TripPA Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement”) is entered into between:

  • TripPA Ltd, registered in England and Wales under company number 15229680 (“Processor”); and
  • Subscribing School (“Controller”).

This Agreement forms part of the Subscription Agreement between the parties.

1. Purpose

TripPA will process personal data on behalf of the School solely to provide access to and use of the TripPA platform for educational trip management purposes.

2. Definitions

  • Controller: The entity determining the purposes and means of processing personal data.
  • Processor: The entity processing personal data on behalf of the Controller.
  • Data Protection Legislation: UK GDPR and the Data Protection Act 2018.
  • Personal Data: Any information relating to an identified or identifiable individual.

3. Scope of Processing

  • Categories of Data Subjects: Students, parents/guardians/carers, school staff.
  • Duration: For the duration of the School’s subscription, with immediate deletion upon termination unless otherwise required by law.
  • Types of Personal Data: the extent of personal data submitted to TripPA by the Subscribing School is determined and controlled by the Subscribing School in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
    • Types of Personal Data for Students:
      • Forename and Surname
      • Photograph
      • Student ID
      • Gender
      • Year and Form Group
      • Form Tutor Name
      • Email Address
      • Medical Information
      • Date of Birth
    • Types of Personal Data for School Staff:
      • Forename and Surname
      • Photograph
      • Gender
      • Email Address
      • Medical Information
      • Date of Birth
      • Emergency Contact Information
    • Types of Personal Data for Parents/Guardians/Carers:
      • Forename and Surname
      • Email Address
      • Phone Number
      • Relationship to Student

4. Processor Obligations

TripPA shall:

  • Process personal data only on documented instructions from the School.
  • Implement appropriate technical and organisational measures to ensure data security.
  • Ensure staff handling personal data are bound by confidentiality obligations.
  • Assist the School in responding to data subject requests.
  • Assist with data protection impact assessments if required.
  • Notify the School without undue delay upon becoming aware of a personal data breach.
  • Delete or return personal data at the end of the service provision.

5. Sub-processors

TripPA may engage sub-processors (e.g., Wonde for MIS integration; cloud hosting providers). TripPA will ensure sub-processors comply with equivalent data protection obligations.

TripPA will inform the School of any intended changes to sub-processors and allow objection.

6. International Transfers

TripPA will not transfer personal data outside the United Kingdom without prior written consent of the School and appropriate safeguards.

7. Audit Rights

Upon reasonable notice, the School may audit TripPA’s compliance with this Agreement. TripPA will provide all necessary information to demonstrate compliance.

8. Governing Law

This Agreement shall be governed by the laws of England and Wales.