Noticed Technology Ltd
Data Sharing Agreement
(Data Processing Addendum)
March 2026
Between
Noticed Technology Ltd
(“the Company” / Data Processor)
and
The undersigned School / Trust
(“the Customer” / Data Controller)
Contact: Dominic Markham, CEO, Noticed Technology Ltd
Document Overview
This Data Sharing Agreement (“DSA”), also referred to as a Data Processing Addendum (“DPA”), forms part of the service agreement between Noticed Technology Ltd (“the Company”) and the undersigned school or trust (“the Customer”) for the provision of the Noticed platform (the “Service”).
The parties have agreed to enter into this DSA in order to ensure that adequate safeguards are put in place with respect to the protection of Personal Data as required by UK Data Protection Laws, including the UK GDPR and the Data Protection Act 2018.
Document Structure
- Main body of the DSA between the Company and the Customer (Sections 1–11, signature required in Section 11)
- Annex 1: Details of the Personal Data and Processing Activities
- Annex 2: Technical and Organisational Security Measures
How to Execute This DSA
1.This DSA has been pre-signed on behalf of the Company.
2.To complete this DSA, the Customer must complete the information in the signature box and sign in Section 11.
3.Send the completed and signed DSA to the Company by email to dominic@noticedtechnology.com, indicating the Customer’s legal name.
4.Upon receipt of the validly completed DSA by the Company, this DSA will become legally binding.
How This DSA Applies
This DSA is an addendum to and forms part of the service agreement between the Customer and the Company. The Customer entity signing this DSA must be the same as the Customer entity that is party to the service agreement.
1. Definitions
The following definitions are used in this DSA:
a.“Customer Group” means the Customer and any of its member schools, academies, or affiliated educational establishments that are onboarded to the Service under the Customer’s service agreement. Each member school within a Customer Group is a separate Controller for the Personal Data of its own pupils and staff.
b.“Data Protection Laws” means the UK GDPR (the retained EU law version of the General Data Protection Regulation (EU) 2016/679), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, as amended, and any successor legislation.
c.“UK GDPR” means the General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
d.“Personal Data” has the meaning given in UK GDPR Article 4(1): any information relating to an identified or identifiable natural person.
e.“Special Category Data” has the meaning given in UK GDPR Article 9(1) and, for the purposes of this DSA, includes SEND/EHCP indicator flags where enabled by the Customer.
f.“Controller” means the school or trust that determines the purposes and means of the processing of Personal Data.
g.“Processor” means the Company, which processes Personal Data on behalf of the Controller in accordance with documented instructions.
h.“Sub-processor” means any third party engaged by the Company to carry out processing activities on behalf of the Controller.
i.“Security Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Status of the Parties
a.The type of Personal Data processed pursuant to this DSA, the subject matter, duration, nature, and purpose of the processing, and the categories of data subjects, are described in Annex 1.
b.Each party warrants that it will comply with Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
c.The parties acknowledge and agree that the Customer is the Data Controller and the Company is the Data Processor, and accordingly the Company agrees that it shall process all Personal Data in accordance with this DSA.
d.Where and to the extent that the Company processes data which is defined as ‘personal data’ under Data Protection Laws as a data controller (for example, for account administration and platform security), the Company will comply with applicable Data Protection Laws in respect of that processing in accordance with its own privacy policy.
e.Each party shall appoint an individual within its organisation authorised to respond to enquiries regarding the Personal Data, and each party shall deal with such enquiries promptly.
3. Company Obligations
With respect to all Personal Data, the Company warrants that it shall:
i.Only process Personal Data in order to provide the Service, and shall act only in accordance with: (a) this DSA, (b) the Customer’s documented instructions as represented by the service agreement and this DSA, and (c) as required by applicable laws.
ii.Inform the Customer if, in the Company’s opinion, any instructions provided by the Customer violate Data Protection Laws.
iii.Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the processing of Personal Data, as detailed in Annex 2.
iv.Take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons authorised to access the Personal Data are under obligations of confidentiality.
v.Notify the Customer of any Security Breach without undue delay and in any event within 24 hours of becoming aware, and promptly provide reasonable cooperation and assistance including: the possible cause and consequences; the categories of Personal Data involved; a summary of the possible consequences for data subjects; and the measures taken to mitigate any damage.
vi.Not make any public announcement about a Security Breach without the prior written consent of the Customer, unless required by applicable law.
vii.Promptly notify the Customer if it receives a Data Subject Request (access, rectification, erasure, restriction, objection, or portability). The Company shall not respond to a Data Subject Request without the Customer’s prior written consent. The Company shall acknowledge requests within 2 business days and provide reasonable assistance to the Customer to facilitate such requests within 5 working days of a written request from the Customer (or agree an updated timeline where the request is complex).
viii.Following termination or expiry of the service agreement, the Company shall, at the Customer’s election, either return all Personal Data in a commonly used electronic format or delete all Personal Data (including copies) within 14 days of the end date, or earlier if instructed by the Controller. Where the Customer does not make an election, the Company shall delete the data. Where data is deleted from the live service, it may persist only within encrypted backups for a rolling 7-day restore window, after which backups are automatically removed. Written confirmation of deletion will be provided on request.
ix.Provide reasonable assistance to the Customer in relation to data protection impact assessments, notification to the supervisory authority, communications to data subjects in response to any Security Breach, and the Customer’s compliance with its obligations under Data Protection Laws with respect to the security of processing.
x.Not process Personal Data for any purpose other than providing the Service. The Company does not use Personal Data for marketing, advertising, behavioural profiling, or any purpose unrelated to the delivery of the Service. AI-generated content is produced from curriculum materials only; no Personal Data is sent to AI sub-processors.
xi.Where the Company uses automated processing to summarise pupil activity, highlight possible misconceptions or skill gaps, or suggest learning resources, such outputs are designed to support teacher judgement and do not replace teacher decision-making. No grades, progression decisions, or interventions are applied automatically without a teacher’s review. No automated decisions are made that have legal or similarly significant effects on pupils within the meaning of Article 22 UK GDPR. Teachers retain full control over how they interpret and act on any insights.
xii.Maintain records of processing activities carried out on behalf of the Customer as required by Article 30(2) UK GDPR, and make such records available to the Customer or the supervisory authority on request.
4. Sub-processing
The Customer grants a general authorisation to the Company to engage sub-processors for the performance of the Service, provided that:
i.The Company maintains an up-to-date list of its sub-processors, available on request and/or on the Company website, and will notify the Customer of new and replacement sub-processors prior to them starting processing of Personal Data. If the Customer has a reasonable objection to any new or replacement sub-processor, it shall notify the Company in writing within 14 days. The parties will seek to resolve the matter in good faith. If the matter cannot be resolved within 90 days, the Customer may terminate the applicable Service with at least 30 days’ written notice. If the Customer does not provide a timely objection, the Customer will be deemed to have consented to the sub-processor.
ii.The Company will ensure that any sub-processor is engaged under a written contract which imposes obligations substantially no less protective of Personal Data than those imposed on the Company in this DSA. The Company shall remain liable for any breach of this DSA caused by an act, error, or omission of its sub-processor.
5. Audit and Records
a.The Company shall make available to the Customer such information as the Customer may reasonably request to demonstrate the Company’s compliance with its obligations under Data Protection Laws.
b.The Company holds Cyber Essentials Plus certification (issued February 2026). Evidence of accreditation is available on request.
c.To support the Customer’s assurance requirements, the Company will, on reasonable request, provide: (i) a copy of its current security certification; (ii) a summary of its most recent penetration test or vulnerability assessment, including remediation actions taken (where available); and (iii) responses to a reasonable written security questionnaire. Document-based audits are the default mechanism. On-site audits may be conducted by mutual agreement, at the Customer’s cost, and subject to reasonable notice.
6. International Data Transfers
a.Core Personal Data is stored in the United Kingdom (London). The Company selects UK/EU data processing and residency options wherever possible.
b.Some sub-processors operate global infrastructure and may process limited technical metadata (for example IP address, device/browser information, and request identifiers) outside the UK/EU. The Company minimises what is shared with such sub-processors, using pseudonymised identifiers where possible and limiting logging to what is operationally necessary.
c.Where any restricted transfer occurs, the Company relies on appropriate safeguards in vendor terms (UK International Data Transfer Agreement and/or UK Addendum to EU Standard Contractual Clauses, as applicable) and completes and maintains Transfer Impact Assessments where required. Completed transfer documentation and Transfer Impact Assessments are available on request.
d.Supplementary measures include encryption in transit (TLS) and at rest, strict access controls and authentication requirements, minimised logging, pseudonymisation where applicable, and regular review of sub-processor compliance and legal developments.
7. Children’s Data
a.The Company acknowledges that the Service processes the Personal Data of children and has had regard to the ICO’s Age Appropriate Design Code in the design and operation of the platform.
b.Key standards are addressed through: data minimisation (only data necessary for the Service is processed); high privacy by default (optional data fields are disabled unless the Customer enables them); age-appropriate transparency (the Customer is responsible for providing age-appropriate privacy information to pupils, supported by suggested wording available from the Company on request); and no detrimental use of data (pupil data is used only to support learning and is not used for marketing, advertising, or behavioural nudging).
c.Any automated insights or resource suggestions are advisory prompts for teacher review and do not make decisions about pupils automatically. Pupils can access only their own content and activity within the platform.
8. Cookies and Product Analytics
a.The Service uses essential cookies required for secure login and core service operation.
b.Product analytics is optional and will only be enabled with the Customer’s prior approval. If enabled, analytics will be configured for pseudonymous use only (no names or email addresses in event data; session recording disabled; IP anonymisation where supported). Analytics can be disabled at any time on request.
c.If product analytics is enabled, the Company will follow the Customer’s PECR-compliant consent or notice approach and will only initialise analytics after that approach is in place.
d.The Company will not use analytics data for any purpose other than understanding feature usage and improving the Service. Analytics data will not be shared with third parties except the analytics sub-processor identified in the Company’s sub-processor register.
9. Cooperation with Supervisory Authority
a.The Company shall cooperate with and assist the Customer in respect of any investigation, enquiry, or audit by the Information Commissioner’s Office (ICO) or any other relevant supervisory authority, to the extent that such investigation, enquiry, or audit relates to Personal Data processed under this DSA.
b.The Company shall promptly inform the Customer if it becomes aware of any investigation or enquiry by a supervisory authority that relates to the processing of Personal Data under this DSA, unless prohibited from doing so by applicable law.
10. Liability
a.The Company’s total aggregate liability under or in connection with this DSA (including under any transfer mechanism) shall not exceed the greater of: (a) the total fees paid by the Customer to the Company in the 12 months immediately preceding the event giving rise to the claim; or (b) one thousand pounds (£1,000).
b.Neither party shall be liable to the other for any indirect, consequential, special, or incidental losses or damages arising under or in connection with this DSA, including loss of profit, loss of revenue, loss of data (except Personal Data to the extent required by Data Protection Laws), or loss of business opportunity.
c.Nothing in this DSA shall limit or exclude either party’s liability for: (i) death or personal injury caused by its negligence; (ii) fraud or fraudulent misrepresentation; or (iii) any other liability that cannot be limited or excluded by applicable law.
11. General
i.This DSA is without prejudice to the rights and obligations of the parties under the service agreement. In the event of any conflict between the terms of this DSA and the service agreement, the terms of this DSA shall prevail so far as the subject matter concerns the processing of Personal Data.
ii.This DSA does not confer any third-party beneficiary rights. It is intended for the benefit of the parties hereto and their respective permitted successors and assigns only.
iii.This DSA shall be governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the English courts.
iv.This DSA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof. No modification or amendment shall be effective unless in writing and signed by an authorised representative of each party.
v.This DSA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement.
12. Execution
IN WITNESS WHEREOF, the parties have each caused this DSA to be signed and delivered by their duly authorised representatives.
| CUSTOMER (Data Controller) | COMPANY (Data Processor): Noticed Technology Ltd |
|---|---|
| BY: | Pre-signed on behalf of the Company |
| NAME: | NAME: Dominic Markham |
| TITLE: | TITLE: CEO |
| ADDRESS: | ADDRESS: Manchester, United Kingdom |
| DATE: | DATE: |
Annex 1: Details of Personal Data and Processing Activities
Purpose of Processing
The Company processes Personal Data on behalf of the Customer to provide the Noticed platform, which helps pupils recover lost learning by linking lesson attendance to curriculum content and generating lesson-linked interactive worksheets. Processing includes: synchronising timetable, teaching group and lesson attendance data from the school MIS; generating lesson-linked resources from curriculum materials; providing student, teacher, and parent/carer portal access; recording worksheet interaction data; and using automated processing to summarise pupil activity, highlight possible misconceptions or skill gaps, and suggest learning resources to support teacher judgement.
Duration of Processing
Processing will continue until the earliest of: (a) expiry or termination of the service agreement; or (b) the date upon which the Customer instructs the Company in writing to cease processing. All Personal Data will be returned or deleted within 14 days of the applicable end date, in accordance with Section 3.viii.
Categories of Data Subjects
- Pupils registered at the Customer’s school(s) who are included in the Service
- Teaching and support staff at the Customer’s school(s) who interact with the Service
- Parents and carers of pupils included in the Service (only where the Parent/Carer Portal is enabled by the Customer)
Categories of Personal Data
Pupil data: Name, year group, class/teaching group membership, MIS identifiers (admission number, MIS ID, UPN where available), timetable and lesson context (lesson/session IDs, periods, room identifiers), attendance marks/codes, and learning interaction data generated within Noticed (worksheet access, completion status, responses).
Optional pupil data (where enabled by the school): Pupil photograph, PP/FSM eligibility flags, SEND/EHCP/EAL indicator flags, reading age, assessment results, and classroom seating plan data.
Staff data: Staff ID, name, school email address, role/department, and teaching schedule links to classes.
Parent/Carer data (only where the Parent/Carer Portal is enabled by the Customer): Parent/carer name, email address, and relationship to child. This data is not collected or processed unless the Customer has enabled the Parent/Carer Portal.
Special Category Data
Where the Customer enables SEND/EHCP indicator flags, these constitute special category data (health/disability information). Only high-level MIS status flags are processed; no case notes, medical information, safeguarding records, or other sensitive narrative fields are ingested. SEND/EHCP flags are disabled by default and will only be processed with the Customer’s explicit approval.
Non-Personal Data
The Company also processes non-personal curriculum content data (exam board specifications, schemes of learning, pacing plans, lesson resources) to generate lesson-linked worksheets. This data does not contain Personal Data.
Annex 2: Technical and Organisational Security Measures
The Company has implemented and shall maintain a security programme in accordance with industry standards. More specifically, the Company’s security programme shall include:
Access Control of Processing Areas
The Company implements suitable measures in order to prevent unauthorised persons from gaining access to the data processing equipment where Personal Data are processed or used, including:
- Establishing security areas and restricting access paths;
- Establishing access authorisations for employees and third parties;
- Securing data centres and hosting infrastructure with appropriate physical and logical security measures.
Access Control to Data Processing Systems
The Company implements suitable measures to prevent data processing systems from being used by unauthorised persons, including:
- Use of adequate encryption technologies;
- Identification of the terminal and/or the terminal user to the processing systems;
- Automatic temporary lock-out of user sessions if left idle, with identification and password required to reopen;
- Multi-factor authentication enforced for administrative access to production systems;
- Monitoring of break-in attempts and alerts.
Access Control to Use Specific Areas of Data Processing Systems
The Company commits that persons entitled to use its data processing systems are only able to access data within the scope and to the extent covered by their respective access permission (authorisation), and that Personal Data cannot be read, copied, modified or removed without authorisation. This shall be accomplished by various measures including:
- Employee policies and training in respect of each employee’s access rights to the Personal Data;
- Allocation of individual user accounts with identification characteristics exclusive to specific functions;
- Role-based access control, ensuring release of data only to authorised persons with differentiated access rights and roles;
- Use of adequate encryption technologies;
- Control of files, and controlled and documented destruction of data.
Availability Control
The Company implements suitable measures to ensure that Personal Data are protected from accidental destruction or loss, including:
- Infrastructure redundancy;
- Backups stored at an alternative site and available for restore in case of failure of the primary system;
- Encryption at rest for stored Personal Data.
Transmission Control
The Company implements suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorised parties during transmission or transport, including:
- Use of adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which data travels;
- Encryption in transit for all data transmissions;
- As far as possible, all data transmissions are logged, monitored and tracked.
Input Control
The Company implements suitable input control measures, including:
- Authentication of authorised personnel;
- Protective measures for data input into memory, as well as for the reading, alteration and deletion of stored data;
- Utilisation of unique authentication credentials;
- Providing that entries to data processing facilities are appropriately secured;
- Automatic log-off of user accounts that have not been used for a substantial period of time;
- Electronic recording of entries.
Separation of Processing for Different Purposes
The Company implements suitable measures to ensure that data collected for different purposes can be processed separately, including:
- Access to data is separated through application security for the appropriate users;
- At the database level, data is stored in separate structures, segregated per Controller Customer or function they support;
- Interfaces and processes are designed for only specific purposes and functions, so data collected for specific purposes is processed separately;
- Personal Data and curriculum content are architecturally separated: AI processing receives only curriculum materials, never Personal Data.
Documentation
The Company will keep documentation of technical and organisational measures in case of audits and for the conservation of evidence. The Company shall take reasonable steps to ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organisational measures set forth in this Annex.
Monitoring
The Company shall implement suitable measures to monitor access to systems and to ensure that authorised personnel act in accordance with instructions received. This is accomplished by various measures including:
- Individual appointment and identification of system administrators;
- Adoption of suitable measures to register system access logs and keep them secure, accurate and unmodified;
- Regular audits of system administrators’ activity to assess compliance with assigned tasks and applicable laws;
- Keeping an updated list of system administrators’ identification details and tasks assigned, and providing it promptly to the Customer upon request.
Certification
Noticed Technology Ltd holds Cyber Essentials Plus certification (issued February 2026). Evidence of accreditation is available on request.