Thinkbox Education – Data Processing Agreement
1.1. This data processing agreement (“Data Processing Agreement“) applies to the existing terms and conditions (“the Agreement”) for services between Thinkbox Education Ltd (“Thinkbox”) and you (School).
1.2 This Agreement details the licence Thinkbox Education Ltd (“we” or “us”) grant users (to include pupils, students, teachers and/or parents (Users) and governs their use of the SATs Companion and Mirodo educational resource, the website https://www.satscompanion.com and https://www.mirodoeducation.com (Sites), together all known as (Thinkbox Platforms).
1.3. By this Data Processing Agreement, the terms of the Agreement are amended to address Thinkbox’s and your respective rights, duties and obligations arising because of the implementation of Data Protection Legislation, where Thinkbox is acting in its capacity as a Processor and the School acting in your capacity as a Controller under Data Protection Legislation.
1.4 By subscribing (both on a paid for, gifted and/or trial basis) to and/or using Thinkbox Platforms, Users are agreeing to the terms that appear below.
2.1 Users’ access to and use of Thinkbox Platforms is conditional on their acceptance and compliance with the terms, conditions, notices and disclaimers contained within this Agreement (General Conditions).
2.1 User’s access to and use of Thinkbox Platforms constitutes their agreement to be bound by the General Conditions. If you do not agree to any of the General Conditions, you must immediately cease using Thinkbox Platforms.
2.2 We reserve the right to revise and update the General Conditions at any time effective on the date of posting to the Site the new and/or revised provisions.
2.3 All Users must agree to the Thinkbox Platforms – SATs Companion Privacy Notice and Mirodo Privacy Notice (Privacy Notice). Access to and use of Thinkbox Platforms constitutes the User’s agreement to be bound by the Privacy Notice and constitutes the User’s consent to the collection, storage, use and dissemination of the User’s personal information in accordance with the Privacy Notice.
2.4 All Schools must agree to comply with the terms and conditions contained in the Schedule to these General Conditions (Data Protection with Schools). Access to and use of Thinkbox Platforms, constitutes the School’s (and their Users’) agreement to be bound by the Schedule, and constitutes the School’s consent to the processing and handling of their Users’ personal data by us in accordance with the Schedule and our Privacy Notice.
2.5 We agree to comply with the terms and conditions contained in the Schedule to these General Conditions (Data Protection with Schools).
3.1 In order to access and use Thinkbox Platforms, all Users must have a valid subscription or trial. All access and use of Thinkbox Platforms is strictly limited to the User’s subscription period (or where applicable, trial period). If a subscription period (or where applicable, trial period) expires and the User has not applied for a new subscription, the User’s account will be immediately terminated.
3.2 All pupil/child/parent/teacher data will be automatically deleted by us after 12 weeks after a date of expiry of a trial and 3 years after the date of expiry of a subscription, if the school, tutor or family has not subsequently renewed their subscription or trial. Please note that subscriptions are not renewed automatically upon expiry.
3.3 Subscriptions to Thinkbox Platforms are for non-commercial use only. Subscriptions are not transferable.
3.4 Unless expressly agreed with us in advance, each school must have their own separate subscription to Thinkbox platforms, and subscriptions cannot be shared by multiple schools, whether within the same ownership, academy trust or federation or otherwise. If a school is found to be sharing its subscription to Thinkbox Platforms with any other school without our prior permission it’s account may be immediately terminated by us.
3.5 We reserve the right to temporarily suspend and/or cancel unpaid subscriptions.
For parent subscriptions, we offer a no-questions-asked 14- day money back guarantee. To request a refund within this period of time, please contact us at firstname.lastname@example.org or email@example.com.
3.6 No refunds will be offered after this time except in the event the goods/services are faulty and cannot be repaired or replaced, or otherwise in accordance with applicable statutory consumer protection laws.
3.7 Schools are entitled to one 2-week free trial of Thinkbox Platforms prior to subscribing the school to Thinkbox Platforms for the first time.. Once a subscription is taken out by a School or organisation, no refunds will be offered except in the event the goods/services are faulty and cannot be repaired or replaced, or otherwise in accordance with applicable statutory consumer protection laws.
3.8 Users of the Site and/or Apps are liable for their own internet usage and mobile device charges. It is the responsibility of Users to ensure their computers, mobile devices and internet access is sufficient to access Thinkbox Platforms.
3.9 Any User found to be intentionally misusing the Site or Thinkbox Platforms (e.g. hacking or sending fraudulent results) will have their subscriptions revoked without refund. Users are not to use rude or inappropriate words when sharing feedback.
3.10 Users must protect their usernames and passwords from unauthorised use.
3.11 We reserve the right to levy additional charges for access to resources beyond the scope of the initial subscription. In some cases, additional subscription charges may apply for premium additional content, new features and printed content (where applicable).
3.12 Discounts are offered entirely at our discretion.
4. CONSUMER DATA POLICY
4.1 After payment, no credit card details are retained or stored.
4.2 Stringent physical and technological measures are taken to protect User’s payment information.
5. OWNERSHIP OF CONTENT
5.1 All materials including paper based resources, and all materials displayed on the Site and the Thinkbox Platforms, including without limitation all information, text, materials, graphics, software, tools, results derived from the use of software and tools, advertisements, names, logos and trade marks on the paper based version, the Site and the Thinkbox Platforms (Content) are protected by copyright, trade mark and other intellectual property laws unless otherwise indicated.
a. Copyright in the Site (including text, graphics, logos, icons, sounds recordings, computer code and software) and the Content is owned or licensed by Thinkbox Education Ltd (Company Number 07369057). Except as expressly authorised by these General Conditions, or by legislation or statute, Users must not in any form or by any means:
i. adapt, copy, reproduce, store, distribute, print, display, perform, publish or create derivative works from any part of the Content; or
ii. commercialise any information, products, or services obtained from any part of the Content.
b. Users must not modify, copy, reproduce, republish, frame, download onto a computer, upload to a third party, post, transmit, share or distribute this Content in any way except as expressly provided for in these General Conditions or with our express prior written consent.
c. Users must not use the Content for commercial purposes without first obtaining our prior written consent.
6. ACCESS TO AND USE OF THINKBOX PLATFORMS (https://www.satscompanion.com and https://www.mirodoeducation.com)
6.1 Schools may print the paper based version of resources from Thinkbox Platforms for use by their staff and pupils only.
6.2 Schools may print, and save electronic copies of, the certificates, and other resources specifically available on the Site for Users, but only if they can keep all Content intact and in the same form as presented on the Site (including without limitation all copyright, trade mark and other proprietary notices and all advertisements).
6.3 Users must not access or use the Site or the Content in any manner or for any purpose which:
i. is illegal or prohibited by any laws that apply to the User;
ii. violates our rights in any way;
iii. is prohibited by the General Conditions.
6.4 Users must take their own precautions to ensure that the process, which they employ for accessing the Site and Thinkbox Platforms, does not expose them to the risk of viruses, malicious computer code, or other forms of interference, which may damage their own computer system or mobile device. We do not accept responsibility for any interference or damage to users’ own computer systems, mobile devices or data, which arises in connection with their access and/or use of the Site and/or Thinkbox Platforms.
7 DISCLAIMER AND LIMITATION OF LIABILITY
7.1 Although we have no reason to believe that any information contained within Thinkbox Platforms, including our Sites, is inaccurate, we do not warrant the accuracy, adequacy or completeness of the information, we endeavour to keep the Sites and Thinkbox Platforms updated.
7.2 We do not accept responsibility for loss suffered as a result of your reliance on the accuracy or currency of information contained in the Site or Thinkbox Platforms. We and our directors, officers, agents, employees and contractors do not guarantee or warrant the Site and Thinkbox Platforms will be uninterrupted, without delay, error-free, omission-free, or free of viruses. The Content is provided “as is” without warranties of any kind, express or implied, including as to accuracy, timeliness and completeness.
7.3 Neither we, nor our directors, officers, agents, employees or contractors will be liable for any loss or damage, howsoever arising (whether in negligence or otherwise) in connection with Users’ use of, and/or access to Thinkbox Platforms, the Site, the Content, or any omissions from the Content, save where legislation states otherwise.
8.1 All Users must indemnify us and our directors, officers, agents, employees and contractors and keep us and all of them indemnified against all losses, actions, proceedings, costs, expenses (including legal fees), claims and damages arising from any breach by the User of the General Conditions.
9.1 We may terminate access to the Site and/or Thinkbox Platforms at any time without notice. These General Conditions will nevertheless survive any such termination.
10 ADVERTISING AND LINKS TO OTHER WEBSITES
10.1 The Site may contain links to third party sites (Linked Sites). Linked Sites are not under our control and we are not responsible for the content of any Linked Site. We provide these hyperlinks to you as convenience only, and the inclusion of any link does not imply any endorsement of the Linked Site by us or our directors, officers, agents, employees and contractors. Users link to any Linked Sites entirely at their own risk.
10.2 Neither we nor our directors, officers, agents, employees or contractors give any representation or warranty as to the reliability, accuracy, or completeness of any Linked Sites, nor do we accept any responsibility arising in any way for any errors in, or omissions from, any Linked Sites.
11.1 This Agreement shall be governed by and construed in accordance with English law. The courts of England shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with these General Conditions.
11.2 If any of the General Conditions are held to be unenforceable, invalid or illegal for any reason, the remaining terms and conditions will nevertheless continue in full force.
SCHEDULE TO GENERAL CONDITIONS
DATA PROTECTION WITH SCHOOLS
Please note that this Schedule only applies to school subscriptions and not to family subscriptions. This is because when contracting with schools, schools are “controllers” of data and we are considered to be “processors” of that data. Whenever a controller uses a processor, standard contract terms need to be put in place to identify the responsibilities and liabilities of each party regarding the processing of data. For further details on data protection and family subscriptions, please visit our Privacy Notice.
In this Schedule, the following terms shall have the following meanings:
12.1 “Controller”, “Processor”, “Data Subject”, “Personal Data” and “Processing” (and “Process“) shall have the meanings given in Applicable Data Protection Law as amended from time to time;
12.2 “Applicable Data Protection Law” shall mean: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data together with any transposition of that Directive into member state law to which the controller is subject; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
12.3 “Company” means Thinkbox Education Ltd (Company Number 07369057), whose registered office is at Office 2, 127 Trinity Road, London, SW17 7HJ
12.4 “School” means the relevant school or establishment using the Product;
12.5 “School Data” means Personal Data relating to students, parents and guardians, and staff at the School, and other data regarding the school, including year group information;
12.7 A reference to writing or written includes faxes, emails and writing in any electronic form.
13. GENERAL PROVISIONS
13.1 By continuing to use the Product, and by providing the Company with the School
Data, the School agrees to the terms of this Schedule.
13.2 The School and the Company acknowledge that, for the purposes of Applicable Data Protection Law, the Company is a Processor and the School is a Controller in respect of the School Data comprising Personal Data described in Annex A to this Schedule (the “Data”).
13.3 The Company and the School shall comply with all Applicable Data Protection Law in respect of the Processing of the Data.
13.4 The Company shall Process the Data as a Processor for the purposes described in Annex A to this Schedule and otherwise strictly in accordance with the instructions of the School (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) law applicable to the Company.
13.5 The School hereby instructs and authorises the Company to process the Data for the purposes described in Annex A to this Schedule, and as otherwise reasonably necessary to enable the Company to provide the Product to the School.
13.6 The School warrants and represents that it has a lawful basis (pursuant to Applicable Data Protection Law) for supplying all Data to the Company in connection with the School’s use of the Product and the lawful Processing of the Data by both the School and the Company for the purposes set out in this paragraph 13.2. The School shall indemnify the Company against all costs, claims, damages, expenses, losses and liabilities incurred by the Company arising out of or in connection with any failure (or alleged failure) by the School to have a lawful basis for Processing Data.
14. INTERNATIONAL TRANSFERS
14.1 The Company shall not transfer the Data (nor permit the Data to be transferred) outside of the European Economic Area (“EEA“) unless it first takes such measures as are necessary to ensure any such transfer is in compliance with Applicable Data Protection Law.
14.2 In addition, our Sites servers are in the UK through Digital Ocean and not processed internationally. Nonetheless, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Agreement.
15. CONFIDENTIALITY OF PROCESSING
15.1 The Company shall ensure that any person that it authorises to Process the Data (including the Company’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise), and shall not permit any person to Process the Data who is not under such a duty of confidentiality.
15.2 The Company shall ensure that all Authorised Persons Process the Data only as necessary for the Permitted Purpose.
15.3 None of the data processing takes place out of the UK (see point 14.2)
16.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing to be carried out by the Company, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, (ii) accidental loss, alteration, unauthorised disclosure or access, and (iii) any other breach of security ((i), (ii) and (iii) together, a “Security Incident”) in each case appropriate to that risk.
17.1 The Company may appoint sub-contractors to carry out any or all of its Processing activities in accordance with the terms of this paragraph
17.2 The School hereby authorises the Company to appoint third parties to provide web and app development services to the Company in connection with the Product, and third parties to provide electronic data storage and transmission services to the Company in connection with the Product.
17.3 The School hereby authorises the Company to appoint the sub-contractors listed in Annex B to this Schedule to carry out Processing activities in connection with the Data. The Company shall use reasonable endeavours to promptly notify the School of any changes to the identity of such third parties from time-to-time.
17.4 Save as permitted by paragraphs 15.1 and 15.2 the Company shall not appoint any other sub-contractor in connection with the processing of the Data without the prior permission of the School.
17.5 Where the Company appoints a sub-contractor pursuant to paragraph 15, it shall ensure that the Company imposes data protection terms on any sub-contractor it appoints that protect the Data to the same standard as those provided for in this schedule, and meet the requirements of Applicable Data Protection Law.
17.6 The Company acknowledges that it remains fully liable for the acts, errors or omissions of any of its sub-contractors in respect of the Processing of the Data.
18. COOPERATION AND DATA SUBJECTS’ RIGHTS
18.1 The Company shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the School (at the School’s expense) to enable the School to respond to:
18.1.1. any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and
18.1.2 any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Data.
18.2 In the event that any such request, correspondence, enquiry or complaint is made directly to the Company, the Company shall promptly inform the School providing full details of the same and the School shall provide all reasonable and timely assistance to the Company to enable the Company to take appropriate action.
19. DATA PROTECTION IMPACT ASSESSMENT
19.1 If the Company believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the School and provide the School with all such reasonable and timely assistance as the School may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
20. SECURITY INCIDENTS
20.1 Upon becoming aware of a Security Incident, the affected party shall inform the other party without undue delay and shall provide all such timely information and cooperation as the other party may reasonably require including in order for the affected party to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.
20.2 The parties shall each further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep the other party up-to-date about all developments in connection with the Security Incident.
21. DELETION OR RETURN OF DATA
21.1. Upon written request by the School, the Company shall destroy all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing).
21.1. This requirement shall not apply to the extent that the Company is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event the Company shall isolate and protect the Data from any further processing except to the extent required by such law.
22. 1 The Company shall permit the School (or its appointed third party auditors) to audit the Company’s compliance with this Schedule, and shall make available to the School all information, systems and staff reasonably necessary for the School (or its third party auditors) to conduct such audit.
The School will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) the School believes a further audit is necessary due to a Security Incident suffered by the Company. The information and audit rights of the School under paragraph 20.1 shall apply only to the extent required by Applicable Data Protection Law.
The School shall give the Company reasonable notice of any audit or inspection that it wishes to conduct, and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to the Company or its sub-contractors’ business.
Each party (the “Indemnifying Party”) shall indemnify the other (the “Indemnified Party”) from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage (“Damage”) suffered or incurred by the Indemnified Party as a result of the Indemnifying Party’s breach of the provisions of this Schedule, and provided that: (i) the Indemnified Party gives the Indemnifying Party prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this Clause; and (ii) the Indemnified Party takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party’s breach.
24.1 The Company shall have no liability to the School, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:
24.1.1 any loss arising from the default or negligence of any supplier to the School;
24.1.2 loss, interception or corruption
24.1.3 damage to reputation or goodwill; and/or
24.1.4 damage to reputation or goodwill; and/or
24.1.5 any indirect or consequential loss.
24.2 Nothing in this clause shall limit the liability of the Company for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.
Data Processing Description
This Annex A forms part of the General Conditions and describes the Processing that the Company will perform on behalf of the School.
The School Data to be processed concern the following categories of Data Subjects:
2. Parents and Guardians
CATEGORIES OF DATA
The School Data to be Processed concern the following categories of data:
4. school name and contact information (including school postal address, phone number and email address), teachers’ names and contact information (including phone numbers and email addresses), pupils’ names (optional), and class, year and groups;
5. details of interactions that the School and its Data Subjects have with us regarding the Product, together with any other information that the School and its Data Subjects choose to provide us with, for example, through correspondence and interactions with our customer and technical support teams;
6. information collected automatically relating to the Product to include information like a user’s IP address, device type, unique device identification numbers and login information, browser-type and version, time zone setting, operating system and platform, broad geographic location (e.g. country or city-level location) and other technical information;
7. information collected automatically relating to the Product about how a user’s device has interacted with the Site, including the pages accessed and links clicked, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from any page;
8. the answers provided by users of the Product to the questions and the length of time taken to respond in each case.
PROCESSING OPERATIONS/PERMITTED PURPOSE
The School Data will be obtained, held and used by the Company to enable the Company to carry out its obligations arising from the terms and conditions entered into between the School and the Company regarding the use by the School and its users of the Product, including the Site and Apps.
The Company shall ensure that any person that it authorises to Process the Data (including the Company’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise), and shall not permit any person to Process the Data who is not under such a duty of confidentiality.