Data Processing Agreement (DPA)
Last updated: January 24, 2026
This Data Processing Agreement applies when a school or educational institution ("Customer") uses FeedbackFlow.AI (Feedback Flow) to process student work. It sets out how FeedbackFlow.AI processes personal data on behalf of the Customer under UK GDPR and EU GDPR.
Processor: FeedbackFlow.AI (Daniel). Contact: [email protected]
Download: DPA Template (PDF)
Governance summary: Privacy and Governance Summary
1. Roles and Scope
Customer (School): Data Controller for student data uploaded to the service.
FeedbackFlow.AI: Data Processor for student data; Data Controller for account and billing data.
This DPA covers processing of student work, feedback, and related metadata provided by the Customer.
The Customer is responsible for determining the lawful basis for processing student data and for providing any notices, permissions, or consent required by its own policies or applicable law.
2. Processing Details
- Subject matter: Student work, teacher feedback, and assessment artifacts.
- Duration: For the term of the Customer's account, plus defined retention periods in the Privacy Policy.
- Nature and purpose: Transcription, marking assistance, and educational feedback workflows.
- Data subjects: Students and teachers.
- Categories of data: Student names (if provided), handwritten essays (PDF), transcribed text, grades, feedback, class metadata, short teacher workflow notes, and limited PP/SEND support indicators where the Customer has approved that use.
FeedbackFlow.AI applies name minimisation before AI processing where technically possible: known student names are replaced with temporary placeholders in text prompts and AI upload display names are generic. This does not remove names that are visible within the content of an uploaded PDF or image, so Customers should apply local minimisation or redaction practices before upload where needed.
PP/SEND processing is limited to support indicators such as pupil premium/disadvantage eligibility, SEN Support status, or EHCP status. The service is not intended for EHCP documents, SEND case files, safeguarding records, child protection records, detailed medical records, behaviour logs, counselling notes, biometric/genetic data or criminal-offence data unless separately agreed in writing and strictly necessary.
3. Processor Obligations
- Process personal data only on documented instructions from the Customer.
- Ensure staff and contractors are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Customer with data subject rights requests.
- Notify the Customer without undue delay of any personal data breach.
- Allow audits or provide evidence of compliance on request.
4. Sub-Processors
FeedbackFlow.AI uses the following sub-processors for infrastructure and processing:
- Supabase (EU-West-2): Database and storage hosting.
- Cloudflare (EU-West-2): Hosting and edge functions.
- Google Gemini API: AI transcription and marking assistance. For billing-enabled API use, Google states that prompts, files, and responses are not used to improve Google products or models; limited logs may be retained for abuse detection, safety, and legal or regulatory purposes. Text prompts use student-name placeholders where known names are detected.
- Stripe: Payment processing.
We will notify Customers of material changes to sub-processors via the Privacy Policy and service updates.
5. International Transfers
If processing involves transfers outside the UK/EU (e.g., Google Gemini), we rely on Standard Contractual Clauses and applicable UK Addendum safeguards, as described in the Privacy Policy.
6. Security Measures
- Encryption in transit (TLS 1.2+).
- Encryption at rest for database and file storage.
- Row Level Security for tenant isolation.
- Access controls with least privilege.
7. Data Retention & Deletion
On termination, FeedbackFlow.AI will delete or return personal data in accordance with the Privacy Policy, the published retention schedule and Customer instructions, unless retention is required by law.
The default technical schedule makes uploaded pupil work, transcripts, AI outputs, draft feedback and related marking records eligible for deletion after 395 days from last update. Schools or trusts may require a different period in their DPIA, contract or records-management policy, and that period should be agreed before rollout.
8. Contact
For DPA questions or requests, email [email protected].
