This Data Processing Agreement applies where users enter personal data into their inputs when using the TeachMateAI tools. It is incorporated into our Terms and Conditions. By using our products, you have indicated your agreement to the Terms and this Data Processing Agreement:
DEFINITIONS:
Data Protection Legislation: the UK GDPR, the Data Protection Act 2018 and any other applicable Laws as amended from time to time about the processing of personal data and privacy;
Data Protection Impact Assessment: an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data;
Controller, Processor, Processing, Data Subject, Personal Data, Personal Data Breach, Data Protection Officer take the meaning given in the UK GDPR;
Company: means TeachMateAI (Company Number: 14972646) whose registered office is at C/O High Royd Business Services Limited BBIC, Innovation Way, Barnsley, South Yorkshire, United Kingdom, S75 1JL;
Customer: means the subscriber to the free or paid for educational services provided by the Company;
Data Loss Event: any event that results, or may result, in unauthorised access to Personal Data held by the Company under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach;
Data Subject Access Request: a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data;
Platform: means the services provided by the Company at https://teachmateai.com/;
Protective Measures: appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it;
Schedule: means the schedule attached to this Agreement forming part of this Agreement and titled: ‘Schedule of Processing, Personal Data and Data Subjects’;
Sub-processor: any third Party appointed to process Personal Data on behalf of the Company related to this Agreement; and
Writing: includes faxes, emails and writing in any electronic form.
- The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Company is the Processor. The only processing of any Personal Data that is entered by the Customer into the AI tools provided by the Company on the Platform that the Company is authorised to do is listed in the Schedule by the Customer and may not be determined by the Company.
- The Customer warrants and represents that it has a lawful basis (pursuant to Data Protection Legislation) for supplying all Personal Data to the Company in connection with the Customer’s use of the Platform and the lawful Processing of the Data by both the Customer and the Company for the purposes set out in this Agreement. The Customer shall indemnify the Company against all costs, claims, damages, expenses, losses and liabilities incurred by the Company arising out of or in connection with any failure (or alleged failure) by the Customer to have a lawful basis for Processing Personal Data.
- The Customer hereby instructs and authorises the Company to process the Data for the purposes described in the Schedule to this Agreement, and as otherwise reasonably necessary to enable the Company to provide the Platform to the School. The Company shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation.
- The Company shall process Personal Data only in accordance with the Schedule, unless the Company is required to do otherwise by Law. If it is so required, the Company shall promptly notify the Customer before processing the Personal Data, unless prohibited by Law.
- The Company shall ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the:
a) nature of the data to be protected;
b) harm that might result from a Data Loss Event;
c) state of technological development; and
d) cost of implementing any measures.
- The Company shall ensure that:
a) the Company Personnel do not process Personal Data except in accordance with this Agreement (and in particular, the Schedule);
b) it takes all reasonable steps to ensure the reliability and integrity of any Company Personnel who have access to the Personal Data and ensure that they:
i. are aware of and comply with the Company’s duties under this clause;
ii. are subject to appropriate confidentiality undertakings with the Company or any Sub-processor;
iii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and
iv. have undergone adequate training in the use, care, protection and handling of Personal Data.
- The Company shall not transfer Personal Data outside of the EU unless the following conditions are fulfilled:
a) the Company has ensured there are appropriate safeguards in relation to the transfer (in accordance with UK GDPR Article 46);
b) the Data Subject has enforceable rights and effective legal remedies;
c) the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations).
- The Company will comply with any reasonable written instructions notified to it in advance by the Customer with respect to the processing of the Personal Data and at the written direction of the Customer, will delete Personal Data (and any copies of it) on termination of the Agreement unless the Company is required by Law to retain the Personal Data.
- The Company shall notify the Customer as soon as reasonably possible if it:
a) receives a Data Subject Access Request (or purported Data Subject Access Request);
b) receives a request to rectify, block or erase any Personal Data;
c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;
e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
f) becomes aware of a Data Loss Event.
The Company’s obligation to notify under this clause shall include the provision of further information to the Customer in phases, as details become available, if necessary.
- Taking into account the nature of the processing, the Company shall provide the Customer with reasonable assistance in relation to the Customer's obligations under Data Protection Legislation and any complaint, communication or request made under clause 9 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing:
a) the Customer with full details and copies of the complaint, communication or request;
b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject;
d) assistance, as requested by the Customer, following any Data Loss Event;
e) assistance, as requested by the Customer, with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office.
- The Company shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment.
- The Company shall maintain complete and accurate records as required by Article 30(2) of the UK GDPR. This requirement does not apply where the Company employs fewer than 250 staff, unless:
a) the Company determines that the processing is not occasional;
b) the Company determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR, or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; and
c) the Company determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
The Customer is obliged to notify the Company if it considers any of the conditions listed above apply to the data processed by it on the Platform.
- The Company shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. The Customer will not exercise its audit rights more than once in any twenty-four (24) calendar month period, except if and when required by instruction of a competent data protection authority; or the Customer believes a further audit is necessary due to a Data Loss Event suffered by the Company. The information and audit rights of the Customer under this clause shall apply only to the extent required by Applicable Data Protection Law. The Customer shall give the Company reasonable notice of any audit or inspection that it wishes to conduct and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to the Company or its sub-contractors’ business. Where the Customer appoints a third-party auditor, that third-party auditor shall not be a direct competitor of the Company.
- The Company shall designate a data protection officer if required by the Data Protection Legislation.
- The Customer hereby authorises the Company to appoint the Sub-processors listed in the Schedule to carry out Processing activities in connection with the Data. The Company shall use reasonable endeavours to promptly notify the Customer of any changes to the identity of such Sub-processors from time to time and allow the Customer to reasonably object to the appointment of those Sub-processors. Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Company must:
a) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause, such that they apply to the Sub-processor; and
b) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require.
The Company shall remain fully liable for all acts or omissions of any Sub-processor in respect of Processing of the Data.
- Each party (the "Indemnifying Party") shall indemnify the other (the "Indemnified Party") from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage ("Damage") suffered or incurred by the Indemnified Party as a result of the Indemnifying Party's breach of the provisions of this Agreement, and provided that:
a) the Indemnified Party gives the Indemnifying Party prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this clause; and
b) the Indemnified Party takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party's breach.
The Company shall have no liability to the Customer, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with loss, interception or corruption of any Data resulting from any negligence or default by any provider of telecommunications services to the Company or the Customer; any loss arising from the default or negligence of any supplier to the Customer; damage to reputation or goodwill; and/or any indirect or consequential loss. The Company’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of the Contract shall be limited to the total fees paid for the Customer’s access to the Platform during the 12 months immediately preceding the date on which the claim arose. Nothing in this clause shall limit the liability of the Company for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.
The Schedule
Annex A - Schedule of Processing, Personal Data and Data Subjects
The Company shall comply with any further written instructions with respect to processing by the Customer.
Any such further instructions shall be incorporated into this Schedule.
| Description | Details |
| --- | --- |
| Subject matter of the processing | Any Personal Data entered into the AI tools for the education sector as provided by the Company. Any such Personal Data entered shall be at the discretion and choice of the Customer. |
| Duration of the processing | 28 days unless the Customer has requested that the Company carry out further processing on the data through use of the feedback option within the AI tool, in which case the duration of the further processing will be as reasonably needed to resolve the Customer's request. |
| Nature and purposes of the processing | The purpose is determined by the Customer but includes generating output content for the purpose of supporting the Customer with school-related work, including communication, administration, planning, preparation and assessment. |
| Type of Personal Data | This is determined by the Customer, but may include names, academic attainment information, health information, career information, work performance data, special educational needs information. |
| Categories of Data Subject | This is determined by the Customer, but may include Students, Parents and Guardians, Staff or other such persons who interact with the Customer |
| Plan for return and destruction of the data once the processing is complete UNLESS requirement under union or member state law to preserve that type of data | Data is retained on the Platform for 28 days unless the Customer deletes it before then. Data may be deleted at any time by the Customer directly. |
Annex B - Sub-processors

| Sub-processor name | Purpose of Processing | Weblink |
| --- | --- | --- |
| Microsoft Azure Open AI | AI Base Model | Link |
| Amazon AWS | AI Base Model & Data Storage | Link |
Where the Company uses third party services to run and administer the Platform and services, only the minimal amount of information needed for the purposes of delivering their service will be shared. The Company carries out due diligence against all third-party suppliers for the purposes of ensuring their compliance with data protection, maintaining adequate security of data and ensuring they apply adequate data protection principles to the processing of the data supplied.