Last updated: 30 March 2026
This Data Processing Agreement (“Agreement”) forms part of the Terms & Conditions between MasteryByte (“Processor”, “we”, “our”, or “us”) and the organisation using the service (“Controller”, “you”).
This Agreement governs the processing of personal data in accordance with the UK GDPR and applicable data protection laws.
1. Roles of the Parties
- The Controller (school or organisation) determines the purposes and means of processing personal data.
- The Processor (MasteryByte) processes personal data on behalf of the Controller to provide the platform and services.
2. Scope of Processing
MasteryByte will process personal data solely for the purpose of providing its services, including:
- Creating and managing user accounts
- Delivering assessments
- Processing student responses
- Generating reports and analytics
- Providing support and maintenance
3. Types of Data Processed
The Processor may process the following categories of personal data:
- Student data (e.g. name, email, assessment responses, results)
- Teacher and staff data (e.g. name, email, account details)
- Technical and usage data (e.g. IP address, activity logs)
4. Instructions from the Controller
The Processor will only process personal data:
- In accordance with the Controller’s instructions
- As necessary to provide the services
- As required by law
5. Confidentiality
The Processor ensures that all personnel authorised to process personal data:
- Are bound by confidentiality obligations
- Access data only as required to perform their duties
6. Security Measures
The Processor implements appropriate technical and organisational measures to protect personal data, including:
- Secure access controls
- Encryption where appropriate
- Regular system monitoring
- Protection against unauthorised access, loss, or misuse
7. Sub-Processors
The Controller authorises the Processor to use trusted third-party service providers (sub-processors), such as hosting and email delivery services.
The Processor will:
- Ensure sub-processors are bound by data protection obligations
- Remain responsible for their compliance
A list of sub-processors can be provided upon request.
8. Data Subject Rights
The Processor will assist the Controller, where reasonably possible, in responding to requests from data subjects, including:
- Access requests
- Correction or deletion requests
- Data portability requests
9. Data Breach Notification
In the event of a personal data breach, the Processor will:
- Notify the Controller without undue delay
- Provide relevant information to support compliance with legal obligations
10. Data Retention and Deletion
Upon termination of the service, or upon request:
- The Processor will delete or return personal data
- Data will be retained only as required by law or for legitimate operational purposes
11. Audits and Compliance
The Processor will make available information necessary to demonstrate compliance with this Agreement and applicable data protection laws.
12. International Transfers
Personal data will be processed within the UK or EEA where possible.
If data is transferred outside these regions, appropriate safeguards (such as standard contractual clauses) will be in place.
13. Liability
Each party remains responsible for its own compliance with applicable data protection laws.
14. Governing Law
This Agreement is governed by the laws of England and Wales.