Data Processing Agreement

Last updated 14 July 2026.

Between:the school or trust named in the account (“the School”, the controller) and After Hours Education Ltd, trading as rounded.education, company no. 17051217, of Wellesley House, Duke of Wellington Avenue, London, England, SE18 6SS (“the Provider”, the processor).

This Agreement forms part of the Service terms and is made under Article 28 UK GDPR. No signature is required: it applies automatically and binds both parties from the moment the School registers an account or first uploads content to BenchMark or the Enrichment Mark (“the Service”), whichever is earlier. The version published at https://rounded.education at the time of use is the version in force.

1. What this covers

The Provider processes, on the School’s behalf: self-evaluation responses, comments, action plans and uploaded evidence, which may contain personal data of staff and pupils (names, roles, images, and – only if the School includes it – special category data within evidence). Processing continues for the duration of the School’s account plus the retention periods in the Provider’s Retention Policy. Nature and purpose: hosting, display, generation of outputs, and human moderation of Enrichment Mark applications. The School should minimise pupil data in uploads and anonymise where practicable.

2. The Provider will:

  1. (a)process School content only on the School’s documented instructions (this Agreement and the School’s use of the Service) and never for its own purposes, including AI training;
  2. (b)ensure all staff and reviewers with access are bound by confidentiality obligations;
  3. (c)apply appropriate technical and organisational measures: encryption in transit and at rest, hashed credentials, role-based access limited to the assigned reviewer, access logging, and UK/EEA data residency;
  4. (d)engage sub-processors only from the published list at https://rounded.education (currently: [hosting], [payments], [email]), give the School 30 days’ notice of changes with a right to object, and remain fully liable for them;
  5. (e)make no transfer outside the UK except under UK adequacy regulations or ICO-approved safeguards;
  6. (f)assist the School (at no charge, within reason) with data subject requests, security, breach notification, and DPIAs relating to the Service;
  7. (g)notify the School without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting School content, with enough detail to meet the School’s own 72-hour ICO duty;
  8. (h)at the School’s choice, return or delete all School content on termination of the account (and delete evidence uploads within 90 days of an award decision in any event), subject only to records the Provider must keep by law;
  9. (i)make available information needed to demonstrate compliance and allow audits by the School or its auditor on reasonable notice, no more than once per year unless a breach has occurred.

3. The School will:

ensure it has a lawful basis and, where needed, has informed data subjects for the content it uploads; issue lawful instructions; and keep its account credentials secure.

4. Liability and precedence

Each party’s liability is as set out in the Service terms. If this Agreement conflicts with the Service terms on data protection matters, this Agreement prevails.

5. Changes

The Provider will give account holders 30 days’ email notice of material changes to this Agreement. Continued use after that period constitutes acceptance; a School that objects may terminate its account and have its content returned or deleted under clause 2(h).

Draft. This Data Processing Agreement is provided for review and is not yet the final, legally reviewed version, which will be published before wide release.