Data Processing Agreement (DPA)
Last updated: 15 March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the subscribing school ("Controller", "School", "you") and ParentInform ("Processor", "we", "us") for the provision of the ParentInform school communication service ("Service").
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Service.
- "Data Subject" means parents, guardians, and school staff whose data is processed through the Service.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
2.1 Purpose
The Processor shall process Personal Data solely for the purpose of providing the ParentInform communication service, enabling parents to receive school information via WhatsApp.
2.2 Nature of Processing
| Element |
Details |
| Subject matter |
School-to-parent communication via WhatsApp |
| Duration |
For the term of the service agreement, plus 30 days for deletion |
| Categories of Data Subjects |
Parents/guardians of enrolled pupils; school admin staff; teaching staff |
| Types of Personal Data |
Pseudonymised phone hashes, admin email addresses, message intent logs, voluntary feedback messages, year group/class preferences |
| Processing operations |
Collection (via WhatsApp), pseudonymisation (phone hashing), storage, retrieval, querying, erasure |
2.3 Data Minimisation
The Processor applies strict data minimisation:
- Phone numbers are immediately hashed using SHA-256. Raw numbers are never stored in any database, log, or file controlled by the Processor.
- No data about children or pupils is collected or stored.
- Message content is not stored — only the intent category (e.g. "holiday", "lunch") is logged.
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Inform the Controller if, in the Processor's opinion, an instruction infringes UK GDPR
- Not process Personal Data for any purpose other than providing the Service
3.2 Confidentiality
The Processor shall ensure that all persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
The Processor implements the following technical and organisational security measures:
- Pseudonymisation: Phone numbers are hashed with SHA-256 before storage
- Encryption in transit: All data transmitted over HTTPS/TLS
- Encryption at rest: Database encrypted at rest (Supabase/AWS)
- Access control: Row Level Security (RLS) ensuring schools can only access their own data
- Authentication: Magic link authentication for admin access (no passwords)
- Multi-tenancy isolation: All data is scoped to school_id, preventing cross-school access
- Audit logging: Message intent logs maintained for accountability
3.4 Sub-processors
The Controller provides general authorisation for the Processor to engage the following sub-processors:
| Sub-processor |
Purpose |
Location |
Safeguards |
| Twilio Inc. |
WhatsApp message delivery |
USA |
Standard Contractual Clauses (SCCs); SOC 2 Type II certified |
| Supabase Inc. |
Database hosting |
EU (AWS eu-west) |
SOC 2 Type II certified; data encrypted at rest and in transit |
| Cloudflare Inc. |
Website hosting, DNS, email routing |
Global CDN |
No personal data processed; ISO 27001 certified |
The Processor shall notify the Controller before adding or replacing any sub-processor, giving the Controller the opportunity to object.
3.5 Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests, including:
- Right of access: Providing data held against a phone hash
- Right to erasure: Parents can send STOP for immediate session deletion; full erasure completed within 30 days of request
- Right to rectification: Parents can update their class preference at any time
- Right to data portability: Data export available on request
3.6 Data Breach Notification
In the event of a Data Breach, the Processor shall:
- Notify the Controller without undue delay and no later than 24 hours after becoming aware of the breach
- Provide the Controller with sufficient information to enable the Controller to meet its obligation to notify the ICO within 72 hours
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
3.7 Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments (DPIAs) required under Article 35 UK GDPR.
4. Obligations of the Controller
The Controller (School) shall:
- Ensure it has a lawful basis for processing Personal Data through the Service
- Inform parents about the use of ParentInform and how their data is processed (e.g. via school newsletter or website)
- Ensure the JOIN code is distributed appropriately to verified parents/guardians only
- Respond to Data Subject requests with the Processor's assistance
- Notify the Processor of any changes to processing instructions
5. International Transfers
Where Personal Data is transferred outside the UK (specifically to Twilio in the USA), the transfer is subject to appropriate safeguards under UK GDPR Chapter V, specifically Standard Contractual Clauses (SCCs) as adopted by the ICO.
6. Data Retention and Deletion
- Parent sessions expire automatically after 90 days
- Message intent logs are retained for up to 12 months, then automatically deleted
- Upon termination of the service agreement, the Processor shall delete all Personal Data within 30 days, unless retention is required by law
- The Processor shall provide written confirmation of deletion upon request
7. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Controller or an appointed auditor
- Provide audit responses within 30 days of a reasonable request
8. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement. Nothing in this DPA limits either party's liability for breaches of UK GDPR obligations.
9. Term and Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination:
- The Processor shall cease all processing of Personal Data
- All Personal Data shall be deleted within 30 days
- The obligations in this DPA shall survive to the extent necessary to protect Personal Data
10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Scotland and the United Kingdom. Any disputes shall be subject to the exclusive jurisdiction of the Scottish courts.
Agreement
By using the ParentInform service, the School agrees to the terms of this Data Processing Agreement. For a signed copy or to discuss terms, please contact:
Email: hello@parentinform.co.uk
Website: parentinform.co.uk