Data Processing Agreement
Last Updated: 19th March 2026
This Data Processing Agreement ("DPA") applies where users enter personal data into their inputs when using the Teachmate tools. It is incorporated into our Terms and Conditions. By using our products, you have indicated your agreement to the Terms and this Data Processing Agreement.
1. Definitions
Data Protection Legislation: the UK GDPR, the Data Protection Act 2018 and any other applicable laws as amended from time to time about the processing of personal data and privacy.
Data Protection Impact Assessment: an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data.
Controller, Processor, Processing, Data Subject, Personal Data, Personal Data Breach, Data Protection Officer: take the meaning given in the UK GDPR.
Company: means TeachMateAI Ltd (trading as Teachmate) (Company Number: 14972646) whose registered office is at C/O High Royd Business Services Limited BBIC, Innovation Way, Barnsley, South Yorkshire, United Kingdom, S75 1JL.
Customer: means the subscriber to the free or paid-for educational services provided by the Company.
Data Loss Event: any event that results, or may result, in unauthorised access to Personal Data held by the Company under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach.
Data Subject Access Request: a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.
Platform: means the services provided by the Company at https://www.teachmate.com/.
Protective Measures: appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it.
Schedule: means the schedules attached to this Agreement forming part of this Agreement.
Sub processor: any third party appointed to process Personal Data on behalf of the Company related to this Agreement.
Writing: includes emails and writing in any electronic form.
2. Roles and Responsibilities
2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Company is the Processor.
2.2 The only processing that the Company is authorised to carry out on Personal Data entered by the Customer into the AI tools provided by the Company on the Platform is the processing listed in the Schedule; that scope is set by the Customer and may not be determined by the Company.
2.3 The Customer warrants and represents that it has a lawful basis (pursuant to Data Protection Legislation) for supplying all Personal Data to the Company in connection with the Customer's use of the Platform and the lawful Processing of the Data by both the Customer and the Company for the purposes set out in this Agreement.
2.4 The Customer shall indemnify the Company against all costs, claims, damages, expenses, losses and liabilities incurred by the Company arising out of or in connection with any failure (or alleged failure) by the Customer to have a lawful basis for Processing Personal Data.
2.5 The Customer hereby instructs and authorises the Company to process the Data for the purposes described in the Schedule to this Agreement, and as otherwise reasonably necessary to enable the Company to provide the Platform to the Customer. The Company shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation.
2.6 The Company shall process Personal Data only in accordance with the Schedule, unless the Company is required to do otherwise by Law. If it is so required, the Company shall promptly notify the Customer before processing the Personal Data, unless prohibited by Law.
3. Security and Protective Measures
3.1 The Company shall ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the:
- nature of the data to be protected;
- harm that might result from a Data Loss Event;
- state of technological development; and
- cost of implementing any measures.
3.2 Without prejudice to the generality of the above, the Company's current technical and organisational measures include:
- encryption of Personal Data in transit using TLS;
- encryption of Personal Data at rest using AES-256;
- hosting on infrastructure providers (AWS and Microsoft Azure) that maintain SOC 2 and ISO 27001/ISO 27002 certification;
- all customer data entered into the AI tools is stored and processed within the UK and EU; and
- regular review and testing of the effectiveness of these measures.
4. Company Personnel
4.1 The Company shall ensure that:
- the Company Personnel do not process Personal Data except in accordance with this Agreement (and in particular, the Schedule);
- it takes all reasonable steps to ensure the reliability and integrity of any Company Personnel who have access to the Personal Data and ensures that they:
  - are aware of and comply with the Company's duties under this Agreement and the Data Protection Legislation;
  - have received appropriate training in relation to the handling and protection of Personal Data;
  - are subject to enforceable obligations of confidentiality with respect to any Personal Data.
5. International Data Transfers
5.1 All customer data entered into the Company's AI tools is processed and stored within the UK and EU.
5.2 The Company shall not transfer Personal Data outside of the UK and EU unless the following conditions are fulfilled:
- the Company has ensured there are appropriate safeguards in relation to the transfer (in accordance with UK GDPR Article 46);
- the Data Subject has enforceable rights and effective legal remedies;
- the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations).
5.3 Where Personal Data is transferred outside the UK and EU, the safeguards relied upon by the Company include:
- the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses;
- the UK US Data Bridge (UK extension to the EU US Data Privacy Framework); and
- transfers to countries covered by UK adequacy regulations.
5.4 The specific transfer mechanisms applicable to each Sub processor are set out in Annex B.
6. Data Loss Events and Notification
6.1 The Company shall notify the Customer as soon as reasonably possible if it becomes aware of a Data Loss Event. The Company's obligation to notify under this clause shall include the provision of further information to the Customer in phases, as details become available, if necessary.
6.2 The Company shall notify the Customer as soon as reasonably possible if it:
- receives a Data Subject Access Request (or purported Data Subject Access Request);
- receives a request to rectify, block or erase any Personal Data;
- receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
- receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;
- receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law.
7. Cooperation and Assistance
7.1 Taking into account the nature of the processing, the Company shall provide the Customer with reasonable assistance in relation to the Customer's obligations under Data Protection Legislation and any complaint, communication or request made under clause 6 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing:
- the Customer with full details and copies of the complaint, communication or request;
- such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
- the Customer, at its request, with any Personal Data it holds in relation to a Data Subject;
- assistance, as requested by the Customer, following any Data Loss Event;
- assistance, as requested by the Customer, with respect to any request from the Information Commissioner's Office, or any consultation by the Customer with the Information Commissioner's Office.
7.2 The Company shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment.
7.3 The Company will comply with any reasonable written instructions notified to it in advance by the Customer with respect to the processing of the Personal Data and at the written direction of the Customer, will delete Personal Data (and any copies of it) on termination of the Agreement unless the Company is required by Law to retain the Personal Data.
8. Records
8.1 The Company shall maintain complete and accurate records as required by Article 30(2) of the UK GDPR. This requirement does not apply where the Company employs fewer than 250 staff, unless:
- the Company determines that the processing is not occasional;
- the Company determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR, or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
- the Company determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
8.2 The Customer is obliged to notify the Company if it considers that any of the conditions listed above apply to the data it processes on the Platform.
9. Audit
9.1 The Company shall make available to the Customer, on request, all information reasonably necessary to demonstrate compliance with this Agreement and the Data Protection Legislation. This may include provision of relevant security certifications, completed security questionnaires, summaries of technical and organisational measures, and other written evidence of compliance.
9.2 The Customer may request an audit only where, after reviewing the information provided under clause 9.1, it reasonably identifies a material unresolved concern regarding the Company's compliance with this DPA or applicable data protection law.
9.3 Any audit shall, unless otherwise required by applicable law, a competent supervisory authority, or following a confirmed Personal Data Breach or other material security incident, be conducted remotely and through review of documentation, policies, certifications, summaries of technical and organisational measures, and interviews with relevant personnel.
9.4 Any on-site inspection shall be permitted only where a remote audit would not reasonably address the material unresolved concern.
9.5 Audits shall be limited to once every 24 months, during normal business hours, on at least 30 days' written notice, and shall be limited in scope to systems, records, personnel and facilities relevant to the processing of the Customer's Personal Data.
9.6 The Customer and its auditor must enter into appropriate confidentiality obligations, must not access data relating to other customers, and must not perform penetration testing, vulnerability scanning, load testing or similar disruptive testing without the Company's separate written agreement.
9.7 The Customer shall bear its own audit costs and the Company's reasonable internal costs of supporting the audit, unless the audit identifies a material breach of this DPA.
10. Data Protection Officer
10.1 The Company shall designate a data protection officer if required by the Data Protection Legislation.
11. Sub processors
11.1 The Customer hereby authorises the Company to appoint the Sub processors listed in Annex B to carry out Processing activities in connection with the Data.
11.2 The Company shall use reasonable endeavours to promptly notify the Customer of any changes to the identity of its Sub processors from time to time and allow the Customer to reasonably object to the appointment of those Sub processors.
11.3 Before allowing any Sub processor to process any Personal Data related to this Agreement, the Company must:
- enter into a written agreement with the Sub processor which gives effect to the terms set out in this clause, such that they apply to the Sub processor; and
- provide the Customer with such information regarding the Sub processor as the Customer may reasonably require.
11.4 The Company shall remain fully liable for all acts or omissions of any Sub processor in respect of Processing of the Data.
12. AI Model Training and Feedback Data
12.1 The Company does not use any customer data, including user inputs, outputs, or feedback, to train or fine-tune any AI models. No customer data is incorporated into any model weights, training datasets, or fine-tuning processes.
12.2 Where the Customer uses the feedback feature within the Company's AI tools, the Company may use the feedback and associated output data to improve the quality and accuracy of its services, for example by refining prompts, identifying errors, or improving system performance. This does not involve training or fine-tuning of AI models.
12.3 Authorised Company personnel may access Customer input or output data solely for the purposes of technical troubleshooting, and only when requested by the Customer or where necessary to resolve a technical issue. Such access is subject to the confidentiality and security obligations set out in this Agreement.
13. Liability and Indemnity
13.1 Each party (the "Indemnifying Party") shall indemnify the other (the "Indemnified Party") from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage ("Damage") suffered or incurred by the Indemnified Party as a result of the Indemnifying Party's breach of the provisions of this Agreement, and provided that:
- the Indemnified Party gives the Indemnifying Party prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this clause; and
- the Indemnified Party takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party's breach.
13.2 The Company shall have no liability to the Customer, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with loss, interception or corruption of any Data resulting from any negligence or default by any provider of telecommunications services to the Company or the Customer; any loss arising from the default or negligence of any supplier to the Customer; damage to reputation or goodwill; and/or any indirect or consequential loss.
13.3 The Company's total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of the Contract shall be limited to the total fees paid for the Customer's access to the Platform during the 12 months immediately preceding the date on which the claim arose.
13.4 Nothing in this clause shall limit the liability of the Company for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.
14. Term and Termination
14.1 This DPA shall remain in effect for the duration of the Company's processing of Personal Data on behalf of the Customer.
14.2 Upon termination or expiry of the Customer's subscription to the Platform, or upon termination of the Terms and Conditions, this DPA shall automatically terminate. The Company shall delete all Personal Data processed under this DPA in accordance with the retention periods set out in the Schedule, unless the Company is required by law to retain any such data.
15. Governing Law
15.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales.
15.2 Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Annex A: Schedule of Processing, Personal Data and Data Subjects
The Company shall comply with any further written instructions from the Customer with respect to processing. Any such further instructions shall be incorporated into this Schedule.
| Description | Details |
|---|---|
| Subject matter of the processing | Any Personal Data entered into the AI tools for the education sector as provided by the Company. Any such Personal Data entered shall be at the discretion and choice of the Customer. |
| Duration of the processing | 28 days unless the Customer has requested that the Company carry out further processing on the data through use of the feedback option within the AI tool, in which case the duration of the further processing will be as reasonably needed to resolve the Customer's request. |
| Nature and purposes of the processing | The purpose is determined by the Customer but includes generating output content for the purpose of supporting the Customer with school related work, including communication, administration, planning, preparation and assessment. |
| Type of Personal Data | This is determined by the Customer, but may include names, academic attainment information, health information, career information, work performance data and special educational needs information. |
| Categories of Data Subject | This is determined by the Customer, but may include Students, Parents and Guardians, Staff or other such persons who interact with the Customer. |
| Data retention and destruction | Data is retained on the Platform for 28 days unless the Customer deletes it before then. Data may be deleted at any time by the Customer directly. For school accounts, school data is deleted 28 days after expiration of the contract unless there are active discussions about renewal. |
Annex B: Sub processors
Category 1: Core Platform Services
Essential for platform operation.
| Sub Processor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, infrastructure & AI content generation | All customer data | UK | N/A (UK) |
| Microsoft Azure OpenAI | AI content generation | Tool inputs & outputs | UK | N/A (UK) |
| Microsoft Azure AD | SSO authentication (OIDC) | OIDC token, user ID | EU/US | UK US Data Bridge (DPF) |
| Google OAuth2 | SSO authentication | OAuth token, user ID | US | UK US Data Bridge (DPF) |
| Sentry | Error monitoring | Error logs, IP address | EU | N/A (EU adequacy) |
| HubSpot | CRM & customer data management | Account data (name, email, subscription status) | EU | N/A (EU adequacy) |
Category 2: Website Operational Services
Consent based services that can be declined by the user. These services are separate from the core AI platform and do not have access to customer data entered into the AI tools.
| Sub Processor | Purpose | Data Processed | Location | Transfer Mechanism | Consent |
|---|---|---|---|---|---|
| Stripe | Payment processing | Payment & billing data | US | UK US Data Bridge (DPF) | User initiated |
| Termly | Cookie consent management | Cookie preferences | US | UK US Data Bridge (DPF) | Strictly necessary |
| Google Analytics | Website analytics | Anonymised usage data | US | UK US Data Bridge (DPF) | Yes |
| HubSpot | Marketing analytics & tracking | Page view & usage data | EU | N/A (EU adequacy) | Yes |
| Meta (Facebook) Pixel | Marketing attribution | Page view data | US | UK US Data Bridge (DPF) | Yes |
| LinkedIn Insight Tag | Advertising performance measurement | Page view data | US | UK US Data Bridge (DPF) | Yes |
| Microsoft Bing UET | Advertising performance measurement | Page view data | US | UK US Data Bridge (DPF) | Yes |
| Eventbrite | Webinar bookings | Name, email | US | UK US Data Bridge (DPF) | User initiated |
Where the Company uses third-party services to run and administer the Platform and services, only the minimal amount of information needed to deliver their service will be shared. The Company carries out due diligence on all third-party suppliers to ensure their compliance with data protection law, that they maintain adequate security of data, and that they apply adequate data protection principles to the processing of the data supplied.