Data Processing Agreement (DPA)
Effective Date: April 14, 2025
Last Updated: July 14, 2025
This Data Processing Agreement ("DPA") forms part of the agreement between Hey Tech Labs Ltd (trading as "HeyEd") and the Client (each a "Party" and together the "Parties").
1. Parties and Scope
This DPA applies to all customers using HeyEd and governs how we process personal data on your behalf.
- Data Processor: Hey Tech Labs Ltd (Company No. 15972086)
- Data Controller: You (the Client)
- Services: The HeyEd platform, including compliance tracking, document storage, staff onboarding, and operational tools for Ofsted-registered settings.
2. Nature and Purpose of Processing
We process personal data for the sole purpose of providing our Services, including:
- Managing staff records, documents, and training
- Tracking compliance status and alerts
- Supporting onboarding and safeguarding logs
3. Types of Personal Data
- Staff names
- DBS certificate numbers
- Email addresses
- Right-to-work documentation
- Qualifications and training records
- Uploaded certificates and documents
4. Categories of Data Subjects
- Staff employed or contracted by the Client
- Managers and Head Office contacts
5. Duration of Processing
We process personal data for the duration of your subscription. After termination, data is retained for a grace period of 90 days unless otherwise agreed.
6. Data Storage and Transfers
- All data is stored within the UK and/or EEA.
- We do not transfer personal data outside the UK without your instruction or appropriate safeguards (e.g., SCCs).
7. Sub-Processors
We use the following sub-processors to deliver our services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| AWS (S3) | File and data storage | UK/EU |
| MySQL (RDS) | Core database hosting | UK/EU |
| Stripe | Payment processing | UK/EU |
| Resend / SMTP | Transactional email delivery | EU |
| Google Workspace | Internal support operations | UK/EU |
| Hotjar (if enabled) | UX session tracking | EU |
| Sentry (if enabled) | Error logging (pseudonymous) | EU |
Note: We do not provide advance notice of sub-processor changes by default.
8. Security Measures
We implement the following controls:
- Encryption in transit (TLS) and at rest (S3-managed encryption)
- ISO 27001 certified infrastructure (AWS)
- Role-based access controls
- 2FA support for users
- Secure authentication tokens (moving to HttpOnly cookies)
- Rate-limiting, email verification, and password policy enforcement
- Regular backups and monitoring
9. Breach Notification
We will notify you within 48 hours of becoming aware of any personal data breach that affects your data, providing relevant details and mitigation steps.
10. Your Rights and Instructions
- We will only process personal data on your written instructions (including through the use of HeyEd).
- We assist you in responding to data subject access requests (SARs), rectification, erasure, restriction, and data portability as required by UK GDPR.
11. Data Retention and Deletion
- Personal data is deleted within 90 days of subscription termination unless legal obligations require retention.
- Clients may request data export prior to deletion.
12. Audits and Records
- We maintain records of all processing activities under UK GDPR Article 30.
- We will cooperate with reasonable audit requests, subject to confidentiality and operational limitations.
13. Liability
Each Party's liability under this DPA is subject to the limitations of liability in the main service agreement.
14. Governing Law
This DPA is governed by the laws of England and Wales.