Schoolcomms Licence Agreement for Schools v1.1 May 2018 (GDPR)
Important: Please read carefully before using this service.
This Agreement applies only to Schoolcomms Customers contracted before 1st December 2017 and is valid up until the first contract renewal after 1st December 2017.
Please read this Agreement carefully before using the Schoolcomms Products and Services. By installing, accessing or using the Schoolcomms Products and Services, or by clicking to indicate that you have read and agreed to these terms, you agree to be legally bound by this Agreement and as they may be modified and posted on our website from time to time.
If you do not wish to be bound by these terms and conditions then you may not use Schoolcomms Products and Services.
The terms: “you,” and “your” are referring to you, your employees, and your users; “we” and “our” refer to Schoolcomms, operating from Continental House, Kings Hill, Bude, Cornwall EX23 0LU; and, references to “party” and “parties”’ refer to either or both of us as a party or parties to this Agreement.
|“Agreement”||this agreement between us and you for the provision of Schoolcomms Products and Services;|
|“Annual Licence Fee”||an annual charge made to you in consideration of a licence to access and use any Schoolcomms Products and
Services for which you have contracted under this Agreement, representing a charge made for services
supplied until the next Annual Licence Fee invoice is due;
|“Customer”||you, the school or other establishment or organisation, that contracts with us under this Agreement;|
|“Effective Date”||the date this Agreement becomes effective either by its incorporation by means of an explicit reference in a
document signed by you, or, in the case of a valid order form submitted electronically by you to us, the date
such order form is received by us;
|“Intellectual Property Rights”||all copyrights, patents, utility models, trademarks, service marks, registered designs, moral rights, design rights
(whether registered or unregistered), technical information, know-how, database rights, semiconductor
topography rights, business names and logos, computer data, generic rights, proprietary information rights and
all other similar proprietary rights (and all applications and rights to apply for registration or protection of any
of the foregoing) as may exist anywhere in the world;
|“Schoolcomms Products and Services”||our products and services which may include Schoolcomms®, Schoolcomms Messaging™, Schoolcomms
Messaging – Just Text™, Schoolcomms Messaging – Standard™, Schoolcomms Messaging – Premium™,
Schoolcomms Payments™, Schoolcomms Clubs™, Schoolcomms Online Reporting™, Schoolcomms OLR™,
Schoolcomms Dinners™, School Gateway™, Schoolcomms Web Messenger™, Schoolcomms Mobile
Messenger™, Schoolcomms Desktop™, and related support sites for these products; and, services provided
by us that may include the Schoolcomms Collection Service™, Audit Services, and other services such as
support, setup, training, project management and consultancy;
|“Term”||a period of twelve (12) months from the Effective Date, which will be renewed automatically, for additional
periods of twelve (12) months, unless otherwise indicated on our renewal invoice;
In consideration of your payment of the Annual Licence Fee, we agree to provide you with, and you hereby accept, a non-exclusive, nontransferable licence for you to access and use Schoolcomms Products and Services for the Term, subject to the conditions laid out below.
1. Use of the Schoolcomms Products and Services is limited to the number of users specified in your purchase agreement. Without a purchase agreement, you are entitled to use the Schoolcomms Products and Services in a restricted demonstration mode only.
2. This Schoolcomms Products and Services are for use in the transmission of electronic messages and information, and the collection of parental income, and such use must follow Schoolcomms Acceptable Use Policy.
3. Use of the Schoolcomms Products and Services is limited to the number of years from the date of purchase as indicated by the invoice provided by us, and may be automatically renewed upon payment for additional years of use.
4. All proprietary Intellectual Property Rights in the Schoolcomms Products and Services and other materials used by us in the performance of this agreement, whether or not supplied to you, shall remain with us or our licensors.
5. We shall have no obligations under this Agreement during a given Term until we have received the fees due from you, in full, in cleared funds.
You may not:
1. Exceed the number of users as specified by the purchase agreement, without first purchasing an additional licence from us.
2. Modify, sell or distribute any of the Schoolcomms Products and Services, or use any of the content within the Schoolcomms Products and Services, other than to send and report on electronic communications transmitted solely though the Schoolcomms Products and Services.
3. Distribute or publish any part of the Schoolcomms Products and Services as part of an electronic document or web page other than for the promotion of the Schoolcomms Products and Services within or on behalf of the establishment for which the product is licensed.
4. Rent, lease, time-share, sub-license, or transfer the Schoolcomms Products and Services.
5. Modify, translate, adapt, disassemble, decompile, reverse engineer, or in any way copy the source code from the Schoolcomms Products and Services.
6. Copy or emulate in any way the design, layout, or functionality of this Schoolcomms Products and Services.
1. If you wish to cancel your Agreement, this must be done in writing giving no less than thirty (30) days’ notice in advance of the renewal date.
2. You may terminate this Agreement without any refund at any time by giving thirty (30) days’ notice in writing.
3. If you don’t provide the required notice, then you will be liable for the fees due for the subsequent renewal Term.
4. Upon cancellation any unused text credits remaining will be lost and no refunds are payable.
5. Pay as You Go licences may be terminated by us, if SMS credits are not purchased at least once in every calendar year after the date of activation.
6. Should the service not be used for whatever reason, we, or our distributor, shall not be responsible for any lack of use and no refunds will therefore be payable.
7. We reserve the right to cancel this Agreement at any time if you are in breach of any of these terms of this Agreement.
You shall pay the fees for the Term in full within thirty (30) days of the date of purchase as indicated on the invoice. You shall pay the fee for any SMS credits purchased in full within thirty (30) days of the date of purchase as indicated on the invoice.
We reserve the right to introduce or revise charges for any service provided at our sole discretion but any changes will be notified at least thirty (30) days prior to introduction unless enforced by a 3rd party (e.g. VAT rate change or similar).
Renewal of this Agreement:
Thirty (30) days prior to the end of any Term we will automatically submit an invoice for the Annual Licence Fee at our then prevailing rate, for a further Term. Any change to this Agreement, or to the Term, will be notified on the invoice. You shall be deemed to have accepted any changes to the Agreement or to the Term, if you have not notified us in writing, of your intention to cancel this Agreement, prior to the expiry of the current Term, or if you use the Schoolcomms Products and Services after the start of the renewal Term.
You may not assign any rights hereunder, directly or by operation of law, without our prior written consent, which consent may not be unreasonably withheld. For the purposes of this Agreement, assignment shall include, but not be limited to, transfer of control, any ownership change which results in a new majority owner and any change in the jurisdiction of incorporation.
For the purposes of an Academy conversion, written notification should be sent to the Bude office address prior to conversion, confirming the date of conversion, and changes of the school name or the DfE number.
We may at any time transfer all or any part of our rights and/or obligations under this Agreement and upon completion of any such transfer (including the assumption by the transferee of all our remaining rights, benefits and obligations) we will be released from and have no further obligation under this Agreement. You will promptly execute all documents reasonably requested by us to affect, perfect record or implement such transfer and will promptly comply with any of our or our successors’ other reasonable requests in respect of such transfer.
Acceptable Use Policy:
Users are solely responsible for the content of electronic communications delivered through the service, and agree not to transmit through the site any unlawful, harassing, libellous, threatening, harmful, vulgar, obscene statement or otherwise objectionable communication.
We may prevent you on a temporary or permanent basis from sending e-mail messages or SMS messages to e-mail addresses or mobile phone numbers where the recipient or any third party involved in the transmission of messages has notified us that messages from you are spam, or where the e-mail address or phone number are no longer valid.
We do not exercise editorial control over your transmissions; however, we do reserve the right to review your transmissions in order to ensure compliance with this Policy. We do not disclose the contents of any communication other than to the recipient, except as required by law or a legal proceeding or investigation. Occasionally, in the normal course of business our employees may view the contents of an electronic communication while providing technical support or troubleshooting delivery systems, or contents will be scanned for keywords to summarize how, in general, the service is being used.
Copyright & Trademark:
The information contained in Schoolcomms Products and Services is copyrighted and may not be distributed, modified, reproduced in whole or part without prior written our permission. Except for the incidental printing of web pages and Schoolcomms Products and Services transmission content as provided for herein, the images from Schoolcomms Products and Services may not be reproduced in any form without prior our written consent.
Disclaimer of Warranties:
To the maximum extent permitted by applicable law, we, and our suppliers, provide Schoolcomms Products and Services as is and with all faults, and hereby disclaim all warranties and conditions, either express, implied or statutory, including, but not limited to, any (if any) implied warranties or conditions of merchantability, of fitness for a particular purpose, of lack of viruses, of accuracy or completeness of responses, of results, and of lack of negligence or lack of workmanlike effort, all with regard to Schoolcomms Products and Services, and the provision of or failure to provide support services. THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT, WITH REGARD TO SCHOOLCOMMS PRODUCTS AND SERVICES. THE ENTIRE RISK AS TO THE QUALITY OF OR ARISING OUT OF USE OR PERFORMANCE OF SCHOOLCOMMS PRODUCTS AND SERVICES, IF ANY, REMAINS WITH YOU.
Exclusion of Incidental, Consequential and Certain other Damages:
To the maximum extent permitted by applicable law, in no event shall we or our suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, but not limited to, damages for loss of profits or confidential or other information, for business interruption, for personal injury, for loss of privacy, for failure to meet any duty including of good faith or of reasonable care, for negligence, and for any other pecuniary or other loss whatsoever) arising out of or in any way related to the use of or inability to use Schoolcomms Products and Services, the provision of or failure to provide support services, or otherwise under or in connection with any provision of this Agreement, even in the event of the fault, tort (including negligence), strict liability, breach of contract or breach of warranty by us or our supplier, and even if we or our supplier has been advised of the possibility of such damages.
Limitation of Liabilities and Remedies:
Notwithstanding any damages that you might incur for any reason whatsoever (including, without limitation, all damages referenced above and all direct or general damages), our entire liability and any of our suppliers under any provision of this Agreement and your exclusive remedy for all of the foregoing shall be limited to the amount actually paid by you for Schoolcomms Products and Services in the preceding twelve (12) months. The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if any remedy fails its essential purpose.
Schoolcomms is an operating division of
Cornwall EX23 0LU
Phone: +44 333 332 7147 www.schoolcomms.com
© Copyright 2018 ParentPay Limited. All Rights Reserved.
Schedule 2: Data Processing Agreement (“DP Agreement”)
This DP Agreement is by and between us, Schoolcomms, a trading division of ParentPay Limited, a private limited company registered in England and Wales, with Company Number 04513692, having its registered office at 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG (“Company”), and its Group Companies, (“Data Processor”) and you, the Customer (“Data Controller”)
- Definitions and Scope
The following terms used in this Agreement shall have the meanings given to them below:
“Agreement” means the agreement between the Data Controller and the Data Processor for the provision of the Schoolcomms Products and Services;
“Company” means ParentPay Limited and its Group Companies;
“Customer” means the School or other establishment or organisation that contracts with the Company;
“Data” means the Personal Data disclosed to the Data Processor by or on behalf of the Data Controller in connection with the Purpose as more particularly described in Section 2, and Personal Data which may be disclosed by Data Subjects or by Data Controller by instructing the Data Processor to collect Personal Data directly from the Data Subject (or anyone authorised by the Data Subject to provide it);
“Data Protection Law” means law, legislation or regulation relating to data protection, the processing of Personal Data and privacy from time to time, including, but not limited to:
• the Data Protection Act 1998;
• (with effect from 25 May 2018) the General Data Protection Regulation (EU) 2016/679;
• the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications);
• any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union; and
• more generally, references to statutory provisions include those statutory provisions as amended, replaced, re-enacted for the time being in force and shall include any bye-laws, statutory instruments, rules, regulations, orders, notices, codes of practice, directions, consents or permissions and guidelines (together with any conditions attached to the foregoing) made thereunder;
“Data Subject” means an individual who is the subject of any of the Data. The categories of Data Subject within the scope of this Agreement are listed in Schedule 1;
“Data Subject Request” means a written request of the Data Controller by or on behalf of a Data Subject to exercise any rights conferred by Data Protection Law;
“DP Agreement” means this Data Processor Agreement, including all Appendices and Schedules;
“Effective Date” means the effective date of this DP Agreement, which h shall be the later of 25 May 2018 or the Effective Date of the Agreement;
“Good Industry Practice” means, in relation to any undertaking and any circumstances, the exercise of skill, diligence, prudence, foresight and judgement that would reasonably be expected from a skilled person engaged in the same type of undertaking under the same or similar circumstances;
“Group Company” means the Company, any subsidiary or any holding company from time to time of the Company, and any subsidiary from time to time of a holding company of the Company and each company in the Group is a Group Company. Group Companies shall include, but not be limited to:
- ParentPay (Holdings) Limited, a company registered in England and Wales with Company Number 08212986, having its registered office at 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG, including its division trading as Schoolcomms (formerly Isuz Ltd);
- Cypad Limited, a company registered in England and Wales with Company Number 04335803, having its registered office at 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG;
- WIS Services BV, a company registered in the Netherlands with Company Number 24353928, having its registered office at Stavorenweg 4, Gouda, 2803PT, Netherlands;
- WIS Software BV, a company registered in the Netherlands with Company Number 24353936, having its registered office at Stavorenweg 4, Gouda, 2803PT, Netherlands;
- Nimbl Limited, a company registered in England and Wales with Company Number 09276538, having its registered office at 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG;
- Just Education Limited, a company registered in England and Wales with Company Number 10509472 and having its registered office at 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG; and,
- Just Education Recruitment Limited, a company registered in England and Wales with Company Number 10509490 and having its registered office at 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG;
“Party” means any of Data Controller or Data Processor, and “Parties” means Data Controller and Data Processor;
“Personal Data” means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Purpose” means the purpose or purposes set out in Clause 2 of this DP Agreement;
“Service” means the Schoolcomms Products and Services or any other applicable services provided by the Company to the Customer;
“Security Breach” means any breach or suspected breach of any of the Data Processor’s obligations in terms of Clauses 5 and/or 6 or any other unauthorised or unlawful processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or damage or access to the Data;
“Security Incident” means a Security Breach or a Security Risk;
“Security Measures” has the meaning defined in Schedule 3 of this DP Agreement, and as updated from time to time by the Data Processor;
“Security Risk” means any risks or vulnerabilities that are likely to affect the integrity or effectiveness of the Security Measures (including vulnerabilities relating to any software or third party system or network) that are known or ought reasonably to be known to the Data Processor;
“Sub-processor” means any third party data processor engaged by Data Processor who receives Personal Data from Data Processor for processing on behalf of Data Controller and in accordance with Data Controller’s instructions (as communicated by Data Processor) and the terms of its written subcontract;
“Supervisor” or “Supervisory Authority means the Information Commissioner’s Office, which is the UK’s data protection authority;
“Third Party Functions” means optional product integrations between the Service and third parties, which may be enabled by the Customer (examples include cashless and catering solutions, finance systems or social media).
1.1. This DP Agreement is an amendment to the Schoolcomms Agreement for Schools v1 or other contract or agreement between the parties for the provision, operation or use by the Customer of Schoolcomms Products and Services (“the Agreement”). The terms of this DP Agreement shall be applicable to all Customers using Schoolcomms Products and Services, however the Customer contracted to do so.
1.2. This DP Agreement is designed to bring the Company’s Customer contracts in line with the obligations and requirements relating to data
protection as set out in the European Union General Data Protection Regulations (the “GDPR”). The GDPR will replace Data Protection
Directive 95/46/EC. The GDPR will come into force on 25 May 2018.
1.3. Unless otherwise stated, words and expressions defined in the Agreement shall have the same meaning in this DP Agreement.
1.4. For the avoidance of doubt, in the event of any conflict between the terms of this DP Agreement and the Agreement (including all associated Schedules, Annexes and Appendices to the Agreement), the terms of this DP Agreement will take precedence.
1.5. This DP Agreement will take effect on 25 May 2018.
1.6. The governing law and jurisdiction applicable to the Agreement shall govern this DP Agreement.
2.1. Data Controller and Data Processor have entered the Agreement pursuant to which Data Controller is granted certain rights to access and use the Service. In providing the Service, Data Processor will engage, on behalf of Data Controller, in the Processing of Personal Data submitted to and stored within the Service by Data Controller or third parties with whom Data Controller transacts using the Service.
2.2. The Parties are entering into this DP Agreement to ensure that the Processing by Data Processor of Personal Data, within the Service by Data Controller and/or on its behalf, is done in a manner compliant with Data Protection Law and its requirements regarding the collection, use and retention of Personal Data of Data Subjects.
2.3. The Data Processor may share Personal Information with Group Companies for the purpose of marketing by post, phone, email and electronic messaging services such as SMS or MMS. If Data Subjects do not wish to receive any such material, they may ‘opt out’ within the Service, within the communication received or by contacting the Data Processor using the relevant customer service channels.
2.4. In providing the Service, Data Processor may in some circumstances become a data controller under Data Protection Law. In such circumstances, both parties shall continue to operate in full compliance with applicable Data Protection Law whilst acknowledging and accepting that the specific obligations and restrictions set forth in this DP Agreement may not apply.
2.5. Schedule 1 of this DP Agreement describes data elements the Data Controller will be uploading as part of the Service.
2.6. Schedule 2 of this DP Agreement describes the specific purpose and nature of the processing.
3.1. This Agreement will remain in force as long as Data Processor Processes Personal Data on behalf of Data Controller under the Agreement.
4. Obligations of the Data Processor
4.1. The Parties agree that the subject-matter of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.
4.2. As part of Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows:
4.2.1. to process Personal Data in accordance with Data Controller’s documented instructions as set out in the Agreement and this DP Agreement or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
4.2.2. to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.2.3. to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a “Data Security Breach”), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;
4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller’s Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;
4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a “Data Subject Request”). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing, the complexity and frequency of the request(s), and the information available to Data Processor, Data Processor, shall, on Data Controller’s request and at Data Controller’s reasonable expense, address the Data Subject Request, as required under the Data Protection Law;
4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;
4.2.8. upon termination of Data Controller’s access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);
4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and
4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security Measures.
4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller’s Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
5. Use of Sub-Processors
5.1. Data Controller agrees that Data Processor may appoint Sub-Processors to assist it in providing the Service and Processing Personal Data provided that such Sub-Processors:
5.1.1. agree to act only on Data Processor’s written instructions when Processing the Personal Data (which instructions shall be consistent with Data Controller’s Processing instructions to Data Processor); and
5.1.2. agree to protect the Personal Data to a standard consistent with the requirements of this DP Agreement, including by implementing and maintaining appropriate technical and organisational measures to protect the Personal Data they Process consistent with the Security Measures described in Schedule 3 of this DP Agreement.
5.2. Data Processor agrees and warrants to remain liable to Data Controller for the subcontracted Processing services of any of its direct or indirect Sub-Processors under this DP Agreement. Data Processor shall maintain an up-to-date list of the names and location of all Sub-Processors used for the Processing of Personal Data under this DP Agreement available upon request to the Data Protection Officer. Data Processor shall, where reasonably possible, inform the Data Controller at least 30 days prior to the date on which any newly appointed Sub-Processor shall commence processing Personal Data.
5.3. In the event that Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-Processor as described in Clause 5.2, it shall inform Data Processor immediately, and in any case, no later than within the 30-day notification period. The Data Controller should present a reasonable justification for the objection as it relates to Data Protection Law – for example, if the processing is expected to present unnecessary risk to the interests, rights and freedoms of the data subject.
5.4. In the case that a Data Controller objects to the use of a Sub-Processor, it’s only remedy is to cease use of the Service and to terminate the Agreement subject to clause 3.4 of the Agreement. For the avoidance of doubt, such decision by the Data Controller will not diminish Data Controller’s obligations to pay the fees due under clause 3.4 of the Agreement.
5.5. In addition, the Service may provide links to integrations with Third Party Functions, including, without limitation, certain Third Party Functions which may be integrated directly into Data Controller’s account or instance in the Service. If Data Controller elects to enable, access or use such Third Party Functions, its access and use of such Third Party Functions is governed solely by the terms and conditions and privacy policies of such Third Party Functions, and Data Processor does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Functions, including, without limitation, their content or the manner in which they handle Data (including Personal Data) or any interaction between Data Controller and the provider of such Third Party Functions.
5.6. Data Processor is not liable for any damage or loss caused or alleged to be caused by or in connection with Data Controller’s enablement, access or use of any such Third Party Functions, or Data Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Functions. The providers of Third Party Functions shall not be deemed Sub-Processors for any purpose under this DP Agreement.
6.1. The Parties acknowledge that Data Processor uses security auditors to verify the adequacy of its security measures, including the security of the physical data centres from which Data Processor provides its data processing services. This audit:
6.1.1. will be performed at least annually;
6.1.2. will be performed according to ISO 27001 or PCI DSS standards or such other alternative standards that are substantially
equivalent to ISO 27001 or PCI DSS;
6.1.3. will be performed by independent third party security professionals or suitably skilled in house staff at Data Processor’s selection
and expense; and
6.1.4. will result in the generation of an audit report affirming that Data Processor’s data security controls achieve industry standards.
6.2. Data Processor shall provide appropriately detailed responses to Data Controller’s requests for information which may include responses to relevant information security and audit questionnaires.
6.3. At Data Controller’s written request, Data Processor will provide Data Controller with a confidential summary of the Report (“Summary Report”) so that Data Controller can reasonably verify Data Processor’s compliance with the security and audit obligations under this Agreement. The Summary Report
7. International Data Exports
7.1. Data Controller acknowledges that Data Processor and its Sub-Processors may maintain data processing operations in countries that are outside of the EEA. As such, both Data Processor and its Sub-Processors may Process Personal Data in non-EEA countries. This will apply even where Data Controller has agreed with Data Processor to host Personal Data in the EEA if such non-EEA Processing is necessary to provide support-related or other services requested by Data Controller.
7.2. Data Processor will make best endeavors to limit data exports to non-EEA countries to what is strictly necessary.
7.3. In all cases where transfers to non-EEA countries may take place, these transfers will be subject to necessary safeguards as defined within applicable Data Protection Law.
8. Obligations of the Data Controller
8.1. As part of Data Controller receiving the Service under the Agreement, Data Controller agrees and warrants that:
8.1.1. it is solely responsible for the accuracy of Personal Data and the means by which such Personal Data is acquired and the Processing of Personal Data by Data Controller, including instructing Processing by Data Processor in accordance with this DP Agreement, is and shall continue to be in accordance with all the relevant provisions of Data Protection Law, particularly with respect to the security, protection and disclosure of Personal Data;
8.1.2. that if Processing by Data Processor involves any “special” or “sensitive” categories of Personal Data (as defined under Data Protection Law), Data Controller has collected such Personal Data in accordance with Data Protection Law;
8.1.3. that Data Controller will ensure that Data Subjects receive a Privacy Notice compliant with Data Protection Law, the contents of which shall include but not be limited to:
8.1.4. the use of data processors to Process their Personal Data, including Data Processor; and
8.1.5. that their Personal Data may be Processed outside of the European Economic Area;
8.1.6. that it shall respond in a reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by Data Controller, and to give appropriate instructions to Data Processor in a timely manner; and,
8.1.7. that it shall respond in a reasonable time to enquiries from a Supervisor regarding the processing of relevant Personal Data by Data Controller.
9. Return and Destruction of Personal Data
9.1. Upon the termination of Data Controller’s right to access and use the Service under the Agreement, Data Processor will for up to thirty (30) days following such termination permit Data Controller to export its Data, at its expense, in accordance with the capabilities of the Service. Following such period, Data Processor shall have the right to delete all Data stored or Processed by Data Processor on behalf of Data Controller in accordance with Data Processor’s deletion policies and procedures. Data Controller expressly consents to such deletion.
10. NO CONSEQUENTIAL DAMAGES; LIMITATION ON LIABILITY
10.1. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL EITHER PARTY TO THIS DP AGREEMENT, OR THEIR AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SERVICE PROVIDERS, SUPPLIERS OR LICENSORS BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA (BEING DATA LOST IN THE COURSE OF TRANSMISSION VIA DATA CONTROLLER’S SYSTEMS OR OVER THE INTERNET THROUGH NO FAULT OF DATA PROCESSOR), BUSINESS INTERRUPTION, LOSS OF GOODWILL, OR FOR ANY TYPE OF INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR PUNITIVE LOSS OR DAMAGES, OR ANY OTHER LOSS OR DAMAGES INCURRED BY THE OTHER PARTY OR ANY THIRD PARTY IN CONNECTION WITH THIS DP AGREEMENT, OR THE SERVICES, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES.
10.2. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS DP AGREEMENT OR THE AGREEMENT, DATA PROCESSOR’S AGGREGATE LIABILITY TO DATA CONTROLLER OR ANY THIRD PARTY ARISING OUT OF THIS AGREEMENT AND ANY LICENSE, USE OR EMPLOYMENT OF THE SERVICE, SHALL IN NO EVENT EXCEED THE LIMITATIONS SET FORTH IN THE AGREEMENT.
10.3. FOR THE AVOIDANCE OF DOUBT, THIS SECTION SHALL NOT BE CONSTRUED AS LIMITING THE LIABILITY OF EITHER PARTY WITH RESPECT TO CLAIMS BROUGHT BY DATA-SUBJECTS.
Schedule 1: Data Elements, categories of Data Subjects
Schedule 2: Purpose for Processing
To provide payment collection, payment processing, parent communication and management information systems and services for the education market in the form of the Schoolcomms Products and Services.
|Data Subject (Who)||Data Category (What)||Description|
|Pupil \ Student||Forename||This is the forename of the pupil.|
|Pupil \ Student||Surname||This is the surname of the pupil.|
|Pupil \ Student||Known as||This is the name that the pupil is known as.|
|Pupil \ Student||DOB||This is the date of birth of the pupil.|
|Pupil \ Student||Gender||This is the pupil's gender|
|Pupil \ Student||Year Group||The year the pupil is in|
|Pupil \ Student||Registration Class||The name of the pupil’s registration class (if any)|
|Pupil \ Student||Salutation||This is the pupil’s salutation.|
|Pupil \ Student||Dietary Requirements||This is the pupils special dietary requirements|
|Pupil \ Student||Postal Address||The student's postal address|
|Pupil \ Student||Meal Selections and spend|
|This is a history of a pupil's meal selections and spends for school meals
or non-meal-related items.
|Parents \ Contacts||Title||This is the contact’s title (Mr, Mrs, Ms, etc).|
|Parents \ Contacts||Forename||This is the contact’s forename.|
|Parents \ Contacts||Surname||This is the contact’s surname.|
|Parents \ Contacts||Authentication data||Username and password or other authentication tokens|
|Parents \ Contacts||Gender||The contact’s gender|
|Parents \ Contacts||House Name||The text entered as the contact’s house name.|
|Parents \ Contacts||Street||The text entered as the contact’s street.|
|Parents \ Contacts||Locality||The text entered as the contact’s locality.|
|Parents \ Contacts||Town||The text entered as the contact’s town.|
|Parents \ Contacts||Postcode||The text entered as the contact’s post code.|
|Parents \ Contacts||Day Telephone||The contact’s daytime telephone number.|
|Parents \ Contacts||Home Telephone||The contact’s home telephone number.|
|Parents \ Contacts||Mobile Telephone||This is the contact’s mobile telephone number.|
|Parents \ Contacts||This is the contact’s E-mail address.|
|Parents \ Contacts||Payment card details||Payment details are forwarded to a 3rd party payment processor|
|Parents \ Contacts||Other||This is the contact’s alternative communication method.|
|Parents \ Contacts||In-app messages||Messages sent from parents to school within the application|
|Parents \ Contacts||Trouble ticket data||When users submit trouble ticket information, this gets stored.|
|Parents \ Contacts||Payment History and balances||This is the contact’s history of payment transactions, including reversals,
refunds and withdrawals of funds.
|Parents \ Contacts||Shop information||ParentPay can be used as a payment page from externally or internally
hosted shop systems. This the information captured as part of that
|School Staff||Title||This is the staff member’s title (Mr, Mrs, Ms, etc.).|
|School Staff||Forename||This is the staff member’s forename.|
|School Staff||Surname||This is the staff member’s surname.|
|School Staff||Gender||The staff member’s gender|
|Website Access||IP Address||The network address of your device or internet connection|
|Website Access||Browser Type and Version||The type of Web Browser your device is using|
|Website Access||Cookies||Special records in your browser to help the website operate|
|Website Access||Web Analytics||Generalised information about browsing behaviour and page statistics|
Schedule 3: Security Measures
As of the Effective Date of this DP Agreement, when Processing Personal Data on behalf of Data Controller in connection with the Service, Data Processor shall implement and maintain the following technical and organizational security measures for the Processing of such Personal Data (“Security Measures”):
• Physical Access Controls: Data Processor shall take reasonable measures to prevent physical access, such as security personnel and secured buildings and factory premises, to prevent unauthorised persons from gaining access to Personal Data, or ensure Third Parties operating data centres on its behalf are adhering to such controls.
• System Access Controls: Data Processor shall take reasonable measures to prevent Personal Data from being used without authorisation. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls: authentication via passwords; two-factor authentication; documented authorisation processes; documented change management processes; and/or, logging of access on several levels.
• Data Access Controls: Data Processor shall take reasonable measures to provide that: Personal Data is accessible and manageable only by properly authorised staff; direct database query access is restricted; application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access; and, that Personal Data cannot be read, copied, modified or removed without authorisation in the course of Processing.
• Transmission Controls: Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport.
• Input Controls: Data Processor shall take reasonable measures to provide that it is possible to check and establish whether and by whom Data has been entered into, modified or removed from data processing systems. Data Processor shall take reasonable measures to ensure that (i) the Personal Data source is under the control of Data Controller; and (ii) Personal Data integrated into
the Service is managed by secured transmission from Data Controller.
• Data Backup: Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss when hosted by Data Processor.
• Data Security: Where appropriate and reasonable, Data Processor should make use of accepted Data Security controls including but not limited to encryption, pseudonymisation and anonymisation.
• Logical Separation: Data from different Data Processor’s Customers is logically segregated on Data Processor’s systems to ensure that Personal Data that is collected for different purposes may be Processed separately.
• Network Security Controls: Data Processor shall implement appropriate network security controls based on risk assessment as it relates to Data Protection; commonly including Firewalls, Anti-Malware and system logging.
• Security Testing and Assurance: Data processor shall establish mechanisms for testing and assessing the effectiveness of technical or organisational measures used for establishing Information Security.