Sign in Book a walkthrough
Back to trust pack
Trust pack document

Data Processing Agreement (Template)

Controller-processor terms template for school procurement and legal review.

Outleap Data Processing Agreement (School Template)

Status: Approved baseline template for contracting. School-specific fields and legal review are still required before signature.

1. Parties

  • Controller (School): [School legal entity name]
  • Processor (Supplier): Outleap Limited (Company No. 14277395), 86-90 Paul Street, London, England, EC2A 4NE
  • Processor representative: Jesse Merrigan (Director and named data protection contact, supported by Outleap's documented governance and review process), hello@outleap.io
  • Effective date: [YYYY-MM-DD]

2. Services in Scope

This DPA covers personal data processed by Outleap to provide the current first-school rollout of the Outleap destinations workflow. The processing in scope today comprises: the Evidence Bank, the UCAS three-question statement workflow, staff-released managed feedback, references (where enabled for the School), and school oversight tools (cohort visibility, at-risk flags, and school setup metadata). Where Outleap later enables additional workstreams (for example non-university application workspaces), the scope of this DPA will be extended by agreement before any such processing begins; those workstreams are not part of current processing.

3. Roles and Instructions

  1. The School acts as Controller and determines the educational purpose and lawful basis for processing.
  2. Outleap acts as Processor and processes personal data only on the School's documented instructions, unless required by law.
  3. Outleap will promptly notify the School if an instruction appears to conflict with UK GDPR obligations.

4. Categories of Data and Data Subjects

  • Data subjects: students, teachers, school administrators.
  • Core identifiers: name, school email address, user ID, school ID, role.
  • Education workflow data: evidence entries, statement draft text, submitted statement snapshots, staff-published feedback, submission status, and reference workflow records where references are enabled for the School. (If non-university application workspaces are enabled in a future scope, their records would be added here by agreement; they are not processed today.)
  • Operational metadata: course progress, timestamps, audit events, role-based access events.
  • Special category data: may be processed where the School chooses to include extenuating-circumstances or other special category information in authorised workflows (for example UCAS reference Section 2). Such processing remains under the School's instructions and is subject to role-scoped access, safeguarding controls, and the School's lawful basis and Article 9 condition.

5. Security and Confidentiality Controls

Outleap applies technical and organisational measures appropriate to the service, including:

  • Role-based access control and school-level tenant scoping.
  • Authentication controls using Firebase Authentication.
  • Encryption in transit (HTTPS/TLS) and encryption at rest on managed cloud services.
  • Audit logging for administrative and operational actions.
  • Logging policy to avoid student statement text and AI output content in application logs.
  • Least-privilege access for runtime service accounts and infrastructure components.

Personnel with access to personal data are bound by confidentiality obligations.

6. Subprocessors (Current/Planned)

Outleap uses the following subprocessors for platform delivery.

Subprocessor Service purpose Typical data processed Hosting/processing location notes
Google Cloud / Firebase (Google) Hosting, API runtime, auth, database, task queue, storage of platform records Account data, workflow metadata, statement/feedback records, audit logs Configured for UK/EU-oriented regions (europe-west2, europe-west4) for core workloads
Vertex AI (Google) AI-assisted statement feedback generation and reference claims drafting Statement submission snapshots, relevant evidence context, and staff-provided notes/context needed for authorised feedback or reference drafting workflows Configured to process in europe-west4 by default
Postmark (designated transactional email provider) Transactional email delivery (login links, reminders, notifications) Recipient email address, message metadata, delivery events Region/transfer terms to be confirmed in signed contract schedule

Outleap remains responsible for subprocessor compliance and will maintain an up-to-date subprocessor list for customers.

7. International Transfers

Outleap aims to keep customer workloads in UK/EU-hosted infrastructure. If personal data is transferred outside the UK, Outleap will use an appropriate transfer mechanism (for example UK IDTA or UK Addendum to SCCs) and provide supporting documentation on request.

8. Data Subject Rights Support

Outleap will provide reasonable assistance to the School in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection), subject to identity and role verification.

9. Personal Data Breach Process

Outleap will notify the School without undue delay after confirming a personal data breach affecting School data, and provide known details on:

  • nature and likely impact,
  • categories/approximate volume affected,
  • containment and remediation steps,
  • ongoing update cadence.

10. Retention and Deletion

Retention periods and deletion controls are defined in the approved retention schedule (see data-retention-policy-template.md). On contract termination, Outleap will support data export/handover and then delete or return personal data, except where legal obligations require retention.

11. Audit and Assurance

On reasonable notice, Outleap will provide information needed to demonstrate compliance with this DPA, including policy documentation and control evidence appropriate to the service risk profile.

12. Annex A: Processing Details

  • Subject matter: operation of the current first-school rollout of the Outleap destinations workflow.
  • Nature of processing: collection, storage, access control, role-scoped display, staff-released managed feedback workflow processing, reminder/notification operations, and reference workflows where references are enabled for the School.
  • Purpose: support school-led evidence capture, UCAS three-question statement drafting, staff review and managed release, references where enabled, and cohort progress management. Any future post-18 support workspaces would be added to this purpose by agreement before processing begins.
  • Duration: for the term of the service agreement plus agreed retention/deletion windows.

13. Annex B: Contact Points

  • School privacy contact: [Name, role, email]
  • Outleap privacy contact: Jesse Merrigan, Director, hello@outleap.io — supported by Outleap's documented data-protection governance and review process.
  • Breach notification email: hello@outleap.io

14. Signatures

School (Controller)

  • Name:
  • Role:
  • Signature:
  • Date:

Outleap Limited (Processor)

  • Name: Jesse Merrigan
  • Role: Director
  • Signature:
  • Date:

This is a template document. School-specific fields require completion and legal review before use. For questions, contact hello@outleap.io.

For data, IT and DPOs

Need a walkthrough of this document?

We can walk your procurement and governance team through the trust pack and answer school-specific questions.

Book a trust review