For data protection officers
Data protection & your DPIA
This page is for school data protection officers and anyone completing a Data Protection Impact Assessment (DPIA) before rolling out Educator. It gives you the processor-side facts you need, grouped under the usual ICO DPIA headings.
Questions, or need our DPIA / RoPA / a countersigned DPA? support@educator-labs.com
Who is responsible for what
When your school adopts Educator, the school is the data controller for its students' and staff's personal data, and Educator is your processor under the Data Processing Agreement. That means your school completes its own DPIA — this page gives you what you need to fill it in. (Individuals who sign up directly, without a school, are a separate arrangement where Educator is the controller; that isn't part of your school deployment.)
Nature, scope & purpose of the processing
- What it is: browser-based daily revision practice. Students answer short sessions of cards; a spaced-repetition algorithm chooses what they see next; teachers see class progress. Ten subjects across GCSE and KS3.
- Data subjects: students (aged 11–16) and teaching staff.
- Purpose: deliver the revision practice the school subscribed to, and let teachers monitor their classes. No advertising, no profiling for marketing, no sale of data.
- Lawful basis: Article 6(1)(b) (performance of the contract) for account and practice data; Article 6(1)(f) (legitimate interest in operating the service securely) for short-lived server logs. The school provides privacy information to students and parents.
Personal data processed (data minimisation)
- Identity: Name, email address, date of birth (used only to age-gate sign-up)
- School context: Year group, exam board, exam tier, class membership
- Practice activity: Which cards were answered, correct/incorrect, time-to-answer, timestamps
- Progress & cosmetics: XP, streak count, daily goal, equipped badge/character
- Not collected: No postcode, photo, demographic data, location/geolocation, device fingerprint, or special-category data
Storage, sub-processors & international transfers
Data is stored in AWS us-east-1 (Virginia, USA). The transfer is covered by the UK International Data Transfer Agreement (IDTA). Educator uses six sub-processors, all US-based and all under the UK IDTA:
- Clerk: Authentication and account management
- Neon: Database hosting (AWS us-east-1, Virginia)
- Vercel: Application hosting and delivery
- Sentry: Error monitoring
- Stripe: Payment processing — school billing contacts only, never students
- Resend: Transactional and digest email
The authoritative, version-controlled sub-processor list lives on the Data Processing Agreement page.
Retention
- Account and practice data: kept while the account is active.
- After a school pilot or subscription ends: data is retained for 60 days to allow retrieval, then deleted in full.
- Self-service deletion from the profile is immediate and irreversible.
- Server logs: 30 days.
Security measures
- Encryption at rest and TLS for all data in transit.
- Authentication delegated to Clerk; student passwords are never visible to Educator staff.
- Least-privilege production credentials with periodic rotation.
- Changes are tested on an isolated preview environment before reaching production; production and test data are kept separate.
- Ongoing internal security review and testing; an independent external penetration test is planned, with results available to school DPOs on request once completed.
Children's data — ICO Age Appropriate Design Code
- Hard age-gate at sign-up: date of birth is collected and under-13s are routed to a parental-consent flow rather than creating a self-serve account.
- Profiling is used only to choose the next revision card (spaced repetition) — never for advertising or behavioural profiles.
- Progress-only feedback and high-privacy defaults; class and school leaderboards are never public and students' real names never appear on a public board.
- No countdown timers, streak-loss guilt prompts, or other dark patterns.
Data subject rights
Logged-in users can download their data and delete their account from their profile at any time; deletion cascades through the database and the auth provider. Rectification requests are handled by email. The school passes on any rights requests it receives, and Educator assists within 5 working days.
Key risks & mitigations
- Engagement loop applies pressure on a child: Progress-only feedback, banked streak freezes, no countdown timers or FOMO prompts, no 'you've been overtaken' messaging. Competitive signals are teacher-side only.
- One student's data visible to another class or school: All class/school queries are scoped server-side; students' real names never appear on public leaderboards.
- Personal-data breach at Educator or a sub-processor: Encryption at rest and in transit; least-privilege credentials; the school is notified without undue delay and within 24 hours where feasible.
- Cross-border transfer to a non-adequate jurisdiction: All processors are US-based and covered by the UK International Data Transfer Agreement (IDTA).
Documents
- Privacy policy →
- Data Processing Agreement (incl. full sub-processor list) →
- Our own DPIA and Record of Processing Activities (RoPA) are available to your DPO on request — email support@educator-labs.com.
Talk to us
If your DPO has questions not covered here, or needs anything in a particular format for your records, email support@educator-labs.com. We aim to respond within one working day.
To attach to your DPIA: use your browser's File → Print → Save as PDF to create a printable copy.