Data Processing Agreement

Our role in your privacy

If you are a Pupil Progress customer or subscriber, or just trialling our platform, this agreement applies to you. As part of the Terms of Service and Privacy Policy in our contract with you, you should check this agreement to make sure that this is understood to be the instructions that YOU (the Data Controller) give US (the Data Processor), as we are the provider of the Pupil Progress platform.

Our responsibilities

If you are a registered customer or using a trial, we act as the ‘Data Processor’ of personal data. This means that we provide you with a service that allows you to process personal data based on the purpose and means that you have decided on. We are registered with the UK Information Commissioner’s Office under reference ZA226391.

 Your responsibilities

  • Read this Data Processing Agreement.
  • Check any contract between us or any other document we have asked you to look at, as these may also have specific information that you want.
  • Where you have provided us with personal information as part of our service, or where your end-users (staff and children) have provided us with personal data, it will only be used for the reasons it was provided to us. By submitting the information to us, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Data Processing Agreement.

What if I am just using Pupil Progress as a user (such as a member of staff)?

If you are signing into Pupil Progress because it is provided to you through your organisation (that is to say, the organisation is the Data Controller and we are the Data Processor), then this document will help you better understand how Pupil Progress handles your information on behalf of your organisation. In addition, your organisation will be able to explain more through things such as their Privacy Notice. You should be able to find this on your organisation’s website or it may have been provided to you as part of general organisation information. If you are being contacted by us as a customer (e.g. processing your order information), then we are the Data Controller and it is not covered within this guide. Please see Privacy Policy for more information.


Our platform supports our customers to organise student assessment data so it’s simple and actionable, giving you back the time you need to focus on what you do best.

Our trackers support you to use students raw assessment data to calculate accurate student grades exactly as the exam board does, in real time. We provide this data in student reports with a detailed breakdown of marks across the course. We support you to analyse data to help you to identify ways and areas to improve students’ achievement.

When and how we collect data

From the first moment your users interact with Pupil Progress, we are collecting data. Sometimes users provide us with data, sometimes your organisation provides us with data and sometimes data about users is collected automatically.

Here’s when and how this is done

Data You (the customer) Provide Data users (Logged in staff members) provide Data we (pupil Progress) collect When


When you create staff accounts 



When you provide information about learners to identify and group them



You access sections of the platform




You chat with us for customer support



You receive emails or notifications from us



You provide additional information about learner attainment and behaviour

What types of data we collect

Contact details – users of Pupil Progress

Your name, email address, role in the organisation, groups such as class/year/department, contact numbers, organisation details.

Data that identifies you – users of Pupil Progress

Your IP address, login information, browser type, time zone setting, browser plug-in types, geolocation information about where you might be, the device you are using, operating system and version, applications installed and used, websites accessed.

Data on how you use Pupil Progress for the school

Information about learners based on prior attainment, set targets, expected outcomes and progress. Information about which staff teach or support different groups of learners.

What about really sensitive data?

We know that you will be using Pupil Progress to support your understanding of learners and as part of life in your organisation. Where this information includes very specific groups, this may include areas that is sensitive information (like racial or ethnic origin, or health data). This may also include other information that you wish to treat as sensitive data (like Looked-After Child status, free school meals or other funded groups). Where you share sensitive information or we use it, then it will be allowed based on how you, as an organisation, have agreed to it. We will process this information on the understanding that you have a Lawful Basis for processing it. This may include explicit consent or substantial public interest, but this will need to be shared by the organisation through the organisation’s Privacy Notice.

What about children’s data?

Pupil Progress is designed to provide organisations with information on children to help monitor and identify the progress of learners. This means that both staff and pupil personal data will be used. We know this and take additional care as a result.

Why we collect your data

Data protection law means that we can only use your data for certain reasons, where instructed by the organisation and where they have a lawful basis to do so. As part of the building of Pupil Progress, we have taken this into account and these are the areas we have identified and are likely to be used by your organisation. Where there are differences to our normal list, it is because your organisation has identified something differently, which you can do as Data Controller.

How we collect your students’ (Data Subjects) data

Children’s data is submitted to Pupil Progress in a csv or excel file sent through our end-to-end encrypted portal on the Users account, or by any other secure method chosen by the user meeting your organisations data protection requirements. This data is then uploaded to the platform by the Pupil Progress team. This data can also be entered directly by the user on the Pupil Progress platform in to the appropriate fields. This data can be updated as regularly as the Customer requires.

Here is a list of the student data that you or your organisation is able to submit to Pupil Progress:

Data Element Name Purpose of Collection Legal Grounds of Collection Sensitivity rating Handling Notes
Name For identification purposes Public interest Personal data
Contact details To enable communication Public interest Personal data
Medical and SEN To manage the additional needs of the data subject Public interest Special category personal data Art 9(2)(g) – Substantial Public interest. Only to be used by staff who have been trained to use this data with sensitivity and security.
Pupil Premium type To ensure the welfare of the data subject is considered Public interest Special category personal data Art 9(2)(g) – Substantial Public interest. Only to be used by staff who have been trained to use this data with sensitivity and security.
Groups To identify membership Public interest Personal data
Gender Personal Identifier Public interest Personal data
Ethnicity To ensure the welfare of the data subject is considered Public interest Special category personal data Art 9(2)(g) – Substantial Public interest. Only to be used by staff who have been trained to use this data with sensitivity and security.
Education details To manage the educational needs of the data subject Public interest Personal data
Attainment Information on attainment status, achievement and/or progress Public interest Personal data
Behaviour To ensure the welfare of the data subject is considered Public interest Personal data

Giving you Pupil Progress and all relevant resources

This means making sure that Pupil Progress gives you all the available tools. This includes access to progress information, relationships between teachers and pupils and helping you identify particular groups of pupils.

Suggested lawful basis for this data usage: Public Task/Substantial Public Interest.

Improving Pupil Progress

This means making sure that Pupil Progress is the right tool for you and works as you need it to, including any improvements needed to make sure it continues to be the right tool. This will include technical support and analytical information.

This may also mean taking personal data and anonymising it so that when different people within Pupil Progress use it, we have protected it as much as we can.

Lawful basis for this data usage: Public Task/Substantial Public Interest.

Here is what each of the “lawful bases” means:

Public Task

This states:

“…processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

This means that the organisation, as a public authority, has many things it does with children’s personal data. It has to do these things as it has been told that it needs to do it (by laws, regulations or statutory guidance) or it does the task as it is in the best interest of the children.

Substantial Public Interest

This states:

“…processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;”

This means that the organisation has taken extra measures to ensure that any information is safe (including having the appropriate policy documents). It also means that the organisation has taken the approach that the use of any ‘sensitive data’ is part of its work on safeguarding children and helping to identify and work with any who are at risk.

Other Lawful Bases

It may be that your organisation has decided it cannot use Public Task and/or Substantial Public Interest. This could be for a variety of reasons. If your organisation is an independent school, then it may be that you are using the contract between the parent and the school as the reason, or you have asked the parent/child for their consent (which has been freely given). Where ‘sensitive data’ is used, then it may be that explicit consent has been given.

Other options are available, and the schools or organisations will have checked to see which is most appropriate, including anything needed to keep things safe.

Data processing responsibilities

We shall process personal data only on documented instructions from you.

We shall inform you without undue delay of any request or complaint received directly from a data subject, any data security issues and any Data Breach incidents.

We shall respond promptly to enquiries from you relating to its processing, including providing documentation relating to data security arrangements, sub-processing arrangements and relevant data protection documentation.

We will assist the Data Controller in meeting its obligations to notify data breaches to the Information Commissioner’s Office (ICO), respond to ICO interventions, notify data breaches to data subjects, to carry out data protection impact assessments (DPIA) when required and consult with the ICO where a DPIA indicates there is a high risk that cannot be mitigated.

Ensuring your data’s security

How secure is the data we collect?

We have organisational and technical measures in place to safeguard and secure the information we hold, based on standard industry practices. More information can be provided about this on request, as we prefer not to publicly publish too much security information as a measure to protect our services.

And please remember:

  • Only share personal data where you need to.
  • You are responsible for your username and password, so keep them secret and safe!
  • If you believe that your privacy has been breached, then contact your Data Protection Officer or follow the guidance your organisation provides.

How do we ensure our staff are aware of their data protection responsibilities

All our staff and management are fully aware of their responsibilities to protect personal data and are subject to a duty of confidentiality, through a contractual duty or a statutory duty or otherwise.

All staff follow an induction procedure, have a regular review and security & data protection updates are delivered as required through our regular meetings. If any issue is raised relating to data security, then this is reviewed and directly addressed with the individual/s involved and builds on our current practice.

The Data Processor shall not permit any person to process the data who is not under a duty of confidentiality.

Where do we store your data?

The personal data we collect is processed at our offices in Brighton or regional offices, or our platform, which is hosted by Amazon Web Services in the UK or EEA.

By using our Support Channel, we may transfer your data outside of the EEA. This will only be done where an agreement with the sub-processor provides adequate safeguards.

By submitting your personal data, you agree to this transfer, storing or processing by us. No personal data from the platform is transferred or stored outside of the UK or EEA. If we do start to transfer data outside of the UK or EEA, we will notify you, including explaining any steps being taken to ensure that your privacy rights continue to be protected as outlined in this Data Processing Agreement.

For how long do we store your data?

We continue to hold all ‘active’ data (data that has been provided and is linked to active accounts on a verified licence) until the following:

  • If your subscription licence has run out and accounts are no longer active, personal data is kept for 3 months and then securely deleted.
  • We also operate a rolling backup that retains information for 24 months. 

We provide a way for you to download a complete copy of all personal data held on Pupil Progress before termination.

If you request it, we will provide written certification that all personal data has been completely deleted.

Security of Data Processing

We will implement appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction or damage to personal data.

We will inform the Data Controller of any unlawful processing of personal data and any loss, destruction or damage to personal data.

Notification of Personal Data Breach

Upon becoming aware of a Personal Data Breach, we shall inform the Data Controller without undue delay providing all necessary information and shall cooperate as reasonably required to fulfil Data Breach reporting obligations under Data Protection Law.

Our procedures assess all security incidents and then report relevant breaches to the ICO within the statutory time frame

Partners (sub-processors) who process your data

Edtech businesses often use contractors and outside companies to help them host their applications, power their support tools, etc. Any company or individual that we use when processing information under this agreement is a “sub-processor”. This means that any agreement or contract we have with them is, at least, as strict as this agreement. We make sure that we are happy that they will also take the same level of care of the personal data you are trusting us with, including checking if they hold any certificates for their work. As part of our agreement to work with you, this is also an agreement to work with our sub-processors. 

Here are the details of the main sub-processors and service providers; what they collect, process and store; and a general explanation of why.


Service provider Data collected or processed Purpose Place of processing
Amazon Web Services (AWS)

AWS Data Processing Addendum (DPA) – Navigating GDPR Compliance on AWS (

All personal data Enable the use of the platform to review, analyse and monitor learner data around attainment, progress and expected outcomes. UK
FRAM All personal data Development and support of the platform EEA


Service provider Data collected or processed Purpose Place of processing

Data Processing Agreement (

Account details Provide support US

Integrations (optional)

Service provider Data collected or processed Purpose Place of processing

Data Processing Agreement (

Account details Provide support US


Service provider Data collected or processed Purpose Place of processing
Google Mail School and account details Provide notifications about accounts and platform EEA

Data Processing Agreement (

School and account details Provide support US

You agree that we have general permission to, from time to time, make changes to who our sub-processors are, or what they will be doing in order to provide you with an improved service. Any agreement or contract we have with new sub-processors will be, at least, as strict as this agreement.

If we do, we will notify you beforehand.  This will give you a chance to check any of the changes and raise any possible objections. If there are any objections, we will happily discuss these with you and address any concerns.

Your privacy choices and rights

You have various rights about your personal data. These are all managed directly by your organisation and any questions about the rights would normally be dealt with by the organisation. These may vary, depending on the lawful bases mentioned in the previous section.

Your Choices

We will only use the personal data you give us. Where we have been given personal data by your organisation and instructions on what to do with it, giving us more personal data will depend on what your organisation says is needed. We will only use what has been provided.

Turning off cookies in your browser by changing its settings. There are various settings in your web browser that you can use to block or refuse cookies. You can also delete cookies through your browser settings as well. However, if you do delete cookies some of Pupil Progress may not work. We have already mentioned that we collect some information about your computer and how you use Pupil Progress, and any cookies we use really are needed.

No need to ask us not to use your data for marketing. Any information you provide to us or that you create when you use Pupil Progress is only ever used as part of giving you Pupil Progress. We do not use it for any marketing or anything else.

Your Rights

Please have a look at your organisation’s Privacy Notice for how you can exercise your rights.

Data Subject Rights

We will provide reasonable assistance to the Data Controller (including by technical and organisational measures) to enable the Data Controller to respond to complaints from Data Subjects and requests from Data Subjects to exercise any of their rights under Data Protection Law.

In the event that we receive any such complaint or request directly from a Data Subject, we shall inform you promptly and provide full details to enable the you to take appropriate action.

How we use cookies

We use cookies. Unless you adjust your browser settings to refuse them, we (and our sub-processors) will issue cookies when you interact with Pupil Progress. These may be session cookies, meaning they delete themselves when you leave Pupil Progress or ‘persistent’ cookies which do not delete themselves and help us to recognise you when you return so we can provide you with a tailored service. We also have part of our business operations within the platform, allowing for the management and payment of any subscriptions. This is not part of the DPA, but part of our business operations and included here for transparency.

How can I block cookies?

You can block cookies by activating a setting in your browser allowing you to refuse the setting of cookies. You can also delete cookies through your browser settings. If you use your browser to disable, reject, or block cookies (including essential cookies), certain parts of our platform will not function fully. In some cases, our platform may not be available at all. Please note that where sub-processors use cookies, it is also to enable the service to work correctly. We do not allow third-parties to set cookies.

Which specific cookies do we use?

Service provider Key cookies  Purpose
HubSpot __cf_bm Security
__hstc Support analytics
hubspotutk Support analytics
__hssrc Support analytics
__hssc Support analytics
__hs_opt_out Tracking opt out
__hs_initial_opt_in Tracking permissions
Stripe M Browser/device check
__stripe_mid Security*
__stripe_sid Security*

*Cookies set are as part of the payment systems, to allow schools to choose online payment options.

Keeping a check on our processes

We shall provide information necessary to demonstrate our compliance with the Data Processing Agreement.

As part of our obligations, we will support you with audits in relation to the processing of personal data by Pupil Progress and its sub-processors.

To support us with this, you must provide reasonable notice in writing of any audit you wish to take and the scope and purpose of that audit. Any audit will take place within our normal business hours and will not occur more than once in any calendar year.

Making this DPA great

Well done for getting through this Data Processing Agreement and reviewing everything in it! It is designed to help you best understand what we do, under your instructions. Where you have instructions outside of this agreement, then they will be treated as support or account requests, as long as they do not fundamentally change anything mentioned in this agreement.

N.B. This DPA was built based on an open-source design for Privacy Notices from & Get these patterns free at This DPA pattern is open source and reuse is permitted when using the attributions above. Specific content relating to the service itself may not be reused without the permission of Pupil Progress Ltd

Publication date: 25th September 2021

Version: 1.1 – update added list of student’s information that can be submitted to Pupil Progress (29th September 2021)

Version: 1.2 – update added how student’s information can be submitted to Pupil Progress (7th October 2021)

Version: 1.3 – latest update added further detail to sections on Purpose, Ensuring your data’s security, Data Subject Rights and Keeping a check on our processes (7th December 2021)