This Data Processing Agreement ("DPA") sets out the terms on which Revision Genie Ltd processes personal data on behalf of a school, multi-academy trust, college or other education institution ("the School") that subscribes to Revision Genie services or that allows its students to use Revision Genie.
It is designed to satisfy Article 28 of the UK GDPR and is incorporated by reference into the Terms and Conditions agreed by the School when it subscribes to a paid plan, allocates school seats, or registers student accounts through a teacher or school admin.
If your School needs a countersigned copy of this DPA for its own records, please contact our Data Protection Officer, Joel Martin, at joel@revisiongenie.com and we will provide one.
1.1 The Processor: Revision Genie Ltd, a company registered in England and Wales (company number 16212210, registered office 45 Fitzroy Street, London W1T 6EB), registered with the Information Commissioner's Office under registration number ZC008367 ("we", "us", "our").
1.2 The Controller: the School that registers, allows or instructs its students or staff to use Revision Genie, as identified in the subscription, school seat allocation, or school admin registration ("the School").
2.1 In respect of personal data processed by Revision Genie for the School's students and staff in the course of providing the service ("School Personal Data"), the School is the Data Controller and Revision Genie Ltd is the Data Processor.
2.2 Where a student creates their own Revision Genie account independently of any school (for example a self-funded student using a personal email), Revision Genie Ltd is the Data Controller for that account, and this DPA does not apply to that processing.
2.3 Where a student is registered through a school but later upgrades to a personal paid plan, the role of controller for the School Personal Data remains with the School, while Revision Genie Ltd is the controller for any additional account, billing and payment data resulting from the personal upgrade.
3.1 Subject matter: the provision of the Revision Genie educational platform to the School's students and staff, including AI tutoring, lesson generation, exam practice, marking, progress tracking and class messaging features.
3.2 Duration: this DPA takes effect when the School first allocates a seat or registers a student account, and continues for as long as Revision Genie processes any School Personal Data, plus any retention period required by the law or set out in our Data Retention Policy.
4.1 Nature: storing, organising, retrieving, analysing, transmitting and deleting School Personal Data in the course of operating the Revision Genie platform.
4.2 Purpose: providing the educational service described in our Terms and Conditions, including delivering AI tutoring, tracking learning progress, providing safeguarding monitoring, and enabling teacher and school admin oversight where authorised by the School.
5.1 Categories of data subjects: students at the School (typically aged 11-18), and teachers, school admins and other staff using Revision Genie on behalf of the School.
5.2 Types of personal data processed (see our Privacy Policy for full detail):
Identity data: name, year group or year of birth, school affiliation.
Contact data: email address, OAuth provider identifier (Google or Microsoft) if used.
Authentication data: hashed passwords (if credentials login is used).
Educational data: study activity, lesson progress, quiz responses, exam-practice attempts, marks and AI feedback, skill ratings, mistakes, memory notes saved by the student.
Class data: class membership, class messages posted by teachers and students, homework and announcements.
AI interaction data: messages sent to AI tutors (not retained by default), files uploaded to chat or to My Genies.
Technical data: IP address, browser and device metadata for security and rate limiting.
Safeguarding data: where a conversation is flagged by our safeguarding systems, the flagged content is retained for review.
5.3 We do not knowingly process special category data (UK GDPR Article 9) on behalf of the School. If a student inadvertently discloses special category information in a chat or file, our safeguarding processes apply.
We will:
6.1 Process School Personal Data only on documented instructions from the School, including in respect of international transfers, except where required by law to do otherwise (in which case we will inform the School first, unless the law prohibits this).
6.2 Ensure that all personnel authorised to process School Personal Data are bound by appropriate confidentiality obligations.
6.3 Implement appropriate technical and organisational security measures as set out in section 9.
6.4 Engage sub-processors only on the terms set out in section 7.
6.5 Taking the nature of the processing into account, assist the School by appropriate technical and organisational measures with responding to requests from data subjects exercising their UK GDPR rights.
6.6 Assist the School in ensuring compliance with its security, breach notification, data protection impact assessment and prior consultation obligations under UK GDPR Articles 32 to 36.
6.7 At the choice of the School, delete or return all School Personal Data after the end of the provision of services relating to processing, and delete existing copies unless UK law requires storage of the personal data.
6.8 Make available to the School all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the School or an auditor mandated by the School (see section 11).
7.1 The School gives general authorisation for Revision Genie to engage the sub-processors listed below, which are essential to providing the service:
Microsoft Azure (United Kingdom / European Union) - AI inference (Azure OpenAI) and text-to-speech (Azure Speech Services). Microsoft contractually commits not to train its foundation models on customer data.
MongoDB Atlas - primary database.
Vercel - hosting and serverless functions.
Vercel Blob - file storage for uploads.
Upstash - Redis caching and rate limiting.
Stripe - payment processing (where the School pays for a subscription directly).
Resend - transactional email delivery.
Google (Google Sign-In) and Microsoft (Microsoft Sign-In) - optional authentication, used only if a user signs in with that provider.
7.2 We will inform the School of any intended changes concerning the addition or replacement of sub-processors, giving the School the opportunity to object on reasonable data-protection grounds. Notification will be made via email to the School's lead contact and an update to this page.
7.3 Where we engage a sub-processor, we will impose data protection terms on the sub-processor that are substantially the same as those in this DPA, including the obligations in UK GDPR Article 28(3).
7.4 We remain fully liable to the School for the performance of each sub-processor's obligations.
8.1 Some sub-processors (notably aspects of Microsoft Azure and Stripe) may transfer or back up School Personal Data outside the United Kingdom and European Economic Area.
8.2 Where data is transferred internationally, we rely on transfer mechanisms recognised under UK GDPR, including the UK International Data Transfer Addendum, EU Standard Contractual Clauses, and equivalent safeguards, supplemented by additional technical measures such as encryption.
We maintain appropriate technical and organisational measures including:
9.1 Encryption of School Personal Data in transit using TLS, and at rest by all sub-processors.
9.2 Role-based access controls for our staff with access to production systems, with access reviewed periodically.
9.3 Multi-factor authentication on administrative accounts.
9.4 Centralised secrets management and prohibition on storing production credentials in source control.
9.5 Automatic backups of the primary database.
9.6 Vulnerability management, including patching and dependency monitoring.
9.7 Logging of administrative access for incident investigation.
9.8 Annual review of these measures, and re-assessment when the nature of processing materially changes.
10.1 We will notify the School's nominated contact without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting School Personal Data.
10.2 Notification will include, to the extent known at the time: a description of the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or propose to take.
10.3 We will provide further information as it becomes available and assist the School with its own notification obligations to the Information Commissioner's Office and (where applicable) affected data subjects.
10.4 In a safeguarding emergency (for example, an immediate risk to a child), we may notify safeguarding authorities or emergency services directly, as set out in our Safeguarding Policy.
11.1 We will make available to the School all information necessary to demonstrate compliance with the obligations set out in this DPA.
11.2 In addition to compliance information we make available proactively (including this DPA, our Privacy Policy, Data Retention Policy, and DPIA summary), the School may, at its own cost and on at least 30 days' written notice, audit our compliance with this DPA. Audits will be conducted during normal business hours, must not unreasonably disrupt our operations, and must respect the confidentiality of our other customers.
11.3 Where an audit is conducted by a third party on behalf of the School, that third party must enter into a confidentiality agreement with us before any audit activity takes place.
12.1 On termination of the School's subscription, or on the School's written request at any other time, we will, at the School's choice, return or delete all School Personal Data within 90 days, except where retention is required by law (for example, financial records to meet UK accounting obligations) or set out in our Data Retention Policy.
12.2 Anonymised or aggregated data that no longer identifies any individual may be retained for service-improvement purposes.
12.3 Backups containing School Personal Data will be deleted in line with our standard backup-retention cycle.
13.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms and Conditions between the School and Revision Genie Ltd.
13.2 Nothing in this DPA limits or excludes either party's liability where it cannot lawfully be limited or excluded, including for personal injury or death caused by negligence and for fraud.
14.1 We may amend this DPA from time to time. We will notify the School's lead contact of any material changes by email and update the "Last Updated" date at the top of this page.
14.2 If a change materially reduces the protections provided to School Personal Data, the School may terminate the affected services without penalty by giving us written notice within 30 days of receiving notice of the change.
This DPA is governed by the laws of England and Wales and the courts of England and Wales have exclusive jurisdiction over any disputes arising out of or in connection with it.
For questions about this DPA, to request a countersigned copy, or to give any of the notices contemplated above, please contact our Data Protection Officer, Joel Martin, at joel@revisiongenie.com.