ROPA Entry Template — LESSO
Last reviewed 19 June 2026 · Next review 19 June 2027
What is a ROPA and why do schools need one?
UK GDPR Article 30 requires every data controller (including schools) to maintain a Record of Processing Activities — a written log of all the ways personal data is processed in or on behalf of the organisation. When a school uses LESSO, it engages LESSO Ltd as a data processor; the school needs to record that processing in its own ROPA. This pre-populated entry gives you every mandatory field, ready to copy into your school or trust's ROPA without having to gather the information yourself.
Article 30 Mandatory Fields — LESSO Processing
[Name and contact details of your DPO or designated data-protection lead]
Registered in England and Wales
Data-protection contact: Luke (co-founder) — support@lesso.co.uk
- Account identifiers: name, work email address, job role
- Conversation and prompt history with Mrs J
- Materials uploaded by the teacher (curriculum resources, templates)
- Materials generated for the teacher (lesson plans, worksheets, slide decks)
- Technical and usage data (session logs, audit events, performance telemetry)
Special-category data is not requested or expected. The Acceptable Use clause instructs users not to upload pupil personal data.
Article 6(1)(f) — legitimate interests (service personalisation and operational analytics, ring-fenced by the binding no-training commitment in the DPA).
- Civo Ltd (including relax.ai) — UK-sovereign infrastructure and primary AI inference, LON1, UK
- Microsoft Azure OpenAI Service — fallback AI inference, UK South region (with CLOUD Act transparency note)
- Stripe Payments Europe Ltd — billing and payment processing (payment data only)
- Resend — transactional email (account and billing notifications)
- Teacher account and profile data — duration of the school agreement
- Chat / conversation history with Mrs J — minimum 12 months (active service)
- Teaching materials and generated artefacts — minimum 12 months (active service)
- Production data deletion on termination — within 30 days of agreement end
- Operational backup retention (active service) — 30 rolling days
- Post-termination backup purge — within 90 days of agreement end
- Audit and security logs — minimum 12 months
- Billing records — 7 years (HMRC legal requirement)
Fallback path: Azure UK South (US-parent caveat). The Microsoft Azure OpenAI Service fallback is configuration-pinned to the UK South region. Microsoft Corp is US-headquartered and is theoretically subject to US law-enforcement requests under the CLOUD Act. LESSO uses the Azure path only when the primary path is unavailable. A school may request that the Azure fallback be disabled for its tenancy. See the CLOUD Act transparency note at lesso.co.uk/sub-processors.
How to use this template
- Copy the fields above into your school's ROPA (whether maintained in a spreadsheet, your DPO's ROPA tool, or a document).
- Fill in your school or trust name and your DPO contact details in the "Controller name and contact" field.
- Record the date you added this entry and set a review reminder for 19 June 2027 (or when LESSO notifies you of a material change — whichever is sooner).
- If your trust or MAT maintains a consolidated ROPA across all schools, this entry can be shared verbatim across member schools that use LESSO.
Commitment to update: LESSO will update this template within 30 days of any material change to the processing described above (new sub-processor, new data category, change of purpose, or change in international transfer position). Schools subscribed to change notifications at lesso.co.uk/sub-processors will be notified automatically. Last reviewed 19 June 2026 in compliance with UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
LESSO Ltd | Registered in England and Wales