Data Processing Agreement
Between the School ("Controller") and Igloo Labs ("Processor"), following ICO standard controller-processor clauses under Article 28 of the UK GDPR.
Pre-signed by Igloo Labs. Print, countersign, and return to schools@spellandgrow.app.
Parties
Controller: The School identified in the subscription agreement
Processor: Igloo Labs Ltd, London, United Kingdom
Document reference: SG-DPA-2026-01 · Version 1.0
1. Definitions
"Controller" means the School identified in the subscription agreement, which determines the purposes and means of the processing of Personal Data.
"Processor" means Igloo Labs, which processes Personal Data on behalf of the Controller.
"Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR) as retained by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any successor legislation.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this Agreement, being teachers, school staff, and pupils as described in Appendix 1.
"Personal Data" means any information relating to a Data Subject as defined by the Data Protection Laws, processed by the Processor on behalf of the Controller under this Agreement.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Services" means the Spell & Grow for Schools service, including the teacher portal, mobile application school features, and associated infrastructure as described in the subscription agreement.
2. Scope and Purpose of Processing
2.1 The Processor shall process Personal Data solely for the purpose of providing the Services to the Controller, specifically:
- Authenticating and managing teacher and school administrator accounts;
- Enabling teachers to create, manage, and assign spelling word lists to classes;
- Facilitating the linking of pupil profiles to school classes via join codes;
- Recording and displaying pupil spelling progress to teachers and school administrators;
- Generating audio files for words and sentences in spelling lists; and
- Hosting and serving the teacher portal and associated application programming interfaces.
2.2 The Processor shall not process Personal Data for any purpose other than those set out in this Agreement, unless required to do so by applicable law.
2.3 The Processor shall not sell, rent, or otherwise make available Personal Data to any third party, except as expressly provided in this Agreement.
3. Categories of Data Subjects
Teachers and school staff: Individuals employed by or engaged by the Controller who use the teacher portal to manage spelling lists and monitor pupil progress.
Pupils: Children aged 4 to 13 who are enrolled at the Controller's school and whose profiles have been linked to a school class by a parent or guardian.
4. Types of Personal Data Processed
4.1 Teacher and School Staff Data
| Data Element | Purpose | Lawful Basis |
|---|---|---|
| Email address | Account authentication and communication | Performance of contract |
| Full name | Display in the teacher portal | Performance of contract |
| Role (admin/teacher) | Access control within the school account | Performance of contract |
| Password (hashed) | Account authentication | Performance of contract |
4.2 Pupil Data
| Data Element | Purpose | Lawful Basis |
|---|---|---|
| First name | Identification by teacher in progress dashboard | Legitimate interest (educational provision) |
| Anonymous identifier | Preventing duplicates; linking profile to class | Legitimate interest (educational provision) |
| Spelling progress data | Enabling teachers to monitor pupil progress | Legitimate interest (educational provision) |
| Class membership | Associating pupil with correct class and lists | Legitimate interest (educational provision) |
4.3 Data not collected from pupils
No surname, date of birth, email address, home address, device identifiers, IP addresses (linked to pupil records), photographs, biometric data, or special category data.
5. Duration of Processing
5.1 The Processor shall process Personal Data for the duration of the subscription agreement between the Controller and the Processor.
5.2 Upon termination or expiry, the Processor shall handle Personal Data in accordance with Section 13 (Termination and Data Return/Deletion).
5.3 Pupil progress data from previous academic years shall be retained for 12 months following the end of the academic year in which it was created, after which it shall be automatically deleted unless the Controller requests earlier deletion.
6. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the United Kingdom.
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take all measures required pursuant to Article 32 of the UK GDPR (security of processing), as detailed in Appendix 2.
- Respect the conditions for engaging sub-processors set out in Section 8.
- Assist the Controller, by appropriate technical and organisational measures, in fulfilling the obligation to respond to data subject rights requests.
- Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the UK GDPR.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services.
- Make available to the Controller all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Laws.
7. Security Measures
7.1 The Processor shall implement and maintain appropriate technical and organisational security measures, including at a minimum:
- Encryption of Personal Data in transit using TLS 1.2 or higher;
- Encryption of Personal Data at rest using AES-256;
- Access controls including role-based access, multi-factor authentication for infrastructure access, and principle of least privilege;
- Regular security updates and vulnerability patching;
- Row-level security policies ensuring data isolation between schools;
- Regular backups with point-in-time recovery capability;
- Logging and monitoring of access to Personal Data; and
- Staff training on data protection and information security.
7.2 Full details of security measures are provided in Appendix 2.
8. Sub-processors
8.1 The Controller provides general written authorisation for the Processor to engage sub-processors, subject to the conditions below.
8.2 The current list of sub-processors is set out in Appendix 3 and maintained at spellandgrow.app/schools/sub-processors.
8.3 The Processor shall provide at least 30 days' notice before engaging a new sub-processor.
8.4 If the Controller objects on reasonable data protection grounds, the Processor shall use reasonable efforts to provide an alternative. If unable to do so within a reasonable period, either party may terminate the subscription agreement.
8.5 Sub-processors are bound by data protection obligations no less onerous than those in this Agreement.
8.6 The Processor remains fully liable for each sub-processor's obligations.
9. Personal Data Breach Notification
9.1 The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data Breach.
9.2 Such notification shall include, at a minimum:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned;
- The name and contact details of the Processor's data protection contact;
- A description of the likely consequences; and
- A description of the measures taken or proposed to address the breach.
9.3 The Processor shall cooperate with the Controller in the investigation, mitigation, and remediation of each breach.
9.4 The Processor shall document all breaches and make such documentation available to the Controller upon request.
10. Data Subject Rights
10.1 The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise any rights under Data Protection Laws.
10.2 The Processor shall not respond directly unless authorised by the Controller.
10.3 The Processor provides the following self-service capabilities:
- Erasure: School administrators may delete individual pupil records, entire classes, or all school data via the teacher portal. Parents may unlink their child from a school class via the mobile application, triggering deletion of the associated pupil record on the server.
- Access and portability: School administrators and teachers may export all pupil progress data in CSV format via the teacher portal.
- Rectification: Teachers may update pupil display names. School administrators may update school and staff details.
11. International Transfers
11.1 The Processor shall not transfer Personal Data outside the United Kingdom or the European Economic Area without the prior written consent of the Controller.
11.2 As at the date of this Agreement, all Personal Data is processed and stored within the United Kingdom (AWS eu-west-2, London).
11.3 Where a sub-processor processes data outside the UK/EEA (for example, ElevenLabs for audio generation), the Processor ensures that only non-personal data is transmitted — specifically, word and sentence text only, with no pupil or teacher data.
12. Data Retention Schedule
| Data Category | Retention Period | Trigger for Deletion |
|---|---|---|
| Teacher account data | Duration of subscription + 30 days | Subscription termination |
| School configuration (classes, lists) | Duration of subscription + 30 days | Subscription termination |
| Pupil records (active academic year) | Duration of current academic year | Academic year end |
| Pupil progress data (historical) | 12 months after end of academic year | Automatic |
| Archived classes | 12 months after archival | Automatic |
| Server access logs | 90 days | Rolling deletion |
| Backup data | 30 days | Rolling deletion |
The Controller may request earlier deletion of any data category at any time.
13. Termination and Data Return/Deletion
13.1 Upon termination or expiry of the subscription agreement, the Processor shall:
- Cease all processing of Personal Data on behalf of the Controller;
- Within 30 days, make available a complete export of all Personal Data in a structured, commonly used, and machine-readable format (CSV);
- Following confirmation of receipt by the Controller, or after 30 days if no confirmation is received, securely delete all Personal Data from all systems including sub-processors; and
- Provide written confirmation that all Personal Data has been deleted.
13.2 The Processor shall not be required to delete Personal Data where retention is required by applicable law, provided that the Processor informs the Controller and ensures confidentiality of the retained data.
Appendix 1: Description of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Spell & Grow for Schools spelling education service |
| Duration | Duration of the subscription agreement |
| Nature of processing | Collection, storage, retrieval, use, and deletion for spelling list management and progress reporting |
| Purpose | Educational provision: management of spelling lists, class administration, and progress reporting |
| Data subjects | (1) Teachers and school staff; (2) Pupils aged 4 to 13 |
| Personal data types | Teachers: email, name, role, hashed password. Pupils: first name, anonymous identifier, spelling progress, class membership |
| Special category data | None |
Appendix 2: Technical and Organisational Security Measures
Infrastructure Security
- All data hosted on Supabase / AWS eu-west-2 (London, United Kingdom)
- TLS 1.2+ encryption in transit with HSTS enforcement
- AES-256 encryption at rest (AWS-managed)
- No direct public access to database servers
Access Control
- Email/password authentication with bcrypt password hashing
- JWT-based session management with appropriate expiry
- PostgreSQL row-level security (RLS) for school data isolation
- Principle of least privilege for all service accounts
- Multi-factor authentication for infrastructure access
Data Protection
- Data minimisation: only the minimum data necessary for the educational purpose is collected
- Logical data isolation between schools via database-level RLS policies
- Pseudonymisation: app-generated anonymous identifiers for pupils (not device identifiers)
Backup and Recovery
- Daily automated backups by Supabase with point-in-time recovery (PITR)
- All backups encrypted at rest using AES-256
- Backup restoration procedures tested periodically
Monitoring and Incident Response
- Logging of authentication events, data access, and administrative actions
- Infrastructure monitoring for availability and security anomalies
- Documented incident response procedure with 24-hour breach notification
Staff Measures
- All personnel with access to Personal Data are bound by confidentiality obligations
- Personnel receive training on data protection and secure data handling
Appendix 3: Sub-processors
| Sub-processor | Processing Location | Purpose | Data Processed |
|---|---|---|---|
| Supabase Inc. | AWS eu-west-2 (London, UK) | Database, auth, file storage, serverless functions | Teacher accounts, school data, pupil records, progress, audio files |
| ElevenLabs Inc. | United States | Text-to-speech audio generation | Word/sentence text only. No personal data. |
| Vercel Inc. | Edge network (UK preferred) | Website and teacher portal hosting | Teacher portal session data (auth tokens) |
| Stripe Inc. | EU/UK | Subscription billing and payment processing | School billing contact details. No pupil data. |
Full sub-processor details at spellandgrow.app/schools/sub-processors
This Agreement is governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction.
This DPA follows the ICO's guidance on controller-processor contracts under Article 28 of the UK GDPR.
Data Processor: Igloo Labs Ltd, registered in England and Wales. London, United Kingdom.
Contact: schools@spellandgrow.app · privacy@spellandgrow.app
Document reference: SG-DPA-2026-01 · Last updated: February 2026