← Back to Trust CentreData Processing Agreement (DPA)
Version 1.0 · Effective 14 June 2026 · Governing law: England & Wales
1. Parties
This DPA is entered into between Britwise School Ltd (“Processor”, Companies House 17253094, ICO —) and the Customer (“Controller”) named in the underlying Subscription Order.
2. Subject matter
Britwise processes Personal Data on behalf of Controller solely to deliver the Service: AI English coaching, learner progress tracking, manager dashboards, and (where applicable) safeguarding flag review. Categories of data: name, email, employer/school, voice recordings, transcripts, CEFR/IELTS band scores, device identifiers.
3. Sub-processors
OpenAI (US/EU), Anthropic (US/EU), Deepgram (EU endpoint, Helsinki), ElevenLabs (EU), MongoDB Atlas (Helsinki), Hetzner (Helsinki HEL1), Resend (EU), Stripe (UK + EU). Audio + transcripts are stored in Helsinki, Finland. Controller will be notified 30 days before any new sub-processor is added.
4. International transfers
Where transfers occur outside the UK/EEA (e.g. OpenAI fallback to US endpoints), they are covered by the UK’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (2021/914) annexed to this DPA as Schedule 1.
5. Security measures
TLS 1.3 in transit, AES-256 at rest, RBAC with least-privilege, audit logging (immutable, 7-year retention), MFA enforced for all staff with Personal Data access, quarterly penetration testing, annual third-party security review, Cyber Essentials certification roadmap (target Q4 2026).
6. Data subject rights
Britwise assists Controller in fulfilling Data Subject Access Requests, rectification, erasure, restriction, portability, and objection within 30 calendar days. Send DSARs to dpo@britwise.school.
7. Breach notification
Britwise will notify Controller within 72 hours of becoming aware of a Personal Data Breach affecting Controller’s data, with full details required by UK GDPR Article 33.
8. Deletion
On termination, Britwise will delete or return all Personal Data within 30 days, unless legally required to retain (e.g. financial records, audit trails for 7 years per UK Companies Act).
9. Audit
Controller may audit Britwise’s compliance once per calendar year with 30 days’ notice, at Controller’s cost. Britwise will provide ISO 27001 / SOC 2 reports (when available) in lieu of on-site audit.
10. Contact
Data Protection Officer: dpo@britwise.school · Britwise School Ltd, Companies House 17253094, ICO —, England & Wales.
To countersign this DPA for your organisation, email dpo@britwise.school with your company name + signatory details. We’ll return a co-signed PDF within 2 business days.