Data Processing Agreement

Last updated: 9 April 2026

Between Controller and Processor

Version: 1.1
Date: 17 April 2026

This Data Processing Agreement is intended as a school-facing template for the use of SENScribe by Irish schools and authorised school staff.

This document is drafted to reflect the current implemented encrypted-sync service as described in the codebase and public legal pages as of 9 April 2026. It is not legal advice and should be reviewed before execution.

Parties

This Data Processing Agreement is entered into between:

Controller

Name of school / ETB / board of management / other educational body: ____________________
Registered address: ____________________
Contact name and role: ____________________
Contact email: ____________________

and

Processor

SENScribe Limited
Company number: 813862
Registered address: ARKINS & COMPANY LIMITED, BLOCK 15, Galway Technology Park, Parkmore, Galway, GALWAY, Ireland, H91 AY0Y
Contact: hello@senscribe.ie

The Controller and Processor are together the Parties.

1. Background and Interpretation

  1. The Controller uses SENScribe to create, maintain, review, export and store Student Support Files and related student-support records.
  2. The Processor provides the SENScribe service, including encrypted storage, synchronisation, AI-assisted drafting and account services.
  3. The Parties enter into this Agreement to satisfy Article 28 GDPR and the equivalent requirements of applicable Irish data protection law.

For the purposes of this Agreement:

  • Customer Data means personal data processed by the Processor on behalf of the Controller through the SENScribe service.
  • Data Protection Law means Regulation (EU) 2016/679, the Irish Data Protection Act 2018, and any binding guidance or legislation applicable to the processing under this Agreement.
  • Services means the SENScribe application and associated support, sync, storage and AI-assisted drafting services made available to the Controller.

2. Scope and Duration

  1. This Agreement applies for as long as the Processor processes Customer Data on behalf of the Controller in connection with the Services.
  2. This Agreement covers:
    • teacher account access to the Services
    • encrypted storage of student-support records
    • encrypted multi-device synchronisation
    • anonymised AI drafting and rewrite requests
    • export and support operations directly related to the Services
  3. This Agreement does not cover processing where the Processor acts as independent controller for its own corporate, accounting, tax, security or legal compliance purposes, except that such processing must still comply with Data Protection Law.

3. Subject Matter, Nature and Purpose of Processing

3.1 Subject matter

The subject matter of the processing is the provision of SENScribe as a service for creating, storing, syncing, reviewing and exporting student-support records.

3.2 Nature of processing

The processing may include:

  • collection
  • recording
  • organisation
  • structuring
  • storage
  • encryption
  • retrieval
  • consultation
  • transmission
  • synchronisation
  • export
  • deletion

3.3 Purpose of processing

The purpose of processing is to enable the Controller's authorised staff to:

  • produce and maintain Student Support Files and related records
  • manage review cycles and interventions
  • sync encrypted records across devices
  • generate and edit draft educational documentation using anonymised AI-assisted workflows

4. Categories of Data Subjects and Personal Data

4.1 Data subjects

Customer Data may relate to:

  • students
  • parents or guardians
  • teachers, SETs and school staff

4.2 Personal data categories

Customer Data may include:

  • teacher account identifiers and login information
  • student names and dates of birth
  • year group, school level and class/support information
  • educational observations, strengths, concerns and interventions
  • special educational needs and support information
  • plans, reviews, targets, strategies and log entries
  • parent comments, student voice and review notes
  • staff names or role references contained in records

4.3 Special-category data

Customer Data may include special-category personal data, especially data concerning health and special educational needs, where entered by the Controller.

5. Controller Obligations

The Controller shall:

  1. ensure that it has a valid lawful basis under Articles 6 and, where required, 9 GDPR for the processing of Customer Data through the Services
  2. ensure that its authorised users are entitled to use the Services on its behalf
  3. provide only documented instructions to the Processor
  4. ensure that personal data entered into the Services is adequate, relevant and limited to what is necessary
  5. remain responsible for the accuracy, quality and legality of Customer Data and the means by which it acquired Customer Data
  6. determine retention periods for Customer Data unless the Parties agree a default retention rule in writing

6. Processor Obligations

The Processor shall:

  1. process Customer Data only on the documented instructions of the Controller, unless otherwise required by Union or Member State law
  2. ensure that persons authorised to process Customer Data are subject to confidentiality obligations
  3. implement appropriate technical and organisational measures to protect Customer Data
  4. assist the Controller, taking into account the nature of processing and information available to the Processor, with responding to data-subject requests
  5. assist the Controller with its obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and information available to the Processor
  6. delete or return Customer Data as provided in Clause 12
  7. make available to the Controller information reasonably necessary to demonstrate compliance with this Agreement
  8. inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Law

7. Documented Instructions

  1. The Controller instructs the Processor to process Customer Data for the purposes described in this Agreement and the underlying service agreement.
  2. The Controller authorises the Processor to:
    • host encrypted Customer Data
    • sync encrypted Customer Data between authorised devices
    • process anonymised prompts for AI drafting and rewrite functions
    • provide support and service operations reasonably necessary to deliver the Services
  3. Additional instructions outside the agreed scope must be documented in writing and may require amendment of the commercial terms, security measures, or both.

8. Confidentiality

  1. The Processor shall ensure that any person authorised to process Customer Data is under an appropriate duty of confidentiality.
  2. The Processor shall limit internal access to Customer Data and related systems to what is reasonably necessary.
  3. Because the service is designed so that encrypted student-support content cannot be decrypted by the Processor without the Controller-held secret, the Processor's ordinary operational access to intelligible customer content is intentionally restricted.

9. Security Measures

9.1 General obligation

The Processor shall implement appropriate technical and organisational measures as required by Article 32 GDPR.

9.2 Current measures

The Processor represents that the current service includes the following measures:

  • AES-256-GCM encryption for stored student-support payloads
  • browser-side encryption of customer student-support content before upload
  • a separate data-password model for unlocking synced content on devices
  • KEK derivation using PBKDF2 with 600,000 iterations and SHA-256
  • DEK wrapping using AES-KW before server storage
  • authenticated access to sync APIs
  • deletion capability for encrypted sync data
  • hosting of encrypted sync data in Azure Cosmos DB in North Europe (Ireland)
  • AI processing using anonymised inputs through Azure OpenAI within the EU data zone

9.3 Important accuracy statement

The Parties acknowledge that encryption and zero-knowledge design materially reduce risk but do not remove the Processor's GDPR obligations. The Processor does not claim that encryption alone makes the processing non-personal-data processing.

9.4 Security appendix

Further detail is set out in Annex 2 to this Agreement.

10. Sub-processors

  1. The Controller grants a general written authorisation for the Processor to engage the sub-processors listed in Annex 3.
  2. The Processor shall:
    • maintain an up-to-date sub-processor list
    • notify the Controller of intended additions or replacements that materially affect the processing of Customer Data
    • impose data-protection obligations on sub-processors that are no less protective than those in this Agreement, to the extent applicable to the services they provide
  3. The Processor remains responsible for the performance of its sub-processors' obligations where required by Data Protection Law.

11. Data Subject Rights and Assistance

  1. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data-subject rights.
  2. If the Processor receives a request directly from a data subject relating to Customer Data, the Processor shall:
    • not respond on the merits unless legally required to do so
    • promptly notify the Controller unless legally prohibited
  3. The Controller acknowledges that where the Service stores only encrypted customer content that the Processor cannot decrypt, certain assistance functions may depend on the Controller's own access to the decrypted content.

12. Retention, Return and Deletion

  1. The Controller is responsible for setting retention rules for Customer Data unless otherwise agreed in writing.
  2. During the term, the Controller may delete Customer Data using available product functionality or by instructing the Processor through support channels.
  3. Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return Customer Data, unless Union or Member State law requires storage.
  4. Where the Controller requests deletion:
    • the Processor shall delete server-side encrypted sync data within a reasonable period
    • any legally required residual records may be retained only to the extent and for the duration required by law
  5. The Parties acknowledge a practical limitation of the zero-knowledge model: if the Controller retains local decrypted or decryptable copies on its own devices, deletion by the Processor cannot erase those controller-side copies.

13. Personal Data Breach

  1. The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Data.
  2. The notification shall include, where reasonably available:
    • the nature of the breach
    • likely consequences
    • measures taken or proposed to address the breach
    • contact details for follow-up
  3. The Parties acknowledge that if compromised data is rendered unintelligible to unauthorised persons through effective encryption, the Controller may conclude that notification obligations to data subjects are reduced or do not arise. That legal assessment remains the Controller's responsibility.

14. Audits and Information Rights

  1. The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this Agreement.
  2. The Controller may request reasonable documentary evidence of compliance, including policies, summaries of technical measures, and sub-processor information.
  3. On reasonable written notice, and no more than once in any twelve-month period unless required by law or following a material incident, the Controller may request an audit or inspection proportionate to the risk and scope of the processing.
  4. Any audit must:
    • be carried out in a manner that minimises disruption
    • avoid access to other customers' data
    • respect the Processor's confidentiality and security obligations
    • be subject to appropriate confidentiality undertakings by the auditor
  5. The Processor may satisfy audit obligations by providing recent independent documentation, policies, or detailed written responses where that is reasonably sufficient.

15. International Transfers

  1. The standard service configuration is intended to keep encrypted customer storage in North Europe (Ireland) and AI processing within the EU data zone.
  2. The Processor shall not transfer Customer Data outside the EEA except in accordance with Data Protection Law and this Agreement.
  3. If a restricted transfer becomes necessary, the Processor shall ensure that an appropriate transfer mechanism is in place before the transfer occurs.

16. Liability and Order of Precedence

  1. This Agreement forms part of the agreement between the Parties for the Services.
  2. If there is a conflict between this Agreement and another agreement between the Parties concerning the processing of Customer Data, this Agreement prevails to the extent of that conflict.
  3. Liability between the Parties is governed by the main service agreement except to the extent prohibited by Data Protection Law.

17. Termination

This Agreement terminates automatically when the Processor no longer processes Customer Data on behalf of the Controller, subject to any surviving obligations regarding deletion, confidentiality, and legal retention.

18. Governing Law and Jurisdiction

This Agreement shall be governed by the laws of Ireland, unless the main service agreement expressly provides otherwise in a manner consistent with Data Protection Law.

19. Signatures

Signed for and on behalf of the Controller:

Name: ____________________
Title: ____________________
Signature: ____________________
Date: ____________________

Signed for and on behalf of the Processor:

Name: ____________________
Title: ____________________
Signature: ____________________
Date: ____________________


Annex 1: Details of Processing

A. Parties

Controller: the school or educational body identified on page 1.
Processor: SENScribe Limited.

B. Subject matter

Provision of the SENScribe service for the management of Student Support Files and related student-support documentation.

C. Duration

For the term of the services plus any limited post-termination period required to complete deletion, return, or legally required retention.

D. Nature and purpose

  • create, review, maintain and export student-support records
  • store and sync encrypted records across authorised devices
  • generate draft educational content using anonymised AI requests

E. Data subjects

  • students
  • parents or guardians
  • teachers, SETs and school staff

F. Categories of personal data

  • teacher identifiers and account data
  • student names, dates of birth and educational context data
  • support plans, reviews, targets, interventions, log entries and related comments
  • special-category educational and support-needs data where entered by the Controller

G. Special categories

May include health and special educational needs information.

H. Processing frequency

Continuous for the duration of service use.


Annex 2: Security Measures

The Processor currently implements or documents the following measures:

  • browser-side encryption of student-support content before upload
  • AES-256-GCM encryption of stored content
  • DEK/KEK envelope-encryption model
  • PBKDF2-based KEK derivation with 600,000 iterations and SHA-256
  • AES-KW wrapping of the DEK for cross-device unlock
  • user authentication and session controls for access to sync APIs
  • customer-data separation by user partition in storage
  • deletion endpoint for server-side encrypted sync data
  • hosting of encrypted storage in Azure Cosmos DB in North Europe (Ireland)
  • AI generation using anonymised prompts only

Operational note:

  • The Processor cannot ordinarily decrypt customer student-support content because the decryption secret is derived client-side from the Controller user's data password or recovery flow.

Known legal/operational caveats:

  • controller/processor wording on public pages should remain aligned with this Agreement
  • retention periods for customer content should be agreed and documented by the Parties
  • sub-processor list and notification process should be maintained actively

Annex 3: Approved Sub-processors

| Sub-processor | Purpose | Data involved | Region / location notes |
| --- | --- | --- | --- |
| Microsoft Azure Cosmos DB | Encrypted sync storage and related service data storage | Encrypted student-support records, account-related records, wrapped keys, metadata | North Europe (Ireland), according to current service documentation |
| Microsoft Azure OpenAI | AI drafting and rewrite functions | Anonymised prompts and outputs, not intended to include direct student identifiers | EU data zone, according to current service documentation |
| Microsoft Azure Communication Services | Transactional emails | Email address and email-delivery data | Europe, according to current service documentation |
| Resend | Fallback email delivery where configured | Email address and email-delivery data | Verify active configuration before relying on this row |

Processor note:

  • If additional sub-processors are added that materially affect Customer Data, this Annex should be updated and customers notified in line with Clause 10.

Drafting Notes

This template is intentionally strict and conservative.

It does not claim:

  • that SENScribe is not processing personal data
  • that the teacher is always the correct controller in the school-use model
  • that encryption alone resolves all GDPR obligations

This template assumes the school deployment model reflected in the product research: the school is the controller and SENScribe is the processor.