⚠️ Draft for review — not legal advice.
This is a working draft. It must be reviewed and approved by a qualified data-protection / education-law professional and the responsible Data Protection Officer before it is published or relied upon. Placeholders in [square brackets] need real values.
Data Processing Agreement (DPA)
Last updated: Draft — not yet published
A summary of the processor terms under which Storyjar handles personal data on a school's behalf, as required by UK GDPR Article 28. A signable version is available for your office.
[This is a plain summary. A full, signable DPA — with the required Art. 28(3) clauses and schedules — should be prepared and reviewed by a solicitor/DPO. Contact [dpo@storyjar.co.uk] for the signable version.]
1. Roles
The school is the controller; Storyjar is the processor. We process personal data only on the school's documented instructions, as needed to provide Storyjar, and for no other purpose. We never sell data or use it for advertising or profiling.
2. Subject-matter & details (Schedule)
- Subject-matter: providing a class journal/portfolio service.
- Duration: the term of the subscription.
- Nature & purpose: storing and displaying children's learning moments under teacher moderation.
- Data types: children's first names and their work (incl. images); staff account data; parent contact data and child links.
- Data subjects: pupils (aged 3–7), school staff, parents/carers.
3. Our obligations (Art. 28(3))
- Process only on documented instructions.
- Ensure persons authorised to process are under confidentiality obligations.
- Apply appropriate technical & organisational security measures (Art. 32) — access control scoped to who may see a child's work, access-controlled media, encryption in transit, hashed passwords, least-privilege roles.
- Engage sub-processors only under equivalent terms and with notice (see Sub-processors); remain responsible for them.
- Assist the school with data-subject requests, DPIAs, and breach notification.
- Notify the school of a personal-data breach without undue delay.
- On termination, delete or return all personal data (deletion removes records and media files) at the school's choice.
- Make available information to demonstrate compliance and allow audits.
4. International transfers
Personal data is stored and processed in the UK/EU. We will not transfer children's personal data outside the UK/EU without an adequacy decision or appropriate safeguards, and will tell the school first.
5. Sub-processors
Current sub-processors and their locations are listed on the Sub-processors page. We will give schools prior notice of changes and an opportunity to object.