Named school at point of reading and accepting Terms and Conditions that include this DPA (Controller)
Harding Education Ltd, 5 George Fitzroy Court, St. Mary Park, Morpeth, United Kingdom, NE61 6FE registered in England and Wales with Company Number 13252960 (Processor)
The Controller and the Processor entered into an agreement under which the Processor is providing IT Services for the provision of the Winning With Numbers software as a service platform commencing on date of registration that requires the Processor to process Personal Data on behalf of the Controller.
This Data Processing Agreement (Agreement) sets out the terms and conditions on which the Processor will process Personal Data when providing the agreed IT Development Services for the provision of the Winning With Numbers software as a service platform. This Agreement contains the mandatory clauses required by Article 28(3) of the UK General Data Protection Regulation for contracts between Controllers and Processors.
The following definitions and rules of interpretation apply in this Agreement.
1.1 Definitions:
Data Protection Legislation: all applicable data protection laws including UK GDPR and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
Data Subject: an individual who is the subject of Personal Data (i.e. School Pupils, Staff, parents etc)
GDPR: UK General Data Protection Regulation
Personal Data: means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services under the Services Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.2 The Schedules form part of this Agreement and will have effect as set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.
1.3 A reference to writing or written includes email.
2.1 The Controller and the Processor acknowledge that the Controller is the controller, and the Processor is the processor. The Controller retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation.
2.2 The Processor may process the Personal Data categories and Data Subject types set out in Schedule 1 of this Agreement.
3.1 The Processor shall:
3.1.1 implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of the Data Subject, as further set out below in this Agreement.
3.1.2 only use subcontractors to help with the processing of Personal Data in the circumstances set out in clause 4 below.
3.1.3 process the Personal Data only on documented instructions from the Controller, unless required to do so by domestic law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.1.4 ensure that persons authorised to process the personal data (such as its employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.1.5 take the security measures set out in clause 5 below.
3.1.6 considering the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights as set out in clause 6 below.
3.1.7 assist the Controller in ensuring compliance with the obligations set out in clause 7 below (data breach) considering the nature of processing and the information available to the Processor.
3.1.8 at the choice of the Controller, delete or return all the Personal Data to the Controller after the termination or expiry of the Services Agreement and delete existing copies (unless domestic law requires storage of the Personal Data).
3.1.9 make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
3.1.10 assist the Controller in ensuring compliance with the requirement to carry out Data Protection Impact Assessments as set out in Article 35 of UK GDPR, considering the nature of processing and the information available to the Processor.
3.1.11 designate a Data Protection Officer if required by Article 37(1) of GDPR and in accordance with the provisions of Articles 37, 38 and 39 of UK GDPR; and
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity,
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale,
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
3.1.12 immediately inform the Controller, if in the opinion of the Processor, an instruction from the Controller infringes Data Protection Legislation.
3.2 The Processor will promptly comply with any request by or instruction from the Controller to process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 The Processor will keep all Personal Data confidential and not disclose such data to third parties unless specifically authorised in writing by the Controller or as required by law. If the Processor is required by law, court, regulator, or supervisory authority to process or disclose any Personal Data, the Processor will first inform the Controller of this and allow the Controller to object or challenge the requirement, unless the law prohibits the Processor from informing the Controller.
4.1 The Processor may only authorise a third party (“subcontractor”) to process the Personal Data if:
4.1.1 the Processor has obtained the prior written consent from the Controller for each appointment of a subcontractor (or the subcontractor’s name is set out in Schedule A).
4.1.2 where the controller has provided prior general written authorisation for the appointment of subcontractors, the processor shall inform the controller of any intended changes concerning the addition or replacement of subcontractors, thereby giving the controller the opportunity to object to such changes. If the controller so objects, the processor shall immediately terminate the appointment of such subcontractor. If the processor fails to terminate the appointment of such subcontractor, the controller may terminate the services agreement with immediate effect without any liability.
4.1.3 the Processor has carried out appropriate due diligence on any subcontractor to ensure that the subcontractor can satisfy its contractual obligations.
4.1.4 the Processor and the subcontractor have entered a written contract containing terms the same as those set out in this Agreement in relation to data security measures.
4.1.5 the Processor maintains control over all Personal Data it shares with the subcontractor.
4.1.6 the Processor ensures that the subcontractor does not process the Personal Data except on instructions from the Data Controller (unless required to do so by domestic law).
4.1.7 the contract between the Processor and the subcontractor terminates automatically on termination of this Agreement.
4.1.8 the Processor shall be fully liable for the actions and inactions of the subcontractor and shall be responsible for the subcontractor’s performance of obligations.
5.1 The Processor shall, considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Schedule 2 of this agreement, including as appropriate:
5.1.1 the pseudonymisation and encryption of Personal Data.
5.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
5.1.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
5.1.4 a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.1.5 in assessing the appropriate level of security, the Processor shall take account of the risks that are presented by processing, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.
6.1 The Processor will put in place such technical and organisational measures as may be appropriate to enable the Controller to comply with the rights of Data Subjects under Data Protection Legislation, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing and the right to object to automated individual decision making.
6.2 If the Processor receives any complaint or other communication relating to the processing of the Personal Data or a Subject Access Request from a Data Subject, it must notify the Controller as soon as possible after it receives it and in any event within 3 working days and will provide the Controller with all reasonable assistance in helping the Controller to reply to such communications.
6.3 The Processor will provide to the Controller such information as the Controller may reasonably require for the Controller to comply with the rights of Data Subjects under Data Protection Legislation. The Processor may not charge an additional amount for fulfilling its obligations under this clause 6.
6.4 The Processor will provide all appropriate assistance to the Controller to enable it to comply with any information or assessment notices served on the Controller by the Commissioner under the Data Protection Legislation.
6.5 The Processor shall not disclose Personal Data to any third party other than at the Controller’s written request or as set out in this agreement or as required by law.
7.1 If any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable (“Personal Data Loss”), the Processor must notify the Controller without undue delay (and in any event within 24 hours) after learning of such Personal Data Loss and the Processor shall to the extent possible restore any such data at its own expense.
7.2 If the Processor becomes aware of any unauthorised or unlawful processing of the Personal Data or any Personal Data Breach, it must notify the Controller without undue delay (and in any event within 24 hours) including all relevant information such as:
(a) a description of the nature of the Personal Data Breach, the unauthorised or unlawful processing and/or the Personal Data Loss, including the categories and approximate number of both Data Subjects and Personal Data records concerned,
(b) the likely consequences,
(c) description of the measures taken, or proposed to be taken, including measures to mitigate the impact.
7.3 The parties will co-ordinate and co-operate with each other to investigate any matters arising as contemplated by this clause.
7.4 The Processor shall take all reasonable steps to mitigate the effects and reduce the impact of any Personal Data Breach or unlawful Personal Data processing.
7.5 The Processor agrees that it shall not (and the Controller is solely responsible to):
(a) provide notice of the Personal Data Breach to any Data Subjects, the Commissioner, regulators, law enforcement agencies or any other third party, except when the Processor (as opposed to the Controller) is required by law or regulation to provide such notice,
(b) offer any type of remedy to affected Data Subjects.
7.6 The Processor will cover all reasonable expenses associated with the performance of its obligations under this clause 7.
8.1 The Processor (or any subcontractor of the Processor) shall not transfer or otherwise process Personal Data outside the United Kingdom without obtaining the Controller’s prior written consent (except where the Processor is required to transfer such data by domestic law, in which case the Processor shall inform the Controller of such legal requirement before processing takes place, unless any law prohibits such disclosure on important grounds of public interest).
8.2 If the Controller consents to the transfer or other processing of the Personal Data outside of the United Kingdom and no appropriate safeguards exist (such as adequacy regulations under section 17A of the 2018 Act), the Processor and the Controller will adopt appropriate safeguards as set out in Article 28 (8) for example, standard data protection clauses for the transfer of Personal Data from the United Kingdom to processors established in third countries (controller-to-processor transfers), as set out in Article 46 which ensure data subject rights and effective legal processes for data subjects are available. Approval may be required from the Commissioner in some instances.
8.3 If the Processor appoints subcontractors that are based outside of the United Kingdom, the Processor shall, prior to any Personal Data being transferred to such countries, (i) ensure that the subcontractor executes the standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Act and for the time being in force; and (ii) send a copy of such executed clauses to the Controller.
9.1 This Agreement will continue for so long as the Processor processes any Personal Data related to the Services Agreement (Term).
9.2 If the Processor breaches this Agreement, such breach shall constitute a material breach of the Services Agreement and the Controller may terminate the Services Agreement immediately on written notice to the Processor without further liability or obligation for the Controller.
10.1 The Processor will, on the request of the Controller, provide the Controller with a copy of or access to the Personal Data in its possession or control in the format and on the media reasonably specified by the Controller.
10.2 On termination or expiry of the Services Agreement, the Processor will at least 7 days prior to the date of expiry or termination ask the Controller whether the Controller wants the Personal Data to be deleted, destroyed, returned, or retained and shall follow the Controller’s instructions accordingly.
10.3 If the Processor is required by any law, regulation, or government or regulatory body to retain any documents or materials, the Processor will inform the Controller in writing of such requirement, providing details of the legal basis for retention and setting out the timings for deletion when such retention period ends.
10.4 If the Controller requires the Processor to delete or destroy certain documents or materials or anything else containing Personal Data, the Processor shall certify in writing that it has so deleted or destroyed the Personal Data within 3 days of doing so.
11.1 The Processor will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Controller, in such form as the Controller may require from time to time (Records) and shall send the Records to the Controller as required by the Controller.
11.2 The Processor will ensure that the Records are sufficiently detailed to enable the Controller to confirm the Processor’s compliance with its obligations under this Agreement and Data Protection Legislation.
11.3 The Controller and the Processor shall review the information listed in the Schedules to this Agreement as and when required to confirm their current accuracy and update them when required to reflect current practices.
12.1 The Controller (and any third-party representatives) may audit the Processor’s compliance with its obligations under this Agreement and the Processor will give the Controller (and its third-party representatives) all necessary assistance and co-operation to conduct such audits.
12.2 If a Personal Data Breach occurs, or the Processor becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, or if the Controller so requires it, the Processor will:
(a) conduct its own investigation to confirm the cause of such Personal Data Breach or breach of obligations,
(b) provide to the Controller a written report on the investigation including any proposals to remedy any problems identified by the investigation,
(c) remedy the problems identified within 7 days of the date of the written report.
12.3 On the Controller’s written request, the Processor will audit a subcontractor’s compliance with its obligations regarding the Controller’s Personal Data and provide the Controller with the audit results.
12.4 The Processor will conduct security audits at such other periods required by the Controller identifying any areas of deficiency (when considering the scope and nature of the processing of Personal Data and the best practice technologies available at such time) and will provide the written report to the Controller.
13.1 The Processor warrants and represents that:
(a) its employees, subcontractors, agents and any other person or persons processing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation,
(b) it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation,
(c) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Services Agreement’s contracted services.
14.1 The Processor agrees to indemnify and keep indemnified the Controller against all costs, claims, damages, expenses, or any other liability (including reasonable professional fees) incurred by the Controller (or for which the Controller may become liable) due to any failure by the Processor or its employees, subcontractors, or agents to comply with any of its obligations under this Agreement or the Data Protection Legislation.
14.2 Any limitation of liability set out in the Services Agreement will not apply to this Agreement’s indemnity.
15.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to:
For the Controller: Name and email address of the school Headteacher/Data Protection Officer
For the Processor: Bethan Harding MBE at email bethan@hardingeducation.com
15.2 Clause 15.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
16.1 This agreement, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with the law of England and Wales.
16.2 Each party irrevocably agrees that the courts of England and Wales shall have non-exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
This agreement has been entered into on the date Terms and Conditions were accepted.
Subject matter of the processing: The provision of IT Services for the maintenance and development of the Winning With Numbers software as a service platform.
Duration of the Processing: For the length of the contract only.
Nature and purposes of the processing: The School Data will be obtained, held and used by the Company to carry out its obligations arising from the terms and conditions entered into between the School and Harding Education Ltd regarding the use by the School and its users of the Product.
Personal data will be processed for the following purposes:
Type of Personal Data: For school leaders, the following personal data will be processed: Name, email address, contact details (including phone numbers and school postal address), username & role. For Teachers, the following personal data will be processed: Name, email address, contact details, username & role. For Students, the following personal data will be processed: Name, email address, class and username, the answers provided to online questions. Technical data including device ID, IP address and browser information.
Categories of Data Subject: Teachers and Students of the schools who subscribe to the service.
Plan for return and destruction of the data once the processing is complete UNLESS requirement under union or member state law to preserve that type of data: All personal data will either be deleted by the Processor or returned to the Controller upon termination of the contract for services. Any data deleted shall be done so securely and the Processor will confirm the same.
The following sub-contractors are utilised to support Harding Education Ltd in fulfilling the requirements of the services agreement.
AWS (Amazon Web Services) – hosting provider. UK/EU. https://aws.amazon.com/
Aircury – platform developers and maintenance. UK/EU. chris@aircury.com
Google Analytics EU (processing may occur globally). https://support.google.com/policies/contact/general_privacy
Robinson Web Design. UK. richard@robinsonwebdesign.com
Stripe – Third Party Payment Provider for Credit Card Transactions. EU/UK. https://stripe.com/privacy-center/legal
Wonde – School MIS data integration (from summer 2026). UK. dpo@wonde.com
Without prejudice to its other obligations, the Processor shall implement and maintain all technical and organisational security measures as applicable to safeguard the Protected Data, for example, but not exclusively: