Data Processing Agreement (DPA)
This agreement applies between your organisation and Report-O-Matic Ltd and supplements your use of the Report-O-Matic hosted service. It is a practical template, not tailored legal advice — have it reviewed for your jurisdiction and facts. See also the data protection overview.
1. Parties and roles
Customer (the “controller”) is the school, trust, local authority, or other organisation that creates an account and instructs users to enter pupil and staff-related data into Report-O-Matic.
Processor (the “processor”) is Report-O-Matic Ltd (company number 17239610), registered in England and Wales, who hosts and operates the Report-O-Matic software on the Customer's behalf. Processor contact for data protection matters: privacy@report-o-matic.online.
The Processor processes personal data only on documented instructions from the Customer (including through the service configuration and normal use of the product), unless EU or UK law requires otherwise — in which case the Processor shall inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
2. Subject matter, nature, and purpose
Subject matter: processing of personal data within the Report-O-Matic service to support school reporting workflows (accounts, classes, pupil records, report text, timetables, optional AI-assisted drafting where enabled, billing metadata, and security logs as described in the privacy notice).
Nature of processing: collection, storage, organisation, retrieval, adaptation, disclosure by transmission to authorised users of the Customer, and erasure in line with product features and this agreement.
Purpose: providing the Report-O-Matic service subscribed to by the Customer. The Customer remains responsible for determining the lawfulness of processing in its own context (including lawful basis, transparency to parents/pupils where required, and retention policies for pupil data).
3. Categories of data and data subjects
As determined by the Customer's use of the service, this may include: identifiers and contact data for staff users; pupil names and related class metadata; report content; optional profile fields; usage and security metadata; and billing-related identifiers where purchases are made.
Data subjects may include pupils, parents/guardians (where data refers to them), and school staff.
4. Processor obligations
The Processor shall:
- process personal data only on the Customer's instructions unless required by EU or UK law to the contrary;
- ensure that persons authorised to process the data are bound by confidentiality or are under an appropriate statutory obligation;
- implement appropriate technical and organisational measures to protect personal data, taking into account the state of the art, cost, and risks (including encryption in transit, access control, and separation of tenants);
- assist the Customer, taking into account the nature of processing, with responding to requests from data subjects and with DPIAs or consultations with supervisory authorities where applicable, insofar as possible and subject to reimbursement for unreasonable cost;
- notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, with information reasonably available to enable the Customer to meet its obligations;
- at the end of the service relationship, delete or return personal data as the Customer directs, except where law requires retention;
- make available information necessary to demonstrate compliance and allow for audits reasonably scoped to the service (e.g. summaries of controls and subprocessors), with on-site audits only where mandated by a supervisory authority or agreed in writing.
5. Subprocessors
The Customer generally authorises the Processor to engage the subprocessors listed or referenced in the privacy notice and subprocessor list (for example hosting/database, transactional email, optional AI, Paddle, Wise, and edge security). The Processor shall impose data protection terms on subprocessors that are materially equivalent to those in this DPA. The Customer may object to a new subprocessor on documented reasonable grounds; where no alternative can be agreed within a reasonable period, either party may terminate the affected part of the service.
6. International transfers
Where personal data is transferred outside the UK or EEA, the Processor shall use appropriate safeguards (such as the UK IDTA / Addendum or EU standard contractual clauses) offered by subprocessors or as otherwise required by law.
7. Limitation — Customer's own compliance
The Processor does not control how the Customer uses exported reports, emails, printouts, or other data outside the service. The Customer is solely responsible for its own compliance when it copies, shares, or re-uses data beyond what the software enforces. The Processor's obligations apply to processing within the hosted service and as described in this DPA.
8. Term and termination
This DPA applies for as long as the Processor processes personal data on behalf of the Customer. Clauses intended to survive (including confidentiality, deletion, and liability allocations permitted by law) survive termination.
9. Contact
Processor contact for privacy and processing questions: privacy@report-o-matic.online
Document version 1.0 · Last updated 2026-05-30. Governing law and liability caps, if any, follow the parties' separate commercial terms where they exist.