Data Processing Agreement

Effective date: January 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between Signal Education Ltd ("Processor") and the organization subscribing to Signal's services ("Customer" or "Controller"). This DPA governs the processing of personal data in connection with the Signal safeguarding platform ("Services").

This DPA applies to all Customer Data uploaded by authorized users of the Services and forms part of the main Service Agreement between the parties.

2. Definitions

  • "Customer Data" means all personal data and special category data relating to individuals that is uploaded, submitted, or generated through use of the Services by the Customer or its authorized users.
  • "Personal Data" has the meaning given in UK GDPR and includes any information relating to an identified or identifiable natural person.
  • "Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or data concerning a child's safeguarding status.
  • "Processing" has the meaning given in UK GDPR and includes any operation performed on personal data.
  • "Data Subject" means the identified or identifiable natural person to whom personal data relates.
  • "UK GDPR" means the UK General Data Protection Regulation and the Data Protection Act 2018.

3. Controller-Processor Relationship

3.1 Roles and Responsibilities

The Customer acts as the Data Controller, determining the purposes and means of processing personal data. Signal acts as the Data Processor, processing Customer Data only on documented instructions from the Customer.

3.2 Processing Instructions

Signal shall process Customer Data only insofar as it is necessary for the performance of the Services under the Agreement. Signal will not process Customer Data for any other purpose unless required by applicable law.

3.3 Independent Processing

Signal may independently process limited data (account usernames, contact details, usage analytics) as a controller for legitimate business purposes including service provision, billing, support, and service improvement.

4. Nature and Purpose of Processing

4.1 Categories of Data

Customer Data processed through the Services may include:

  • Student Information: Names, dates of birth, identifiers, year groups, contact details
  • Safeguarding Records: Incident descriptions, categories, severity levels, concerns, observations
  • Special Category Data: Health information, safeguarding concerns, wellbeing data
  • Staff Information: Names, roles, contact details, account credentials
  • Documents: Uploaded files, images, and attachments with associated metadata
  • Communications: Messages, notes, action records, and correspondence
  • Parent/Guardian Data: Contact information and relationship details

4.2 Categories of Data Subjects

  • Children and students
  • Parents and guardians
  • School staff and employees
  • External agency representatives

4.3 Purpose of Processing

Processing is conducted to enable the Customer to manage safeguarding records, track student wellbeing, record and monitor incidents, collaborate with designated staff and agencies, and fulfill statutory safeguarding obligations.

5. Security Measures

5.1 Technical and Organizational Measures

Signal implements appropriate technical and organizational measures to ensure adequate protection of Customer Data, including:

Encryption

  • Data encrypted at rest using AES-256 encryption
  • Data encrypted in transit using TLS 1.3 or higher

Access Controls

  • Role-based access control (RBAC) with granular permissions
  • Multi-factor authentication (MFA) support
  • Passwordless authentication using WebAuthn/passkeys
  • Comprehensive audit logging of all access and changes

Infrastructure Security

  • Hosted on Microsoft Azure with SOC 2 Type II certification
  • UK-based data centers (UK South and UK West regions)
  • Web Application Firewall (WAF) protection
  • DDoS mitigation and rate limiting
  • Regular security assessments and penetration testing

5.2 Security Testing

Signal integrates automated security testing into the software development lifecycle, including vulnerability scanning and dependency analysis. Automated dependency scanning ensures third-party components remain secure and up to date.

6. Sub-Processors

6.1 Authorized Sub-Processors

The Customer authorizes Signal to engage the following sub-processors:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, hosting, database, and storage services | United Kingdom |
| Resend | Email delivery services (30-day retention) | United States (Standard Contractual Clauses) |

6.2 Sub-Processor Changes

Signal will provide the Customer with at least 30 days' notice before engaging new sub-processors or replacing existing ones. The Customer may object to such changes on reasonable data protection grounds within 14 days of notification.

6.3 Sub-Processor Obligations

All sub-processors are bound by written agreements imposing data protection obligations equivalent to those in this DPA, including appropriate security measures and confidentiality commitments.

7. Data Retention and Deletion

7.1 Retention Period

Signal retains Customer Data for the duration of the Service Agreement. Upon termination, Customer Data will be retained for 60 days to allow for data retrieval or transition.

7.2 Data Deletion

Following the 60-day retention period after termination, Signal will irreversibly delete or return all Customer Data, including copies, unless longer retention is required by law. Backup data held by Microsoft Azure may persist for up to 90 days from the deletion date.

7.3 Customer-Requested Deletion

The Customer may request early deletion of their data at any time during or after the retention period. Signal will comply with such requests within 30 days.

8. Data Subject Rights

8.1 Assistance with Rights Requests

Signal will assist the Customer in responding to data subject requests to exercise their rights under UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

8.2 Direct Requests

If Signal receives a data subject request directly, it will promptly refer the request to the Customer. The Customer remains responsible for responding to data subject requests within the required timeframes.

8.3 Technical Support

Signal provides tools within the Services to facilitate data subject access requests (DSARs), including data export functionality and search capabilities.

9. Data Breaches

9.1 Notification

Signal will notify the Customer without undue delay and, wherever possible, within 24 hours of becoming aware of any personal data breach affecting Customer Data. The notification will include available information about the nature of the breach, affected data categories, and measures taken or proposed.

9.2 Investigation and Remediation

Signal will investigate the breach, take appropriate measures to mitigate harm, and provide reasonable assistance to the Customer in meeting breach notification obligations to supervisory authorities and data subjects.

9.3 Documentation

Signal maintains records of all data breaches, including facts, effects, and remedial actions taken, to demonstrate compliance with UK GDPR breach notification requirements.

10. International Transfers

10.1 Data Location

Customer Data is stored and processed primarily within the United Kingdom using Microsoft Azure UK South and UK West regions.

10.2 Transfers Outside the UK

Limited data may be transferred to the United States for email delivery services (Resend). Such transfers are protected by:

  • EU-U.S. Data Privacy Framework (where applicable)
  • Standard Contractual Clauses approved by the European Commission
  • International Data Transfer Agreement/Addendum issued by the UK ICO

10.3 Transfer Impact Assessments

Signal conducts transfer impact assessments for international data transfers and implements supplementary measures where necessary to ensure adequate protection.

11. Audits and Compliance

11.1 Documentation

Signal will make available to the Customer information necessary to demonstrate compliance with this DPA and UK GDPR, including security certifications and audit reports.

11.2 Audit Rights

The Customer may conduct audits or appoint an independent auditor to verify Signal's compliance with this DPA, subject to reasonable notice, confidentiality obligations, and Signal's security requirements. Audits may be conducted no more than once annually unless required following a data breach.

12. Confidentiality

Signal ensures that all personnel authorized to process Customer Data are subject to confidentiality obligations and receive appropriate data protection training. Access to Customer Data is limited to personnel who require it to perform the Services.

13. Governing Law and Dispute Resolution

This DPA is governed by the laws of England and Wales. This DPA incorporates the requirements of UK GDPR and the Data Protection Act 2018.

In the event of conflict between this DPA and the main Service Agreement, this DPA shall prevail with respect to data protection matters.

14. Contact Information

For questions about this Data Processing Agreement or to exercise rights under this DPA, contact:

Data Protection Officer: dpo@signalschools.co.uk

Email: support@signalschools.co.uk

Address: Signal Education Ltd (Company No. 17014216), 12 Cooper Road, Bristol, BS9 3RA

ICO Registration: [TODO]

Need Additional Information?

For supplier due diligence documentation, security certifications, or to schedule a technical review, visit our Supplier Information page.