Data Processing Addendum
Last updated · 3 June 2026
This is a template prepared for the Spark marketing site. Review and adapt it with qualified legal counsel before launch — it is not legal advice.
This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Master Services Agreement between Spark Education Ltd ("Spark") and the customer ("Customer") wherever Spark processes personal data on the Customer's behalf.
Roles of the parties
The Customer is the controller and Spark is the processor in respect of personal data processed through the Spark product. Spark runs on the Customer's own Microsoft 365 tenant.
Subject-matter and duration
The subject-matter is the provision of the Spark attendance and engagement software. Processing continues for the term of the Master Services Agreement and ends on its termination, subject to the deletion and return obligations below.
Nature and purpose of processing
Spark processes personal data to register attendance, manage events, issue digital passes and produce compliance records, strictly to deliver the contracted service.
Categories of data subjects and personal data
- Data subjects: students, staff, parents/guardians and visitors.
- Personal data: names, roles, institutional identifiers, attendance records, contact details and, where relevant, safeguarding flags.
Processor obligations (Art. 28 UK GDPR)
- process personal data only on the Customer's documented instructions;
- ensure personnel are bound by confidentiality;
- implement appropriate technical and organisational security measures (Art. 32);
- engage sub-processors only with authorisation and flow down equivalent obligations;
- assist the Customer with data-subject requests and DPIAs;
- notify the Customer of a personal-data breach without undue delay and within 72 hours of becoming aware;
- delete or return personal data on termination; and
- make available information and allow for audits.
Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft (Customer's own tenant) | Email, identity and storage | UK / EU |
| GOV.UK Notify | UK SMS notifications | UK |
| Hosting provider | Application hosting | UK (London) |
| Resend | Transactional email for sales enquiries (marketing site only) | UK / EU |
International transfers
Customer and student data is held under UK data residency. Where any transfer outside the UK is required, Spark relies on UK adequacy regulations, Standard Contractual Clauses or the UK International Data Transfer Agreement (IDTA) as applicable.
Security measures
Spark applies encryption in transit and at rest, least-privilege access controls, audit logging, regular vulnerability testing and documented incident response, proportionate to the risk to data subjects.
Contact
For data-processing matters, contact our Data Protection Officer at dpo@sparkfe.co.uk. Security concerns can be reported to security@sparkfe.co.uk.