Data Processing Agreement

Last updated:

Between Animal Bonds (operated by Franklin Works) and the School

Version 1.0: 14/05/2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Franklin Works (“Processor”) and the school named below (“Controller”) for use of the Animal Bonds service (“Service”).

This DPA governs the processing of personal data by the Processor on behalf of the Controller and is required under Article 28 of the UK GDPR.


Schedule 1: Parties

Controller (the School):

  • School name: ____________________
  • Address: ____________________
  • DPO contact name: ____________________
  • DPO email: ____________________
  • Authorised signatory name: ____________________
  • Authorised signatory role: ____________________

Processor:


Schedule 2: Details of processing

Subject matter

Provision of the Animal Bonds educational game and associated teacher dashboard.

Duration

Duration of the Service agreement, plus 30 days for return or deletion of data.

Nature and purpose of processing

  • Hosting pupil profiles and gameplay data.
  • Adapting question difficulty per pupil.
  • Providing teachers with progress reporting.
  • Providing the Controller with audit and export capability.

Categories of data subjects

  • Pupils enrolled at the Controller’s school.
  • Teachers and staff at the Controller’s school authorised to use the Service.

Categories of personal data

Pupils:

  • Real name, entered by the school administrator. Recommended format is first name plus surname initial (e.g. “Alex S.”). Visible to teachers, school admins, and linked parents only: not visible to the pupil themselves and never visible to other pupils.
  • Display name, auto-generated as an animal-noun combination (e.g. “OtterRiver”). Visible to the pupil themselves, other pupils in multiplayer, teachers, school admins, and linked parents. This is the only name shown on pupil-facing surfaces.
  • Year group or age band
  • Randomly generated player ID (internal identifier)
  • Educational performance data (responses, timings, mastery levels)
  • Technical metadata (browser, device, session timestamps)

Staff and parents:

  • Name (full name recommended)
  • Role (e.g. teacher, head of maths, parent of pupil)
  • Class or pupil assignments
  • Login credentials issued by the school administrator

No email addresses, postal addresses, or phone numbers are processed for any user. All adult access is via login credentials issued and managed by the school administrator within the Service.

Special category data

None processed.

Children

The Service is designed for children aged 5 to 11. Processing complies with UK GDPR provisions for children’s data and the ICO Children’s Code.


Schedule 3: Processor obligations

The Processor agrees to:

  1. Process only on documented instructions. Process the personal data only on the Controller’s documented instructions, including with regard to international transfers, unless required to do otherwise by UK or EU law.

  2. Confidentiality. Ensure that anyone authorised to process the data is bound by confidentiality.

  3. Security (Article 32). Implement appropriate technical and organisational measures, as set out in Schedule 5.

  4. Sub-processors. Engage sub-processors only as listed in Schedule 4. Notify the Controller at least 30 days before adding or replacing any sub-processor.

  5. Assistance with data subject rights. Assist the Controller in responding to data subject requests, by providing technical tools (export, deletion) and reasonable additional support.

  6. Assistance with security, breach notification, and DPIAs. Assist the Controller in complying with Articles 32 to 36 of UK GDPR, including notifying the Controller of personal data breaches affecting their pupils’ data within 24 hours of the Processor becoming aware.

  7. Return or deletion at end of service. At the Controller’s choice, return or delete all personal data within 30 days of the end of the Service agreement, and delete existing copies (subject to legal retention obligations).

  8. Audits. Make available all information necessary to demonstrate compliance and allow for audits by the Controller or an auditor mandated by the Controller.


Schedule 4: Sub-processors

The Controller authorises the use of the following sub-processors:

Sub-processorServiceLocationTransfer mechanism
Vercel Inc. (USA)Web hosting / edge deliveryUSA, with UK/EU edge cacheUK Addendum to EU SCCs
Supabase Inc. (USA, with EU infrastructure)Database, authenticationUK (eu-west-2) or Ireland (eu-west-1)UK Addendum to EU SCCs; data resident in UK/EU
Stripe Payments UK LtdPayment processing (school invoicing only)UK / EUUK GDPR-compliant entity

Schedule 5: Security measures

Organisational

  • Production data access limited to Franklin Works; no other personnel.
  • No personal data on local devices; access via cloud admin consoles only.
  • Annual review of security and data protection arrangements.

Technical

  • TLS 1.2+ for all connections; HSTS enforced.
  • AES-256 encryption at rest, managed by Supabase.
  • Row-level security on the database (pupils can only read own row; teachers limited to their school).
  • Encrypted automatic backups, retained 7 days.
  • Dependency vulnerability scanning (npm audit, Dependabot).
  • Web Application Firewall and DDoS protection (Vercel default).
  • Source-controlled code with review prior to production deployment.
  • No hardcoded credentials; secrets in environment variables.

Logical separation

Each school’s data is segregated by tenant identifier. Teacher accounts cannot read or modify data outside their school’s tenant.


Schedule 6: International transfers

Pupil data is held within the UK or EU. Where transfers to the United States are necessary, they are protected by the UK Addendum to the EU Standard Contractual Clauses, with encryption in transit and at rest.


Schedule 7: Liability

Liability under this DPA is subject to the limitations set out in the Service Terms or the Service agreement between the parties, except where applicable law (including UK GDPR) imposes obligations that cannot be limited.


Schedule 8: Term and termination

This DPA takes effect on signature and remains in force for the duration of the Service agreement plus 30 days for data return or deletion.


Signatures

For the Controller (the School):

Name: ____________________ Role: ____________________ Signature: ____________________ Date: ____________________

For the Processor:

Name: Franklin Works Role: Sole trader, Animal Bonds Signature: ____________________ Date: ____________________

Back to Compliance Hub