SafeKid AISign In

Data Processing Agreement

Last updated: 12 April 2026

1. Scope & Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and SafeKid AI Ltd (the "Processor"). This DPA applies where we process personal data on your behalf in connection with the SafeKid AI platform, as required under UK GDPR Article 28.

2. Subject Matter & Duration

The Processor processes personal data for the purpose of providing AI content safety analysis, moderation, and reporting services. Processing continues for the duration of the service agreement and for the retention periods specified in our Privacy Policy.

3. Categories of Data Subjects

  • Students using AI-enabled educational tools
  • Teachers and school staff submitting content for moderation
  • Parents accessing transparency features
  • EdTech platform end-users

4. Types of Personal Data

  • Pseudonymised student identifiers
  • Text content submitted for safety analysis
  • Safety scores and moderation outcomes
  • Behavioural pattern assessments
  • Timestamps of interactions

5. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorised to process have committed to confidentiality
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without prior written authorisation
  • Assist the Controller with data subject rights requests
  • Delete or return all personal data upon termination
  • Make available all information necessary to demonstrate compliance
  • Allow and contribute to audits conducted by the Controller

6. Sub-Processors

We maintain a list of approved sub-processors. We will notify you of any intended changes to sub-processors, giving you the opportunity to object. Current sub-processors include our cloud infrastructure provider and AI model provider, both subject to equivalent data protection obligations.

7. International Transfers

The Processor shall not transfer personal data outside the UK without appropriate safeguards as required by UK GDPR Chapter V, including the UK International Data Transfer Agreement (IDTA) or Addendum to the EU SCCs.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach. Notification shall include the nature of the breach, categories of data affected, likely consequences, and measures taken to mitigate.

9. Data Protection Impact Assessments

The Processor shall assist the Controller in carrying out Data Protection Impact Assessments (DPIAs) and prior consultations with the ICO where required under UK GDPR Articles 35-36.

10. Contact

For DPA enquiries, contact our Data Protection Officer at dpo@safekidai.co.uk.