Legal

Data processing agreement

Between Nectarwood Ltd and the School or Organisation
Version 1.0 | 7 June 2026
UK GDPR and Data Protection Act 2018

Parties

Data Processor: Nectarwood Ltd
Suite A, 82 James Carter Road, Mildenhall, IP28 7DE
Email: support@readingfluency.co.uk
ICO Registration: ZC112415
(hereinafter "the Processor" or "Nectarwood")

Data Controller: The school, educational institution, or organisation that has subscribed to Reading Fluency (hereinafter "the Controller" or "the School").

1. Definitions

1.1 "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any other applicable UK data protection legislation.
1.2 "Personal Data" means any information relating to an identified or identifiable natural person.
1.3 "Processing" means any operation performed on Personal Data.
1.4 "Data Subject" means the individual to whom the Personal Data relates.
1.5 "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
1.6 "Child Data" means Personal Data relating to pupils under the age of 18.
1.7 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
1.8 "Services" means the Reading Fluency application as described in Schedule 1.
1.9 "DPIA" means a Data Protection Impact Assessment under Article 35 of the UK GDPR.

2. Scope and purpose

2.1 This Agreement sets out the terms on which the Processor will process Personal Data on behalf of the Controller in connection with Reading Fluency.
2.2 The Processor shall process Personal Data solely to provide the Services as described in the Terms of Service and this Agreement.
2.3 The nature and purpose of processing, the types of Personal Data, and the categories of data subjects are described in Schedule 1.
2.4 The Controller acknowledges that the Services are designed for use in primary school settings and involve the processing of Child Data. Both parties acknowledge their enhanced obligations under the Data Protection Laws in respect of children's data.

3. Processor obligations

3.1 General

The Processor shall:
(a) Process Personal Data only on the documented instructions of the Controller, unless required by law (in which case it will inform the Controller before processing, unless legally prohibited).
(b) Ensure persons authorised to process Personal Data are under an appropriate obligation of confidentiality.
(c) Implement appropriate technical and organisational measures to ensure security appropriate to the risk, as described in Schedule 3.
(d) Not engage a sub-processor without the prior general written authorisation of the Controller, subject to Clause 6 and Schedule 2.
(e) Assist the Controller in responding to data subject rights requests.
(f) Assist the Controller with security, breach notification, DPIAs, and prior consultation with the ICO.
(g) At the Controller's choice, delete or return all Personal Data after the end of the Services, and delete existing copies unless storage is required by law.
(h) Make available all information necessary to demonstrate compliance, and allow for and contribute to audits.

3.2 Data breach notification

3.2.1 The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.
3.2.2 Such notification shall include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.

3.3 Data subject requests

3.3.1 The Processor shall promptly notify the Controller of any request from a data subject.
3.3.2 The Processor shall assist the Controller in responding within the statutory timeframe.
3.3.3 The Processor shall provide the ability to export all Personal Data in a commonly used, machine-readable format (CSV or JSON).

4. Controller obligations

4.1 The Controller shall ensure it has a lawful basis for the processing, including any necessary consents.
4.2 The Controller shall ensure the Personal Data provided is accurate and up to date.
4.3 The Controller is responsible for informing data subjects about the processing of their Personal Data.
4.4 The Controller shall ensure appropriate safeguards are in place for Child Data, including obtaining any necessary parental consent.
4.5 The Controller shall notify the Processor promptly of any changes to applicable requirements affecting the Processor's obligations.

5. International data transfers

5.1 The Processor's primary database is hosted in the United Kingdom (London, AWS eu-west-2 region). All pupil data, assessment records and staff records are stored and processed within the UK. The Processor also uses ancillary sub-processors located in the EU and the US, as detailed in Schedule 2.
5.2 For transfers to the US, the Processor relies on the EU-US Data Privacy Framework (DPF) and the UK Extension, where the sub-processor is certified.
5.3 Where a sub-processor is not DPF-certified, the Processor shall ensure appropriate safeguards such as ICO-approved Standard Contractual Clauses.
5.4 The Processor shall inform the Controller of any changes to the location of processing or the safeguards relied upon.

6. Sub-processors

6.1 The Controller provides general written authorisation for the Processor to engage the sub-processors listed in Schedule 2.
6.2 The Processor shall maintain an up-to-date list at readingfluency.co.uk/sub-processors.
6.3 The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor.
6.4 If the Controller objects on reasonable data protection grounds, the parties shall discuss in good faith; if unresolved, the Controller may terminate the affected Service without penalty.
6.5 The Processor shall impose data protection obligations on each sub-processor no less protective than those in this Agreement.

7. Data retention and deletion

7.1 Personal Data shall be retained for the periods specified in Schedule 1.
7.2 Upon termination, the Controller may request the return of all Personal Data in a commonly used, machine-readable format (CSV or JSON) within 30 days.
7.3 Following the return period (or on the Controller's instruction), the Processor shall securely delete all Personal Data within 90 days, except where retention is required by law.
7.4 The Processor shall provide written confirmation of deletion upon request.

8. Security measures

8.1 The Processor shall implement and maintain the measures described in Schedule 3.
8.2 The Processor shall regularly test, assess and evaluate their effectiveness.
8.3 The Processor shall ensure anyone acting under its authority processes Personal Data only on the Controller's instructions, unless required by law.

9. Audit rights

9.1 The Controller may, on not less than 30 days' notice, audit the Processor's compliance.
9.2 The Processor shall cooperate and provide access to relevant documentation, systems and premises.
9.3 Audits shall be during normal business hours and shall not unreasonably interfere with operations.
9.4 The Controller shall bear its own audit costs unless the audit reveals a material breach.

10. Liability

10.1 Each party shall be liable for damage caused by processing that infringes the Data Protection Laws.
10.2 The Processor's total aggregate liability under this Agreement shall not exceed the greater of (a) the total fees paid by the Controller in the 12-month period preceding the claim, or (b) one thousand pounds sterling (£1,000).
10.3 Nothing in this Agreement excludes or limits liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any liability that cannot be excluded by law.

11. Term and termination

11.1 This Agreement takes effect on the date the Controller accepts it and remains in force for the duration of the Processor's provision of the Services to the Controller.
11.2 Either party may terminate on 30 days' written notice.
11.3 Clauses relating to data retention, deletion, confidentiality and liability survive termination.

12. Amendments

12.1 The Processor may amend this Agreement to reflect changes in Data Protection Laws or processing activities. Material changes will be notified at least 30 days in advance.
12.2 Continued use of the Services after notification of a material change constitutes acceptance.

13. Governing law

13.1 This Agreement is governed by the laws of England and Wales.
13.2 The parties submit to the exclusive jurisdiction of the courts of England and Wales.

14. Entire agreement

14.1 This Agreement, with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding the processing of Personal Data.
14.2 If any provision is found invalid, the remaining provisions continue in full force.

Acceptance

By clicking "I accept" or by using the Services after being presented with this Agreement, the Controller confirms acceptance on behalf of their school or organisation.

Recorded at acceptance: school or organisation name, authorised signatory name, job title, email address, date of acceptance, method of acceptance.

Electronic acceptance (clicking "I accept" or email confirmation) is legally binding and constitutes a valid written agreement under UK GDPR Article 28.


Schedule 1: Data processing details

Product covered: Reading Fluency, a reading fluency assessment and progress tracking tool.

Categories of data subjects:

  • Pupils: children attending the School (Child Data)
  • Teachers and staff: employees of the School using the Services

Categories of Personal Data:

Data category         | Data elements                                              | Retention period
Account data          | Name, email, password (hashed), school, role               | Duration of account + 30 days
Pupil identifiers     | Full name, gender, year group, class                       | Duration of subscription + 30 days
Pupil characteristics | SEN status, Pupil Premium, EAL status                      | Duration of subscription + 30 days
Assessment data       | Reading scores, words correct per minute, progress records | Duration of subscription + 30 days

Special category data: SEN status is special category data. The lawful basis for processing is substantial public interest (education and safeguarding of children) under Schedule 1, Part 2 of the Data Protection Act 2018.

Schedule 2: Approved sub-processors

See readingfluency.co.uk/sub-processors. As at the date of this Agreement:

Sub-processor | Purpose                             | Location    | Safeguards
Supabase      | Database hosting and authentication | UK (London) | SOC 2 Type II, GDPR compliant
Vercel        | Application hosting and CDN         | US          | ISO 27001, SOC 2 Type II
Stripe        | Card payment processing             | US          | PCI DSS Level 1, EU-US DPF, UK Extension
Resend        | Transactional email                 | US          | EU-US DPF, UK Extension
Brevo         | Marketing and onboarding email      | EU (France) | GDPR compliant, ISO 27001

Schedule 3: Security measures

Access controls: Role-based access control with standard roles. Permissions granular and configurable per school. Row-Level Security enforced at the database level on all tables containing personal data. Access is limited on a need-to-know basis.

Encryption: All data encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Passwords hashed (bcrypt via Supabase Auth). Secrets stored as encrypted environment variables, never exposed client-side.

Infrastructure security: Hosted on Vercel's edge network with DDoS protection. Database on Supabase managed PostgreSQL in London (AWS eu-west-2) with daily automated backups. All core Personal Data remains in the UK. Server-side API routes protected by authentication.

Application security: Input sanitisation, CSRF protection, no personally identifiable information in logs, service-role credentials restricted to server-side code, regular security reviews.

Audit trail: Changes to pupil records are logged in audit tables with timestamp, user and before and after values. Staff role and permission changes are tracked. Deletions of records are logged and audit-checked to maintain a reliable audit trail.
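To make the "Access controls" and "Audit trail" commitments above concrete, the following is an added illustration of how row-level isolation per school and a before/after audit log are typically expressed in a Supabase-managed PostgreSQL database. It is example SQL written for this page, not Nectarwood's own schema: the table names (pupils, pupils_audit), the column set, and the assumption that each signed-in user's JWT carries a school_id claim under app_metadata are all hypothetical. The only non-hypothetical identifiers are the Supabase helpers auth.uid() and auth.jwt() and the built-in authenticated role.

```sql
-- Illustrative schema (hypothetical table and column names).
create table pupils (
  id         uuid primary key default gen_random_uuid(),
  school_id  uuid not null,
  full_name  text not null,
  year_group text,
  sen_status boolean not null default false
);

-- Row-Level Security: every read and write on the table is filtered by policy.
-- FORCE makes the policy apply even to the table owner.
alter table pupils enable row level security;
alter table pupils force row level security;

-- Assumption: the user's JWT carries app_metadata.school_id (set server-side,
-- never client-editable). Staff can only see and change rows of their own school.
create policy pupils_school_isolation on pupils
  for all
  to authenticated
  using      (school_id = (auth.jwt() -> 'app_metadata' ->> 'school_id')::uuid)
  with check (school_id = (auth.jwt() -> 'app_metadata' ->> 'school_id')::uuid);

-- Audit table: who changed what, when, with the row image before and after.
-- school_id is copied in so deletions stay visible to the school after the
-- pupil row itself is gone.
create table pupils_audit (
  audit_id   bigserial primary key,
  pupil_id   uuid not null,
  school_id  uuid not null,
  changed_at timestamptz not null default now(),
  changed_by uuid,                       -- auth.uid() of the acting user
  operation  text not null check (operation in ('INSERT', 'UPDATE', 'DELETE')),
  old_row    jsonb,                      -- null for INSERT
  new_row    jsonb                       -- null for DELETE
);

-- SECURITY DEFINER so the trigger can write the audit row regardless of the
-- caller's policies; search_path pinned to avoid function hijacking.
create or replace function audit_pupils() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into pupils_audit (pupil_id, school_id, changed_by, operation, old_row, new_row)
  values (
    case when tg_op = 'DELETE' then old.id        else new.id        end,
    case when tg_op = 'DELETE' then old.school_id else new.school_id end,
    auth.uid(),
    tg_op,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return coalesce(new, old);
end;
$$;

create trigger pupils_audit_trg
after insert or update or delete on pupils
for each row execute function audit_pupils();

-- The audit table is read-only for application roles: RLS is enabled with a
-- SELECT policy only, so there is no policy permitting insert, update or delete,
-- and only the definer trigger can append to it.
alter table pupils_audit enable row level security;
create policy pupils_audit_school_read on pupils_audit
  for select
  to authenticated
  using (school_id = (auth.jwt() -> 'app_metadata' ->> 'school_id')::uuid);
```

Two points worth checking in a review of any such setup: the school_id claim must be written by server-side code (not from user-editable profile fields, which would let a user move themselves to another school), and the audit table must have no write policy for application roles, otherwise the "reliable audit trail" the schedule promises could be edited by the very users it records. Supabase's service-role key bypasses RLS entirely, which is why Schedule 3 restricts it to server-side code.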

Incident response: Breach notification to the Controller within 24 hours of discovery; ICO notification within 72 hours where required; affected data subjects notified without undue delay where high risk.


Document information

  • Version: 1.0
  • Issue date: 7 June 2026
  • Effective: on acceptance by the Controller
  • Document owner: Nectarwood Ltd
  • ICO Registration: ZC112415