Data Processing Agreement

Parties

PREAMBLE

Agreement Overview

This Data Processing Agreement ("DPA") forms part of the agreement between Hey Tech Labs Ltd, company number 15972086, trading as "HeyEd" ("HeyEd", "we", "us") and the customer using the HeyEd platform ("Client", "you"). HeyEd and the Client are each a "Party" and together the "Parties".

If there is a conflict between this DPA and another agreement between the Parties about the processing of Client Personal Data, this DPA controls that processing. The main service agreement or Terms of Service continue to govern commercial terms, product use, payment, liability, and other non-data-processing matters unless expressly stated otherwise.

SECTION 01

Scope and Roles

This DPA applies when HeyEd processes personal data on behalf of the Client in connection with the HeyEd platform and related services (the "Services").

For Client Personal Data processed under this DPA:

• The Client is the Controller.
• HeyEd is the Processor.
• HeyEd's sub-processors are listed in Annex 2.

This DPA does not apply to personal data for which HeyEd acts as an independent controller, such as HeyEd's own account administration, billing relationship, legal compliance, internal business records, security administration, and supplier management. Those activities are governed by HeyEd's applicable privacy notice and the relevant service provider terms.

SECTION 02

Definitions

"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Client Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, the EU GDPR where applicable, and the Privacy and Electronic Communications Regulations where applicable.

"Client Personal Data" means personal data processed by HeyEd on behalf of the Client through the Services.

"Controller", "Processor", "Personal Data", "Personal Data Breach", "Processing", "Data Subject", and "Sub-Processor" have the meanings given to them in Applicable Data Protection Laws.

SECTION 03

Processing Details

The subject matter, nature, purpose, duration, categories of Client Personal Data, and categories of Data Subjects are set out in Annex 1.

HeyEd will process Client Personal Data only:

• to provide, secure, support, monitor, maintain, and improve the reliability, security, performance, and functionality of the Services, using aggregated or de-identified data where practical;
• to comply with the Client's documented instructions, including instructions given through use of the Services;
• as otherwise required by Applicable Data Protection Laws.

HeyEd will not sell Client Personal Data or use Client Personal Data for third-party advertising.

SECTION 04

Client Instructions

The Client instructs HeyEd to process Client Personal Data as necessary to provide the Services and as otherwise documented in the agreement, this DPA, the platform configuration, support requests, or written instructions from the Client.

HeyEd will promptly inform the Client if, in HeyEd's reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited from doing so by law.

SECTION 05

Confidentiality

HeyEd will ensure that personnel authorised to process Client Personal Data are bound by a written confidentiality undertaking or appropriate statutory duty of confidence before being granted access to Client Personal Data, and may access Client Personal Data only where needed for the Services, support, security, or legal compliance.

SECTION 06

Security Measures

HeyEd will implement and maintain appropriate technical and organisational measures designed to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include the controls described in Annex 3.

HeyEd will periodically review these measures and may update them, provided the updated measures do not materially reduce the overall protection of Client Personal Data.

SECTION 07

Sub-Processors

The Client gives HeyEd general written authorisation to use sub-processors to provide the Services. Current sub-processors are listed in Annex 2.

HeyEd will ensure that each sub-processor is subject to written obligations that provide a level of protection for Client Personal Data materially equivalent to this DPA. HeyEd remains responsible to the Client for the performance of its sub-processors' data protection obligations.

HeyEd will give at least 30 days' advance notice of any material addition or replacement of a sub-processor that processes Client Personal Data where practicable. Notice may be given by email, in-product notice, or by maintaining an updated sub-processor list. Shorter notice may be given where a change is needed for security, continuity, legal compliance, or another urgent operational reason.

Where required by Applicable Data Protection Laws, the Client may object on reasonable data protection grounds within 14 days of notice. The objection must explain the specific data protection concern. The Parties will work in good faith to resolve the concern. Where reasonably possible, the Parties may agree to use an alternative sub-processor, or to disable the affected feature for the Client, instead of terminating the affected Services. If the concern cannot reasonably be resolved and the relevant processing is not optional, the Client may terminate the affected Services in accordance with the main service agreement.

SECTION 08

International Transfers

HeyEd's core production application hosting, application file storage, database, backups, and related AWS-hosted production infrastructure are currently hosted in the United Kingdom. Content delivery, email, support, monitoring, AI-assisted support or migration tools, and optional analytics providers may process Client Personal Data in other jurisdictions as needed to provide their services.

Where Client Personal Data is transferred outside the UK, EEA, or another adequate jurisdiction, HeyEd will ensure that appropriate transfer safeguards are in place, such as an adequacy decision, the UK International Data Transfer Addendum, EU Standard Contractual Clauses, the UK Extension to the EU-US Data Privacy Framework, or another lawful transfer mechanism.

Where this DPA references the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or the UK Extension to the EU-US Data Privacy Framework, the current versions published by the Information Commissioner's Office, the European Commission, and the UK Government respectively are incorporated by reference and apply to the relevant transfer.

HeyEd is established in the United Kingdom and provides the Services to Clients established in the United Kingdom. HeyEd is not established in the European Union and is not subject to a requirement to appoint a representative under Article 27 of the EU GDPR.

SECTION 09

Data Subject Rights

Taking into account the nature of the Services, HeyEd will provide reasonable assistance to the Client in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including access, rectification, erasure, restriction, objection, and portability.

If HeyEd receives a request directly from a Data Subject concerning Client Personal Data, HeyEd will, where legally permitted, direct the Data Subject to the Client or notify the Client.

SECTION 10

Personal Data Breach Notification

HeyEd will notify the Client without undue delay and, where reasonably possible, within 72 hours after becoming aware of a Personal Data Breach affecting Client Personal Data.

The notification will include, to the extent available:

• a description of the nature of the breach;
• the categories and approximate number of affected Data Subjects and records;
• likely consequences;
• measures taken or proposed to address the breach;
• contact details for follow-up.

HeyEd will provide reasonable assistance to help the Client meet any required regulatory or Data Subject notification obligations.

SECTION 11

Retention, Return, and Deletion

HeyEd processes Client Personal Data for the duration of the Client's subscription or other agreed service term.

At the end of the Services, or on documented request, HeyEd will return, export, delete, or put beyond use Client Personal Data in accordance with the Client's instructions and the functionality reasonably available in the Services, unless continued retention is required by law or reasonably necessary for legal claims, accounting, security, fraud prevention, or dispute handling.

Unless otherwise agreed, HeyEd's default target is to delete Client Personal Data from active production systems within 90 days after termination or a verified deletion request. Backup copies, immutable logs, provider logs, and disaster recovery copies may remain until overwritten or deleted under the applicable backup or log retention cycle, provided they remain protected, access-restricted, and not used for ordinary business purposes.

During an active subscription, the Client may archive, delete, or retain staff and compliance records according to its own statutory and operational retention requirements. HeyEd may retain archived staff records and related compliance records while the Client instructs HeyEd to do so through continued use of the Services.

SECTION 12

Audits and Information

HeyEd will make available reasonable information necessary to demonstrate compliance with this DPA. Audit requests should be handled on a documentation-first basis and may be satisfied by providing security documentation, sub-processor information, policies, summaries of controls, third-party certifications, or written responses where appropriate.

If the Client reasonably requires an audit or inspection, it may request one on reasonable written notice no more than once in any 12-month period, unless required by a regulator or following a confirmed Personal Data Breach affecting Client Personal Data. Any audit or inspection must be limited to the processing of the Client's own Client Personal Data, take place during normal business hours, be subject to confidentiality, avoid disruption to the Services, and not give access to other customers' data, production systems, source code, trade secrets, or information that would compromise security. HeyEd may reject an auditor that is a competitor or does not provide appropriate confidentiality and security commitments. Unless otherwise agreed, each Party bears its own audit costs, except that HeyEd will reimburse the Client's reasonable audit costs if the audit identifies a material non-compliance by HeyEd with this DPA.

SECTION 13

Records and Assistance

HeyEd will maintain records of processing activities where required by Applicable Data Protection Laws.

Taking into account the nature of the processing and information available to HeyEd, HeyEd will provide reasonable assistance to the Client with:

• security obligations;
• breach assessment and notifications;
• data protection impact assessments;
• regulator consultation where required;
• retention and deletion requests.

HeyEd may charge reasonable fees, agreed in advance, for assistance that is materially beyond what is needed to operate the Services or that requires significant manual effort by HeyEd's personnel.

SECTION 14

Client Responsibilities

The Client is responsible for:

• determining the lawful basis for processing Client Personal Data;
• giving required privacy notices to Data Subjects;
• obtaining consent where required for Client-controlled optional features or processing choices;
• ensuring that Client instructions are lawful;
• deciding what staff, safeguarding, DBS, health, reference, and employment information should be uploaded or recorded in the Services;
• ensuring that user accounts and permissions are appropriate for its organisation.

Where HeyEd deploys optional analytics, product analytics, or session replay tools in the Services, HeyEd is responsible for using those tools only where appropriate notice, consent or other lawful basis, masking, suppression, and access controls are in place. The Client remains responsible for privacy notices and lawful basis decisions for its own staff and authorised users.

SECTION 15

Liability

Each Party's liability under this DPA is subject to the limitations and exclusions of liability in the main service agreement or applicable Terms of Service, unless Applicable Data Protection Laws require otherwise.

SECTION 16

Governing Law

This DPA is governed by the laws of England and Wales.

SECTION 17

Contact

For questions about this DPA, contact:

Hey Tech Labs Ltd

legal@heyed.co.uk

128 City Road, London, EC1V 2NX

ANNEX 1

Details of Processing

Subject Matter

The provision of the HeyEd platform, including staff onboarding, compliance tracking, document storage, task management, reference workflows, form/document workflows, notifications, support, security, monitoring, and related operational tools for Ofsted-registered settings and other education or care operators.

Nature of Processing

Collection, recording, organisation, structuring, storage, hosting, retrieval, consultation, display, transmission, disclosure to authorised users, email delivery, calculation of compliance status, task and alert generation, document upload and download, electronic signature capture, reference collection, error monitoring, backup, deletion, and export.

Purpose of Processing

To provide, secure, maintain, support, and improve the reliability, security, performance, and functionality of the Services for the Client, including:

• managing staff records, onboarding, training, qualifications, documents, and compliance status;
• supporting safeguarding, DBS, right-to-work, reference, and operational workflows;
• storing and generating documents, evidence, and form submissions;
• sending transactional emails and maintaining email delivery logs through Resend;
• assisting with client-requested data migration, parsing, cleansing, normalisation, and import preparation, including approved AI-assisted parsing or transformation where appropriate;
• monitoring errors, availability, performance, and security.

Duration

For the duration of the Client's subscription or other agreed service term, and afterwards as described in Section 11 or as otherwise required by law or agreed in writing.

Categories of Client Personal Data

The Services may process the following categories, depending on the Client's use of the platform:

• account and user details, including names, email addresses, phone numbers, role, permissions, account status, profile image, timezone, preferences, terms acceptance, and marketing preference;
• company, venue, manager, head office, and support contact details;
• staff identity and employment data, including names, address, date of birth, contact details, national identifiers where entered, start date, employment type, staff type, archived status, and role;
• staff compliance data, including DBS certificate numbers and status, right-to-work records, qualification records, training history, certificate numbers, issue/check/expiry dates, compliance scores, document requirements, and audit/provenance metadata;
• uploaded documents and metadata, including certificates, right-to-work files, DBS or safeguarding evidence, task evidence, filenames, MIME types, upload timestamps, uploader identity, and file access metadata;
• staff notes and free-text fields, which may include personal data entered by the Client;
• emergency contact details, including contact name, phone number, and relationship;
• health-related staff information where entered by the Client, including medical conditions and allergies;
• reference workflow data, including staff submission details, referee names and email addresses, reference responses, timelines, and generated reference documents;
• form and document workflow data, including template snapshots, assignments, form responses, signature images, signed timestamps, IP addresses, user agent strings, rendered PDFs, and completion metadata;
• task and notification data, including assignments, reminders, skip reasons, completion status, and in-app or email notification metadata;
• authentication, session, and security data, including account security metadata, session identifiers, verification and reset-flow metadata, IP addresses or user agents where captured, and audit metadata;
• migration and import-assistance data, including client-provided spreadsheets, source exports, parsed dates, normalised fields, mapping notes, transformation outputs, and limited task context where approved AI-assisted tools are used;
• transactional email data processed by Resend via SMTP, including sender and recipient addresses, subject lines, message bodies, attachments where sent, delivery status, bounce or complaint data, message metadata, and open or click events if enabled;
• observability and support data, including error events, trace data, limited user or tenant identifiers, support correspondence, and diagnostic context.

Special Category, Criminal Offence, and Safeguarding-Related Data

The Services are not intended for unrestricted sensitive-data collection, but Client use of the platform may include:

• health-related information such as medical conditions or allergies;
• safeguarding, DBS, right-to-work, reference, or suitability information;
• uploaded documents or free-text notes that may reveal special category data or criminal offence-related information.

The Client is responsible for ensuring that it has an appropriate lawful basis, condition, policy document, privacy notice, and retention basis for this data.

Categories of Data Subjects

• staff, employees, workers, contractors, volunteers, candidates, and former staff recorded by the Client;
• managers, head office users, app owners, administrators, and other authorised Client users;
• Client company, venue, and support contacts;
• referees and reference providers;
• emergency contacts;
• form respondents, signatories, and people named in uploaded documents, evidence, notes, or correspondence.

ANNEX 2

Sub-Processors

Operational tools that are not intended to process Client Personal Data are not listed here. Additional providers that process Client Personal Data will be handled under Section 7 before use or notification as applicable.

ANNEX 3

Technical and Organisational Measures

HeyEd will implement and maintain at minimum the following technical and organisational measures:

• encryption in transit using HTTPS/TLS for application traffic and secure SMTP transport where supported;
• private object storage for uploaded files and production storage encryption through AWS-managed controls where configured;
• role-based access controls and permission checks for platform users;
• workspace, company, and venue scoping controls to limit access to authorised records;
• password policy enforcement for platform accounts;
• secure session management in production;
• email verification, password reset, and account email-change verification flows;
• rate limiting on sensitive authentication and API routes;
• verification controls for sensitive integrations;
• access controls for internal operational and vendor accounts, and MFA where enabled and supported;
• data minimisation, pseudonymisation where practical, and task-specific access controls for AI-assisted migration or support work involving Client Personal Data;
• logging and monitoring for platform reliability, errors, security events, and scheduled jobs;
• data scrubbing and masking controls for observability, diagnostics, and replay tools where configured;
• least-privilege access for production systems and customer support;
• database backup and restoration controls, plus provider-level backup or retention controls for selected sub-processors where available;
• secure deletion or putting data beyond use when deletion is instructed and no legal retention basis remains;
• staff confidentiality obligations and access limited to business need;
• incident assessment and breach notification procedures.