Data Processing Agreement
v1.0 · Last updated 18 April 2026
The DPA at a glance
- LESSO Ltd is the processor; the school or trust is the controller.
- All processing of customer and personal data occurs in the United Kingdom.
- Binding no-training commitment for both Civo / relax.ai and Microsoft Azure UK South.
- Sub-processor changes notified at least 30 days in advance.
- Personal-data export available within 30 days of termination, in a machine-readable format.
- Compliance handled by Luke, our co-founder (support@lesso.co.uk).
- No individual-teacher surveillance: leadership reporting is aggregated and anonymised by design.
1. Parties
This Data Processing Agreement (the "DPA") is entered into between LESSO Ltd (registered in England and Wales — the "Processor") and the customer school, multi-academy trust, or other educational organisation identified in the corresponding School Agreement (the "Controller"). It supplements and forms part of the School Agreement and incorporates by reference the LESSO Terms of Service and Privacy Policy.
2. Subject-matter, nature, and purpose of processing
The Processor processes Personal Data on behalf of the Controller in order to provide the LESSO platform — an AI-assisted productivity tool for educators — including document generation, lesson planning, communications drafting, and the operation of Mrs J, the LESSO AI assistant.
- Duration: for the term of the School Agreement, plus the wind-down period set out in §10.
- Categories of data subjects: the Controller's staff users (teachers, leaders, administrators).
- Categories of personal data: account identifiers (name, work email, role), conversation and prompt history with Mrs J, materials uploaded by the user, materials generated for the user, and technical/usage data needed to operate and secure the service.
- Special-category data: not requested or expected. Users are instructed in the Acceptable Use section of the Terms not to upload pupil personal data; the platform is not built around special-category processing.
3. Processor obligations (Article 28(3))
The Processor shall:
- process Personal Data only on documented instructions from the Controller, including with regard to international transfers (none are made for customer or personal data — processing is UK-only);
- ensure that persons authorised to process Personal Data are bound by confidentiality;
- take all measures required pursuant to Article 32 — see §6 (Security);
- engage sub-processors only on the terms set out in §4;
- assist the Controller, by appropriate technical and organisational measures, in fulfilling data-subject rights requests;
- assist the Controller in ensuring compliance with Articles 32 to 36 (security, breach notification, DPIA, prior consultation), having regard to the nature of processing and the information available to the Processor — see §7;
- return or delete all Personal Data on termination, at the Controller's election — see §10;
- make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow for audits — see §8.
4. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed at /sub-processors. The Processor:
- flows down equivalent data-protection obligations to each sub-processor in writing;
- remains liable to the Controller for the acts and omissions of its sub-processors;
- notifies the Controller of any intended addition or replacement of a sub-processor at least 30 days in advance, via the email-subscription mechanism on the sub-processor page; the Controller may object on reasonable data-protection grounds within the notice window.
5. Binding no-training commitment
We do not use your prompts, conversations, or generated content to train AI models — not our own, not Civo's, not relax.ai's, not Microsoft's. This commitment is binding and is reflected in our Data Processing Agreement with schools. If we ever offer a UK-trained-model contribution feature in the future, it will be a named, per-school opt-in with a separate consent flow and the default off; pre-existing prompts and outputs will never be retroactively pulled into training.
6. Security measures (Article 32)
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256);
- role-based access controls, least-privilege provisioning, and SSO/MFA for staff access;
- inheritance of ISO 27001 and Cyber Essentials Plus certifications from Civo Ltd at the infrastructure layer;
- centralised audit logging of administrative and security events, retained for a minimum of 12 months;
- a documented incident-response procedure, summarised on the security overview page;
- regular vulnerability scanning and an established vulnerability-disclosure route.
7. Personal-data breach notification
The Processor notifies the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's data. The notification includes the information specified in Article 33(3) UK GDPR to the extent then available, and the Processor provides updates as the investigation progresses.
8. Audit and information rights
The Processor responds in good faith to reasonable requests from the Controller's DPO for information necessary to demonstrate compliance with this DPA. For school customers, audit needs are typically satisfied by:
- this DPA;
- the published Trust Hub (sub-processors, DPIA, security overview);
- a written security inheritance letter (available on request via /security);
- where reasonably required, an annual written-questionnaire response.
9. International transfers
Customer and personal data are stored and processed exclusively in the United Kingdom (Civo Ltd, LON1 region; Microsoft Azure UK South pinned as fallback for AI inference). The Processor does not make restricted transfers of Personal Data outside the UK for the provision of the LESSO service. The honest CLOUD Act note at /sub-processors applies to the Microsoft fallback path.
10. Return or deletion of data on termination
On termination of the School Agreement, the Processor will, at the Controller's choice, either return Personal Data to the Controller in a machine-readable format (CSV / JSON) or delete it from production systems within 30 days. Backup copies are purged on the next scheduled rotation, and in any event within 90 days of termination. Where law requires retention of specific records (for example billing records), those records are retained only for the minimum legal period.
11. Liability and governing law
Liability under this DPA is governed by the limitation of liability provisions in the School Agreement. This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the English courts.
12. Signatures
This DPA is offered for counter-signature by the Controller's authorised signatory. Schools needing a Word version, or a redline against an internal template, should contact support@lesso.co.uk.
For LESSO Ltd (Processor)
Luke · Co-founder, LESSO Ltd
support@lesso.co.uk
Signed: 18 April 2026
For the Controller (school / trust)
Name: __________________________
Role: __________________________
Signed: ________________________
Date: __________________________
LESSO Ltd | Registered in England and Wales