Data Processing Agreement
Last updated: 22 April 2026
This is the Data Processing Agreement that governs how Cynapps Limited (trading as ParentPortal) processes personal data on behalf of schools using the Service. Schools with a ParentPortal account can sign this agreement from within their legal dashboard once their account is set up. To arrange an account, please contact us.
1. Parties
This Data Processing Agreement ("Agreement") is entered into between:
The Controller's details - school name, registered address, DPO, and authorised signatory - are completed when the school signs this agreement.
The Data Processor:
| Field | Details |
|---|---|
| Organisation | Cynapps Limited (trading as "ParentPortal") |
| Registered Address | 4th Floor, Radius House, 51 Clarendon Road, Watford, WD17 1HP |
| Company Number | 6922338 |
| VAT Number | GB 976 9776 28 |
| Data Protection Contact | sanjay@cynapps.net |
| Data Protection Officer | Not formally appointed; the Data Protection Contact above performs Data Protection Officer functions. The Processor keeps its Art. 37 UK GDPR obligations under ongoing review and will appoint a formal DPO if and when required. |
| Website | https://parentportal.com |
| Authorised Signatory | Sanjay Chawla, Director |
The Data Controller and the Data Processor are each a "Party" and collectively the "Parties".
2. Definitions
"Applicable Data Protection Law" - UK GDPR as retained by the EU (Withdrawal) Act 2018 and the Data Protection Act 2018, together with ICO guidance and codes of practice.
"Controller" - The School, which determines the purposes and means of processing Personal Data.
"Data Breach" - A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Data Subject" - An identified or identifiable natural person whose Personal Data is processed, including pupils, parents/carers, and school staff.
"Personal Data" - Any information relating to an identified or identifiable natural person (Art. 4(1) UK GDPR).
"Processing" - Any operation on Personal Data, whether automated or not, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
"Processor" - Cynapps Limited (company number 6922338), trading as "ParentPortal", which processes Personal Data on behalf of the Controller.
"Services" - The ParentPortal platform services provided by the Processor to the Controller, comprising a school companion to the school's Management Information System covering teacher workflow, parent-teacher communication, safeguarding, appraisals, activity clubs, house points, and AI-assisted tasks, as further described in Clause 3.1.
"Special Category Data" - Personal Data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or sex life/orientation data.
"Sub-Processor" - Any third party appointed by the Processor to process Personal Data on behalf of the Controller.
3. Scope and Purpose of Processing
3.1 The Processor shall process Personal Data solely for providing the Services:
(a) Student observation and assessment tracking, including AI-assisted analysis and classification
(b) Staff performance appraisal management, including voice reflection recording, transcription, and AI-assisted processing
(c) Parent-teacher communication: messaging, forums, newsletters, event management
(d) Parents' evening booking and management, including optional recording, transcription, and AI analysis
(e) Homework management, including AI-generated content and submission tracking
(f) Safeguarding concern recording and management (multi-step concern wizard, actions, comments, and child chronology)
(g) Payment processing via Stripe
(h) Push notification delivery via Apple APNS, Google FCM, Web Push
(i) File storage and management via Wasabi S3
(j) Survey creation and response collection
(k) AI-powered educational tools: lesson planning, image generation, content creation
(l) System administration, security monitoring, and audit logging
(m) MIS integration via Wonde: synchronisation of pupil, class, attendance, contact, and house group data, including optional attendance writeback
(n) Healthcare plans (IHP), child medical profiles, allergy and dietary requirement management
(o) Safeguarding pattern detection across behaviour, attendance, and welfare data, with mandatory human triage by the Designated Safeguarding Lead
(p) Document knowledgebase with PDF extraction and staff Q&A
(q) Activity club catalogue, parent preferences, and allocation, including external enrolments
(r) Teacher-facing support ticketing with admin panel and role-based access
(s) House-points and rewards, including a token-authenticated dining-room display screen
(t) Lunch menu management and pupil meal preferences, including religious, ethical, and dietary selections
(u) Wellbeing notes: lightweight tagged welfare observations (emotional state, fatigue, hunger, behaviour) feeding the safeguarding pattern engine
(v) Timetabling: class schedules, room assignments, and teacher periods
3.2 The Processor shall not process Personal Data for any purpose other than those set out above or as instructed in writing by the Controller.
3.3 The Processor shall not process Personal Data for its own purposes, including marketing, profiling for commercial gain, selling data, or training AI models on Controller data. The Processor shall engage AI Sub-Processors only where the Sub-Processor's published API terms or DPA exclude Controller data from model training, and shall enable zero-retention or no-training API modes where offered. The Processor's Services are designed to align with the ICO's Age Appropriate Design Code (the "Children's Code") and the UK GDPR protections afforded to children.
3.4 Controller warranties and responsibilities. The Controller warrants and represents to the Processor that:
(a) It has a valid lawful basis under Applicable Data Protection Law for sharing Personal Data with the Processor and for instructing the Processor to process that Personal Data for the purposes set out in Clause 3.1
(b) It has provided all privacy notices, and obtained all consents, required under Applicable Data Protection Law from Data Subjects, including parents/carers where required for processing of children's data and, where applicable, explicit consent for processing of Special Category Data under Art. 9
(c) The Personal Data it provides to, or makes available to, the Processor is accurate, up-to-date, and lawfully obtained
(d) Its written instructions to the Processor comply with Applicable Data Protection Law
(e) It has the right to transfer or make available the Personal Data to the Processor for processing under this Agreement
3.5 The Controller shall indemnify the Processor against all claims, losses, damages, costs, and liabilities arising out of or in connection with any breach by the Controller of Clause 3.4.
4. Duration of Processing
4.1 This Agreement commences on the date of signature and continues for the duration of the Customer's use of the Platform, whether under trial, evaluation, or a subscription / service agreement, and survives thereafter in respect of any Personal Data remaining in the Processor's possession.
4.2 On termination, Clause 12 (Data Return/Deletion) applies.
4.3 Processor obligations survive termination to the extent Personal Data remains in Processor's possession.
5. Types of Personal Data Processed
5.1 Pupil Data
- Full name (first, last)
- Date of birth
- Gender
- Profile photographs
- Class enrolment and academic year information
- Educational observations and teacher notes
- AI-generated performance classifications (emerging/expected/exceeding)
- AI-generated comprehensive student profiles
- Attendance and absence records
- Homework assignments and submission records
- Homework submission photographs
- Marking and feedback records, including flagged concerns
- Learning progress and topic completion data
- Safeguarding concerns and related records (severity, parties, audit trail)
- Custom school-defined fields (may include additional SEN or medical information)
- Medical conditions, allergies, and dietary requirements (first-class feature)
- Meal preferences (pork/beef exclusions, halal, kosher, vegetarian, vegan, protein preferences) — used to select appropriate lunch menu options
- Wellbeing notes — tagged welfare observations (worried, tired, upset, withdrawn, physical, hungry, angry, positive, other) and optional free-text, feeding the safeguarding pattern engine
- Individual Healthcare Plan (IHP) content, versions, and attachments
- House assignment
- Activity club preferences, allocations, and attendance
- Safeguarding pattern detections (engine outputs, tags, DSL actions, dismissals)
- MIS-sourced identifiers (Wonde IDs for reconciliation)
- Event attendance and gallery photographs
- Memory/milestone records and media
5.2 Parent/Carer Data
- Full name (first, last)
- Email address(es)
- Date of birth (optional)
- Gender (optional)
- Profile photographs
- Relationship to child (parent, carer, guardian)
- Geographic location (latitude/longitude, where provided)
- Forum posts and message content
- Survey responses
- Activity club preference submissions
- Parents' evening booking records
- Recorded meeting audio and AI analysis (where consent given)
- Payment transaction records (amounts, dates, Stripe references - no card data)
- Push notification device tokens and subscription data
- Login sessions, IP addresses, browser user agent strings
5.3 School Staff Data
- Full name (first, last)
- Email address
- Role, permissions, and class assignments
- Appraisal objectives, success criteria, RAG status
- Appraisal voice reflection recordings and AI-processed transcriptions
- Appraisal meeting notes and manager performance notes
- Appraisal form/questionnaire responses
- Appraisal activity completion evidence
- Observation authorship records
- Support ticket authorship and content
- AI tool usage logs and cost records
- Two-factor authentication credentials
- Login sessions, IP addresses, browser user agent strings
- Push notification device tokens
5.4 Special Category Data
- Voice recordings (biometric data) - teacher observations, staff appraisal reflections, meeting recordings
- Health-related data - processed as a first-class feature: medical conditions, allergies, dietary requirements, Individual Healthcare Plans (IHP) and attachments, medical notes attached to child records. Also captured where schools additionally configure custom fields for SEN or other medical information
- Safeguarding records - may contain information about abuse, neglect, exploitation; may reveal racial/ethnic origin. Includes wellbeing notes (tagged welfare observations used as input to pattern detection) and the outputs of the safeguarding pattern detection engine (cross-domain risk analysis of behaviour, attendance, and welfare data)
- Religious or philosophical belief data - where meal preferences such as halal, kosher, no-pork, vegetarian, or vegan reveal religious or philosophical beliefs. Processed solely to match pupils to appropriate lunch menu options
6. Categories of Data Subjects
| Category | Description | Status |
|---|---|---|
| Pupils | Children aged 4-18 enrolled at the Controller's school | Vulnerable (children) |
| Parents/Carers | Adults with parental responsibility for enrolled pupils | Standard |
| School Staff | Teaching staff, TAs, senior leaders, admin staff | Standard (employee protections) |
7. Processor Obligations
7.1 Processing Instructions
7.1.1 The Processor shall process Personal Data only on documented instructions from the Controller, unless required by law (in which case the Processor shall inform the Controller beforehand unless prohibited).
7.1.2 The Processor shall immediately inform the Controller if an instruction infringes Applicable Data Protection Law.
7.1.3 Documented instructions are in Clause 3, supplemented by written instructions from time to time.
7.2 Confidentiality
7.2.1 All persons authorised to process Personal Data have committed to confidentiality or are under statutory obligation.
7.2.2 Access limited to personnel who need it. Such personnel receive appropriate data protection training.
7.3 Security Measures
7.3.1 The Processor implements appropriate technical and organisational measures including:
(a) Encryption in transit: All data via HTTPS/TLS with HSTS enforcement (1yr max-age). All external API calls use HTTPS.
(b) Password security: Argon2id hashing (64 MB memory, 4 iterations, 3 threads). Bcrypt fallback.
(c) Multi-factor authentication: TOTP-based 2FA via Google Authenticator for all staff accounts.
(d) Access controls: RBAC with school-scoped permissions. Parent-child enforcement. Multi-tenant isolation.
(e) SQL injection prevention: All queries use PDO prepared statements with positional parameters.
(f) CSRF protection: Cryptographically random tokens with constant-time comparison on all state-changing operations.
(g) Rate limiting: Login (10/hr), 2FA (20/hr), registration (5/hr) per IP. 1-second brute-force delay.
(h) Security headers: HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, CSP frame-ancestors.
(i) Audit logging: Authentication attempts logged (IP, user agent, timestamp, success). Appraisal action audit trail.
(j) Session management: Server-side + DB-backed persistent sessions. Session regeneration on auth. Configurable expiry (90 days).
(k) Cloud storage security: Wasabi S3 AES-256 server-side encryption. Presigned URLs with 10-minute expiry.
(l) Payment security: PCI DSS compliant via Stripe. No card data stored on ParentPortal servers.
(m) AI sub-processor data minimisation: Where Personal Data is transmitted to AI sub-processors (OpenRouter, AssemblyAI, OpenAI Assistants), only the minimum fields necessary are sent. Pupil surnames are not transmitted to OpenRouter or its downstream model providers.
7.3.2 The Processor shall regularly test, assess, and evaluate the effectiveness of these measures.
7.3.3 Voice recordings and biometric data. Where the Processor processes voice recordings constituting biometric or special category data (teacher observations, staff appraisal reflections, meeting recordings), the Processor processes such data solely on the documented instructions of the Controller, relying on the Art. 9 condition (typically Art. 9(2)(a) explicit consent) identified and obtained by the Controller. Data Subjects may request deletion of their voice recordings at any time following transcription, which the Processor shall action without undue delay. The underlying transcription may be retained in accordance with the Controller's retention instructions.
7.3.4 Data outside direct control. The Processor shall have no responsibility for Personal Data to the extent it is held or processed outside the Processor's direct control, including on Data Subject devices, in browser or application caches under Data Subject control, or on systems operated by the Controller or the Controller's other suppliers. For the avoidance of doubt, Personal Data held on or processed by the Processor's production systems, staging or development environments, databases, backups, logs, and Sub-Processor infrastructure (as identified in Schedule 1) is within the Processor's direct control and covered by the security obligations in this Clause 7.3.
7.4 Sub-Processors
7.4.1 The Controller provides general written authorisation for the Sub-Processors in Schedule 1 (Section 8).
7.4.2 The Processor shall give 30 days' notice before engaging a new Sub-Processor, by email to the Controller's nominated data protection contact, giving the Controller opportunity to object.
7.4.3 Sub-Processors are contractually bound to at least the same data protection level as this Agreement.
7.4.4 The Processor remains fully liable for Sub-Processor performance.
7.4.5 If the Controller objects on reasonable grounds, the Processor shall endeavour to provide alternative arrangements. If unable, either Party may terminate the affected Services.
7.5 Data Subject Rights
7.5.1 The Processor assists the Controller in responding to rights requests:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Rights re: automated decisions and profiling (Art. 22)
7.5.2 The Processor shall promptly notify the Controller of any direct request from a Data Subject and shall not respond without Controller's prior written authorisation (unless legally required).
7.5.3 The Processor shall provide all data held about a Data Subject in structured, machine-readable format within 10 working days of Controller request. No charge shall apply to routine assistance required to respond to Data Subject rights requests under this Clause 7.5. Costs may apply only to assistance materially exceeding the scope of routine response, for example bespoke data extraction, forensic searches, or handling of manifestly unfounded or excessive requests as permitted by Art. 12(5) UK GDPR; any such costs shall be notified to the Controller in advance and require the Controller's agreement before being incurred.
7.5.4 Safeguard against solely automated decisions (Art. 22). Where the Services include automated analysis that could produce effects relevant to Art. 22 (notably the safeguarding pattern detection engine described in Clause 3.1(o)), outputs are surfaced only to the Designated Safeguarding Lead or equivalent authorised person for human review and triage. No automated decision producing legal or similarly significant effects on a Data Subject is made without meaningful human intervention by an authorised member of the Controller's staff.
7.6 Data Breach Notification
7.6.1 The Processor shall notify the Controller of a Data Breach without undue delay, and in any event within 24 hours where reasonably practicable, and in all cases in sufficient time to enable the Controller to meet its 72-hour notification obligation to the ICO under Art. 33 UK GDPR.
7.6.2 This enables the Controller to meet its 72-hour ICO notification obligation (Art. 33). It is the Controller's responsibility, as Data Controller, to notify the ICO and, where required, affected Data Subjects of any Data Breach; the Processor's role is to provide the Controller with timely information to enable those notifications.
7.6.3 Notification shall include:
(a) Nature of the breach, categories and approximate numbers affected
(b) Processor's data protection contact details
(c) Likely consequences
(d) Measures taken or proposed to address and mitigate
7.6.4 Where not all information is available, it shall be provided in phases without undue delay.
7.6.5 The Processor shall cooperate in investigating, mitigating, and remediating any breach and meeting notification obligations.
7.7 DPIAs
7.7.1 The Processor provides reasonable assistance with Data Protection Impact Assessments and ICO consultations (Art. 35/36), at the Controller's reasonable expense where such assistance exceeds routine support.
7.8 Audit and Compliance
7.8.1 The Processor makes available all information to demonstrate Art. 28 compliance.
7.8.2 The Processor allows audits/inspections by the Controller or mandated auditor (30 days' notice, business hours, minimising disruption), no more than once in any calendar year save where a material Data Breach has occurred, and only by individuals producing reasonable evidence of identity and authority.
7.8.3 The Processor maintains Art. 30(2) records of processing activities.
8. Sub-Processor Register (Schedule 1)
| Sub-Processor | Purpose | Data Accessed | Location | Transfer Mechanism |
|---|---|---|---|---|
| OpenRouter Inc. (routes to OpenAI, Google, Anthropic) | AI observation analysis; student classification; lesson feedback; meeting analysis; text enhancement; homework generation | Student first names only (no surnames), gender, observations, transcriptions, meeting content | USA | UK-US Data Bridge |
| AssemblyAI Inc. | Speech-to-text with speaker diarisation | Voice recordings (temp URLs) | USA | UK-US Data Bridge + AssemblyAI DPA |
| Stripe Inc. | Payment processing (PCI DSS L1) | User email, amounts, transaction refs. No card data stored | USA (EU processing) | UK-US Data Bridge + Stripe DPA |
| Wasabi Technologies | Cloud object storage | All uploaded files (photos, voice, homework, docs) | EU (Frankfurt) | EU Adequacy + Wasabi DPA |
| Amazon Web Services (SES) | Email delivery | Recipient emails, email content | EU (Stockholm) | EU Adequacy + AWS DPA |
| Google LLC (Firebase FCM) | Android push notifications | Device tokens, notification content, deep links | USA | UK-US Data Bridge + Google DPA |
| Apple Inc. (APNS) | iOS push notifications | Device tokens, notification content, deep links | USA | UK-US Data Bridge |
| Runware AI | AI image generation for educational content | Text prompts only (no personal data shared) | N/A | N/A - not a data processor |
| OpenAI Inc. (Direct - Assistants) | Document Q&A (RAG) using educational handbooks | Educational PDFs, user questions | USA | UK-US Data Bridge + OpenAI DPA |
| Wonde Ltd | MIS integration — pupil, class, attendance, contact, and house group synchronisation including attendance writeback | Pupil names, DOB, gender, class enrolment, attendance records, parent contact details, house groups | UK | N/A (UK-based, no international transfer) — Wonde DPA |
9. International Data Transfers
9.1 The Processor shall not transfer Personal Data outside the UK except via Sub-Processors in Schedule 1.
9.2 Transfers require one of:
(a) Adequacy decision by UK Secretary of State
(b) UK-US Data Bridge framework (for certified US organisations)
(c) ICO-approved Standard Contractual Clauses (SCCs)
(d) Another Art. 46 safeguard
9.3 Transfer Impact Assessments conducted for non-adequate jurisdictions. All current Sub-Processors processing personal data are based in the USA or EU, with US transfers covered by the UK-US Data Bridge framework. Runware AI is used for image generation only and receives no personal data.
9.4 The Processor shall inform the Controller if a transfer cannot comply and shall cease until safeguards are implemented.
10. Data Breach Procedures
10.1 The Parties shall follow the breach-response timeline below. All timings run from T+0, the point at which the Processor becomes aware of the Data Breach.
| Timeline | Action | Responsible |
|---|---|---|
| T+0 (Discovery) | Identify/receive breach report. Initiate containment immediately | Processor |
| T+4 hours | Initial scope/severity/category assessment | Processor |
| T+24 hours (max) | Written notification to Controller per Clause 7.6.3 | Processor |
| T+48 hours | Supplementary report: additional findings, root cause, remediation plan | Processor |
| T+72 hours | Controller determines ICO notification (required if risk to individuals) | Controller |
| Without undue delay | If high risk, Controller notifies affected Data Subjects | Controller |
| T+14 days | Final incident report: root cause, full impact, prevention measures | Processor |
| Ongoing | Implement remediation; provide evidence of completion | Processor |
10.2 The Processor maintains a register of all breaches (including non-reportable) available to Controller on request.
11. Liability and Indemnification
11.1 Each Party is liable for damage from processing that infringes Applicable Data Protection Law (Art. 82). Nothing in this Clause 11 limits or excludes either Party's statutory liability to Data Subjects under Art. 82 UK GDPR.
11.2 Subject to Clauses 11.4 and 11.5, the Processor indemnifies the Controller against all claims, losses, damages, and costs arising from:
(a) Breach of this Agreement by the Processor
(b) Processing not in accordance with this Agreement or law
(c) A Data Breach caused by the Processor's failure to implement the security measures in Clause 7.3
11.3 Subject to Clauses 11.4 and 11.5, the Controller indemnifies the Processor against claims from instructions that infringe Applicable Data Protection Law, provided the Processor gave notice per Clause 7.1.2.
11.4 Aggregate liability cap. Subject to Clause 11.5, each Party's total aggregate liability to the other under or in connection with this Agreement (whether in contract, tort including negligence, for breach of statutory duty, or otherwise), including under the indemnities in Clauses 11.2 and 11.3, shall not exceed the total fees paid or payable by the Controller to the Processor under the service agreement in the twelve (12) months immediately preceding the event giving rise to the claim (or, where the claim arises in the first twelve months, the annualised fees based on the rate in effect on the date of the event).
11.5 Carve-outs from the cap. The cap in Clause 11.4 does not apply to liability arising from:
(a) Fraud or fraudulent misrepresentation
(b) Gross negligence or wilful misconduct
(c) Death or personal injury caused by negligence
(d) Breach of confidentiality obligations under Clause 7.2
(e) Administrative fines imposed directly on the liable Party by the ICO or a competent court under UK GDPR or the Data Protection Act 2018, to the extent those fines result from that Party's own acts or omissions
(f) Any liability that cannot be limited or excluded under Applicable Data Protection Law
(g) The Controller's indemnity obligations under Clause 3.5 for breach of its warranties in Clause 3.4
11.6 Excluded losses. Except for liability falling within Clause 11.5, neither Party shall be liable for indirect, consequential, or purely economic losses, loss of profits, loss of anticipated savings, or loss of goodwill, even if foreseeable.
11.7 Further exclusions of Processor liability. Without prejudice to Clauses 11.2 and 11.5, the Processor shall have no liability to the Controller, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:
(a) Loss, interception, or corruption of data, except to the extent such loss is caused by the negligence, wilful misconduct, or breach of this Agreement by the Processor
(b) Any failure, interruption, or degradation of telecommunications, internet, or network services provided by third parties to the Processor, the Controller, or any Controller Supplier
(c) Any act, default, or negligence of a Controller Supplier, including the Controller's MIS provider, other application providers integrated with the Services, or any third party to whom the Controller grants access to the Services
(d) The Controller's failure to comply with its obligations under this Agreement or Applicable Data Protection Law, including failure to obtain lawful basis or consent where required, or issuing instructions that infringe law
(e) Any use of the Services by the Controller or Data Subjects in breach of the service agreement's acceptable use terms
12. Termination and Data Return/Deletion
12.1 On termination, the Controller instructs the Processor to either:
(a) Return all Personal Data in structured, machine-readable format (JSON or CSV); or
(b) Securely delete all Personal Data and provide written certification
12.2 Controller must instruct within 30 days of termination. If no instruction, Processor deletes within 90 days and certifies.
12.3 Sub-Processors also delete/return per Controller instructions.
12.4 Processor may retain where legally required, ensuring confidentiality and processing only for legal purposes.
12.5 Processor provides data extraction in machine-readable format on request during the term, at no charge.
12.6 Safeguarding records - statutory retention. The Parties acknowledge that safeguarding records must be retained in accordance with Keeping Children Safe in Education (KCSIE) and the IRMS Schools Toolkit, typically until the pupil reaches 25 years of age, and transferred with the pupil on roll change. On termination or on pupil roll change, the Controller shall instruct the Processor to either (a) return safeguarding records to the Controller or a successor Controller; or (b) where the Controller remains responsible, retain them on the Controller's behalf for the statutory retention period, under ongoing confidentiality obligations. Safeguarding records retained under this Clause shall not be deleted under Clauses 12.1 or 12.2.
12.7 In-term retention. During the term, the Processor retains Personal Data for the operational period necessary to deliver the Services. Retention periods for specific data categories align with the IRMS Schools Toolkit, and specific schedules may be documented separately on request. The Controller may at any time instruct shorter retention, subject to Clause 12.6.
13. Governing Law and Jurisdiction
13.1 Governed by laws of England and Wales.
13.2 Exclusive jurisdiction of courts of England and Wales.
13.3 Nothing limits Data Subject rights under law, including right to complain to ICO.
14. General Provisions
14.1 This Agreement constitutes the entire agreement on data processing, superseding all prior arrangements.
14.2 In conflict with the service agreement, this Agreement prevails for data processing matters.
14.3 Amendments must be in writing, signed by both Parties.
14.4 If any provision is invalid, remaining provisions continue in force.
14.5 Neither Party may assign without prior written consent, save that the Processor may assign or novate this Agreement to a successor in connection with a merger, acquisition, corporate restructuring, or sale of all or substantially all of the Processor's business, on written notice to the Controller.
14.6 No third-party rights under the Contracts (Rights of Third Parties) Act 1999.
14.7 The Processor may propose amendments to this Agreement required to maintain compliance with changes in Applicable Data Protection Law. For non-material administrative or compliance amendments (for example updates to statutory references, regulator names, or Sub-Processor details), such amendments shall take effect thirty (30) days after written notice to the Controller unless the Controller objects in writing within that period, in which case the Parties shall negotiate in good faith to agree alternative wording. Material amendments (including any change to Clauses 3 (Scope), 7.3 (Security), 9 (International Transfers), 11 (Liability), or 12 (Termination and Retention)) require the Controller's prior written agreement and do not take effect by deemed acceptance.
14.8 Interim confidentiality (trial / evaluation period). During any trial or evaluation period before a subscription or services agreement is signed between the Parties, each Party ("Receiving Party") shall treat as confidential all non-public information disclosed by the other Party ("Disclosing Party") that is marked as confidential or would reasonably be understood to be confidential given its nature or the circumstances of its disclosure. The Receiving Party shall use such information only for the purposes of evaluating or operating the Platform under this Agreement and shall limit access to personnel and professional advisers with a genuine need to know. These obligations do not apply to information that (a) is or becomes publicly available through no fault of the Receiving Party; (b) was lawfully known to the Receiving Party before disclosure; (c) is independently developed by the Receiving Party without reference to the Disclosing Party's Confidential Information; or (d) is required to be disclosed by law, regulator, or court order. This Clause 14.8 is superseded by any confidentiality clause in a subscription or services agreement signed between the Parties, with effect from the date that agreement is signed.
14.9 Marketing reference. The Controller consents to the Processor listing the Controller's name and crest/logo on the Processor's website and in routine business communications as a user of the Platform. The Controller may withdraw this consent at any time by written notice to the Processor's data protection contact. This consent does not extend to testimonials, case studies, or press releases, which require the Controller's separate prior written approval.