This DPA forms part of the master licence between the customer ("Controller") and InclusiveXR Ltd ("Processor") and reflects Article 28 of the UK GDPR.
1. Subject matter & duration
Processing of personal data of staff, pupils and parents for the duration of the licence.
2. Nature & purpose
Hosting, AR delivery, transcription, sentiment analysis, EHCP evidence reporting, and impact analytics.
3. Categories of data subjects
- School staff (SENCO, teachers, TAs, headteachers).
- Pupils with SEND.
- Parents/carers (consent records only).
4. Categories of personal data
- Identifiers (work email, anonymised pupil keys).
- Special category data: SEND needs, EHCP status — Article 9 basis: explicit parental consent.
- Telemetry, transcripts, sentiment.
5. Processor obligations
- Process only on documented instructions.
- Ensure all personnel are bound by confidentiality obligations.
- Implement technical and organisational measures (TOMs): encryption at rest (AES-256) and in transit (TLS 1.3), row-level security (RLS), audit logs, MFA for admins.
- Notify Controller of any personal-data breach within 24 hours.
- Assist with DPIAs and data-subject requests.
- Delete or return all personal data at end of licence + 12 months.
6. Sub-processors
Listed in our Privacy Notice. We will give 14 days' notice of any change and the right to object.
7. International transfers
Covered by SCCs and the EU-US Data Privacy Framework where applicable.