Data Processing Agreement — Summary
Last Updated: 29 January 2026
This is a plain-language summary of the Sense Path Data Processing Agreement (DPA). The full legal document is available on request — contact us.
What is a DPA?
A Data Processing Agreement sets out how Sense Path Ltd (as Data Processor) handles personal data on behalf of schools (as Data Controllers) in accordance with UK GDPR.
Key Points
Roles
- Your school is the Data Controller for children's assessment data
- Sense Path Ltd is the Data Processor — we process data only on your instructions
What Data is Processed
- Child identifiers (as chosen by your school)
- Assessment responses (60 true/false questions)
- Assessment dates and staff attributions
- Generated results and recommendations
- Optional notes and comments
Where Data is Stored
- Belgium (Google Cloud region europe-west1) — within the EEA
- No data is transferred outside the UK or EEA
- If this ever changes, we will notify you 30 days in advance and obtain your written consent
Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls
- Daily encrypted backups (6-month retention)
- Staff confidentiality obligations and training
- Incident response procedures
Sub-processors
| Sub-processor | Service | Location |
|---|---|---|
| Google Ireland Limited (Firebase) | Hosting, database, authentication | Belgium (EEA) |
| Google Ireland Limited (Workspace) | Email communications | EEA |
| Stripe Payments Europe, Ltd | Payment processing | EEA |
We will give you 30 days' notice before adding any new sub-processor. You have the right to object.
Your Rights as a School
- Give documented instructions about data processing
- Audit our compliance (once per year, 14 days' notice)
- Approve or reject sub-processors
- Request data export (CSV or JSON) at any time
- Request deletion of all data
- Terminate the agreement if we breach our obligations
Our Obligations
- Process data only on your instructions
- Maintain security measures
- Assist with data subject rights requests promptly
- Notify you of data breaches within 24 hours
- Assist with Data Protection Impact Assessments
- Delete all data when you close your account
Data Subject Rights
We help you respond to requests from parents/guardians:
| Right | Our Assistance | Timeframe |
|---|---|---|
| Access | Provide data exports | Promptly |
| Correction | Enable corrections via the app or on your behalf | Promptly |
| Deletion | Delete specific records as instructed | Promptly |
| Restriction | Restrict processing as instructed | Promptly |
| Portability | Provide data in CSV or JSON | Promptly |
If a parent contacts us directly, we forward the request to your school promptly.
Data Retention
- Data retained while your account is active
- Schools can delete individual records at any time
- On account closure: data deleted within 30 days
- Backup data purged within 6 months
Breach Notification
- We notify you within 24 hours of discovering a breach
- We provide details of what happened, who was affected, and what we're doing about it
- We cooperate fully with any ICO notifications you need to make
Insurance
Sense Path Ltd holds cyber and data insurance (Hiscox CyberClear, £250,000 coverage).
Indemnity
We indemnify schools against costs arising from our breach of the DPA, except where the issue arose from the school's own instructions or breach.
How to Get the Full DPA
Contact us to receive the full Data Processing Agreement for review and signing.
Version: 2.0 | Last Updated: 29 January 2026
This summary is for informational purposes. The full DPA is the legally binding document.