# School Data Processing Agreement > **Private — not for public website publication.** This Agreement is provided to schools that have purchased or are evaluating Linguistic Quest. It is intended to be signed or incorporated into school order forms, school subscription agreements or school terms. **Linguistic Quest / Southern African Traders Ltd** **Version:** v1.0 — April 2026 ## 1. Parties This Data Processing Agreement is between: - (1) **The School:** \[School / Trust / District legal name\] of \[address\] (**School**, **Controller**); and - (2) **Southern African Traders Ltd** trading as Linguistic Quest, company number 12003857, with registered office at the address notified to the School (**Supplier**, **Processor**). Together, the **parties**. ## 2. Background The School wishes to use Linguistic Quest for language-learning puzzles and related educational services. The School determines the purposes and means of processing student personal data. The Supplier processes student personal data on behalf of the School to provide the Service. This agreement is intended to satisfy Article 28 of the UK GDPR. ICO guidance states that Article 28 requires a written contract between controller and processor containing specific safeguards, including documented instructions, confidentiality, security, subprocessors, assistance, deletion or return, audit information and related obligations. ## 3. Definitions - **Data Protection Laws** means the UK GDPR, Data Protection Act 2018, PECR, and any other applicable UK data protection or privacy laws. - **Personal Data**, **Processing**, **Controller**, **Processor**, **Data Subject**, **Personal Data Breach** and **Subprocessor** have the meanings given in Data Protection Laws. - **School Data** means personal data processed by the Supplier on behalf of the School under this agreement. - **Service** means the Linguistic Quest website, platform, learning tools and related support services. ## 4. Roles For School Data: - (a) the School is Controller; - (b) the Supplier is Processor; and - (c) the Supplier will process School Data only on documented instructions from the School, unless required by law. The Supplier is an independent controller for limited business administration data, such as school billing contacts, contract records, legal compliance records and security logs used for Supplier-side compliance. ## 5. Processing instructions The School instructs the Supplier to process School Data as necessary to: - (a) create and manage school, teacher and student accounts; - (b) provide access to language-learning puzzles and activities; - (c) track student progress and learning history; - (d) provide teacher dashboards and reports; - (e) provide support and troubleshooting; - (f) maintain security and prevent misuse; - (g) comply with agreed retention, deletion and export instructions; and - (h) perform the Service described in the order form or school agreement. The Supplier must notify the School if, in its opinion, an instruction infringes Data Protection Laws. ## 6. Processing details ### 6.1 Subject matter Provision of the Linguistic Quest educational language-learning platform to the School. ### 6.2 Duration For the term of the school subscription or order form, plus any agreed retention or deletion period. ### 6.3 Nature and purpose Hosting, storing, accessing, displaying, analysing and otherwise processing School Data to provide educational puzzle activities, learner progress tracking, teacher reporting, account administration, support, security and service maintenance. ### 6.4 Categories of data subjects - (a) students; - (b) teachers; - (c) school administrators; - (d) parents or guardians, if provided by the School; and - (e) authorised school staff. ### 6.5 Types of personal data - (a) student name, nickname, username or identifier; - (b) school email or login identifier, if used; - (c) class, group, year or teacher association; - (d) language-learning settings; - (e) puzzle responses, scores, streaks and progress; - (f) account status and login data; - (g) technical logs, IP address and device information; - (h) support communications; and - (i) other data uploaded or provided by the School. ### 6.6 Special category data The Supplier does not require special category data. The School must not upload special category data unless expressly agreed in writing. ### 6.7 Children's data The parties acknowledge that School Data may include children's personal data. The Supplier will apply appropriate safeguards for child users. ## 7. Supplier obligations The Supplier shall: - (a) process School Data only on documented instructions from the School; - (b) ensure persons authorised to process School Data are bound by confidentiality; - (c) implement appropriate technical and organisational security measures; - (d) assist the School with data subject requests where reasonably possible; - (e) assist the School with data protection impact assessments and regulator consultation where reasonably required; - (f) notify the School of personal data breaches as set out below; - (g) delete or return School Data at the end of the services as instructed; - (h) make available information reasonably necessary to demonstrate compliance; and - (i) not sell School Data or use School Data for behavioural advertising. ## 8. School obligations The School shall: - (a) ensure it has a lawful basis for providing School Data to the Supplier; - (b) provide required privacy notices to students, parents and staff; - (c) obtain any required parental permissions or approvals; - (d) ensure user lists and instructions are accurate; - (e) use the Service lawfully and appropriately; - (f) avoid uploading unnecessary personal data; - (g) respond to data subject requests where it is the Controller; and - (h) maintain appropriate security over school-issued accounts and devices. ## 9. Confidentiality The Supplier shall ensure that staff, contractors and authorised personnel who access School Data are subject to confidentiality obligations. ## 10. Security measures The Supplier shall maintain appropriate technical and organisational measures, which may include: - (a) encryption in transit; - (b) access controls and least-privilege permissions; - (c) password hashing or secure authentication controls; - (d) logging and monitoring; - (e) backups and recovery procedures; - (f) vulnerability management; - (g) secure development practices; - (h) staff confidentiality obligations; - (i) supplier due diligence; - (j) incident response procedures; and - (k) segregation of school accounts where appropriate. ## 11. Subprocessors The School gives general written authorisation for the Supplier to use subprocessors. The Supplier shall: - (a) maintain a list of subprocessors; - (b) ensure subprocessors are bound by written terms providing at least equivalent protection; - (c) remain liable for subprocessor performance; and - (d) give reasonable notice of material subprocessor changes. The School may object to a new subprocessor on reasonable data protection grounds. If the parties cannot resolve the objection, the School may terminate the affected services. ## 12. International transfers The Supplier shall not transfer School Data outside the UK unless it uses a lawful transfer mechanism, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or another lawful mechanism. ## 13. Personal data breaches The Supplier shall notify the School without undue delay after becoming aware of a Personal Data Breach affecting School Data. The notification shall include, where available: - (a) nature of the breach; - (b) categories and approximate number of data subjects affected; - (c) categories and approximate number of records affected; - (d) likely consequences; - (e) measures taken or proposed; and - (f) contact point for further information. The Supplier shall provide reasonable assistance to the School in investigating, mitigating and reporting the breach. The School is responsible for deciding whether to notify the ICO or affected data subjects, unless the law requires otherwise. ## 14. Data subject requests If the Supplier receives a request from a student, parent, teacher or other data subject relating to School Data, it shall either: - (a) refer the request to the School; or - (b) notify the School, unless prohibited by law. The Supplier shall not respond substantively to the request unless instructed by the School or required by law. ## 15. DPIAs and prior consultation The Supplier shall provide reasonable assistance to the School with data protection impact assessments and prior consultation with a regulator, taking into account the nature of processing and information available to the Supplier. ## 16. Audits and compliance information The Supplier shall make available information reasonably necessary to demonstrate compliance with this agreement. The School may audit the Supplier no more than once per year, unless a serious incident or regulator requirement justifies additional audit. Audits must be: - (a) on reasonable notice; - (b) during normal business hours; - (c) subject to confidentiality; - (d) limited to relevant systems and records; and - (e) conducted in a way that does not compromise security or other customers' data. The Supplier may satisfy audit requests by providing independent certifications, policies, summaries, security documentation or written responses where appropriate. ## 17. Deletion and return At the end of the services, the Supplier shall, at the School's choice, delete or return School Data unless law requires retention. Unless otherwise agreed, School Data will be deleted from production systems within 30 days after termination or written deletion request, and from backups within 90 days. ## 18. Use restrictions The Supplier shall not: - (a) sell School Data; - (b) use School Data for behavioural advertising; - (c) build student marketing profiles; - (d) contact students directly for marketing; - (e) use identifiable School Data to train public AI models; or - (f) combine School Data with other data except as needed to provide, secure or support the Service. ## 19. AI tools The Supplier may use AI-assisted tools for educational content creation, support, quality assurance, security or product improvement. The Supplier shall not submit identifiable School Data, including identifiable student data, to public AI systems for model training. Where AI tools process School Data, they must be treated as subprocessors or otherwise assessed under Data Protection Laws. ## 20. Liability Liability under this agreement is subject to the liability terms in the main school contract or order form, unless otherwise agreed in writing. Nothing limits liability that cannot be limited by law. ## 21. Term and termination This agreement starts on the effective date of the school order or contract and continues while the Supplier processes School Data. Termination of the main school contract terminates this agreement, subject to clauses that must survive, including confidentiality, deletion, audit, liability and data protection obligations. ## 22. Order of precedence If there is a conflict between this agreement and other terms, the following order applies: - (a) any signed bespoke data protection amendment; - (b) this School Data Processing Agreement; - (c) the school order form; - (d) the main school terms; - (e) the public Terms of Service. ## 23. Governing law This agreement is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction. ## 24. Signatures **For the School** - Name: - Title: - Signature: - Date: **For Southern African Traders Ltd** - Name: - Title: - Signature: - Date: