Data Processing Agreement

For schools using SimmaSend.

Last updated: April 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between SimmaSend (“Processor”) and the school or educational establishment using SimmaSend (“Controller”) for the processing of personal data.

This DPA is entered into to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Scope and duration

The Processor shall process personal data on behalf of the Controller for the purpose of providing the SimmaSend feedback service. Processing begins when the school's SimmaSend account is created and continues until the account is deleted or the service is terminated.

3. Nature and purpose of processing

The Processor provides a web-based service that allows the Controller's staff (teachers) to record audio, video, photo and text feedback for students. This feedback is transcribed and summarised using AI, stored securely, and made available to students via a unique QR code URL.

Processing consists of: collecting, storing, organising, retrieving, transmitting (to third-party sub-processors for transcription/summarisation), restricting and deleting personal data.

4. Types of personal data processed

  • Student first names and last names
  • Student email addresses (optional — provided by school administrator for feedback notifications)
  • Teacher names and subjects
  • Teacher email addresses (optional — provided by school administrator for invitations and communications)
  • Administrator names and email addresses
  • Audio recordings, video recordings, photographs and text feedback
  • AI-generated transcripts, summaries, titles, subject classifications and action points
  • Student text responses to feedback

5. Data subjects

  • Students (including children) at the Controller's school
  • Parents/guardians of students (where a parent/guardian email is provided for notifications)
  • Teachers and staff at the Controller's school
  • School administrators

6. Obligations of the Processor

6.1. The Processor shall only process personal data in accordance with the Controller's documented instructions and this DPA, unless required to do so by law.

6.2. The Processor shall ensure that all personnel with access to personal data are bound by appropriate confidentiality obligations.

6.3. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption in transit (HTTPS/TLS); Row Level Security on the database; private storage buckets with time-limited signed URLs for media files; magic link authentication (single-use, 15-minute expiry) for administrators; and regular security updates.

6.4. The Processor shall assist the Controller in responding to data subject access requests and in ensuring compliance with the Controller's obligations under Articles 32–36 of the UK GDPR.

6.5. The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach.

6.6. Upon termination of the service, the Processor shall delete all personal data processed on behalf of the Controller, including all copies, unless retention is required by law.

7. Sub-processors

The Controller agrees that the Processor may use the following sub-processors:

| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase (via AWS) | Database and file storage | EU/UK |
| Vercel | Website hosting and serverless functions | Global (edge network) |
| OpenAI | Audio transcription (Whisper API) and text summarisation (GPT-4o-mini) | USA* |
| Resend | Transactional email delivery (magic links, feedback notifications) | USA |

*Note: Audio and video recordings are sent to OpenAI's API for transcription and summarisation. OpenAI's API data usage policy states that data submitted via the API is not used to train models and is retained for up to 30 days for abuse monitoring before deletion. The Controller should be aware that this involves a transfer of data outside the UK.

The Processor shall notify the Controller before adding or replacing any sub-processor. If the Controller objects, the Controller may terminate the agreement.

8. Data location

Application data (database records, media files) is stored in Supabase infrastructure in the EU/UK region. Audio and video data is temporarily transmitted to OpenAI (USA) for processing. Email delivery (administrator magic links and student feedback notifications) is handled by Resend (USA). The Processor ensures that all sub-processors provide adequate data protection safeguards.

9. Rights of the Controller

9.1. The Controller may request information about the Processor's compliance with this DPA at any time.

9.2. The Controller may audit the Processor's compliance, subject to reasonable advance notice (at least 4 weeks) and during normal business hours, no more than once per 12-month period.

10. Data subject rights

The Processor shall assist the Controller in handling data subject requests including: access, rectification, erasure, restriction of processing and data portability. School administrators can manage student and teacher data directly through the SimmaSend admin dashboard. For requests that cannot be handled through the dashboard, the Controller should contact the Processor at hello@simmasend.com.

11. Termination

Upon termination of the service agreement, the Processor shall permanently delete all personal data within 30 days, unless the Controller requests a data export. The Processor shall confirm deletion in writing upon request.

12. Liability

The Processor's liability under this DPA is subject to the limitations set out in the main Terms and Conditions.

13. Contact

For any queries regarding this DPA, please contact: hello@simmasend.com