Data Protection Addendum and General Data Protection Regulation Compliance
Please note: If you require a signed copy of the agreement, please request one via email to support@gonurture.com.
This Data Processing Agreement ("DPA") governs the processing of Customer Personal Data by Nurture Technology Ltd ("Nurture", "Processor") on behalf of a school, education authority, or other customer ("Customer", "Controller") in connection with the Services.
This DPA is intended to be a standard template. It applies where Nurture processes Customer Personal Data as a processor on behalf of a Controller. It does not apply to data that Nurture processes as an independent controller (for example, billing, sales enquiries, or website analytics not linked to Customer Personal Data).
This DPA forms part of, and is incorporated into, the agreement between Nurture and the Customer for the Services (the "Agreement"). In the event of a conflict between this DPA and the Agreement on matters of personal data processing, this DPA prevails.
In this DPA:
3.1 Controller and Processor. The Customer is the Controller of Customer Personal Data. Nurture acts as Processor and processes Customer Personal Data only to provide and support the Services.
3.2 Controller instructions. Nurture will process Customer Personal Data only on documented instructions from the Controller, including as set out in this DPA and the Controller’s configuration and use of the Services, unless required by law.
The subject matter, duration, nature and purpose of processing, types of Customer Personal Data, and categories of data subjects are described in Appendix 1.
5.1 Confidentiality. Nurture will ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
5.2 Security. Nurture will implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. A summary of measures is in Appendix 2.
5.3 Data minimisation. Nurture will design and operate the Services to minimise the processing of personal data and to avoid including additional account profile fields in AI prompts beyond a first name, unless configured otherwise by the Controller.
5.4 Personnel access. Nurture limits access to Customer Personal Data to trained personnel who require access for support, security, reporting, and service administration.
5.5 Intellectual property and use of Customer Data. As between the parties, the Controller retains all right, title, and interest (including intellectual property rights) in Customer Data, including student-submitted work. Nurture does not acquire any ownership rights in Customer Data. The Controller grants Nurture a limited, non-exclusive licence to process Customer Data solely to provide and support the Services in accordance with this DPA and the Controller’s documented instructions. The Controller represents that it has (and will maintain) the rights and permissions necessary to provide Customer Data to Nurture for processing on the Controller’s behalf.
5.6 No training on Customer Data. Nurture will not use Customer Data (including student-submitted work) to train, fine-tune, or improve general-purpose artificial intelligence models. Where Nurture uses AI providers to deliver AI-assisted features, Nurture will configure those services so that Customer Data is not used by Nurture to train or improve general-purpose models.
6.1 Authorisation. The Controller provides general authorisation for Nurture to appoint Subprocessors to process Customer Personal Data, provided that Nurture maintains an up-to-date list of Subprocessors.
6.2 Subprocessor list. Nurture publishes its list of Subprocessors and key suppliers at: https://gonurture.com/security (or successor page).
6.3 Changes. Nurture may update the Subprocessor list from time to time. Where a Subprocessor change materially increases risk to Customer Personal Data, the Controller may contact Nurture with reasonable objections.
6.4 Flow-down terms. Nurture will impose written terms on Subprocessors that provide at least the same level of protection for Customer Personal Data as this DPA, including appropriate confidentiality and security obligations.
6.5 Liability. Nurture remains responsible for the performance of its Subprocessors under this DPA.
Where Applicable Data Protection Law requires safeguards for transfers of Customer Personal Data outside the EEA/UK/Switzerland, Nurture will implement appropriate transfer mechanisms (such as standard contractual clauses) and supplementary measures where appropriate.
The Controller acknowledges that, depending on configuration and the Subprocessors used for a given request (including AI providers), Customer Personal Data may be processed in locations outside the EEA/UK/Switzerland as identified in the Subprocessor list.
8.1 Data subject rights. Taking into account the nature of processing, Nurture will assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests to exercise data subject rights.
8.2 DPIAs and prior consultation. Nurture will provide reasonable information to assist the Controller with data protection impact assessments and prior consultations, to the extent relevant to the Services and available to Nurture.
8.3 Records. Nurture will maintain records of processing as required by law for processors.
9.1 Notification. Nurture will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
9.2 Information. Nurture will provide available information in phases as it becomes known, including the nature of the breach, likely consequences, and measures taken or proposed to address it.
9.3 Australia (NDB). For Australian customers, Nurture will provide reasonable assistance to support the Controller’s assessment and notification obligations under the Notifiable Data Breaches scheme, where applicable.
10.1 During the term. On the Controller’s verified request, Nurture will delete or de-identify requested Customer Personal Data from Nurture-controlled active systems within 30 days, except where retention is required or permitted by law or for security, audit, or backup purposes. For customer-tenant deployments, deletion of data stored in the Controller’s tenant is managed by the Controller.
10.2 On termination. Following termination or expiry of the Services, Nurture will delete or return Customer Personal Data from Nurture-controlled systems within 30 days, subject to the same limitations (legal retention, security, audit, backups).
11.1 Information. Upon reasonable written request, Nurture will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of security measures and, where available, relevant third-party assurance reports.
11.2 No on-site audits. The parties agree that Controller audit rights are satisfied by the information and documentation described above, and this DPA does not grant a right to on-site audits or inspections.
For Australian deployments, Nurture configures the Services so that Account PII and Customer Data are hosted and processed in Australia. Limited de-identified technical telemetry may be processed by operational tooling (for example, monitoring or code hosting) as described in the Subprocessor list. This telemetry is configured to exclude Account PII and Customer Data.
13.1 Order of precedence. If there is a conflict between the main Agreement and this DPA on the processing of Customer Personal Data, this DPA prevails.
13.2 Updates. Nurture may update this DPA to reflect changes in law, regulatory guidance, or the Services. Updated versions will be published on Nurture’s website with an updated effective date.
13.3 Governing law. The governing law and venue are as set out in the main Agreement unless otherwise agreed in writing.
Subject matter: provision of the Services (Microsoft Teams and Canvas integrations, and Nurture web application) to support educational workflows including assessment creation, student submissions, teacher feedback, and reporting.
Duration: for the term of the Agreement, plus the periods set out in Section 10 (Deletion and return).
Nature of processing: collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission within the Service, and deletion. AI-assisted processing may occur where enabled.
Purpose of processing: to provide, secure, support, maintain, and improve the Services; to generate requested outputs (including AI-assisted outputs) for educational use; and to provide customer support and reporting.
Categories of data subjects: teachers and other school staff; students; school administrators; and authorised support contacts.
Types of Customer Personal Data:
Nurture maintains an information security program designed to protect Customer Personal Data. Measures may include:
Specific measures may vary by Deployment Model and customer configuration.
The current list of Subprocessors and key suppliers (including data locations and whether they process Account PII and/or Customer Data) is published at: https://gonurture.com/security