This Data Processing Agreement ("DPA") applies to and forms part of the Terms & Conditions and any other agreements between Redpen AI Ltd ("Redpen AI") and the subscribing school or organisation ("the School"), and is effective from the date the School subscribes to the Redpen AI platform.

Any capitalised terms not defined in this DPA shall have the meanings given to them in the Terms & Conditions. Where there is any conflict between the Terms & Conditions and this DPA, the provisions of this DPA shall prevail.

Definitions

"Controller" means the natural or legal person who determines the purposes and means of processing personal data.

"Data Protection Legislation" means all laws relating to the processing of personal data, privacy and security, including but not limited to the Data Protection Act 2018, the UK General Data Protection Regulation, and any amendments to these.

"School Data" means personal data provided by the School to Redpen AI, or otherwise processed by Redpen AI, pursuant to the agreement between the parties.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Process" or "Processing" means any operation or set of operations performed on personal data, whether or not by automated means.

"Processor" means an entity that processes personal data on behalf of a Controller.

Obligations of the Parties

Each party shall comply with its respective obligations under applicable Data Protection Legislation.

To the extent that Redpen AI processes School Data as a Processor, Redpen AI shall:

Only process data on your instructions — School Data will only be processed in accordance with the School's instructions. By subscribing to and using the Redpen AI platform, the School instructs Redpen AI to process School Data for the purposes set out in this DPA and the Terms & Conditions. Redpen AI will not process School Data for any other purpose unless required to do so by law, in which case Redpen AI will inform the School before processing, unless prohibited from doing so. Upon termination of the agreement, Redpen AI will promptly delete or return all School Data upon request.

Keep data secure — Redpen AI will implement appropriate technical and organisational measures to protect School Data against unauthorised or unlawful processing, and against accidental loss, destruction, damage, alteration or disclosure. All personnel with access to School Data are bound by a confidentiality obligation.

Notify you of any incidents promptly — In the event of any data incident — including any suspected, potential or actual accidental, unlawful or unauthorised destruction, disclosure, loss, alteration or access — Redpen AI will notify the School in writing without undue delay, and in any event within 24 hours of becoming aware of it.

Support your compliance obligations — Redpen AI will provide reasonable information and assistance to help the School comply with its obligations under Data Protection Legislation, including promptly referring on any requests, notices or communications from individuals, third parties or data protection authorities relating to School Data.

Not use subprocessors without consent — Redpen AI will not subcontract any processing of School Data without the prior written consent of the School. By subscribing to Redpen AI, the School consents to the use of the subprocessors listed in Schedule 1. From time to time, Redpen AI engages a number of individual contractors to assist with the moderation of AI-generated feedback. These contractors are based in the United Kingdom and are subject to binding confidentiality obligations. Redpen AI will notify the School of any material changes to its approved subprocessors and provide a reasonable opportunity to object before any new subprocessor begins processing School Data. Any subprocessors are subject to the same or equivalent obligations as those set out in this DPA, and Redpen AI remains fully liable for the acts and omissions of any subprocessors.

Not transfer data outside the UK without consent — Redpen AI will not process or transfer School Data outside the United Kingdom without the prior written consent of the School, and only where a lawful data transfer mechanism is in place.

Maintain clear records of processing activities — Where required by Data Protection Legislation, the parties will ensure that a description of relevant processing activities is documented, including the subject matter, duration, nature and purpose of the processing, the types of personal data involved, the categories of data subjects, and the rights and obligations of the School.

Indemnity

Redpen AI shall indemnify and hold the School harmless in respect of all losses, damages, costs, charges, expenses and liabilities — including any regulatory penalties — arising out of or in connection with a breach by Redpen AI of this DPA.

Schedule 1 — Approved Subprocessors

Microsoft Azure Role: Provides the background infrastructure for the Redpen AI platform. Location: United Kingdom. Transfer safeguard: Not applicable (data does not leave the UK).

Feedback Moderation Contractors Role: Individual contractors engaged to review and moderate AI-generated feedback to ensure quality and appropriateness. Location: United Kingdom. Transfer safeguard: Not applicable (data does not leave the UK).