School Data Processing Schedule

This Schedule applies to school, tutor and organisational subscriptions to SignRise (“Platform”).

For family subscriptions, please refer to our Privacy Notice.

1. Roles and Responsibilities

For the purposes of UK data protection law:

• the School or Tutor is the Controller of personal data uploaded to or used within the Platform; and
• Sound Waves Foundation (“SWF”, “we”, “us”) acts as a Processor on behalf of the School or Tutor.

Both parties agree to comply with applicable UK data protection legislation, including the UK GDPR and Data Protection Act 2018.

2. Purpose of Processing

We process personal data only:

• to provide and support the Platform and related educational services;
• to maintain security and functionality;
• to provide customer support; and
• as otherwise instructed by the School or Tutor in connection with use of the Platform.

The School or Tutor confirms it has a lawful basis for sharing personal data with us.

3. Types of Data

The personal data processed may include:

• student and learner information;
• staff and tutor details;
• parent or guardian contact information;
• login and account details; and
• educational progress and usage data.

4. Security and Confidentiality

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, misuse or disclosure.

Access to personal data is limited to authorised personnel and approved service providers who are subject to confidentiality obligations.

5. Sub-processors

We may use carefully selected third-party service providers (such as hosting, analytics or support providers) to help deliver the Platform.

Where we use sub-processors, we will ensure appropriate data protection obligations are in place.

A current list of significant sub-processors is available on request.

6. International Transfers

We will not transfer personal data outside the UK unless appropriate safeguards required under UK data protection law are in place.

7. Data Subject Rights and Assistance

We will provide reasonable assistance to Schools and Tutors in responding to:

• subject access requests;
• requests for deletion or correction;
• objections to processing; and
• other requests required under applicable data protection law.

8. Data Breaches

If we become aware of a personal data breach affecting School data, we will notify the affected School or Tutor without undue delay and provide reasonable cooperation and information.

Both parties agree to cooperate in managing and mitigating any breach.

9. Retention and Deletion

We will retain personal data only for as long as reasonably necessary to provide the Platform and comply with legal obligations.

Following termination or expiry of a subscription, personal data may be deleted in accordance with our retention policies unless otherwise required by law.

Schools or Tutors may request deletion of their data in writing.

10. Audit and Information Requests

We will make available reasonable information necessary to demonstrate compliance with this Schedule and applicable data protection law.

Formal audits may only be carried out where reasonably required by law or following a significant security incident, and must not unreasonably disrupt our business operations.

11. Liability

Each party is responsible for its own compliance with applicable data protection law.

Nothing in this Schedule limits liability where it cannot legally be excluded under English law.

12. Governing Law

This Schedule is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.