Data Processing Agreement
A summary of how we handle pupil data on behalf of schools using SENDCo View.
Last updated: 30 April 2026 · Version 1.0
What is a DPA?
A Data Processing Agreement (DPA) is a contract between two organisations that handle personal data together. Under UK and EU GDPR, when a “controller” (the school) shares personal data with a “processor” (us) to provide a service, a DPA is legally required.
The DPA spells out:
- What data is being processed
- For what purpose
- For how long
- Under what security measures
- Who can sub-process
- What happens if there's a breach
- What happens at the end of the contract
For SENDCo View, the school is the controller. We are the processor. The DPA governs that relationship.
The key terms in our DPA
Roles
- Controller: The school. The school determines whose data is in SENDCo View, what the data is used for, and when it's deleted.
- Processor: My School View Ltd. We process the data on the school's instructions, only for the purposes set out in our agreement.
Data we process
On behalf of schools using SENDCo View:
- Pupil basic data (name, date of birth, year group, contact details)
- Attendance, behaviour and assessment data (from MIS)
- Medical conditions and care plans
- SEND-specific data (ISPs, EHCPs, intervention records, professional involvement, parent and pupil voice)
- Parent and carer contact data (for the parent portal)
- School staff data (account credentials, role assignments)
Purposes
We process the data only to:
- Provide the SENDCo View service to your school
- Maintain security and audit trails
- Provide technical support when requested
- Comply with our legal obligations
We do not use pupil or parent data for:
- Marketing
- Profiling
- Training AI models
- Any third-party analytics
- Any purpose not authorised by the school
Data residency
All pupil and parent data is stored in the UK region (London). We don't transfer it outside the UK.
Sub-processors
We use a small number of sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | UK (London region) |
| Vercel | Application hosting | EU/UK |
| Wonde | MIS data integration | UK |
| Resend | Transactional email | EU |
We don't add new sub-processors without 30 days' notice. Schools have the right to object to new sub-processors.
Security measures
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Multi-factor authentication for all staff with data access
- Field-level permissions for school users
- Full audit trail of all data access
- Annual third-party penetration testing
- Documented incident response procedures
Breach notification
If we become aware of a personal data breach affecting your school's data, we'll notify the school's named contact within 24 hours of becoming aware. We'll provide all the information the school needs to assess the breach and notify the ICO within 72 hours if required.
Data subject rights
Where a parent, pupil, or staff member exercises their data subject rights (access, rectification, erasure, portability, objection), the school is responsible for responding. We'll support the school by providing data exports and making technical changes within 14 days of a documented request.
End of contract
When a school stops using SENDCo View:
- The school can request a full data export in machine-readable format at any time before contract end
- After contract end, data is retained in read-only form for 90 days
- After 90 days, data is deleted from active systems
- Data is removed from rolling backups within a further 30 days
The 90-day grace period exists so schools have time to migrate to a new system or change their minds.
The full DPA
The full Data Processing Agreement is available on request — email dpa@myschoolview.co.uk and we'll send the current version. It's pre-signed by My School View Ltd; to complete it for your school, your authorised signatory countersigns and returns it.
Negotiating the DPA
Most schools are happy with our standard DPA. For MATs and larger schools that need bespoke terms, we'll work with your DPO or legal team to agree any necessary amendments.
To start a DPA negotiation:
- Email: dpa@myschoolview.co.uk
We aim to respond within two working days and complete most negotiations within two weeks.
Frequently asked questions
Do I need a DPA before I can use SENDCo View?
Yes. A signed DPA is required before any pupil data is processed. We send the DPA as part of the onboarding process, before any MIS data is connected.
Can the DPA be agreed by email or does it need to be signed?
Either works under UK GDPR. We accept electronic signatures (DocuSign, Adobe Sign, or scanned wet signatures by email).
Who signs on the school's side?
Typically the Headteacher or the school's named DPO. For MATs, the central office often signs on behalf of all schools in the trust.
What if our school's data protection policy requires specific clauses?
Send us your policy. We'll review and confirm what we can accommodate within standard SaaS practice.
Are you covered by any data protection certifications?
- ICO registered (registration number ZC110115)
- Working towards Cyber Essentials Plus certification
- Working towards ISO 27001 certification (target 2027)
- Annual third-party penetration testing in place
Contact
For DPA questions:
- Email: dpa@myschoolview.co.uk
- Post: Data Protection, My School View Ltd, 71-75 Shelton Street, London WC2H 9JQ