Data Processing Agreement
How Triptico processes personal data on behalf of schools and other education providers, in line with UK GDPR and the Data Protection Act 2018.
Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of the agreement between Triptico (“we”, “us”, the “Processor”) and the school, college, organisation or institution whose staff use Triptico (“you”, the “Customer”, the “Controller”). It applies where, in the course of using Triptico, we process personal data on your behalf.
It is governed by, and uses the terms defined in, the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. Where this DPA conflicts with our general Terms and Conditions on the subject of data protection, this DPA prevails.
1. Roles of the parties
You are the Controller. For any personal data that your staff enter into Triptico in the course of their teaching (for example, a pupil’s name included in a list or activity), you determine the purposes and means of processing. We act as your Processor and process that data only on your documented instructions.
We are an independent Controller only for the limited personal data we collect to operate the service and manage teacher accounts directly with the account holder (for example, a teacher’s registration email and billing details). That processing is described in our Privacy Policy and is outside the scope of this DPA.
Students do not need accounts. Triptico is designed so that students take part in shared activities without registering or providing personal details, which keeps the personal data processed on your behalf to a minimum.
2. Subject matter, duration, nature and purpose
Subject matter and duration: the processing lasts for as long as your staff hold active Triptico accounts under your subscription, plus any short retention period described in section 8.
Nature and purpose: we process personal data solely to provide the Triptico service — storing and displaying the lists, activities and lessons your staff create, enabling them to be shared with a class via a link or code, and maintaining the security and reliability of the service.
3. Types of personal data and categories of data subject
Categories of data subject may include your teaching and support staff and, where staff choose to include it in their content, your pupils/students.
Types of personal data processed on your behalf may include:
- Any personal data your staff voluntarily enter into the content they create — for example a pupil’s first name or initials used in a list, quiz or activity. Staff are asked not to enter more personal data than a task needs.
- Technical and usage data necessary to deliver shared activities securely (for example a temporary share code and basic device/log information).
Triptico does not request special category data, and it is not designed to store sensitive personal data about pupils. You instruct us not to do so, and your staff should not enter it.
4. Our obligations as Processor
In respect of personal data processed on your behalf, we will:
- Process only on your instructions. We process the data only to provide the service and on your documented instructions (including those given through normal use of Triptico), unless required to do otherwise by law — in which case we will tell you first unless the law forbids it.
- Ensure confidentiality. Anyone authorised to process the data is bound by an appropriate duty of confidentiality.
- Keep it secure. We implement appropriate technical and organisational measures under Article 32 UK GDPR (see section 5).
- Use sub-processors responsibly. We only engage the sub-processors listed in section 6, impose equivalent data-protection obligations on them, and remain responsible for their performance.
- Assist you. We provide reasonable assistance with data subject requests, security, breach notification, and data protection impact assessments (see sections 7 and 8).
- Delete or return data at the end of the service, as set out in section 8.
- Demonstrate compliance. We make available the information you reasonably need to show compliance with Article 28 UK GDPR, and allow for and contribute to audits on reasonable notice.
5. Security measures
We take appropriate measures to protect personal data, including:
- Encryption of data in transit (HTTPS/TLS) and encryption at rest provided by our hosting platform.
- Access controls and authentication, so accounts and saved content are only accessible to the account holder and those they share with.
- Hosting on Google Cloud / Firebase infrastructure, which maintains recognised security certifications.
- Restricting administrative access to the minimum number of people necessary, under confidentiality obligations.
- Regular maintenance, monitoring and backups to support availability and resilience.
6. Sub-processors
We use the following trusted sub-processors to operate Triptico. Each processes personal data only as needed to provide its service to us and under contractual data-protection obligations.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google / Firebase (Google Cloud) | Hosting, database, authentication and serverless functions | EU / UK / US (with safeguards) |
| Stripe | Payment processing for subscriptions (no card data reaches Triptico’s own systems) | EU / US (with safeguards) |
| Email delivery provider | Sending service and account emails to teachers | EU / US (with safeguards) |
We will give you reasonable notice of any intended addition or replacement of a sub-processor so that you have the opportunity to object on reasonable data-protection grounds.
7. International transfers
Some sub-processors may process personal data outside the UK. Where they do, we rely on safeguards recognised under UK law — such as UK adequacy regulations or the International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses — to ensure an equivalent level of protection.
8. Data subject rights and breach notification
Data subject requests. If we receive a request from one of your data subjects to exercise their rights (access, rectification, erasure, restriction, portability or objection) in relation to data we process on your behalf, we will, where lawful, refer the request to you and assist you in responding within the statutory time limits.
Personal data breaches. We will notify you without undue delay — and in any event within 48 hours — after becoming aware of a personal data breach affecting data processed on your behalf, and will provide the information you reasonably need to meet your own notification obligations to the Information Commissioner’s Office (ICO) and affected individuals.
DPIAs. We will provide reasonable assistance with any data protection impact assessment or prior consultation with the ICO that relates to our processing on your behalf.
9. Return and deletion of data
When a teacher deletes their account, or when your subscription ends, we will delete or anonymise the personal data we hold on your behalf, except where we are required by law to retain it. On request, and where technically feasible, we will return a copy of the relevant content to you before deletion.
Backups are overwritten on a rolling cycle; any residual personal data in backups is protected by the measures in section 5 and is deleted as those backups expire.
10. Liability and governing law
Each party’s liability under this DPA is subject to the limitations and exclusions set out in our Terms and Conditions. This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.
11. Contact
Questions about this DPA, or requests for a countersigned copy, can be sent via the contact form on triptico.app. We aim to respond promptly to all data-protection enquiries from schools.
Last updated: 18 June 2026