← Compliance

Data Processing Agreement

Template version 1.1 (4 July 2026). This is eViva's standard form, published at eviva.tech/dpa (which renders this document). Fields in {{double braces}} are completed per school at signature; the agreement is executed through eViva's ordinary signature process, not by downloading this page. Changes to this template are versioned here.

Between:

{{SCHOOL_NAME}} of {{SCHOOL_ADDRESS}} (the "Controller" or "School")

and:

Copeland Digital Ltd, a company incorporated in England and Wales (Company No. 17207220), of {{COPELAND_DIGITAL_REGISTERED_ADDRESS}}, trading as eViva (the "Processor" or "eViva")

Each a "Party" and together the "Parties".

Effective date: {{DPA_EFFECTIVE_DATE}}


1. Background and interpretation

1.1 The Parties have entered into a {{COMMERCIAL_AGREEMENT_NAME}} (the "Principal Agreement") under which the Processor provides the eViva service to the Controller.

1.2 This Data Processing Agreement ("DPA") forms part of the Principal Agreement and governs the Processor's processing of Personal Data on behalf of the Controller in connection with the provision of the Service. In the event of conflict between this DPA and the Principal Agreement on data-protection matters, this DPA prevails.

1.3 Capitalised terms not otherwise defined in this DPA have the meanings given in the GDPR or the PDPL, as applicable.

1.4 "Applicable Data Protection Law" means, in respect of each Party, all laws relating to the protection of Personal Data that apply to that Party's processing under this DPA, including: - the EU General Data Protection Regulation (Regulation (EU) 2016/679) and any implementing law in the United Kingdom or any EU member state (collectively, "GDPR"); and - the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and its executive regulations (collectively, "PDPL").

1.5 "Service" means the eViva oral-assessment platform provided by the Processor to the Controller under the Principal Agreement.

1.6 "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.

1.7 "Personal Data Breach" has the meaning given in GDPR Art. 4(12) and includes any "breach of Personal Data" as defined in PDPL Art. 1.


2. Subject matter, nature, and purpose

2.1 The subject matter, nature, purpose, duration, types of Personal Data, and categories of data subject are set out in Annex I.

2.2 The Processor processes Personal Data only on the documented instructions of the Controller as set out in the Principal Agreement, this DPA, and any further written instructions the Controller may give from time to time. The Controller's use of the Service through the operator UI constitutes documented instruction for the operations the UI exposes.

2.3 The Processor will inform the Controller without undue delay if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law.


3. Roles

3.1 The Controller is the data controller and the Processor is the data processor in respect of all Personal Data processed under this DPA, except that:

(a) the Controller's relationship with its own cloud-storage platform (which holds the recording files themselves) is governed by the Controller's own contract with that platform provider, being Google (for Google Workspace / Google Drive tenancies) or Microsoft (for Microsoft 365 / OneDrive tenancies), in respect of which the Processor is not a party; and

(b) the Controller's relationship with Stripe (which processes payment data where the Principal Agreement involves payment) is governed by Stripe's terms of business and Stripe's own DPA, to which the Controller assents on first use of Stripe Checkout.


4. Processor obligations

The Processor will:

4.1 Lawfulness. Process Personal Data only on the Controller's documented instructions and only for the purposes set out in Annex I, except where the Processor is required by law to process otherwise (in which case the Processor will notify the Controller before processing unless prohibited by law).

4.2 Confidentiality. Ensure that any person authorised to process Personal Data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality.

4.3 Security. Implement and maintain the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk.

4.4 Sub-processors. Engage Sub-processors only in accordance with clause 6 and Annex III.

4.5 Data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests from data subjects exercising their rights under Applicable Data Protection Law. The Service exposes self-service export and deletion functions that the Controller can use without separate Processor involvement; for requests not satisfiable through those functions, the Processor will respond to a written request from the Controller within 10 working days.

4.6 Assistance with controller obligations. Assist the Controller in ensuring compliance with the Controller's obligations under GDPR Arts. 32-36 and PDPL Arts. 7-10 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to the Processor.

4.7 Breach notification. Notify the Controller without undue delay, and in any event within 24 hours, after the Processor becomes aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include the information set out in clause 7 below, to the extent then known. Further details and updates will follow as the investigation progresses.

4.8 Return or deletion of data. On termination of the Principal Agreement, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless retention is required by applicable law. The Service exposes a self-service export of all metadata held by the Processor in a portable JSON format. Recordings themselves reside in the Controller's own cloud storage (Google Drive or OneDrive, per the Controller's tenancy) and are not affected by the Service's termination.

4.9 Records of processing. Maintain a record of all categories of processing activities carried out on behalf of the Controller, as required by GDPR Art. 30(2).

4.10 Audit. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, in accordance with clause 8.


5. Controller obligations

5.1 The Controller warrants that:

(a) it has the right to disclose the Personal Data to the Processor, and that the Processor's processing as described in this DPA will not breach Applicable Data Protection Law;

(b) it has obtained, or will obtain, all necessary consents and authorisations (including, where applicable, parental consent for minors) and has provided, or will provide, all necessary notices to data subjects;

(c) its instructions to the Processor comply with Applicable Data Protection Law; and

(d) it has carried out (or will carry out) any data protection impact assessment required of it before commencing processing.

5.2 The Controller is responsible for the content of any prompts, assignment titles, free-text fields, uploaded reference images, or other inputs that teachers may enter into the Service, and for ensuring that such content does not solicit or contain special-category data within the meaning of GDPR Art. 9 or PDPL Art. 6.


6. Sub-processors

6.1 The Controller authorises the Processor to engage the Sub-processors listed in Annex III.

6.2 The Processor will notify the Controller by email at least 30 days before any addition or replacement of a Sub-processor takes effect. The notice will identify the Sub-processor, the processing operations to be performed, and the location of the processing.

6.3 The Controller may object to any new Sub-processor on reasonable data-protection grounds by written notice given within 30 days of the Processor's notice. If the Parties cannot agree a resolution within a further 30 days, the Controller may terminate the Principal Agreement with effect from the proposed Sub-processor change date, without penalty, with a pro-rata refund of any prepaid fees for the unexpired term.

6.4 The Processor will impose on each Sub-processor obligations no less protective than those imposed on the Processor by this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.


7. Personal Data Breach

7.1 A breach notification from the Processor to the Controller under clause 4.7 will include, to the extent then known:

(a) the nature of the Personal Data Breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) the likely consequences of the Personal Data Breach;

(c) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including measures to mitigate its possible adverse effects;

(d) the name and contact details of the Processor's incident-response contact; and

(e) a written confirmation of the Processor's intention to provide further information as the investigation progresses, at intervals no longer than every 48 hours until the matter is closed.

7.2 The Controller is responsible for any onward notification to the UAE Data Office (PDPL Art. 9), the Information Commissioner's Office or another supervisory authority (GDPR Art. 33), and to affected data subjects (GDPR Art. 34 / PDPL Art. 10). The Processor's 24-hour notification window is calibrated to give the Controller sufficient time to meet its own 72-hour ceiling under those laws.

7.3 The full Processor incident-response procedure is set out in docs/dpia/incident-response-procedure.md, which is incorporated by reference.


8. Audit

8.1 The Processor will, on no fewer than 30 days' written notice and no more than once per 12-month period (unless required by a supervisory authority or following a Personal Data Breach affecting the Controller), make available to the Controller (or its mandated auditor) such information as is reasonably necessary to demonstrate compliance with this DPA.

8.2 The Controller may satisfy its audit rights by:

(a) reviewing the Processor's then-current audit reports, certifications, or attestations (including any SOC 2 reports the Processor or its Sub-processors hold);

(b) submitting a written questionnaire to be answered by the Processor within 30 days; or

(c) (where the above do not adequately address the Controller's reasonable audit need) requesting an on-site or remote audit, conducted during normal business hours and at the Controller's cost (except where the audit reveals a material breach by the Processor, in which case the Processor will bear reasonable cost).

8.3 The Controller will not exercise audit rights in a manner that disrupts the Service or compromises the confidentiality, security, or availability of other Processor customers' data.


9. International transfers

9.1 The Processor processes the Controller's Personal Data in the European Union (Frankfurt, Germany) as detailed in Annex I and Annex III. The transfer of Personal Data from the United Arab Emirates to the European Union is governed by the safeguards in Annex IV.

9.2 If the law applicable to either Party changes such that the safeguards in Annex IV become insufficient, the Parties will negotiate in good faith to put alternative safeguards in place within 60 days.


10. Liability

10.1 Each Party's liability under this DPA is subject to the limits and exclusions set out in the Principal Agreement.

10.2 Nothing in this DPA excludes or limits liability that cannot lawfully be excluded or limited under Applicable Data Protection Law, including liability under GDPR Art. 82.


11. Term and termination

11.1 This DPA takes effect on the Effective Date and continues until the Principal Agreement terminates or expires, except that clauses imposing obligations that survive termination of the Principal Agreement (including clauses 4.7, 4.8, 7, and 8) continue for as long as the Processor holds any Personal Data of the Controller.

11.2 On termination, the Processor will perform its obligations under clause 4.8.


12. Governing law and jurisdiction

12.1 This DPA is governed by {{GOVERNING_LAW}}. The Parties submit to the exclusive jurisdiction of the courts of {{JURISDICTION}} in respect of any dispute arising out of or in connection with this DPA, save that either Party may seek interim or injunctive relief in any court of competent jurisdiction.

12.2 Nothing in this clause affects a data subject's right to bring proceedings in the courts of the data subject's country of habitual residence as provided by Applicable Data Protection Law.


Signatures

For the ControllerFor the Processor
Name: {{SCHOOL_SIGNATORY_NAME}}Name: Anthony Copeland
Role: {{SCHOOL_SIGNATORY_ROLE}}Role: Director
Organisation: {{SCHOOL_NAME}}Organisation: Copeland Digital Ltd
Signature:Signature:
Date:Date:

Annex I: Description of the processing

Subject matter: Provision of the eViva oral-assessment service to the Controller.

Duration: From the Effective Date until termination of the Principal Agreement, plus any post-termination retention period set out in clause 4.8 of this DPA.

Nature and purpose: As described in §§2.1, 2.2, 2.6 of the accompanying DPIA.

Types of Personal Data:

  • Teacher account: email, name, identity-provider profile picture URL (Google or Microsoft, per the Controller's tenancy).
  • Assignment metadata: title, prompt text, due dates, settings.
  • Reference images (optional): teacher-uploaded images attached to assignment questions as stimulus material; the Acceptable Use Policy prohibits images containing student or other personal data.
  • Attempt metadata: student name, attempt start/end times, cloud-storage file ID (Google Drive or OneDrive), duration.
  • Teacher feedback and follow-up questions: free-text assessment commentary a teacher writes about a student's responses, and any follow-up questions the teacher adds; human-authored (not AI-generated); emailed to the student when the teacher returns it.
  • Integrity events: timestamps and event types only (focus loss, fullscreen exit, copy/paste, tab switch).
  • Audit and access logs: authentication events, admin actions.
  • Subscription metadata (paid agreements only): Stripe customer ID, subscription ID, status, plan, renewal date.

Categories of data subject:

  • Students of the Controller using the Service.
  • Teaching and authorised support staff of the Controller using the Service.
  • Billing contact at the Controller (paid agreements only).

Frequency of processing: Continuous during the term.

Location of processing: eu-central-1 (Frankfurt, Germany) for metadata and reference images held in Supabase (Postgres and Storage respectively). Stripe processing primarily in Ireland for payment data (paid agreements only). Recording files reside in the Controller's own Google Workspace or Microsoft 365 tenancy.


Annex II: Technical and organisational measures

The Processor implements the following measures, reviewed at least annually:

Access control:

  • All staff access to production Personal Data requires Google Workspace sign-in with 2-step verification on the anthonycopeland.com domain.
  • Production Supabase access is limited to the Director (single named individual at the date of this DPA).
  • Row-Level Security policies enforce data isolation in Supabase so that each Controller's teachers see only their own assignments and attempts.

Encryption:

  • All data in transit uses TLS 1.2 or above.
  • Data at rest in Supabase is encrypted using AES-256 (Supabase platform-level).
  • OAuth refresh tokens for teacher accounts are encrypted at rest using a key held only in production Vercel secrets.

Network and platform security:

  • Production application runs on Vercel with secrets scoped to the Production environment only. Vercel preview deployments are disabled at the platform level for non-main branches (vercel.json git.deploymentEnabled restricted to main).
  • No personal data is processed in pre-production environments.
  • Dependency security updates are reviewed weekly via GitHub Dependabot; critical-severity patches are applied within 7 days.

Logging and monitoring:

  • Authentication events and admin actions are logged with 12-month retention.
  • Failed sign-in attempts are rate-limited.
  • Stripe webhooks are signature-verified.

Backup and recovery:

  • Supabase Pro automated daily backups with 7-day point-in-time recovery.
  • Annual restore-from-backup rehearsal, logged on the compliance page (eviva.tech/compliance).

Vulnerability management:

  • Dependency vulnerabilities are reviewed weekly.
  • Public security contact: admin@eviva.tech.
  • Responsible-disclosure policy published at eviva.tech/security (and eviva.tech/.well-known/security.txt).

Incident response:

  • Procedure documented at docs/dpia/incident-response-procedure.md.
  • 24-hour notification to Controller on becoming aware of any Personal Data Breach.

Personnel:

  • All personnel handling Personal Data are bound by confidentiality.
  • At the date of this DPA, the Processor is a single-person company (Anthony Copeland, Director).

Annex III: Authorised Sub-processors

The Processor is authorised to engage the following Sub-processors on the Effective Date:

Sub-processorEntityServiceProcessing location
SupabaseSupabase Inc. (US)Database, authentication, file storage (reference images; demo recordings)eu-central-1 (Frankfurt, Germany)
Google (Google-tenancy Controllers only)Google LLC (US) / Google Ireland LtdOAuth, Drive API, Classroom APIController's own Google Workspace tenancy region
Microsoft (Microsoft-tenancy Controllers only)Microsoft Corporation (US) / Microsoft Ireland Operations LtdEntra ID sign-in (OAuth), Microsoft Graph API (orchestration of uploads into the Controller's own OneDrive)Controller's own Microsoft 365 tenancy region
VercelVercel Inc. (US)Application hosting, edge functions, scheduled jobs, basic visitor analyticsfra1 (Frankfurt, Germany)
ResendResend Inc. (US)Transactional emailEU region
Stripe (paid agreements only)Stripe Payments Europe Ltd (Ireland)Subscription billing, Checkout, Customer Portal, taxIreland (EU primary); US for some operational data under Stripe SCCs

Storage-platform engagement is per-tenancy and mutually exclusive: for a Controller on Google Workspace the Processor engages Google and never Microsoft in respect of that Controller's Personal Data, and vice versa for a Controller on Microsoft 365. The selection follows the Controller's own identity platform and does not change without the Controller changing platform.

A current Sub-processor list is maintained at eviva.tech/compliance. The Processor will notify the Controller of any change in accordance with clause 6.


Annex IV: International transfer safeguards

For transfers of Personal Data from the United Arab Emirates to the European Union, the Parties rely on the layered safeguards set out below, pursuant to PDPL Art. 22:

1. Contractual safeguards (PDPL Art. 22(2)(b)). The Parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller-to-Processor), as the substantive standard for the protections accorded to the transferred data. The Parties further agree to:

(a) treat the choices in Annex I.A, I.B, and II of the EU SCCs as the equivalent details set out in Annex I and Annex II of this DPA;

(b) treat the Controller as the data exporter and the Processor as the data importer;

(c) treat the optional docking clause and onward-transfer clause as engaged on the same terms as the EU SCCs.

2. Express data subject consent (PDPL Art. 22(2)(c)). The Controller obtains, and the Processor relies upon, the express consent of data subjects (or their parents/guardians where required) for the international transfer of their Personal Data to the European Union for the purpose of the Service.

3. Contract necessity (PDPL Art. 22(2)(d)). The transfer is necessary for the performance of the Principal Agreement between the Parties.

4. Adequacy contingency. If, during the term, the UAE Data Office issues an adequacy decision in respect of the European Union (or relevant member state), the Parties agree that adequacy will become the primary transfer mechanism without further amendment to this DPA.

For onward transfers from EU Sub-processors to other jurisdictions, the relevant Sub-processor's own SCCs and supplementary measures apply, as described in Annex III.