This Data Processing Agreement describes the processing terms that apply where Assessment Questionnaires processes assessment-related personal data on behalf of an assessor, practitioner, school, business, or other customer organisation.
1. Roles
The customer is the controller of assessment data. Assessment Questionnaires acts as the processor for that data. The customer determines the purpose and essential means of the processing, including who is assessed, what questionnaires are used, who receives links, how reports are used, and how assessment records are shared.
2. Subject matter and duration
Processing covers hosting, collecting, storing, displaying, exporting, transmitting, and, where enabled, generating assessment-related content from questionnaire responses. Processing lasts for the duration of the customer’s use of the platform and any agreed retention or deletion period.
3. Categories of data
- Assessment subject details, such as name, date of birth, school, year group, and contact context.
- Questionnaire responses from parents, carers, teachers, SENDCos, tutors, or the subject.
- Educational, developmental, health-related, family learning, and support history.
- Uploaded attachments and generated report/background content.
- Access links, completion records, audit data, and technical metadata.
4. Customer instructions
Assessment Questionnaires will process assessment data only on documented customer instructions, including through platform configuration and ordinary customer use, unless required to do otherwise by law.
5. Confidentiality and security
Assessment Questionnaires will take appropriate technical and organisational measures to protect assessment data, including access controls, authentication, encryption in transit, restricted administrative access, backups, monitoring, and operational security measures appropriate to the risk.
6. Subprocessors
The customer authorises Assessment Questionnaires to use subprocessors needed to operate the platform. Subprocessors will be subject to contractual obligations intended to protect personal data. A current summary is published on the Subprocessors page.
7. Assistance
Assessment Questionnaires will provide reasonable assistance to customers with data subject requests, security incidents, deletion or export requests, and information needed for DPIAs or consultations, taking into account the nature of the processing and information available to the platform.
8. Personal data breach
Assessment Questionnaires will notify affected customers without undue delay after becoming aware of a personal data breach affecting assessment data processed on their behalf.
9. Return and deletion
On termination or written instruction, Assessment Questionnaires will delete or return assessment data unless retention is required by law or needed for legitimate backup, security, or dispute-resolution purposes for a limited period.
10. Customer responsibilities
Customers are responsible for their lawful basis, special category condition where applicable, respondent privacy notices, professional obligations, accuracy of report content, decisions to share reports, and responding to data subject rights requests where they are the controller.