EXPLOREBUDDY
DATA-PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) supplements the ExploreBuddy Terms & Conditions and applies where ExploreBuddy (the “Processor”) processes personal data on behalf of a school, organisation, parent or guardian (the “Controller”).
1. Definitions
Controller: “Controller” has the meaning given in Article 4(7) UK GDPR: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data. In this DPA, the Controller is the entity or individual engaging ExploreBuddy and supplying the Personal Data.
Processor: “Processor” means ExploreBuddy, which processes Personal Data solely on the Controller’s documented instructions.
Personal Data: Any information relating to an identified or identifiable individual, including names, contact details, session notes, assessment data and billing records.
Processing: Any operation performed on Personal Data as defined in Article 4(2) UK GDPR (collection, storage, use, disclosure, etc.).
Sub-Processor: Any third party engaged by the Processor to carry out Processing on behalf of the Controller.
2. Subject Matter and Purpose
Subject Matter: Provision of coaching, support sessions, training, consultations and related Services.
Purpose: To enable ExploreBuddy to deliver Services in accordance with the Controller’s instructions.
Duration: From first data receipt until seven years after the final session (or longer if required by law).
3. Categories of Data and Data Subjects
- Identifiers (name, date of birth, address, email, phone)
- Session details, clinical or educational assessments
- Financial and billing information
Data Subjects include children, young people, adults, parents, carers and professional contacts.
4. Controller Obligations
The Controller warrants that it:
- Holds all necessary consents and lawful bases for processing the Personal Data.
- Provides only the data necessary for the agreed Services.
- Informs data subjects of the Processing activities and their rights.
5. Processor Obligations
ExploreBuddy shall:
- Process Personal Data only on the Controller’s written instructions.
- Ensure confidentiality: all staff and Sub-Processors are bound by confidentiality clauses.
- Maintain technical and organisational measures (see section 7).
- Notify Controller of any Personal Data breach within 48 hours of discovery.
- Provide a remediation plan within 7 days of breach notification.
- Assist Controller with data subject rights requests (access, correction, erasure, portability) at Controller’s direction.
- Return or securely delete Personal Data on termination of Services, unless legal retention is required.
6. Sub-Processing
- Controller authorises the engagement of Sub-Processors (e.g., cloud hosting, secure data storage).
- A list of current Sub-Processors is available on request.
- ExploreBuddy remains fully liable for any Sub-Processor’s acts or omissions.
7. Security Measures
ExploreBuddy implements and maintains:
- Encryption of Personal Data at rest and in transit.
- Pseudonymisation of data where feasible.
- Role-based access controls with unique user credentials.
- Regular encrypted backups and secure off-site storage.
- Firewalls, antivirus protection and vulnerability management.
- Annual security training and periodic audits.
8. Data Protection Officer
Questions or notices regarding this DPA and data protection should be directed to our DPO.
Email: dpo@explorebuddy.co.uk
9. Data Retention
All Personal Data is retained securely for up to seven years to meet safeguarding and legal obligations. After this period, data is permanently and irreversibly deleted.
10. DPIA Assistance
Where a Data Protection Impact Assessment is required, ExploreBuddy will provide all necessary information and assistance to help the Controller fulfil its obligations under UK GDPR.
11. Liability
Processor’s liability under this DPA is subject to the limitations and exclusions in the ExploreBuddy Terms & Conditions.
12. Governing Law and Jurisdiction
This DPA is governed by the laws of Scotland and subject to the exclusive jurisdiction of the Scottish courts.