VESPA Academy — Developing Student Mindsets

Data Processing Agreement (Exemplar)

Last updated: June 2026

4Sight Education Ltd (trading as VESPA Academy)

Document owner: Antony Dennis, Director
Version: 1.0
Effective date: June 2026
Review cycle: Annually or on material change
Status: Exemplar template — complete the bracketed fields per customer; have it reviewed by your solicitor before commercial use

This is our standard Data Processing Agreement exemplar (UK GDPR Article 28). Schools may also present their own DPA for negotiation. Have your solicitor review before commercial use.

1. Parties

This Data Processing Agreement ("Agreement") is between [Customer name] of [address] (the "Controller") and 4Sight Education Ltd, Company No. 14032238, of 79 Tib Street, Manchester, M4 1LS (the "Processor"), and takes effect from [date].

2. Definitions

Terms such as "personal data", "processing", "data subject", "controller", "processor" and "personal data breach" have the meanings given in the UK GDPR and the Data Protection Act 2018.

3. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to provide the VESPA Academy service for the duration of the service agreement between the parties, and as set out in Schedule 1.

4. Processor obligations

The Processor shall:

  1. process personal data only on the Controller's documented instructions, including this Agreement, unless required by law;
  2. ensure persons authorised to process the data are under a duty of confidentiality;
  3. implement appropriate technical and organisational security measures (see Schedule 2);
  4. not engage a sub-processor without the Controller's prior general authorisation, maintain a list of sub-processors, and inform the Controller of intended changes so the Controller may object;
  5. assist the Controller, taking account of the nature of processing, in responding to data subject requests and in meeting its obligations regarding security, breach notification, data protection impact assessments and consultation with the ICO;
  6. notify the Controller without undue delay on becoming aware of a personal data breach;
  7. at the Controller's choice, delete or return all personal data at the end of the service and delete existing copies, unless storage is required by law;
  8. make available information necessary to demonstrate compliance and allow for and contribute to reasonable audits.

5. International transfers

Personal data is hosted within the European Union (see Schedule 2). The Processor will not transfer personal data outside the UK or EEA without an appropriate transfer mechanism and the Controller's authorisation.

6. Liability and law

This Agreement is governed by the law of England and Wales. Liability is as set out in the parties' main service agreement.

Schedule 1 — Details of processing

Subject matter: Provision of the VESPA Academy platform, resources and reporting
Nature and purpose: Hosting and processing of user accounts and questionnaire data to deliver coaching, reporting and study-skills support
Duration: For the term of the service agreement
Categories of data subjects: Students/learners; school and college staff users
Types of personal data: Names, school/college, email/usernames, year/cohort, VESPA questionnaire responses and scores, activity and usage data
Special category data: None required by the service

Schedule 2 — Security measures and sub-processors

Security measures: Data hosted within the EU (Supabase EU; Vercel EU/edge); encryption in transit (HTTPS/TLS) and at rest; least-privilege access control; MFA on administrative systems; authenticated user access with SSO support; Cyber Essentials certified (IASME, certificate IASME-CE-060416); documented incident and breach response; backup and disaster-recovery arrangements per the Business Continuity & DR Plan.

Sub-processors (current):

Sub-processor | Purpose | Location
Supabase | Application database / data storage | EU
Vercel | Application hosting / delivery | EU / edge
SendGrid (Twilio) | Transactional email | US (SCCs)
Stripe | Payment processing | EU / US
OpenAI | Optional AI features — prompt data sent via API for response generation only; API terms prohibit model training on customer data | US (SCCs)
Anthropic | Optional AI features — prompt data sent via API for response generation only; API terms prohibit model training on customer data | US (SCCs)
Wonde | MIS data integration (where enabled by customer) | UK

AI processing note: Where optional AI features are used, the minimum data necessary for that request is transmitted to OpenAI and/or Anthropic as sub-processors. Data is not sold, licensed, or shared with third parties for marketing or unrelated purposes. Under API business terms (not consumer products), providers do not use submitted data to train their models. See our AI Usage Policy.

Signed for and on behalf of the Processor: Antony Dennis, Director, 4Sight Education Ltd — June 2026


