Legal

Data Processing Agreement

Summary of Classfolio's data processing commitments, and how to request a signed DPA for your school or trust.

Request a signed DPA GDPR & Data Protection

A full, signed DPA is available on request for schools and trusts. Email privacy@classfolio.co.uk

Data roles

Controller and Processor

Under UK GDPR, there is a clear distinction between who controls data and who processes it on behalf of a controller.

Data Controller

Your School or Trust

Decides the purposes for which student and teacher data is processed
Determines which classes, students and teachers are enrolled
Is responsible for obtaining appropriate consent and informing data subjects
Remains accountable for how Classfolio is used within the organisation
Owns all educational data created in Classfolio

Data Processor

Classfolio

Processes personal data only on documented instructions from the school
Provides the platform and services your school has configured
Does not use school data for any purpose other than delivering the service
Ensures appropriate technical and organisational security measures are in place
Notifies the school without undue delay in the event of a data breach

DPA commitments

What the DPA covers

The Classfolio Data Processing Agreement sets out our commitments as a processor. Below is a summary of the key areas covered.

Data ownership

All educational data created in Classfolio — lessons, assessments, student work, and resources — remains the property of your school. Classfolio does not claim ownership of any educational data.

Purpose limitation

Classfolio processes personal data solely to deliver the educational services your school has configured. Data is not used for advertising, marketing, research, or any purpose beyond service delivery.

Security measures

Classfolio implements appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest, and database-level security rules.

Data subject rights

Classfolio assists schools in responding to data subject access requests, deletion requests, and data portability requests within the timeframes required by UK GDPR.

Subprocessors

Classfolio uses a limited set of sub-processors to deliver the service (see below). Schools are notified of any changes to sub-processors that may affect personal data processing.

Breach notification

In the event of a personal data breach, Classfolio will notify affected schools without undue delay, providing information to assist the school in meeting its own reporting obligations.

Data deletion

On termination of the service, or upon school request, Classfolio will delete or return personal data as specified in the DPA. Soft-deleted data is permanently removed after 90 days.

Confidentiality

Classfolio ensures that anyone with access to personal data is bound by appropriate confidentiality obligations.

Compliance assistance

Classfolio provides schools with information and assistance necessary to demonstrate compliance with UK GDPR obligations relating to processing carried out by Classfolio.

Subprocessors

Subprocessors engaged by Classfolio

Classfolio uses the following sub-processors to deliver the platform. All sub-processors are bound by appropriate data processing agreements.

Sub-processor	Purpose	Data involved
Firebase / Google Cloud	Core platform infrastructure — hosting, database, file storage, authentication, and server-side functions.	All platform data
Google Gemini	AI-assisted lesson, assessment, and resource generation. Used only when a teacher explicitly activates an AI feature.	Teacher-created content; student answer text (no PII) for AI marking
Google Authentication	Google OAuth sign-in for teachers and students using school Google Workspace accounts.	Identity assertion (name, email address, unique identifier). No passwords.
Microsoft Authentication	Microsoft OAuth sign-in for teachers and students using school Microsoft 365 accounts.	Identity assertion (name, email address, unique identifier). No passwords.

GDPR & Data Protection

Full details on data controller, processor, student privacy and subprocessors

Security & Infrastructure

Authentication, access controls, encryption and infrastructure overview

Safeguarding

What Classfolio does and does not do in a safeguarding context

Full privacy policy for Classfolio users

Request a signed DPA

Get a signed Data Processing Agreement

Schools and trusts requiring a signed Data Processing Agreement for procurement, DPIA, or compliance purposes can request one by email. We will respond within 5 working days.

privacy@classfolio.co.uk Procurement FAQ

Please include your school or trust name, your role, and any specific requirements for the DPA in your email.