PyGCSE Python Lab
Data Processing Agreement

Last updated: April 21, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller ("the School"): The educational institution that subscribes to GCSE Python Lab and invites students and staff to use the Platform.
  • Data Processor ("we", "us", "Forge Class"): Forge Class Software Ltd, 73 Shepperson Road, Sheffield, S6 4FG, United Kingdom. Company No. 16547331. Contact: enquiries@forgeclass.co.uk

This DPA supplements our Terms & Conditions and Privacy Policy, and is governed by UK GDPR (the retained EU GDPR as incorporated into UK law by the Data Protection Act 2018).

2. Scope and Purpose

2.1 Subject Matter

This DPA governs the processing of personal data by Forge Class on behalf of the School when the School uses the GCSE Python Lab platform ("the Platform").

2.2 Duration

Processing begins when the School creates an account or subscribes, and continues for the duration of the School's subscription. Upon termination, data is handled in accordance with Section 9 of this DPA.

2.3 Nature and Purpose of Processing

We process personal data solely to:

  • Provide and operate the Platform (hosting, authentication, data storage)
  • Deliver AI-powered marking, feedback, and student support features
  • Send transactional emails (account confirmations, invoices, notifications)
  • Generate analytics and reports for teachers (class performance, submission tracking)
  • Maintain security and prevent abuse

3. Categories of Data Subjects

  • Students: Learners who access the Platform through a class code provided by their teacher.
  • Teachers / Staff: Educators who create accounts, manage classes, and set assignments.
  • School Administrators: Staff who manage the school subscription and billing.

4. Types of Personal Data Processed

| Category | Examples |
| --- | --- |
| Identity data | Full name, email address |
| Authentication data | OAuth provider ID (Google / Microsoft), session tokens |
| Educational data | Code submissions, marks, AI feedback, challenge attempts, class membership |
| Usage data | Login timestamps, feature usage, AI interaction logs |
| Billing data (admin only) | Billing email, purchase order documents, invoice records. Card details are processed by Stripe and we do not store them. |

We do not process special category data (e.g. health, ethnicity, religion). We do not knowingly collect data beyond what is listed above.

5. Obligations of the Processor

Forge Class shall:

  • 5.1 Process on instructions only. We will process personal data only on the documented instructions of the School (i.e. to deliver the Platform services), unless required to do so by UK law, in which case we will inform the School before processing unless prohibited from doing so.
  • 5.2 Confidentiality. Ensure that all persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 5.3 Security measures. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of data in transit (HTTPS/TLS) and at rest (Firebase/GCP default encryption)
    • Authentication via OAuth 2.0 (Google, Microsoft) and optional email/password sign-in. Passwords are stored only as one-way bcrypt hashes (never plaintext).
    • Role-based access control (student, teacher, school admin, platform admin)
    • Rate limiting on AI endpoints to prevent abuse
    • Regular dependency updates and security patching
  • 5.4 Sub-processors. Not engage another processor without prior specific or general written authorisation of the School. See Section 7 for our current sub-processor list. We will notify subscribing schools by email at least 30 days before adding any new sub-processor.
  • 5.5 Data subject rights. Assist the School in responding to requests from data subjects exercising their rights under UK GDPR (access, rectification, erasure, portability, restriction, objection). Schools can email us at enquiries@forgeclass.co.uk and we will respond without undue delay (typically within 5 working days).
  • 5.6 Breach notification. Notify the School without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach that affects the School's data. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach.
  • 5.7 Data Protection Impact Assessments. Assist the School with DPIAs and prior consultations with the ICO where required, taking into account the nature of processing and the information available to us.
  • 5.8 Audit. Make available to the School all information necessary to demonstrate compliance with UK GDPR Article 28, and allow for and contribute to audits and inspections conducted by the School or an auditor mandated by the School, on reasonable notice.

6. Obligations of the Controller

The School shall:

  • 6.1 Ensure it has a lawful basis under UK GDPR for processing student and staff personal data through the Platform (e.g. legitimate interest, public task, or consent where required).
  • 6.2 Obtain and document any necessary parental or guardian consent for students under 13, in line with ICO Children's Code guidance.
  • 6.3 Provide appropriate privacy notices to students and staff informing them that their data will be processed through the Platform and the third-party services listed in Section 7.
  • 6.4 Ensure that teachers use the Platform in compliance with the School's own data protection, safeguarding, and acceptable use policies.
  • 6.5 Notify Forge Class promptly of any data subject request or complaint that relates to Forge Class's processing.

7. Sub-processors

The School authorises Forge Class to use the following sub-processors. This list is current as of the date above and will be updated if sub-processors change.

| Sub-processor | Purpose | Location | Transfer Safeguard |
| --- | --- | --- | --- |
| Google Cloud / Firebase | Database, authentication, file storage, hosting | EU (Firestore: Belgium region, europe-west1; other services depend on configured region) | SCCs + UK Addendum (where required under Google terms/DPA) |
| OpenAI | AI marking, feedback, and student support. Student code and responses are sent for processing. Per OpenAI API policy and DPA, this data is not used to train OpenAI models. | USA | SCCs + UK Addendum (where required); DPA with OpenAI |
| Microsoft (Azure AD / Entra ID) | Authentication provider for schools/staff using Microsoft SSO (only when enabled by the School) | EU/UK/Global (depends on tenant configuration and Microsoft infrastructure) | SCCs + UK Addendum (where required under Microsoft terms/DPA) |
| Stripe | Card payment processing. We do not store card details. | USA / Ireland (depending on Stripe processing path) | SCCs + UK Addendum (where required); PCI DSS Level 1 |
| Resend | Transactional email delivery (invoices, receipts, notifications) | USA | SCCs + UK Addendum (where required under provider terms/DPA) |
| Render | Application hosting and deployment | USA / EU (depending on deployment region) | SCCs + UK Addendum (where required under provider terms/DPA) |

Region details above reflect current configuration and provider disclosures as of the date of this DPA; data location may vary by School setup and service feature.

If we need to add a new sub-processor, we will email the School at least 30 days in advance. The School may object within that period; if the objection cannot be resolved, either party may terminate the subscription (the School will receive a pro-rata refund for the remaining subscription period).

8. International Transfers

Some of our sub-processors are located outside the United Kingdom. Where personal data is transferred to a country that does not have an adequacy decision from the UK Government, we rely on:

  • The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK International Data Transfer Addendum, as appropriate.
  • Additional technical measures (encryption in transit and at rest, access controls, contractual restrictions on data use).

We regularly review our sub-processors' data protection practices and will update transfer mechanisms as UK Government guidance evolves.

9. Data Retention and Deletion

9.1 During the Subscription

Personal data is retained for as long as the School's subscription is active. Schools can request deletion, rectification, or export of student data at any time by contacting us at enquiries@forgeclass.co.uk and using available platform administration controls, including student removal and student-data deletion actions available on the school management page.

9.2 On Termination

Upon termination of the School's subscription, we will:

  • Retain data for up to 90 days to allow the School to request data export or re-activation.
  • After 90 days, delete or anonymise all personal data associated with the School, unless retention is required by law (e.g. financial records for HMRC must be kept for 6 years).
  • Confirm deletion in writing upon request.

9.3 Inactive Accounts

Individual accounts that have been inactive for more than 2 years may be deleted, as described in our Privacy Policy. Where reasonably practicable and contact details remain valid, we aim to send a reminder email before deletion.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in our Terms & Conditions.

11. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12. Contact

For questions about this DPA, to request a signed copy, or to report a data concern:

Forge Class Software Ltd

73 Shepperson Road, Sheffield, S6 4FG

Company No. 16547331

Email: enquiries@forgeclass.co.uk

ICO registration: If you believe we are not handling data correctly, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.