Data Processing Agreement

Between the School ("Data Controller") and Tutor Volt Ltd ("Data Processor")

Last updated: 15 February 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: The school, academy, trust, or educational institution ("the School") that has entered into a service agreement with Tutor Volt for the provision of the Platform.

Data Processor: Tutor Volt Ltd, a company registered in England and Wales ("Tutor Volt").

This DPA supplements and forms part of the service agreement between the parties and is entered into in accordance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Definitions

• "Personal Data" has the meaning given in Article 4(1) of UK GDPR.
• "Processing" has the meaning given in Article 4(2) of UK GDPR.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Sub-Processor" means any third party engaged by Tutor Volt to process Personal Data on behalf of the School.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
• "Platform" means the Tutor Volt educational platform at tutorvolt.ai and tutorvolt.co.uk.

3. Subject Matter, Duration, and Purpose

3.1 Subject Matter

The processing of student and teacher personal data through the Tutor Volt AI-powered educational platform.

3.2 Duration

This DPA shall remain in effect for the duration of the service agreement between the School and Tutor Volt. Upon termination of the service agreement, Tutor Volt shall process Personal Data only as required by this DPA (see Section 14).

3.3 Nature and Purpose of Processing

Tutor Volt processes Personal Data for the following purposes:

• Providing AI-powered educational content delivery, personalised to each student's year group and learning progress
• Generating and delivering quizzes, flashcards, mind maps, and assessment materials
• Providing the AI tutor chat feature (Live Wire) for student learning support
• Tracking and reporting student learning progress and performance
• Generating adaptive learning recommendations and grade predictions
• Monitoring student-AI interactions for safeguarding purposes
• Providing speech-to-text and text-to-speech functionality
• Managing user accounts and authentication
• Providing administrative dashboards and reporting tools

4. Categories of Data Subjects

Personal Data processed under this DPA relates to the following categories of data subjects:

• Students enrolled at the School who use the Platform (aged 5-16)
• Teachers and staff at the School who use the Platform to create, manage, and deliver educational content
• Parents and guardians who access the Platform to monitor their child's progress (where applicable)

5. Types of Personal Data

The following types of Personal Data are processed:

| Category | Data Types | |---|---| | Identity data | Full name, username, email address | | Educational profile | School name, year group, class assignments, subject selections | | Learning progress | Lesson completion rates, time on task, learning path progress | | Assessment data | Quiz scores, test results, answers submitted, grade predictions | | AI interaction data | Chat transcripts with the AI tutor, questions asked, responses received | | Voice data | Speech-to-text recordings (retained for 30 days only) | | Gamification data | XP points, levels, streaks, achievements, leaderboard rankings | | Access and security data | Login timestamps, IP addresses, device information, audit logs |

Special Category Data: Tutor Volt does not intentionally collect special category data. However, students may inadvertently disclose such data during AI chat interactions. Tutor Volt's content monitoring system flags such disclosures and handles them in accordance with the Safeguarding Policy.

6. Obligations of the Data Processor

Tutor Volt shall:

6.1 Lawful Processing

• Process Personal Data only on the documented instructions of the School, unless required to do so by UK law. Where Tutor Volt is required by law to process data, it shall inform the School of that legal requirement before processing (unless prohibited from doing so by law).

6.2 Confidentiality

• Ensure that all personnel authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.3 Security Measures

• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

| Measure | Implementation | |---|---| | Encryption in transit | TLS 1.2+ for all data transmission | | Encryption at rest | AES-256 encryption for stored data | | Row-Level Security (RLS) | Database-level access controls ensuring users can only access authorised data | | Multi-Factor Authentication | Available for all users; mandatory for administrator accounts | | Audit logging | Comprehensive logging of all data access and modifications | | Access controls | Role-based access with principle of least privilege | | Vulnerability management | Regular security assessments and patching | | Incident response | Documented data breach response plan |

6.4 Sub-Processors

• Not engage another processor (sub-processor) without prior specific or general written authorisation of the School. In the case of general written authorisation, Tutor Volt shall inform the School of any intended changes concerning the addition or replacement of sub-processors, giving the School the opportunity to object (see Section 7).

6.5 Data Subject Rights

• Assist the School, by appropriate technical and organisational measures and insofar as possible, in fulfilling the School's obligation to respond to requests for exercising data subject rights under Chapter III of UK GDPR.

6.6 Assistance with Compliance

• Assist the School in ensuring compliance with the obligations pursuant to Articles 32 to 36 of UK GDPR, taking into account the nature of processing and the information available to Tutor Volt.

6.7 Deletion or Return

• At the choice of the School, delete or return all Personal Data to the School after the end of the provision of services, and delete existing copies unless UK law requires storage of the Personal Data (see Section 14).

6.8 Audits and Inspections

• Make available to the School all information necessary to demonstrate compliance with the obligations laid down in Article 28 of UK GDPR, and allow for and contribute to audits, including inspections, conducted by the School or an auditor mandated by the School (see Section 13).

7. Authorised Sub-Processors

The School provides general written authorisation for Tutor Volt to engage the following sub-processors:

| Sub-Processor | Purpose | Location | Data Processed | |---|---|---|---| | Anthropic | AI content generation and tutoring chat | United States | Anonymised questions, lesson topics, curriculum context | | Deepgram | Speech-to-text processing | United States | Voice recordings (retained 30 days) | | ElevenLabs | Text-to-speech audio generation | United States | Lesson text for audio conversion | | Supabase | Database hosting and authentication | EU / United States | All Platform data (encrypted) | | Stripe | Payment processing | United States | Payment data (if school makes direct payments) | | Vercel | Application hosting and delivery | Global (edge network) | Application data in transit | | Sentry | Error monitoring and tracking | United States | Error logs, anonymised usage data |

7.1 Changes to Sub-Processors

Tutor Volt shall notify the School at least 30 days in advance of any intended addition or replacement of sub-processors, providing the School with the opportunity to object. If the School objects on reasonable grounds relating to data protection, the parties shall discuss the matter in good faith. If no resolution is reached, the School may terminate the service agreement.

7.2 Sub-Processor Agreements

Tutor Volt shall ensure that each sub-processor is bound by data protection obligations no less onerous than those set out in this DPA, by way of a written contract.

8. International Data Transfers

Where Personal Data is transferred outside the United Kingdom, Tutor Volt shall ensure that appropriate safeguards are in place in accordance with Chapter V of UK GDPR:

• Standard Contractual Clauses (SCCs): Tutor Volt has executed the UK International Data Transfer Addendum to the EU Standard Contractual Clauses with all US-based sub-processors.
• Data Minimisation: Personal identifiers are removed or pseudonymised before transmission to AI processing services (Anthropic, Deepgram, ElevenLabs) wherever technically feasible.
• Transfer Impact Assessments: Tutor Volt maintains transfer impact assessments for each international transfer and will provide these to the School on request.

9. Data Breach Notification

9.1 Notification to the School

Tutor Volt shall notify the School without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed under this DPA.

9.2 Content of Notification

The notification shall include:

• A description of the nature of the Data Breach, including where possible the categories and approximate number of data subjects and records concerned
• The name and contact details of Tutor Volt's Data Protection Officer
• A description of the likely consequences of the Data Breach
• A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

9.3 Cooperation

Tutor Volt shall cooperate with the School and take reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach. Tutor Volt shall not notify data subjects or the ICO directly without the School's prior approval, unless required by law.

10. Obligations of the Data Controller

The School shall:

• Ensure that it has a lawful basis for the processing of Personal Data by Tutor Volt, including obtaining any necessary consents (particularly parental consent for children under 13)
• Provide clear and transparent privacy notices to data subjects in accordance with Articles 13 and 14 of UK GDPR
• Ensure that its instructions for processing are lawful and do not place Tutor Volt in breach of UK GDPR
• Notify Tutor Volt promptly of any data subject requests that require Tutor Volt's assistance
• Maintain appropriate records of processing activities as required by Article 30 of UK GDPR

11. Safeguarding

11.1 Safeguarding Obligations

Both parties acknowledge their duties under the Children Act 2004 and Keeping Children Safe in Education (KCSIE) 2025. Tutor Volt implements the following safeguarding measures within the Platform:

• Automated real-time monitoring of all student-AI interactions using 210+ keyword patterns across 4 severity tiers
• Automated escalation of critical safeguarding concerns to the Designated Safeguarding Lead
• DBS verification requirements for marketplace tutors
• Safeguarding record retention until the data subject reaches age 25

11.2 School Responsibilities

The School remains the primary body responsible for the safeguarding of its students. The School shall designate a Safeguarding Lead who is the primary contact for any safeguarding concerns identified through the Platform.

12. Data Retention

Tutor Volt shall retain Personal Data in accordance with the following retention schedule:

| Data Type | Retention Period | |---|---| | User profiles and account data | Duration of service agreement + 30 days | | AI chat transcripts | 2 years from creation | | Quiz scores and assessment data | 7 years (educational record-keeping) | | Voice recordings | 30 days from creation | | Safeguarding records | Until data subject reaches age 25 | | Audit and security logs | 7 years |

Upon expiry of the retention period, data is securely deleted or anonymised using industry-standard methods.

13. Audit Rights

13.1 Right to Audit

The School has the right to audit Tutor Volt's compliance with this DPA, subject to reasonable notice (not less than 30 days) and during normal business hours.

13.2 Audit Scope

Audits may include inspection of Tutor Volt's data processing facilities, systems, policies, and documentation relevant to the processing of Personal Data under this DPA.

13.3 Third-Party Audits

Tutor Volt may satisfy the School's audit requirements by providing:

• Relevant third-party audit reports or certifications
• Completion of the School's data protection questionnaire
• A virtual or in-person review meeting with Tutor Volt's Data Protection Officer

13.4 Costs

Each party shall bear its own costs in connection with any audit, unless the audit reveals a material breach of this DPA by Tutor Volt, in which case Tutor Volt shall bear the reasonable costs of the audit.

14. Data Return and Deletion on Termination

14.1 School's Choice

Upon termination of the service agreement, the School may request that Tutor Volt:

• Return all Personal Data in a structured, commonly used, machine-readable format (JSON or CSV); or
• Delete all Personal Data

The School must make this election within 30 days of termination. If no election is made, Tutor Volt shall delete the data.

14.2 Exceptions

Tutor Volt may retain Personal Data after termination where required by UK law, including:

• Safeguarding records (retained until data subject reaches age 25)
• Audit logs required for regulatory compliance (retained for 7 years)
• Payment records required by HMRC (retained for 7 years)

14.3 Confirmation

Tutor Volt shall provide written confirmation of deletion to the School within 30 days of completing the deletion process.

15. Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions set out in the service agreement between the parties, provided that neither party may limit its liability for breaches of its data protection obligations under UK GDPR.

16. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

17. Contact

Tutor Volt Data Protection Officer Email: [email protected]

Tutor Volt Security Team Email: [email protected]

Tutor Volt Safeguarding Lead Email: [email protected]

This Data Processing Agreement is effective from the date of execution of the service agreement between the parties.