Skip to main content
BehaviourWellbeingInsightsCommunity
Our StoryBlogFAQContact
ten points
Pricing
Book a callLog in
BehaviourWellbeingInsightsCommunity
Our StoryPricingBlogFAQ
Book a callLog in

Agreement

Data Processing Agreement (DPA)

Last updated: Apr 03, 2026

Main Agreement TermsData Processing Agreement (DPA)Terms of Service (Simplified)

This Data Processing Agreement (“DPA”) forms part of the Agreement between the Customer and Ten Points Education Limited (“Ten Points”) for the provision of software services (the “Agreement”), and governs the processing of personal data by Ten Points on behalf of the Customer in connection with the Agreement.

1. Scope and Term

Governing Legislation

This DPA is governed by the UK General Data Protection Regulation (UK GDPR), regardless of the Customer’s location. Where applicable, this DPA aligns with international privacy frameworks including the EU General Data Protection Regulation (EU GDPR), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. These frameworks are referenced for alignment only; UK GDPR shall serve as the primary and legally binding standard.

Term

This DPA shall remain in force for the duration of the Agreement and thereafter for as long as Ten Points processes personal data on behalf of the Customer.

Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail in relation to personal data processing.

2. Roles and Responsibilities

Children and Sensitive Data

Certain personal data processed under this Agreement may relate to children and/or special categories of data as defined under the UK GDPR. Ten Points applies enhanced safeguards, including encryption, certified personnel access only, and strict data minimisation, to ensure that such data is processed lawfully, fairly, and securely, in line with applicable data protection principles.

Controller and Processor

The Customer is the Data Controller and retains full ownership of all personal data. Ten Points acts solely as a Data Processor and will only process personal data in accordance with the Customer’s documented instructions.

Customer Responsibilities

The Customer is responsible for the accuracy, legality, and provision of all personal data and for ensuring that all necessary consents and notices are in place for lawful processing. This includes obtaining appropriate parental or guardian consent where required under applicable local laws.

Processing Purposes

Ten Points shall process personal data solely to:

  1. Provide the software and related services under the Agreement;
  2. Maintain and support the platform infrastructure;
  3. Resolve technical issues;
  4. Communicate with the Customer and authorised users;
  5. Comply with applicable laws and instructions.

3. Data Hosting and International Transfers

Data Hosting

Personal data is hosted using a combination of Amazon Web Services (AWS) infrastructure in the United States and Microsoft Azure infrastructure in the United Kingdom and the European Union, through Ten Points’ sub-processor Bubble.io and other managed services.

Safeguards

International transfers are subject to the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK IDTA), which are incorporated into this DPA by reference. These clauses ensure that data transferred outside the UK is subject to appropriate safeguards under Article 46 of the UK GDPR.

Data Localisation

The Customer acknowledges and accepts that data may be processed or accessed in the US, UK, EU or their local jurisdiction by certified personnel of Ten Points or its sub-processors, subject to the security obligations outlined in this DPA.

4. Sub-Processors

Use of Sub-Processors

Ten Points may engage sub-processors to deliver the Services, including but not limited to those listed in DPA Appendix 1 – Sub-processor Table. Ten Points shall maintain an up-to-date list of sub-processors and provide advance notice of any changes, as set out in this Agreement.

Sub-Processor Obligations

Ten Points shall ensure that sub-processors are bound by data protection obligations no less protective than those set out in this DPA.

Changes to Sub-Processors

Ten Points shall provide the Customer with advance notice of any intended changes to sub-processors. The Customer may object on reasonable grounds and may terminate the Agreement with respect to the affected services if no resolution is achieved.

5. Security and Confidentiality

Technical and Organisational Measures

Ten Points shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include, but are not limited to:

  1. Encryption of data in transit and at rest;
  2. Access control policies;
  3. Regular security assessments and monitoring;
  4. Certified personnel with appropriate training and access only where necessary.

Confidentiality

All staff and contractors with access to personal data shall be bound by confidentiality obligations and will only access data as necessary to fulfil their duties.

6. Rights of Data Subjects

Data Subject Requests

Ten Points shall, where possible, assist the Customer in responding to data subject requests relating to access, rectification, erasure, portability, restriction or objection, in accordance with the UK GDPR. If Ten Points receives a request directly from a data subject or from a parent or legal guardian on behalf of a minor, Ten Points will inform the Customer promptly and cooperate with the Customer in responding to the request in accordance with the Customer’s instructions.

Notifications

Ten Points shall notify the Customer without undue delay of any legally binding request for disclosure, request from a data subject, or data breach.

7. Assistance and Audits

Assistance

Taking into account the nature of the processing, Ten Points shall assist the Customer with its compliance obligations under Articles 32 to 36 of the UK GDPR.

Audits

Upon reasonable notice, the Customer may audit Ten Points’ compliance with this DPA. Ten Points may satisfy audit requests through provision of third-party certifications (e.g. ISO27001, SOC2), security questionnaires, or on-site visits, subject to appropriate safeguards.

8. Return or Deletion of Data

Upon termination of the Agreement, Ten Points shall, at the Customer’s written request, return or securely delete all personal data, unless retention is required by law. Any retained data shall remain subject to the confidentiality and data protection obligations of this DPA.

9. Personal Data Breach Notification

Notification

Ten Points shall notify the Customer without undue delay after becoming aware of a personal data breach. Such notice shall include a description of the breach, its likely consequences, and any mitigation measures taken.

Cooperation

Ten Points shall cooperate with the Customer and provide reasonable assistance to enable the Customer to comply with its breach notification obligations under the UK GDPR.

10. General

Ten Points is committed to complying with UK GDPR. Users have the right to request the removal or modification of their data at any time. For any data protection concerns, please contact our Data Protection Officer (DPO) at [email protected].

DPO Registration Number: ZB716018

Governing Law: This DPA shall be governed by the laws of England and Wales.

Jurisdiction: The courts of England and Wales shall have exclusive jurisdiction over any dispute arising under this DPA.

DPA Appendix 1 – Approved Sub-Processors

The following sub-processors are authorised by Ten Points Education Limited for the provision of the Software Services. These third-party service providers may process personal data on behalf of the Customer, as necessary to deliver the agreed functionality. Each sub-processor is contractually bound to comply with data protection obligations equivalent to those required under the Data Processing Agreement (DPA).

Sub-processorPurposeHosting RegionSafeguards
Bubble.ioApplication platform and databaseUnited StatesUK GDPR-aligned; Standard Contractual Clauses (SCCs); Data Processing Agreement (DPA) in place
Microsoft AzureInfrastructure, cloud hostingUnited States, United Kingdom, EUUK/EU data residency; ISO 27001; Standard Contractual Clauses (SCCs) and UK Addendum
SendGrid (Twilio)Email delivery serviceUnited StatesStandard Contractual Clauses (SCCs), ISO 27001, GDPR-compliant sub-processing agreements
CloudinaryMedia management, image hosting and image optimisationUnited States, EUGDPR-compliant; ISO 27001; secure storage and processing
CloudflareCDN, DNS, caching, cloud hosting and securityGlobal (incl. UK/EU)Standard Contractual Clauses (SCCs), Data Processing Agreement (DPA) in place, ISO 27001, minimal data retention
OpenAIContent moderation and wellbeing message reframing using large language modelsUnited StatesStandard Contractual Clauses (SCCs), Data Processing Agreement (DPA) in place, SOC 2 and ISO 27001 certified. No data is used for training, and all content is processed anonymously.
StripeBilling and subscription management (recurring billing, payment methods, invoices)United StatesStandard Contractual Clauses (SCCs), Data Processing Agreement (DPA), PCI-DSS Level 1 compliant, SOC 1, SOC 2, and ISO 27001 certified. Acts as an independent data controller for payment processing data.
RevolutInvoice payment processing (bank transfers, invoice settlement, financial account management)United Kingdom / European Economic Area (EEA)Data Processing Agreement (DPA), FCA authorised in the UK, PSD2

Ten Points will update this list as necessary and provide notice to Customers of any material changes in accordance with the DPA.

  • Home
  • Behaviour
  • Wellbeing
  • Insights
  • Community
  • Our Story
  • Blog
  • FAQ
  • Pricing
  • Contact
Get started
ten points
Trust CentreAgreement

© 2026 Ten Points Education Ltd