C3NTR Data Processing Agreement
Version 1.0 — Effective 10 June 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between andBeyond.digital Ltd, a company registered in England & Wales, which provides the C3NTR service (“Processor”, “C3NTR”), and the customer school identified in the C3NTR portal (“Controller”, “School”), governing the processing of Personal Data by C3NTR on the School’s behalf in connection with the C3NTR service.
This DPA reflects the parties’ agreement on the processing of Personal Data in accordance with the requirements of the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”). Together these are referred to as “Data Protection Laws”.
1. Definitions
Terms used in this DPA that are defined in the Data Protection Laws (including Personal Data, Processing, Data Subject, Controller, Processor, Sub-processor, Personal Data Breach, Supervisory Authority) have the meanings given in those laws.
Services means the C3NTR mobile application, web portal, and supporting infrastructure made available by the Processor to the Controller under the C3NTR subscription agreement.
School Personal Data means Personal Data Processed by the Processor on behalf of the Controller in the course of providing the Services.
2. Roles and Responsibilities
2.1 The parties acknowledge that, for the purposes of the Data Protection Laws, in respect of School Personal Data:
- the Controller is the School; and
- the Processor is C3NTR.
2.2 The Controller determines the purposes and means of the Processing of School Personal Data. The Processor processes School Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country, unless required to do otherwise by applicable law.
2.3 Each party will comply with its respective obligations under the Data Protection Laws.
3. Subject Matter and Duration
3.1 Subject matter: the provision of the C3NTR mobile application and web portal as a school knowledge platform to the Controller’s students, instructors, and administrators.
3.2 Duration: this DPA remains in effect for as long as the Processor processes School Personal Data on behalf of the Controller under the C3NTR subscription agreement, and survives termination to the extent necessary for the Processor to comply with its obligations under clause 11 (Return and Deletion).
3.3 Nature and purpose of Processing: hosting, storing, displaying, indexing, and delivering the Controller’s curriculum content and roster to the Controller’s school members; processing aggregate engagement analytics for the Controller’s own use; sending in-app and push notifications on the Controller’s behalf; and supporting authentication and access control.
3.4 Types of Personal Data: identification data (name, phone number, email), school-membership data (role, grade level, status), behavioural data (article and term reading progress, favourites, last-login, notification preferences), and any Personal Data the Controller chooses to include in its curriculum content or roster import.
3.5 Categories of Data Subjects: the Controller’s school members, including students (who may be minors), instructors, assistant instructors, school administrators, and school leaders.
4. Processor Obligations
The Processor shall:
(a) Process School Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do otherwise by applicable law (in which case the Processor will inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest);
(b) Ensure that persons authorised to Process School Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) Implement the technical and organisational security measures described in Annex II to protect School Personal Data;
(d) Respect the conditions set out in clauses 5 and 6 of this DPA for engaging Sub-processors;
(e) Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for exercising Data Subjects’ rights under Chapter III of the UK GDPR;
(f) Assist the Controller in ensuring compliance with the obligations pursuant to UK GDPR Articles 32 to 36 (security of Processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation), taking into account the nature of Processing and the information available to the Processor;
(g) At the choice of the Controller, delete or return all School Personal Data to the Controller after the end of the provision of Services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data (see clause 11);
(h) Make available to the Controller all information necessary to demonstrate compliance with this DPA and the Processor’s obligations under UK GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (see clause 10).
5. Sub-processors
5.1 General authorisation. The Controller provides general authorisation for the Processor to engage Sub-processors to process School Personal Data, subject to the requirements of this clause.
5.2 Current Sub-processors. The current list of Sub-processors is published at c3ntr.app/subprocessors.html and forms Annex III of this DPA.
5.3 Change notification. The Processor will give the Controller not less than 30 days’ prior written notice of any intended addition or replacement of a Sub-processor by updating the published Sub-processor list and notifying Controllers subscribed to the Sub-processor change-notification mailing list. The Controller may object to the change on reasonable data-protection grounds within that 30-day window. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the Services without penalty.
5.4 Processor obligations. The Processor will impose written terms on each Sub-processor that provide at least the same level of protection for School Personal Data as those required by this DPA, and remains fully liable to the Controller for the performance of each Sub-processor’s obligations.
6. International Transfers
6.1 School Personal Data is hosted in Google Cloud region europe-west2 (London, United Kingdom) and processed by Cloud Functions in the same region. No transfer of School Personal Data outside the United Kingdom or the European Economic Area is required for the core operation of the Services.
6.2 Where any ancillary infrastructure operated by a Sub-processor incidentally processes Personal Data outside the United Kingdom or the EEA, the Processor relies on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or equivalent valid transfer mechanism in force at the relevant time) to ensure an essentially equivalent level of protection.
7. Security of Processing
7.1 The Processor implements the technical and organisational measures described in Annex II to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of Processing, and the risk to the rights and freedoms of Data Subjects.
7.2 The Processor regularly reviews and updates those measures.
8. Personal Data Breaches
8.1 Notification to Controller. The Processor will notify the Controller’s designated point of contact (the email associated with the schoolLeader account in the C3NTR portal) without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting School Personal Data, providing such information as is reasonably available to the Processor at the time of notification (including the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed).
8.2 Assistance. The Processor will provide reasonable assistance to the Controller, taking into account the nature of the Processing and the information available to the Processor, in:
- Notifying the Supervisory Authority (UK GDPR Art. 33), where the Controller is required to do so;
- Communicating the breach to affected Data Subjects (UK GDPR Art. 34), where required;
- Documenting the breach in accordance with UK GDPR Art. 33(5).
8.3 No admission of fault. Notification of a Personal Data Breach under this clause does not constitute an acknowledgement by the Processor of any fault or liability.
9. Data Subject Rights
9.1 The Processor will assist the Controller, by appropriate technical and organisational measures and insofar as possible, in responding to requests by Data Subjects to exercise their rights under UK GDPR Articles 15 to 22 (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making and profiling).
9.2 The Processor will promptly notify the Controller of any request received directly from a Data Subject relating to School Personal Data and will not respond to that request itself except on the documented instructions of the Controller, unless required to do so by applicable law.
10. Audits
10.1 The Processor will make available to the Controller, upon reasonable written request and no more than once in any twelve-month period (unless required more frequently by a Supervisory Authority), the information reasonably necessary to demonstrate compliance with the Processor’s obligations under this DPA, including the most recent independent security audit reports, penetration-test summaries, and the Processor’s privacy and security policies.
10.2 The Controller may, at its own expense and on at least thirty (30) days’ written notice, request to inspect the Processor’s data-processing facilities or commission an independent third-party auditor (subject to confidentiality undertakings) to conduct an inspection. Inspections shall be conducted during normal business hours, with minimum disruption to the Processor’s business operations, and shall not extend to confidential information of other customers of the Processor.
11. Return and Deletion
11.1 At the choice of the Controller, expressed in writing to the Processor no later than thirty (30) days following the termination or expiry of the C3NTR subscription agreement, the Processor will either:
(a) Return all School Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
(b) Delete all School Personal Data from the Processor’s systems, including back-up copies (subject to the routine over-write cycle of the Processor’s back-up systems, in any event no later than ninety (90) days following the date of return or deletion).
11.2 The Processor will provide written confirmation to the Controller that all School Personal Data has been returned or deleted, as applicable.
11.3 The Processor may retain School Personal Data to the extent and for the period required by applicable law, in which case the Processor will continue to ensure the confidentiality of that data and will Process it only as necessary for the purposes specified in that applicable law.
12. Liability
The liability of each party under or in connection with this DPA shall be subject to the limitations of liability set out in the C3NTR subscription agreement. For the avoidance of doubt, this DPA does not increase or vary the aggregate liability of the parties beyond the cap set out in the C3NTR subscription agreement.
13. General
13.1 Order of precedence. In the event of a conflict between this DPA and the C3NTR subscription agreement, this DPA prevails to the extent of the conflict, but only in relation to the Processing of School Personal Data.
13.2 Governing law. This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.
13.3 Amendments. Any amendment to this DPA must be in writing and signed by an authorised representative of each party.
Annex I — Description of Processing
| Subject matter | Provision of the C3NTR knowledge platform to the Controller’s school. |
|---|---|
| Duration | For as long as the Processor processes School Personal Data on the Controller’s behalf under the C3NTR subscription agreement. |
| Nature and purpose | Hosting, storing, displaying, indexing, and delivering curriculum content and roster information; aggregate engagement analytics; in-app and push notifications; authentication and access control. |
| Type of Personal Data | Identification data (name, phone, email), school-membership data (role, grade, status), behavioural data (reading progress, favourites, last-login, notification preferences), and any Personal Data the Controller chooses to include in curriculum content or roster import. |
| Categories of Data Subject | The Controller’s school members: students (who may be minors), instructors, assistant instructors, school administrators, school leaders. |
Annex II — Technical and Organisational Security Measures
The Processor implements at least the following measures:
1. Encryption. All data in transit between user devices and C3NTR servers is encrypted using TLS 1.2 or higher. All data at rest in Cloud Firestore and Cloud Storage is encrypted using AES-256.
2. Authentication. Multi-factor authentication is enforced for all administrative access to Sub-processor consoles. End-user authentication uses phone-number one-time codes and (on the web portal) magic-link email.
3. Access control. Role-based access control enforced at the Firestore-rules layer prevents users from accessing data outside their role and school. The principle of least privilege is applied to internal access.
4. Audit logs. Administrative actions (roster changes, content edits, member removals) are recorded in immutable Cloud Logging and surfaced to school leaders in the C3NTR portal where applicable.
5. Sub-processor management. Sub-processors are vetted for compliance with this DPA before engagement; the list of Sub-processors is published and version-controlled.
6. Data residency. Primary data storage is in the United Kingdom (Google Cloud europe-west2). Where ancillary processing occurs outside the UK or EEA, the UK IDTA / EU SCCs apply.
7. Vulnerability management. Dependencies are scanned for known vulnerabilities; security patches are applied without undue delay.
8. Backup and recovery. Automated daily back-ups of Firestore data with point-in-time recovery within the seven preceding days. Back-ups are encrypted and stored in the same region as the primary data.
9. Breach detection. Cloud Logging alerts on anomalous patterns; Cloud Functions write to an immutable audit log on every privileged action.
10. Personnel. All personnel with access to School Personal Data are subject to confidentiality obligations and receive data-protection awareness training.
Annex III — Sub-processors
The current list of Sub-processors engaged by the Processor for the Processing of School Personal Data is published at c3ntr.app/subprocessors.html. That published list forms part of this DPA. Changes to the list are notified in accordance with clause 5.3.
Annex IV — Signature
This DPA is entered into between the Controller and the Processor and is effective from the date of signature by the Controller, whose acceptance is recorded electronically when the school’s leader accepts these terms through the C3NTR portal, or on the date of countersignature below.
Controller (School)
| School name | |
|---|---|
| Authorised signatory (name) | |
| Title | |
| Signature | |
| Date | |
Processor (C3NTR)
| Entity | andBeyond.digital Ltd (operator of C3NTR) |
|---|---|
| Authorised signatory | |
| Title | Director |
| Signature | |
| Date | |
Questions about this DPA: info@c3ntr.app.