DPIA Summary
Version 1.0 — 10 June 2026
This document is a redacted, public-facing summary of the Data Protection Impact Assessment (DPIA) conducted by andBeyond.digital Ltd, the company that operates C3NTR, for the C3NTR knowledge platform, in accordance with UK GDPR Article 35. The full internal DPIA is available to school leaders under NDA on written request to info@c3ntr.app.
1. Why a DPIA is required
A DPIA is required under UK GDPR Article 35(3) because C3NTR processes, on a large scale, Personal Data relating to children (school students who may be under 16). The processing falls within the indicative list maintained by the Information Commissioner’s Office (ICO) of operations likely to result in a high risk to the rights and freedoms of natural persons, specifically the use of biometric or quasi-identifying data of children in the context of educational service provision.
C3NTR has therefore conducted this DPIA before commencing large-scale Processing.
2. Description of Processing
2.1 Nature
C3NTR is a school knowledge platform: a mobile application and web portal that schools use to deliver structured curriculum content (articles, glossary terms, video, audio) to their members and to manage their roster.
2.2 Scope
Each School is the data controller for its own members’ Personal Data. C3NTR (the Processor) provides shared infrastructure. Data is segregated per school by school identifier at the Firestore-rules layer.
2.3 Context
- Schools choose to subscribe to C3NTR; students join because their school has done so.
- Most schools using C3NTR are martial-arts, dance, music, fitness, or academic enrichment schools.
- A meaningful proportion of student users are under 18; some are under 16.
2.4 Purposes
Limited to: delivering curriculum content; tracking individual reading progress for the student’s own resume-where-you-left-off experience; providing aggregate engagement analytics to school leaders; sending announcements; authentication.
C3NTR does not process student data for:
- profiling for advertising,
- automated decision-making with legal or similarly significant effect,
- third-party data resale or analytics syndication,
- any purpose outside the school’s documented instructions.
3. Necessity and Proportionality
3.1 Lawful basis (the School’s responsibility as Controller)
The School relies on UK GDPR Article 6(1)(b) (performance of a contract) for its instructor and administrator members, and on Article 6(1)(f) (legitimate interests) — with explicit parental notice for students under 16 — for its students. C3NTR provides the technical means; the legal basis assessment is the School’s.
3.2 Data minimisation
C3NTR collects only the data described in the DPA Annex I. It explicitly does not collect: geolocation; payment-card details; contacts or photos outside the C3NTR app; data from anyone under 13 (account creation is gated at the eligibility check).
3.3 Retention
Reading-progress and engagement data are retained for as long as the user has an active membership in the school. Inactive memberships (no login for 18+ months) are flagged for review and deleted after a 30-day grace period. School leaders can shorten retention windows per school.
3.4 Data subject rights
The Right of Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Portability (Art. 20), and Objection (Art. 21) are honoured. The mobile app’s Edit-Profile screen provides a self-service Delete Account flow that hard-deletes user data within minutes; export of data is available on written request to info@c3ntr.app.
4. Risks Identified
| # | Risk | Likelihood | Severity | Inherent risk |
|---|---|---|---|---|
| R1 | Unauthorised access to student data via account-takeover | Low | High | Medium |
| R2 | Excessive data collection / function creep over time | Medium | Medium | Medium |
| R3 | Profile photo of identifiable minor disclosed unintentionally | Low | High | Medium |
| R4 | Behavioural data (reading patterns) used for evaluation without consent | Low | Medium | Low |
| R5 | Sub-processor data breach (e.g. Sub-processor compromise) | Low | High | Medium |
| R6 | International transfer outside UK/EEA without valid mechanism | Very low | High | Low |
| R7 | Failure to deliver Data Subject Rights within statutory window | Low | Medium | Low |
| R8 | Personal-data breach undetected for extended period | Very low | High | Low |
5. Mitigations Applied
| # | Risk | Mitigation | Residual risk |
|---|---|---|---|
| R1 | Account-takeover | Phone-number OTP authentication; multi-factor on web portal; rate-limiting on auth attempts; immediate sign-out from active sessions on password reset. | Low |
| R2 | Function creep | Annual review of data inventory by the Data Protection Lead; quarterly review of any new fields added to the user model; documented data-minimisation policy. | Low |
| R3 | Photo disclosure | Profile photos are optional and visible only to members of the same school; on-screen disclosure at upload time (planned, Tier B); School leader cannot extract photos in bulk. | Low |
| R4 | Behavioural data | Aggregated engagement only — never per-student reports for school leaders; no third-party analytics SDK; on-device semantic search runs entirely on the user’s device. | Low |
| R5 | Sub-processor breach | Sub-processors limited to Google (Firebase / GCP) — major hyperscaler with mature security posture; SCCs / UK IDTA in place; published Sub-processor list with 30-day change notice. | Low |
| R6 | International transfer | Primary data residency in europe-west2 (London). Where ancillary processing routes outside the UK, the UK IDTA applies. | Very low |
| R7 | DSR delivery | One-month statutory response window tracked in the Data Protection Lead’s mailbox queue; documented internal SLA of 14 days. | Low |
| R8 | Undetected breach | Cloud Logging alerts on anomalous patterns; immutable audit log on privileged operations; 72-hour breach SLA to school leaders documented in the DPA. | Low |
6. Conclusion
The DPIA concludes that the Processing of Personal Data, including that of children, by the C3NTR platform can be conducted in a manner consistent with UK GDPR after application of the mitigations described above. Residual risks have been assessed and accepted by the Data Protection Lead on behalf of andBeyond.digital Ltd.
No prior consultation with the ICO under UK GDPR Art. 36 is currently required because no residual risk remains high after mitigation.
This DPIA will be reviewed at least annually, or whenever a material change to Processing is proposed (including: a new Sub-processor, a new data category, a change in data residency, or a new purpose).
7. Sign-off
| Data Protection Lead | andBeyond.digital Ltd (operator of C3NTR) |
|---|---|
| Date of assessment | 10 June 2026 |
| Next scheduled review | 2 June 2027 |
| DPIA reference | C3NTR-DPIA-2026-01 |
Questions about this DPIA: info@c3ntr.app.