EduNest Data Processing Agreement (DPA)

Last updated: May 2025

This Data Processing Agreement ("Agreement") forms part of the Terms and Conditions between you (the "Controller") and EduNest ("Processor"), operated by Scott Baxter, Sole Trader, and governs the processing of personal data in accordance with the UK General Data Protection Regulation (UK GDPR).

1. Definitions

  • Controller: The user (e.g. educator, childminder, school) determining the purposes and means of processing personal data.
  • Processor: EduNest, acting on behalf of the Controller.
  • Data Subject: The individual to whom the personal data relates.
  • Personal Data: Any information relating to an identified or identifiable natural person.

2. Subject Matter

EduNest provides AI-powered tools for educators. The Processor processes personal data only to deliver these services as outlined in the Terms and Conditions and Privacy Policy.

3. Duration

This Agreement is effective for the duration of the Controller's use of EduNest services.

4. Nature and Purpose of Processing

The Processor will process personal data solely for the purposes of:

  • Generating educational content using AI tools
  • Storing reports and written outputs temporarily
  • Managing user accounts and communication
  • Supporting billing and support services

5. Types of Personal Data

  • Name
  • Email address
  • Telephone number
  • Usage and interaction data

Note: The Controller must not submit any sensitive data or personal data of children without proper consent or lawful basis.

6. Obligations of the Processor

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process personal data have committed to confidentiality
  • Implement appropriate technical and organisational security measures
  • Notify the Controller of any data breach without undue delay
  • Assist the Controller in fulfilling data subject rights and responding to ICO requests
  • Delete or return personal data upon termination of the service (unless legally required to retain it)

7. Subprocessors

The Controller authorises the use of the following subprocessors:

  • Stripe (payments)
  • OpenAI and Claude (Anthropic) (AI content generation – no personal data is shared)

The Processor ensures all subprocessors are GDPR-compliant.

8. International Data Transfers

Where data is transferred outside the UK, the Processor ensures appropriate safeguards, such as Standard Contractual Clauses (SCCs), are in place.

9. Controller Responsibilities

  • Provide lawful instructions
  • Ensure that data subjects are informed
  • Obtain all necessary consents
  • Not use the services to process special category or children's data unless lawfully permitted

10. Termination

Upon termination of the Agreement, the Processor will delete or return personal data within 30 days unless otherwise required by law.

11. Governing Law

This Agreement is governed by the laws of England and Wales.

12. Contact

If you have any questions about this DPA, please contact:
Email: [email protected]