfer safeguards (the IDTA or the EU SCCs with the UK Addendum)
- The AI provider is named in Schedule 2 (Approved Sub-Processors) of the signed Data Processing Agreement and is available on request from info@governanceassurance.co.uk
No pupil or staff personal data should be included in uploaded SIPs. The AI processes school-level strategic information only.
Special category data
The faith governance tools (CES Assurance, SIAMS Assurance, Faith Inspection Readiness) process data about a school's readiness for faith-based inspections. This data relates to institutional governance arrangements, not to the religious beliefs of individual data subjects. The Processor does not process special category data as defined by UK GDPR Article 9.
Data Protection Impact Assessment
The Processor has conducted a Data Protection Impact Assessment (DPIA) covering all AI processing activities described in this DPA. A copy of the DPIA is available on request from info@governanceassurance.co.uk.
6. Sub-Processors
The Processor engages a small number of sub-processors to deliver the service, in the following categories:
| Category | Purpose | Data Location |
|---|---|---|
| AI processing | Inference for document analysis, compliance assessment, report generation, and governance scoring | United States (API processing; data typically not retained beyond 30 days; never used for model training) |
| Cloud database and authentication | Database hosting, file storage, sign-in | European Union |
| Application and website hosting / CDN | Application hosting and serverless functions; CDN and DDoS protection for the marketing site | EU (London region) / global edge network |
| Transactional email delivery | Account notifications and one-time codes | United States (with EU processing) |
| Identity providers (OAuth) | Optional sign-in with a Google or Microsoft account | United States / Global |
| Payment link processing | Invoice payment (Controller redirected to an FCA-authorised provider's hosted page) | United Kingdom / EU |
| Marketing-site services | Contact-form email delivery (marketing site only; fonts are self-hosted) | Global |
The current, named sub-processors behind each category, with their roles and data-processing locations, are set out in Schedule 2 (Approved Sub-Processors) of the signed Data Processing Agreement provided to the Controller, and are available on request from info@governanceassurance.co.uk. The Processor will notify the Controller of any intended change to its sub-processors, giving the Controller at least 14 days to object before the change takes effect, and ensures that all sub-processors are bound by data protection obligations no less protective than those in this DPA.
7. Security Measures
The Processor implements the following technical and organisational measures:
Technical Measures
- Encryption in transit: All data transmitted over TLS 1.2 or higher (HTTPS enforced)
- Encryption at rest: Database and file storage encrypted using the provider's managed encryption (AES-256)
- Tenant isolation: Row-level security (RLS) policies ensure organisations can only access their own data
- Authentication: Passwordless authentication via OAuth (Google, Microsoft) or email one-time codes; no passwords stored
- API security: All API endpoints authenticated with session tokens; service role keys used server-side only
- HSTS: HTTP Strict Transport Security headers enforced
Organisational Measures
- Access to production systems is restricted to the Data Processor (Governance Assurance / Joshua Mangas)
- Security logging and monitoring of all system access
- Regular review of access controls and security configurations
- Privacy by design applied to all feature development
8. Data Retention and Deletion
| Data Type | Retention Period |
|---|---|
| All tool data (audit responses, uploaded SIPs, extracted school data, generated documents and reports, website scan results, governor assignments, headteacher report data) | Retained for the duration of active use plus 2 years. Deleted within 30 days of account closure or deletion request if the retention period has elapsed. |
| Payment records | Retained for 7 years as required by HMRC, then deleted. |
| Account data | Deleted within 30 days of account closure request. |
| Processing logs | 90 days, then automatically purged. |
| AI provider API logs | Up to 30 days (managed by the AI provider), then deleted. |
The Controller may request deletion of all their data at any time by contacting info@governanceassurance.co.uk. The Processor will complete deletion within 30 days and confirm in writing.
9. Data Subject Rights
The Processor will assist the Controller in responding to data subject access requests (DSARs) and other rights under UK GDPR, including:
- Right of access: export of all data held for the Controller's organisation
- Right to rectification: correction of inaccurate data
- Right to erasure: deletion of data upon request
- Right to data portability: export in machine-readable format (JSON or CSV)
- Right to restrict processing: suspension of processing upon request
The Processor will respond to Controller requests for assistance within 5 working days.
10. Breach Notification
In the event of a personal data breach, the Processor will:
- Notify the Controller within 72 hours of becoming aware of the breach
- Provide full details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Controller in notifying the ICO and affected data subjects where required under UK GDPR Articles 33 and 34
- Document the breach and remediation steps taken
Breach notifications will be sent to the email address registered on the Controller's account.
11. International Data Transfers
The primary data storage is located within the European Union. Application hosting is configured to the London region.
The AI provider processes SIP text in the United States. This transfer is covered by:
- Appropriate UK transfer safeguards (the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum), as set out for each provider in Schedule 2
- The provider's independent security certification and enterprise security practices
- The transient nature of the processing: data is processed and returned, and is typically not stored beyond a 30-day trust-and-safety retention window
Transactional email is delivered by a US-based provider with EU processing capabilities. Identity providers process OAuth authentication data globally. Payment links are processed within the UK/EU. These transfers are covered by appropriate UK transfer safeguards (the IDTA or the EU SCCs with the UK Addendum) and data processing agreements where applicable. The named providers are listed in Schedule 2 of the signed Data Processing Agreement and available on request.
12. Controller Obligations
The Controller agrees to:
- Ensure they have lawful authority to upload SIP data to the platform
- Redact any pupil data, staff personal data, or special category data from SIPs before upload
- Inform relevant data subjects (e.g. named priority leads, headteacher, chair) that their names may be processed through the platform
- Keep account credentials secure and not share login access with unauthorised individuals
- Notify the Processor promptly of any data breach involving data processed through the platform
- Comply with their own obligations under UK GDPR as Data Controller
13. Term and Termination
This DPA is effective from the date the Controller accepts it during onboarding and remains in effect for the duration of the service agreement.
Upon termination:
- The Controller may request export of all their data in machine-readable format
- The Processor will delete all Controller data within 30 days of account closure
- The Processor will provide written confirmation of deletion upon request
Obligations relating to data security, breach notification, and confidentiality survive termination.
14. Contact
Data Processing Queries
For questions about this Data Processing Agreement, to request data export or deletion, or to report a data breach:
Email: info@governanceassurance.co.uk
Data Processor: Governance Assurance / Joshua Mangas
Website: governanceassurance.co.uk