Independent. Not sponsored by universities or employers. Methodology.

Legal

Data Processing Agreement (schools)

Last updated: 31 May 2026

How this document applies. When a school, college, multi-academy trust, or other organisation ("Controller") enters a written licence or order form with Ames AI Ltd ("Processor") that references this agreement, these terms form the data processing agreement required by UK GDPR Article 28. Until such a licence is signed, direct-to-family use of Ask Ewan is governed by the Privacy policy, under which Ames AI Ltd acts as controller. To execute this DPA, contact us via the B2B enquiry form.

1. Definitions

  • Agreement means this Data Processing Agreement together with the applicable licence, order form, or statement of work.
  • Controller means the organisation identified in the order form that determines the purposes and means of processing Personal Data via the Service.
  • Personal Data has the meaning in UK GDPR and is further described in Annex A.
  • Processor means Ames AI Ltd, Ames AI Ltd (company no. 17071760), registered in England and Wales. Registered office: 9 Middle Street, Shaldon, Teignmouth, England, TQ14 0DR.
  • Service means the Ask Ewan platform and related support made available to the Controller under the Agreement.
  • Sub-processor means a third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Roles and scope

The parties acknowledge that, for Personal Data processed through the Service on the Controller's instructions, the Controller is the controller and the Processor is the processor. The Processor shall process Personal Data only to provide the Service and as documented in Annex A and the Controller's written instructions, unless required by law — in which case the Processor shall inform the Controller before processing unless the law prohibits such notice.

3. Processor obligations

The Processor shall:

  1. process Personal Data only on documented instructions from the Controller, including regarding transfers (subject to Section 9);
  2. ensure that persons authorised to process Personal Data are bound by confidentiality obligations;
  3. implement appropriate technical and organisational measures as described in Annex C and UK GDPR Article 32;
  4. respect the conditions for engaging Sub-processors in Section 4;
  5. assist the Controller, taking into account the nature of processing, with data subject rights requests under UK GDPR Chapter III (Section 6);
  6. assist the Controller with security, breach notification, and impact assessment obligations under UK GDPR Articles 32–36 (Sections 5 and 7);
  7. at the Controller's choice, delete or return Personal Data at termination of the Agreement, except where retention is required by law (Section 8); and
  8. make available information reasonably necessary to demonstrate compliance and allow audits as in Section 10.

4. Sub-processors

The Controller provides general written authorisation for the Processor to engage Sub-processors listed in Annex B. The Processor shall:

  • impose data protection obligations on each Sub-processor equivalent to this Agreement;
  • notify the Controller of intended changes to Sub-processors at least 14 days before engagement, by updating Annex B and notifying the Controller's designated contact;
  • allow the Controller to object on reasonable grounds relating to data protection within that notice period; if the parties cannot resolve the objection, the Controller may terminate the affected Service without penalty.

The Processor remains liable to the Controller for Sub-processor performance.

5. Security and personal data breach

The Processor shall implement the measures in Annex C and notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data breach affecting Controller Personal Data. The notification shall include, to the extent known: nature of the breach, categories and approximate numbers of data subjects and records, likely consequences, and measures taken or proposed. The Processor shall cooperate with the Controller's breach response and regulatory notifications.

6. Data subject rights

The Processor shall promptly notify the Controller if it receives a request from a data subject to exercise rights under UK GDPR. The Processor shall not respond directly except on the Controller's documented instructions or as required by law. The Processor shall provide reasonable assistance to enable the Controller to respond, including by providing export or deletion tooling where available in the Service.

7. DPIA and prior consultation

Taking into account the nature of processing and information available, the Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultation with the ICO where the Controller is required to carry them out.

8. Term, deletion, and return

This Agreement applies for the duration of the licence and until Personal Data is deleted or returned. On termination or expiry, the Processor shall, at the Controller's written choice within 30 days, delete or return Controller Personal Data and delete existing copies unless UK law requires storage. The Processor may retain anonymised or aggregated data that cannot identify individuals.

9. International transfers

The Processor shall not transfer Personal Data outside the United Kingdom unless: (a) the transfer is to a country with a UK adequacy regulation; or (b) appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, as applicable; or (c) a specific derogation under UK GDPR Article 49 applies and the Controller has authorised the transfer in writing. Annex B identifies Sub-processor locations and safeguards.

10. Audit and information

The Processor shall make available on request reasonable information to demonstrate compliance with this Agreement. The Controller may conduct or appoint an independent auditor to review compliance no more than once per 12-month period on 30 days' notice, during business hours, subject to confidentiality and without disrupting operations. The Processor may satisfy audit requests by providing current third-party certifications or audit reports where they cover the relevant controls.

11. Controller obligations

The Controller shall:

  • ensure it has a lawful basis and, where required, appropriate notices and consents for processing;
  • provide documented instructions that comply with UK GDPR;
  • ensure staff and students use the Service in accordance with the Agreement and acceptable use rules;
  • designate a contact for security incidents, Sub-processor objections, and data subject requests.

12. Liability and order of precedence

Liability between the parties is governed by the main licence or order form. If there is a conflict between this Agreement and the Privacy policy (which applies to direct consumer use), this Agreement prevails for Controller Personal Data processed under a school licence.

13. Governing law

This Agreement is governed by the laws of England and Wales. Courts of England and Wales have exclusive jurisdiction, subject to mandatory protections applicable to public-sector bodies.

Annex A — Description of processing

Subject matterProvision of the Ask Ewan careers pathway platform under a Controller licence.
DurationTerm of the licence plus retention period in Section 8 and Annex C.
Nature and purposeHosting, analysis, and presentation of student pathway data; careers decision-support; optional staff administration; transactional communications related to the Service.
Categories of data subjectsStudents (typically 16+), parents/carers where the Controller permits access, and authorised Controller staff.
Types of personal dataIdentifiers (name, email, user ID); educational data (year group, subjects, predicted grades, questionnaire responses); career interests and preferences; usage logs; support correspondence. Special category data is not intentionally collected; the Controller must not upload unnecessary special category data without a documented lawful basis and instruction.
Processing operationsCollection, storage, retrieval, analysis, display, export, deletion, and backup of Personal Data within the Service.

Annex B — Authorised Sub-processors

Current list as at the last-updated date on this page. Changes notified per Section 4.

Sub-processorPurposeLocationSafeguards
Supabase, Inc.Database hosting and authenticationEU / US (region-dependent)Processor agreement; UK IDTA / SCCs where data leaves the UK
Vercel Inc.Application hosting and edge deliveryGlobal (EU regions available)Processor agreement; UK IDTA / SCCs where required
Stripe Payments Europe, Ltd. / Stripe, Inc.Payment processing and subscription billingEU / USStripe DPA; UK IDTA / SCCs as applicable
Resend, Inc.Transactional email deliveryUSProcessor agreement; UK IDTA / SCCs
Anthropic PBCAI narrative generation for certain paid outputs (where enabled)USCommercial terms; UK IDTA / SCCs; prompts exclude unnecessary personal data
Plausible Insights OÜ (optional)Privacy-preserving website analytics (if enabled)EUEU hosting; no cross-site advertising cookies in default configuration

Annex C — Technical and organisational measures

The Processor maintains measures appropriate to the risk, including:

  • Encryption: TLS in transit; encryption at rest for database storage provided by the hosting platform.
  • Access control: role-based access; least-privilege for staff; separate production and development environments where feasible.
  • Authentication: industry-standard auth for staff and end users; optional SSO where agreed in the order form.
  • Availability and resilience: hosted on managed cloud infrastructure with backups and monitoring.
  • Secure development: code review, dependency monitoring, and rate limiting on sensitive API routes.
  • Incident response: internal escalation procedures and Controller notification per Section 5.
  • Retention: Personal Data retained only for the licence term and lawful backup windows, then deleted per Section 8.
  • Staff training: personnel with access to Personal Data bound by confidentiality and security policies.

Detailed security documentation is available to Controllers on request under Section 10.

Ask Ewan

Ask Ewan is a trading name of Ames AI Ltd.

Ames AI Ltd (company no. 17071760), registered in England and Wales. Registered office: 9 Middle Street, Shaldon, Teignmouth, England, TQ14 0DR.

For support, refunds, and privacy requests: contact form.