Data Processing Agreement (DPA) – Report Hero

Last updated: 23 January 2026

This Data Processing Agreement ("DPA") applies where Report Hero Ltd processes Personal Data on behalf of a school acting as Data Controller, in connection with the use of the Report Hero service.

This DPA is incorporated into and forms part of the Report Hero Terms and Conditions where applicable.

1. Definitions

For the purposes of this DPA:

Data Protection Legislation means the UK GDPR, the Data Protection Act 2018, and any applicable data protection or privacy laws in force in the United Kingdom.

Controller, Processor, Processing, Personal Data, Data Subject, Personal Data Breach, and Supervisory Authority have the meanings given in the UK GDPR.

Company means Report Hero Ltd, a company pending registration in England and Wales.

Customer means the school or educational organisation using Report Hero as Data Controller.

Platform means the Report Hero website and application.

Sub-processor means any third party appointed by the Company to process Personal Data on behalf of the Customer.

Protective Measures means appropriate technical and organisational measures designed to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

2. Roles of the parties

For the purposes of Data Protection Legislation:

  • The Customer acts as Data Controller
  • Report Hero Ltd acts as Data Processor

The Customer determines the purposes and means of processing Personal Data. Report Hero processes Personal Data only on documented instructions from the Customer, including as set out in this DPA.

3. Scope of processing

Report Hero processes Personal Data solely to provide the Platform to the Customer, as described in Schedule 1.

The Company shall not process Personal Data for any other purpose.

4. Customer obligations

The Customer warrants that:

  • It has a lawful basis for Processing Personal Data under Data Protection Legislation
  • It has provided all required information to Data Subjects
  • It has authority to instruct the Company to process the Personal Data

The Customer remains responsible for compliance with its obligations as Data Controller.

5. Processor obligations

Report Hero shall:

  • Process Personal Data only in accordance with this DPA and documented Customer instructions
  • Notify the Customer if an instruction appears to infringe Data Protection Legislation
  • Ensure that persons authorised to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not transfer Personal Data outside the UK
  • Assist the Customer in complying with Data Subject rights
  • Assist with Data Protection Impact Assessments (DPIAs) where reasonably required
  • Maintain records of processing as required by Article 30(2) UK GDPR
  • Permanently delete Personal Data when instructed by the Customer, unless retention is required by law

6. Security measures

Report Hero implements security measures appropriate to the nature of the processing, including:

  • UK-hosted infrastructure (AWS and Azure)
  • Encryption in transit and at rest
  • Access controls and role-based permissions
  • Monitoring and logging
  • Data minimisation and anonymisation safeguards

All AI processing takes place within the UK. Pupil names and identifiers are automatically removed before AI processing.

7. Sub-processors

The Customer authorises the Company to appoint Sub-processors as listed in Schedule 2.

The Company shall:

  • Enter into written agreements with Sub-processors that impose equivalent data protection obligations
  • Remain fully liable for the acts and omissions of Sub-processors
  • Notify the Customer of material changes to Sub-processors and allow reasonable objections

8. Personal Data Breaches

Report Hero shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.

The notification will include all information reasonably required to enable the Customer to meet its reporting obligations.

9. Data Subject rights and regulatory requests

Report Hero shall promptly notify the Customer if it receives:

  • A Data Subject Access Request
  • A request for erasure, rectification, or restriction
  • Any communication from the ICO or other supervisory authority

Report Hero will not respond directly unless instructed by the Customer or required by law.

10. Audits

The Customer may audit Report Hero's compliance with this DPA:

  • No more than once in any 12-month period
  • On reasonable notice
  • In a way that does not unreasonably disrupt operations

Audits may include documentation review and written responses.

11. Deletion and return of data

Personal Data is retained:

  • While the account is active, unless deleted earlier by the Customer
  • Inactive unsubscribed accounts are deleted after 6 months

Upon termination of the service or written instruction, Report Hero will permanently delete all Personal Data unless retention is required by law.

12. Liability

Each party shall be liable for its own breaches of this DPA.

Report Hero's total liability under this DPA shall be limited in accordance with the limitation of liability set out in the Terms and Conditions.

Nothing in this DPA limits liability where it cannot be limited under applicable law.

13. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction.

Schedule 1 – Details of Processing

Subject matter: Processing of Personal Data entered by teachers for the purpose of generating school report text.
Duration: For the duration of the Customer's use of the Platform, unless deleted earlier.
Nature and purpose: AI-assisted drafting of school report content.
Types of Personal Data: May include pupil names, educational notes, and report text (as determined by the Customer).
Categories of Data Subjects: Pupils, teachers, and school staff.

Schedule 2 – Approved Sub-processors

Sub-processor | Purpose | Location
Amazon AWS | Hosting & data storage | UK
Microsoft Azure | AI processing infrastructure | UK