Legal

Data Processing Agreement

Effective date: 3 June 2026 · Version: 1.1

Between the subscribing school (the Customer, acting as Data Controller) and Lens School Evaluation Ltd, company number 13792467, of Cae Knovil, Llandenny, Usk, Monmouthshire, NP15 1DL (Lens, acting as Data Processor).

This Data Processing Agreement (DPA) forms part of, and is to be read together with, the Terms of Service for the Lens School Evaluation service (the Service) and the Privacy Policy at schoolevaluation.co.uk/privacy.html. In the event of conflict between this DPA and the Terms of Service in respect of the processing of personal data, this DPA prevails.

By subscribing to or continuing to use the Service, the Customer accepts this DPA on behalf of the school and acknowledges that they have authority to do so. Customers who require a counter-signed copy of this DPA may request one from [email protected].

1. Definitions

Terms used in this DPA have the meanings given to them in the UK GDPR and the Data Protection Act 2018, except where the context requires otherwise. In particular:

  • UK GDPR means the United Kingdom General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland.
  • Customer Data means personal data the Customer provides to, or causes to be processed by, the Service.
  • Authorised User means a member of the Customer's staff (including headteachers, senior leaders, teachers, governors and other personnel the Customer authorises) granted access to the Service.
  • Sub-processor means any third party engaged by Lens to process Customer Data on its behalf in connection with the Service.
  • Personal Data Breach has the meaning given in Article 4(12) UK GDPR.
  • Standard Contractual Clauses means the EU Standard Contractual Clauses as adopted by the European Commission and approved for UK use by the UK Addendum issued by the Information Commissioner.
  • IDTA means the International Data Transfer Agreement issued by the Information Commissioner.

2. Roles of the Parties

The parties acknowledge that, in respect of Customer Data processed under this DPA, the Customer is the Data Controller and Lens is the Data Processor.

Each party shall comply with its respective obligations under the UK GDPR and the Data Protection Act 2018. Nothing in this DPA shall relieve either party of its own statutory responsibilities.

3. Subject Matter, Nature and Purpose of Processing

The subject matter and purpose of the processing is the provision of the Service: a software platform enabling school leadership teams to conduct, review and report on school self-evaluation against UK inspection frameworks (Ofsted in England, Estyn in Wales).

The nature of the processing comprises:

  • storage and retrieval of self-evaluation content authored by Authorised Users;
  • structured review, scoring, commenting and audit of that content;
  • AI-assisted analysis and summarisation of content at the Customer's request (see clause 8);
  • account administration, billing, support and security operations incidental to the Service.

The categories of personal data, categories of data subjects and duration of processing are set out in Annex A.

4. Term

This DPA takes effect on the date the Customer first subscribes to the Service (or, where this DPA is issued after that date, on the effective date stated above) and continues for so long as Lens processes Customer Data on the Customer's behalf. The clauses that by their nature should survive termination — including those relating to liability, indemnification, confidentiality, return and deletion, and governing law — survive termination of this DPA.

5. Customer's Obligations

The Customer warrants and undertakes that:

  • it has, and shall maintain throughout the term of this DPA, all lawful bases, notices and (where relevant) consents required under the UK GDPR to provide Customer Data to Lens for the purposes of the Service;
  • its instructions for the processing of Customer Data comply with applicable law and do not put Lens in breach of the UK GDPR;
  • it will not upload, input or otherwise cause the Service to process any personal data relating to identified or identifiable pupils or students, or any other person under the age of 18 (see clause 10);
  • it is responsible for the configuration and use of the Service by its Authorised Users, including the timely revocation of access where a user leaves the Customer's organisation.

6. Lens's Obligations

6.1 Processing on documented instructions

Lens shall process Customer Data only on the Customer's documented instructions, which comprise this DPA, the Terms of Service, and any further instructions the Customer issues in writing or through the configuration of the Service. If Lens reasonably believes any instruction infringes the UK GDPR or other applicable data protection law, it shall promptly notify the Customer.

Where Lens is required by law to process Customer Data otherwise than on the Customer's instructions, it shall notify the Customer of that legal requirement before processing, unless the relevant law prohibits such notification on important grounds of public interest.

6.2 Confidentiality

Lens shall ensure that persons authorised to process Customer Data are bound by appropriate obligations of confidentiality, whether by written confidentiality agreement, statutory duty or enforceable terms in their employment contracts. Access to Customer Data is restricted to personnel who require it to provide or support the Service.

6.3 Security

Lens shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR. A description of the measures currently in place is set out in Annex B. Lens may update Annex B from time to time, provided that no update materially diminishes the overall level of protection.

6.4 Sub-processors

The Customer provides general authorisation for Lens to engage Sub-processors to assist in providing the Service. The list of Sub-processors currently engaged by Lens is set out in Annex C and maintained at schoolevaluation.co.uk/subprocessors.html.

Lens shall publish proposed changes to the Sub-processor list (including the addition or replacement of any Sub-processor) on the page identified above at least thirty (30) days before the change takes effect. Customers may subscribe to update notifications via the link on that page. The Customer may object to a proposed change for reasonable data-protection grounds by writing to [email protected] before the change takes effect. If Lens cannot reasonably accommodate the objection, the Customer may terminate the Service in respect of the affected processing on written notice, with a pro-rata refund of any prepaid fees for the unused period.

Lens remains responsible for the acts and omissions of each Sub-processor as if they were its own. Lens shall ensure that each Sub-processor is bound by contractual obligations no less protective of Customer Data than those in this DPA, including in respect of security and international transfers.

6.5 Assistance with data subject rights

Taking into account the nature of the processing, Lens shall assist the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject rights set out in Articles 12–22 UK GDPR. Where Authorised Users contact Lens directly with such requests, Lens shall promptly refer them to the Customer.

6.6 Personal Data Breach notification

Lens shall notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any Personal Data Breach affecting Customer Data. The notification shall include, to the extent then available:

  • the nature of the breach, including the categories and approximate number of data subjects and records concerned;
  • the name and contact details of Lens's data protection contact;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects.

Where the information cannot be provided in full at the same time, it may be provided in phases without undue further delay. The Customer, as Data Controller, is responsible for assessing whether a breach is notifiable to the Information Commissioner's Office and/or affected data subjects.

6.7 Assistance with DPIAs and prior consultation

Taking into account the nature of the processing and the information available to Lens, it shall assist the Customer with data protection impact assessments and any prior consultation with the Information Commissioner under Articles 35 and 36 UK GDPR. Lens may make a reasonable charge for assistance going materially beyond Lens's standard documentation, agreed in advance.

6.8 Return or deletion of Customer Data

On termination of the Service, the Customer may, within sixty (60) days of the effective date of termination, request an export of Customer Data in a standard machine-readable format. Lens shall provide that export on request during the sixty-day window.

At the end of the sixty-day window, Lens shall securely delete or anonymise all Customer Data held in its primary systems, save that:

  • residual copies in encrypted backups shall be overwritten in the normal course of backup rotation and shall not be actively processed in the meantime;
  • Lens may retain limited data (for example, billing records and correspondence) where necessary to comply with legal, tax or regulatory obligations;
  • fully anonymised usage data may be retained indefinitely.

The Customer's election to request, or not to request, an export within the sixty-day window constitutes the Customer's choice under Article 28(3)(g) UK GDPR.

6.9 Audit rights

Lens shall make available to the Customer, on reasonable written request and subject to appropriate confidentiality obligations, such information as is reasonably necessary to demonstrate compliance with the obligations in this DPA. This will ordinarily take the form of summary security documentation, penetration-test results, sub-processor information, completed standard procurement questionnaires, and (when achieved) third-party certifications such as ISO 27001 or SOC 2 reports.

Where the Customer reasonably considers that the documentation provided is insufficient to demonstrate compliance, the Customer may, on at least thirty (30) days' written notice and not more than once per twelve-month period (except where required by a supervisory authority or following a Personal Data Breach), conduct an audit of the relevant aspects of Lens's processing. The audit shall be conducted during normal business hours, with minimal disruption to Lens's operations, subject to written confidentiality obligations, and at the Customer's reasonable cost. Lens may require the use of a mutually agreed independent auditor.

7. International Transfers

Customer Data is hosted on infrastructure located in the United Kingdom (see Annex C). Some Sub-processors may process limited Customer Data outside the United Kingdom in the course of providing their services. Where such transfers occur, Lens shall ensure they are subject to an appropriate transfer mechanism under Chapter V UK GDPR, which may include:

  • transfers to a country or organisation in respect of which the Secretary of State has determined that an adequate level of protection is ensured;
  • the IDTA, or the UK Addendum to the EU Standard Contractual Clauses;
  • any other lawful transfer mechanism permitted under the UK GDPR.

Copies of relevant transfer safeguards are available on request to [email protected].

8. AI Processing

The Service includes AI-assisted features that use third-party large language model (LLM) services to analyse and summarise content authored by Authorised Users. The Customer acknowledges and accepts that, in connection with such features:

  • Lens submits the specific Customer Data necessary for the request to its LLM Sub-processor (currently OpenAI — see Annex C) at the time of the request;
  • Lens does not permit its LLM Sub-processor to use Customer Data for training or improving its models;
  • AI-generated suggestions are presented to the relevant Authorised User for review and approval before they are committed to the Customer's evaluation records.

Lens shall keep the technical safeguards described in this clause under review and shall update Annex C if the identity or location of the LLM Sub-processor changes.

9. No Pupil Data

The Service is intended exclusively for school leadership self-evaluation. The Customer agrees that it shall not upload, input or otherwise cause the Service to process any personal data relating to identified or identifiable pupils or students, or any other persons under the age of 18.

If the Customer, or any Authorised User, processes personal data through the Service in breach of this clause, the Customer shall bear sole responsibility for that processing and shall indemnify Lens against all liabilities, costs, expenses, damages and losses arising from the breach, subject to clause 10.

10. Liability and Indemnification

Each party's liability arising out of or in connection with this DPA is governed by the liability and indemnification provisions of the Terms of Service for the Service. The aggregate limit on liability in the Terms of Service applies to this DPA, except that no limit applies to:

  • liability that cannot be excluded or limited at law (including death or personal injury caused by negligence, and fraud or fraudulent misrepresentation);
  • liability arising from wilful default or gross negligence;
  • liability arising from breach of the confidentiality provisions of this DPA;
  • liability under the indemnities in this DPA;
  • liability for direct administrative fines, claims or compensation paid to a data subject under Articles 82 or 83 UK GDPR to the extent caused by a party's own breach of this DPA.

The Customer shall indemnify Lens on demand against all liabilities, costs, expenses, damages and losses suffered or incurred by Lens arising out of:

  • the Customer's breach of clause 5 or clause 9;
  • the Customer's breach of its obligations as Data Controller under the UK GDPR or other applicable data protection law.

Lens shall indemnify the Customer on demand against all liabilities, costs, expenses, damages and losses suffered or incurred by the Customer arising out of:

  • Lens's material breach of this DPA;
  • any act or omission of a Sub-processor that would constitute a breach of this DPA if performed by Lens.

11. Notices

Notices under this DPA shall be given in writing to:

  • Lens: [email protected], with a copy to Lens School Evaluation Ltd, Cae Knovil, Llandenny, Usk, Monmouthshire, NP15 1DL.
  • Customer: the data protection contact email recorded on the Customer's account (the Customer is responsible for keeping this current), with a copy to the Customer's registered address.

Notices sent by email take effect when sent (unless the sender receives a bounce or non-delivery notification). Notices sent by post take effect two working days after posting.

12. Governing Law and Jurisdiction

This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales in respect of any dispute arising out of or in connection with this DPA.

13. General

This DPA, together with the Terms of Service and the Privacy Policy, contains the entire agreement between the parties in respect of the processing of personal data under the Service and supersedes any prior agreement on that subject matter.

No failure or delay by either party to exercise any right or remedy under this DPA constitutes a waiver of that right or remedy. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force.

Lens may update this DPA from time to time, provided that no update materially reduces the protections afforded to Customer Data. Material updates will be communicated to Customers by email and published on this page; continued use of the Service after the effective date of an update constitutes acceptance of the updated DPA. A version history is maintained at the foot of this document.

Annex A — Details of the Processing

Subject matter and duration

The processing relates to the provision of the Lens School Evaluation service. It continues for the duration of the Customer's subscription, plus the sixty-day post-termination export window described in clause 6.8.

Nature and purpose of processing

Hosting, storage, retrieval, structured review, AI-assisted analysis, account administration and incidental operational activities required to deliver the Service.

Categories of personal data

  • Account information: name, work email address, school name, role / job title.
  • Self-evaluation content authored by Authorised Users (text, judgements, scores, notes, file attachments and similar).
  • Usage data: login times, pages visited, feature usage, browser type, IP address, device information.
  • Payment data: billing contact details and transaction history (card details are handled solely by Stripe and are not received by Lens).
  • Support data: name, email address and the content of support enquiries.

Categories of data subjects

Authorised Users only — headteachers, senior leaders, teaching staff, governors and other personnel the Customer authorises. The Service does not collect or process personal data about pupils, students or other persons under the age of 18.

Special categories of personal data

None expected. The Customer warrants that it will not upload special category data within the meaning of Article 9 UK GDPR through the Service unless expressly agreed in writing with Lens.

Annex B — Technical and Organisational Measures

Lens implements measures appropriate to the risk presented by the processing, including the following. Lens reviews these measures regularly and may update them, provided that no update materially diminishes the overall level of protection.

  • Encryption in transit: all access to the Service is over TLS 1.2 or higher.
  • Encryption at rest: Customer Data is encrypted at rest in the primary database and in object storage.
  • Access control: role-based access controls within the Service. Multi-factor authentication is enforced for Lens administrative access to production systems.
  • Network protection: production infrastructure sits behind a managed load balancer and a web application firewall (Cloudflare); access to production hosts is restricted to identified Lens personnel.
  • Secrets management: production secrets are held in a managed secrets store (Doppler) and injected at process start; secrets are not stored in source control.
  • Logging and monitoring: application-level audit logs are maintained for security-relevant events (sign-in attempts, permission changes, impersonation, exports and deletions). Infrastructure metrics and error logs are reviewed regularly.
  • Backups: regular, encrypted database backups are taken and retained on a rotation; restores are tested periodically.
  • Patch management: operating systems, runtime and application dependencies are kept current; critical security patches are applied without undue delay.
  • Security review: periodic security reviews and vulnerability assessments are conducted. Independent penetration testing is scheduled at intervals appropriate to the risk.
  • Incident response: documented procedures for identifying, containing, investigating and reporting personal data breaches.
  • Staff training: personnel with access to Customer Data are given data protection and information security training, refreshed at suitable intervals.
  • Confidentiality: personnel are bound by contractual confidentiality obligations.
  • Resilience: the Service is deployed across multiple application instances behind a managed load balancer to maintain availability.

Lens does not warrant absolute security. No method of electronic transmission or storage is completely secure, but the measures above are designed to reduce risk to an appropriate level.

Annex C — Sub-processors

The current list of Sub-processors is published and maintained at schoolevaluation.co.uk/subprocessors.html. Customers may subscribe to update notifications via the link on that page. At the effective date of this DPA, the Sub-processors are:

Sub-processor Purpose Data Processed Location Transfer mechanism
DigitalOcean Cloud hosting and primary infrastructure (compute, managed database, object storage) All Customer Data (as host) United Kingdom (US-headquartered provider operating UK-resident infrastructure) UK-resident infrastructure (no international transfer)
Cloudflare TLS termination, content delivery, web application firewall and DDoS protection Inbound HTTPS request metadata (IP address, request headers) Global edge; configuration administered from the United Kingdom UK IDTA / UK Addendum to SCCs
Sentry (Functional Software, Inc.) Application error monitoring, performance monitoring and diagnostic logging for the Service Stack traces, request URL and headers, browser and operating-system metadata, IP address and limited contextual data captured when an application error occurs (obvious personal data scrubbed in Sentry configuration) European Union (EU instance, hosted in Germany) UK adequacy regulations for the EEA
OpenAI AI-assisted analysis and summarisation of Customer Data (training is contractually prohibited; see clause 8) Self-evaluation content submitted for AI processing only USA UK IDTA / UK Addendum to SCCs
Stripe Payment processing, subscription management and invoicing Payment card details, billing address, transaction history (card details handled solely by Stripe) USA / EU UK IDTA / UK Addendum to SCCs
Microsoft Corporation (Azure Active Directory) Identity provider for Authorised Users signing in via Microsoft 365 Name, email and profile metadata exchanged at sign-in EU / Global (per Microsoft's data residency) UK IDTA / UK Addendum to SCCs (where applicable)
Google LLC (Google Identity) Identity provider for Authorised Users signing in via Google Workspace Name, email and profile metadata exchanged at sign-in EU / Global (per Google's data residency) UK IDTA / UK Addendum to SCCs (where applicable)
Zoho Corporation Customer support desk and enquiry management Name, email, support enquiry content EU / USA UK IDTA / UK Addendum to SCCs
Intuit (QuickBooks) Accounting, financial record-keeping and invoicing Billing contact details, invoice data, payment records USA / EU UK IDTA / UK Addendum to SCCs
Google LLC (Google Workspace, internal) Lens's internal business operations, communications and file management Customer contact details, correspondence, operational documents Global; data residency configurable per Google Workspace settings UK IDTA / UK Addendum to SCCs, and adequacy decisions where applicable

Annex D — Acceptance

By subscribing to or continuing to use the Service, the Customer accepts this DPA. A record of the Customer's acceptance, including the date and the version of the DPA in force at that time, is maintained by Lens. Customers requiring a counter-signed copy may request one from the contact address in clause 11.

Lens details

  • Legal entity: Lens School Evaluation Ltd
  • Company number: 13792467
  • Registered address: Cae Knovil, Llandenny, Usk, Monmouthshire, NP15 1DL
  • ICO registration number: ZC042775
  • Data Protection Officer: Jamie Beer
  • Data protection contact: [email protected]

Version history

  • v1.1 — 3 June 2026 — three changes:
    1. Annex C updated to add Sentry (Functional Software, Inc.) as a Sub-processor for application error monitoring, performance monitoring and diagnostic logging. Sentry is engaged on its EU instance, hosted in Germany. Publication date: 3 June 2026. Effective date: 3 July 2026 (30 days from publication, per clause 6.4). Customers may object on reasonable data-protection grounds before the effective date by writing to [email protected].
    2. Annex C expanded from four columns to five by adding a "Data Processed" column, to match the schema used in the Privacy Policy and improve transparency.
    3. Clause 9 cross-reference corrected: the indemnity in clause 9 is now expressed to be "subject to clause 10" (the liability clause), not clause 11 (notices) as originally published.
  • v1.0 — 2 June 2026 — initial publication.