Data Processing Agreement (DPA)

Last updated:


Data Processing Agreement

Shuttle Learning Limited & your School

UK GDPR Article 28 processing contract for the Shuttle Learning Educational App

Document: docs/privacy/DPA_TEMPLATE.md
Version: 1.0 (template)
Current as of: June 2026
Governing law: England & Wales

How acceptance works

When a member of your school staff with delegated authority ticks the “I accept” box during onboarding, that click has the same legal effect as a counter-signature on a paper contract. Under English contract law a clearly presented click-wrap acceptance forms a binding agreement, and under UK GDPR Article 28(9) a processing contract is valid where it is “in writing, including in electronic form”. A counter-signed Word or PDF version is available on request and has identical legal effect.

1 Plain English preamble

Plain English

This document explains how Shuttle Learning handles your pupils’ and teachers’ data, and protects your school legally.

This Data Processing Agreement (“DPA”) is between your school (“the School”, the Controller) and Shuttle Learning Limited (“Shuttle Learning”, the Processor), whose registered office is 167–169 Great Portland Street, London, England, W1W 5PF. It exists because the School decides why and how pupil and teacher data is used, and Shuttle Learning processes that data only to run an educational app that teaches OCR GCSE Computer Science (J277) in Python. UK data protection law (UK GDPR Article 28) requires a written contract whenever a processor handles personal data for a controller, and this DPA is that contract. Pressing “I accept” during onboarding binds the School to this DPA.

2 Definitions

Plain English

Plain meanings for the words used throughout this DPA.

Controller

the body that decides the purposes and means of processing. Here, the School.

Processor

the body that processes data on the Controller’s behalf. Here, Shuttle Learning.

Personal Data

any information relating to an identified or identifiable living person.

Data Subject

the individual the Personal Data is about (here, students and teachers).

Processing

any operation performed on Personal Data, such as collecting, storing, using or deleting it.

Sub-processor

another processor engaged by Shuttle Learning to help deliver the service (here, Google).

Personal Data Breach

a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

School

the educational institution accepting this DPA.

Student

a pupil aged 14 to 16 (a minor) using the Educational App at the School.

Educational App

Shuttle Learning’s Firebase-backed web platform teaching OCR GCSE Computer Science (J277) in Python.

Attempts

records in the attempts collection capturing a student’s submitted answer, marking and metadata.

Lesson Summaries

per-student, per-lesson AI-generated “What Went Well” and “Even Better If” notes plus MCQ scores.

Gemini Outputs

scores and feedback produced by Google’s Gemini API when marking submissions.

3 Parties and how acceptance works (UK GDPR Art 28(9))

Plain English

A staff member with authority ticks “I accept” and that binds the whole school.

The parties are the School (Controller) and Shuttle Learning Limited (Processor). Acceptance is by click-wrap: a member of school staff with delegated authority (a Head Teacher, Deputy Head, Head of Department, or Data Protection Officer) creates the school’s first teacher account and ticks the acceptance box during onboarding. This binds the School. UK GDPR Article 28(9) provides that “the contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form”, and English contract law (consistent with the Law Commission’s 2019 report on the electronic execution of documents) treats a clearly presented “I accept” tick, made with intent to authenticate, as a valid acceptance forming a binding contract. A counter-signed Word or PDF version is available from support@shuttlelearning.com with identical legal effect.

4 Scope, subject matter and duration

Plain English

What we do and for how long.

Shuttle Learning processes Personal Data to: operate the Educational App; mark student submissions using the Gemini API; store progress; and provide teacher dashboards. The duration runs from acceptance ([ONBOARDING DATE]) until termination under Section 13. The School’s identifying details are: [SCHOOL NAME], [SCHOOL ADDRESS], [SCHOOL CONTACT].

5 Nature and purpose of processing

Plain English

Educational use only. We do not advertise, profile, sell data or train AI on student work.

Processing is for educational purposes only. Shuttle Learning explicitly does NOT: serve advertising; profile students for commercial purposes; sell Personal Data; or use student work to train or improve AI models. The Gemini API is used on its paid tier, and Google’s Gemini API Additional Terms of Service state:

When you use Paid Services, including, for example, the paid quota of the Gemini API, Google doesn’t use your prompts (including associated system instructions, cached content, and files such as images, videos, or documents) or responses to improve our products, and will process your prompts and responses in accordance with the Data Processing Addendum for Products Where Google is a Data Processor.

There is no analytics, advertising or behavioural processing in the Educational App. This approach reflects the data-minimisation and “no commercial use of pupils’ intellectual property” expectations in the ICO Children’s Code and the DfE’s “Generative AI: product safety expectations” (22 January 2025).

6 Categories of personal data and data subjects

Plain English

Exactly what data we hold and whose.

Categories of Personal Data: school Microsoft email; Firebase Auth UID; display name; role (student or teacher); classroom membership (classId, teacherId, student UID lists, join code); submitted source code; MCQ answers; Gemini scores and feedback; Lesson Summaries; rate-limit counters; and server logs (UID, lessonId, questionId for diagnostics; raw code is not logged). Approximate country-level location may be inferred. Data subjects: students (minors aged 14 to 16) and teachers. Shuttle Learning does NOT process home address, phone number, payment details, biometrics, advertising identifiers, or any location beyond approximate country. This minimised data set is designed to align with the Children’s Code standard of collecting only data needed for the element of the service a child is actively using.

7 Documented instructions from the Controller (Art 28(3)(a))

Plain English

We only process data as the school instructs.

The School instructs Shuttle Learning to process the categories listed in Section 6 to deliver the Educational App according to its functionality, and for no other purpose without further documented instruction. This DPA, together with the onboarding configuration, constitutes the School’s documented instructions and is capable of being saved as a record. If a legal obligation requires Shuttle Learning to process outside these instructions, including in relation to transfers to a third country, it will inform the School first unless the law prohibits this on important grounds of public interest. As UK GDPR Article 28(10) provides, “if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing”, and Shuttle Learning accepts controller responsibility in any such case.

8 Confidentiality (Art 28(3)(b))

Plain English

Our people are bound to keep data confidential.

All Shuttle Learning personnel authorised to process Personal Data are committed to confidentiality, whether by contract or an appropriate statutory duty of confidentiality. This covers employees, temporary workers and contractors with access to Personal Data. Access is granted on a least-privilege, need-to-know basis, and access is logged and reviewed.

9 Security measures (Art 28(3)(c) + Art 32)

Plain English

A layered set of technical and organisational controls. The list below is illustrative, not exhaustive.

Taking into account the state of the art, the costs of implementation and the risks to data subjects, Shuttle Learning implements appropriate technical and organisational measures under Article 32, including: Firebase App Check (reCAPTCHA v3) on API calls; Firestore Security Rules that deny direct client writes to grading data; all grading writes performed server-side via the Google Admin SDK; encryption in transit (HTTPS) and at rest; per-user rate limits (30 submissions per minute, 200 per day); secrets such as GEMINI_API_KEY held in Google Secret Manager; multi-factor authentication on all developer and admin accounts; UK and EU data residency where possible; and regular review against ICO and NCSC guidance. This addresses the ongoing confidentiality, integrity, availability and resilience of processing systems, and the ability to restore access after an incident. This list is illustrative and not exhaustive; measures evolve as risks change. See Annex B for detail.

10 Sub-processors (Art 28(2) + Art 28(4))

Plain English

Google is our only sub-processor. We tell you before any new one and you can object.

The School gives general written authorisation for Shuttle Learning to engage sub-processors. Shuttle Learning’s sole sub-processor is Google (Google LLC and Google Cloud EMEA Limited), providing seven services: Firebase Authentication; Cloud Firestore (eur3 multi-region); Cloud Functions (europe-west1); Firebase Hosting; Firebase App Check (reCAPTCHA); Cloud Logging; and the Gemini API paid tier (gemini-2.5-flash-lite). Shuttle Learning will give 30 days’ notice by email of any new or replacement sub-processor, giving the School the opportunity to object. The School may object on reasonable data-protection grounds within that window; if the objection cannot be resolved, either party may terminate. Shuttle Learning imposes data protection obligations on its sub-processors that offer an equivalent level of protection to this DPA, and remains fully liable to the School for its sub-processors’ compliance. Google’s Cloud Data Processing Addendum is incorporated by reference (see Annex A and Sources).

11 Assistance with data subject rights (Art 28(3)(e))

Plain English

We help you answer pupil and staff data-rights requests, normally within 5 working days.

Taking into account the nature of processing, Shuttle Learning assists the School by appropriate technical and organisational measures, insofar as possible, to respond to data subject requests under: Access (Art 15), Rectification (Art 16), Erasure (Art 17), Restriction (Art 18), Portability (Art 20), Objection (Art 21), and rights related to automated decision-making (Art 22). Service level: Shuttle Learning will respond to a written request for assistance within 5 working days, unless complexity requires longer, in which case it will notify the School in advance. The Children’s Code expects accessible tools for children to exercise their rights, and Shuttle Learning will route any direct student or parent request to the School, which instructs Shuttle Learning accordingly.

12 Personal data breaches (Art 28(3)(f) + Art 33–34)

Plain English

We tell you within 72 hours and help you respond.

Shuttle Learning will notify the School without undue delay and within 72 hours of becoming aware of a Personal Data Breach, providing the information required by Article 33(3): the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate harm. The School decides whether to notify affected data subjects under Article 34; Shuttle Learning will assist. Where Shuttle Learning is itself controller for some data, it will notify the ICO directly where required.

13 Termination and return or deletion of data (Art 28(3)(g))

Plain English

On exit, we return your data and delete our copies.

On termination, at the School’s choice, Shuttle Learning will return all Personal Data in a portable format AND delete its copies within 30 days. Backups are retained for a rolling window (e.g. 35 days) and then deleted; pending deletion, backup data is put beyond use, consistent with ICO guidance that data in backups need not be deleted instantly provided it is beyond use and deleted on the next cycle. Shuttle Learning will confirm deletion in writing on request. The School may request mid-term deletion of individual students under the Right to Erasure SLA in Section 11.

14 Retention while the agreement is in force

Plain English

We keep active data while you use us, then delete or anonymise it.

Active student data is retained for the duration of the agreement. Beyond a school year, the default is that data is anonymised or deleted 12 months after the end of the relevant academic year unless the School instructs otherwise in writing. Server logs are retained for 30 days. All retention periods are overridable by the School in writing. These defaults support the data-minimisation and storage-limitation principles relevant to children’s data.

15 International transfers (Art 28(3)(a) regarding transfers)

Plain English

Storage stays in the UK and EU. Gemini marking may touch US infrastructure, covered by approved transfer terms.

Storage and compute are pinned to UK and EU regions. Cloud Firestore uses the eur3 multi-region, which comprises read-write replicas in europe-west1 (Belgium) and europe-west4 (Netherlands) with a witness replica in europe-north1 (Finland), so stored data remains within the EU; Cloud Functions run in europe-west1. Gemini API calls may process prompts on Google infrastructure that could include the United States. Any such restricted transfer relies on the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum (the ICO-approved mechanisms in force since 21 March 2022), as incorporated into Google’s Cloud Data Processing Addendum. Shuttle Learning will not initiate new restricted transfers without an appropriate Article 46 safeguard in place.

16 AI-marked submissions (Gemini)

Plain English

Marking uses the paid Gemini API. Google does not train on paid prompts. A teacher always has the final say.

Marking uses the paid Gemini API tier (gemini-2.5-flash-lite). Google’s current public position, in its Gemini API Additional Terms of Service, is that when paid services are used it does not use prompts or responses to improve its products. For paid services, Google’s terms state that it:

logs prompts and responses for a limited period of time, solely for the purpose of detecting violations of the Prohibited Use Policy and any required legal or regulatory disclosures.

Where Zero Data Retention (ZDR) is approved for the project, Google clears all user content and identifiable metadata before logging, so the abuse-monitoring record is sanitised and contains zero identifiable user data; Shuttle Learning will keep its configuration current and notify the School of material changes. Separately, because the Educational App serves users in the United Kingdom, Google’s terms require use of Paid Services for those users in any event. Gemini’s score is decision-support, not solely-automated decision-making within the meaning of Article 22: a human teacher has visibility of marking and retains final authority. Exact ZDR availability for gemini-2.5-flash-lite is flagged in “Decisions still required”.

17 Audit and compliance (Art 28(3)(h))

Plain English

You can audit us, or rely on our certifications, once a year.

Shuttle Learning maintains records of its processing activities under Article 30 and makes available to the School all information necessary to demonstrate compliance with Article 28. On reasonable written notice (at least 30 days) and no more than once per 12 months (unless following a Personal Data Breach), the School may conduct an audit or inspection, OR rely on a third-party audit or industry certification that Shuttle Learning provides. Audit costs are borne by the School unless material non-compliance is found, in which case Shuttle Learning bears reasonable costs.

18 Liability and indemnity

Plain English

A fair, mutual liability framework with a sensible cap.

Each party is liable for its own breach of this DPA and of UK GDPR, and nothing in this DPA relieves either party of its direct responsibilities under UK GDPR. Liability is capped at £1,000. Carve-outs from the cap apply for: fines or losses arising from the other party’s breach; intellectual property infringement; and breach of confidentiality. Nothing limits liability that cannot be limited or excluded by law (including liability for death or personal injury caused by negligence). Any limitation of liability must be fair and reasonable under the Unfair Contract Terms Act 1977.

19 Governing law and jurisdiction

Plain English

English law applies.

This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.

20 Variations and entire agreement

Plain English

Changes must be in writing; electronic acceptance counts.

Variations are valid only in writing. Electronic acceptance counts as writing for this purpose. This DPA, together with its annexes and the onboarding configuration, is the entire agreement on data processing between the parties and supersedes prior arrangements on that subject.

21 Annex A — Sub-processor list (live link)

Plain English

The current sub-processor list, kept up to date online.

The live current list is maintained at https://shuttlelearning.com/legal/sub-processors.

| Sub-processor service | Provider | Processing location | Reference |
| --- | --- | --- | --- |
| Firebase Authentication | Google LLC / Google Cloud EMEA Ltd | EU/UK | Google Cloud DPA |
| Cloud Firestore | Google LLC / Google Cloud EMEA Ltd | eur3 (Belgium, Netherlands; witness in Finland) | Google Cloud DPA |
| Cloud Functions | Google LLC / Google Cloud EMEA Ltd | europe-west1 (Belgium) | Google Cloud DPA |
| Firebase Hosting | Google LLC / Google Cloud EMEA Ltd | Global CDN, EU origin | Google Cloud DPA |
| Firebase App Check (reCAPTCHA) | Google LLC / Google Cloud EMEA Ltd | EU/global | Google Cloud DPA |
| Cloud Logging | Google LLC / Google Cloud EMEA Ltd | EU/UK | Google Cloud DPA |
| Gemini API (paid tier, gemini-2.5-flash-lite) | Google LLC / Google Cloud EMEA Ltd | EU with possible US transit | Google Cloud DPA + Gemini API terms |

Google’s Cloud Data Processing Addendum and Google Cloud sub-processor list are incorporated by reference (URLs in Sources).

22 Annex B — Technical and organisational measures (TOMs)

Plain English

A one-page expansion of our security controls.

  • Firestore Security Rules: deny-all client writes on grading and summary collections; reads scoped to the authenticated user and their class.

  • Firebase App Check (reCAPTCHA v3): attests that requests originate from the genuine app before the backend serves them.

  • Server-side grading: all writes to grading and summary collections performed server-side via the Google Admin SDK.

  • Per-user rate limits: 30 submissions per minute and 200 per day to deter abuse and scraping.

  • Secret management: GEMINI_API_KEY and other secrets held in Google Secret Manager, never in client code.

  • Multi-factor authentication: enforced on all developer and admin accounts.

  • Backups and resilience: managed backups with a rolling retention window, then deletion; data put beyond use pending deletion.

  • Monitoring and logging: Cloud Logging captures UID, lessonId and questionId for diagnostics; raw submitted code is not logged.

  • Encryption: HTTPS in transit and encryption at rest across Google Cloud services.

  • Data residency: storage and compute pinned to EU/UK regions where the service allows.

  • Authentication: Microsoft SSO restricted to the school’s domain via a Firestore allowlist and a beforeUserCreated Firebase blocking function; Email/Password and Google providers disabled in steady state.

  • Incident response: documented breach procedure feeding the 72-hour notification in Section 12.
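The sign-up gate described in the Authentication bullet above (Microsoft SSO restricted to the school's domain via an allowlist checked in a beforeUserCreated blocking function), shown as an added illustration that is not Shuttle Learning's own code. The allowlist contents, the function names evaluateSignup and emailDomain, and the Firebase wiring sketched in the trailing comment are assumptions; the checks themselves (SSO provider only, verified address, exact domain match) follow Annex B. The decision is written as pure functions so it runs without Firebase installed and can be unit-tested against the edge cases a domain check must survive: mixed case and stray whitespace, unverified addresses, a second "@" in the address, and lookalike or sub-domains that merely contain the allowlisted domain.

```javascript
// Added example, not Shuttle Learning's code: the domain-allowlist decision
// behind the beforeUserCreated blocking function in Annex B, as pure functions.

// Constructed allowlist standing in for the Firestore allowlist document.
// Keys are lower-case bare domains; values are the school each maps to.
const SCHOOL_DOMAIN_ALLOWLIST = {
  "example-school.sch.uk": { schoolId: "school_001" },
  "stexample.org": { schoolId: "school_002" },
};

// Return the domain of a single "local@domain" address, lower-cased, or null
// if the string is not one plausible address. Exactly one "@" is required so
// that "attacker@evil.com@example-school.sch.uk" cannot borrow the suffix.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const parts = email.trim().toLowerCase().split("@");
  if (parts.length !== 2 || parts[0].length === 0 || parts[1].length === 0) return null;
  const domain = parts[1];
  // A bare hostname: dot-separated labels of letters, digits and hyphens.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) return null;
  return domain;
}

// Decide whether a newly created identity may proceed.
// Returns { allowed: true, schoolId } or { allowed: false, reason }.
function evaluateSignup(user, allowlist = SCHOOL_DOMAIN_ALLOWLIST) {
  // Annex B disables the Email/Password and Google providers, so only the
  // Microsoft SSO provider (Firebase id "microsoft.com") is acceptable.
  const providers = (user.providerData || []).map((p) => p.providerId);
  if (!providers.includes("microsoft.com")) {
    return { allowed: false, reason: "provider-not-sso" };
  }
  // An unverified address can be asserted by anyone; never trust its domain.
  if (user.emailVerified !== true) {
    return { allowed: false, reason: "email-unverified" };
  }
  const domain = emailDomain(user.email);
  if (domain === null) {
    return { allowed: false, reason: "email-malformed" };
  }
  // Exact match only: "example-school.sch.uk.evil.com" and
  // "sub.example-school.sch.uk" are rejected unless listed themselves.
  const school = allowlist[domain];
  if (!school) {
    return { allowed: false, reason: "domain-not-allowlisted" };
  }
  return { allowed: true, schoolId: school.schoolId };
}

// Assumed wiring (not run here): with firebase-functions v2 the same decision
// becomes a beforeUserCreated blocking function; throwing HttpsError aborts
// account creation, and the returned customClaims tag the user with a school.
//
//   const { beforeUserCreated, HttpsError } = require("firebase-functions/v2/identity");
//   exports.gateSignup = beforeUserCreated(async (event) => {
//     const verdict = evaluateSignup(event.data, await loadAllowlistFromFirestore());
//     if (!verdict.allowed) throw new HttpsError("permission-denied", verdict.reason);
//     return { customClaims: { schoolId: verdict.schoolId } };
//   });

if (typeof module !== "undefined") {
  module.exports = { emailDomain, evaluateSignup, SCHOOL_DOMAIN_ALLOWLIST };
}
```

Because the decision is made before the account exists, a rejected sign-up never creates a Firebase user, so the Firestore rules that scope reads to the authenticated user and their class have only allowlisted identities to reason about.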

23 How this DPA is recorded as accepted

Plain English

The “I accept” tick at school onboarding is the signature; we keep a record of who clicked it and when.

When a member of school staff with delegated authority ticks the “I accept” box during onboarding, Shuttle Learning records the school’s acceptance against this version of the DPA: the school name, the name and role of the person who accepted, the email address used, the timestamp, and the DPA version number. That record is the School’s countersignature for the purposes of UK GDPR Article 28(9). A counter-signed Word or PDF version, recording the same details, is available on request to support@shuttlelearning.com.

Shuttle Learning Limited · 167–169 Great Portland Street, London, England, W1W 5PF · Governing law: England & Wales · DPA template v1.0

All trademarks, logos and brand names are the property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, trademarks and brands does not imply endorsement.

Support@shuttlelearning.com