Back

ROPA Entry Template — LESSO

Last reviewed 19 June 2026 · Next review 19 June 2027

What is a ROPA and why do schools need one?

UK GDPR Article 30 requires every data controller (including schools) to maintain a Record of Processing Activities — a written log of all the ways personal data is processed in or on behalf of the organisation. When a school uses LESSO, it engages LESSO Ltd as a data processor; the school needs to record that processing in its own ROPA. This pre-populated entry gives you every mandatory field, ready to copy into your school or trust's ROPA without having to gather the information yourself.

Article 30 Mandatory Fields — LESSO Processing

Field
Entry
Controller name and contact
[Your school / trust name]
[Name and contact details of your DPO or designated data-protection lead]
Processor name and contact
LESSO Ltd
Registered in England and Wales
Data-protection contact: Luke (co-founder) — support@lesso.co.uk
Purposes of processing
Provision of an AI-assisted educator productivity platform (LESSO), including: lesson planning and document generation; communications drafting; batch assessment marking (AI produces draft marks which the teacher reviews and approves); curriculum search and retrieval; operation of the Mrs J AI assistant; account management and billing.
Categories of data subjects
Teaching staff and school administrators only. The current LESSO platform has no pupil accounts and does not directly process pupil personal data. Any future pupil-facing surface will require a full updated DPIA, an AADC compliance assessment, a separate Article 28 addendum, and at least 30 days' advance notice to contracted schools.
Categories of personal data
  • Account identifiers: name, work email address, job role
  • Conversation and prompt history with Mrs J
  • Materials uploaded by the teacher (curriculum resources, templates)
  • Materials generated for the teacher (lesson plans, worksheets, slide decks)
  • Technical and usage data (session logs, audit events, performance telemetry)

Special-category data is not requested or expected. The Acceptable Use clause instructs users not to upload pupil personal data.

Lawful basis (controller)
Article 6(1)(b) — contract performance (service delivery to teachers);
Article 6(1)(f) — legitimate interests (service personalisation and operational analytics, ring-fenced by the binding no-training commitment in the DPA).
Recipients and sub-processors
See the full list at lesso.co.uk/sub-processors. Summary:
  • Civo Ltd (including relax.ai) — UK-sovereign infrastructure and primary AI inference, LON1, UK
  • Microsoft Azure OpenAI Service — fallback AI inference, UK South region (with CLOUD Act transparency note)
  • Stripe Payments Europe Ltd — billing and payment processing (payment data only)
  • Resend — transactional email (account and billing notifications)
Retention schedule
See the full Retention Schedule. Key periods:
  • Teacher account and profile data — duration of the school agreement
  • Chat / conversation history with Mrs J — minimum 12 months (active service)
  • Teaching materials and generated artefacts — minimum 12 months (active service)
  • Production data deletion on termination — within 30 days of agreement end
  • Operational backup retention (active service) — 30 rolling days
  • Post-termination backup purge — within 90 days of agreement end
  • Audit and security logs — minimum 12 months
  • Billing records — 7 years (HMRC legal requirement)
Security measures
Encryption in transit (TLS 1.3) and at rest (AES-256); role-based access controls and least-privilege provisioning; SSO / MFA; audit logging (minimum 12 months); documented incident-response with 72-hour breach notification; annual third-party penetration testing. Full details at lesso.co.uk/security. Infrastructure certifications: ISO 27001 and Cyber Essentials Plus (Civo Ltd); ISO 27001/27017/27018, SOC 1/2/3 (Microsoft Azure UK South fallback).
International transfers
Primary path: UK-sovereign. All processing on the primary Civo / relax.ai path takes place within the United Kingdom (Civo Ltd, LON1 region — a UK-owned, UK-headquartered company under UK law only). No restricted transfer outside the UK.

Fallback path: Azure UK South (US-parent caveat). The Microsoft Azure OpenAI Service fallback is configuration-pinned to the UK South region. Microsoft Corp is US-headquartered and is theoretically subject to US law-enforcement requests under the CLOUD Act. LESSO uses the Azure path only when the primary path is unavailable. A school may request that the Azure fallback be disabled for its tenancy. See the CLOUD Act transparency note at lesso.co.uk/sub-processors.
Article 28 DPA in place?
Yes — school-counter-signable Article 28 UK GDPR DPA available at lesso.co.uk/dpa. Includes binding no-training commitment, 30-day sub-processor change notice, and 30-day data export on termination.
DPIA carried out?
Yes — LESSO has carried out and published a DPIA summary at lesso.co.uk/dpia. The DPIA covers the batch assessment marking workflow and confirms LESSO is outside Article 22 automated decision-making (teacher reviews and approves all draft marks). The internal long-form DPIA is available to controller customers on request.

How to use this template

  1. Copy the fields above into your school's ROPA (whether maintained in a spreadsheet, your DPO's ROPA tool, or a document).
  2. Fill in your school or trust name and your DPO contact details in the "Controller name and contact" field.
  3. Record the date you added this entry and set a review reminder for 19 June 2027 (or when LESSO notifies you of a material change — whichever is sooner).
  4. If your trust or MAT maintains a consolidated ROPA across all schools, this entry can be shared verbatim across member schools that use LESSO.

Commitment to update: LESSO will update this template within 30 days of any material change to the processing described above (new sub-processor, new data category, change of purpose, or change in international transfer position). Schools subscribed to change notifications at lesso.co.uk/sub-processors will be notified automatically. Last reviewed 19 June 2026 in compliance with UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

LESSO Ltd | Registered in England and Wales