Data Processing Addendum (DPA)
Rodocodo.com
Effective Date: Feb 24, 2026
Version: 1.4
This Data Processing Addendum (DPA) forms part of the Rodocodo Terms & Conditions for School & Business Users.
1. Roles
School & Business User = Data Controller.
Rodocodo = Data Processor.
2. Processing Instructions
Rodocodo shall process personal data only on documented instructions from the School & Business User, unless required to do so by applicable law.
3. Scope of Processing
Processing is limited to providing and operating the Rodocodo platform, including storage and display of student progress data.
4. Categories of Data
- Student first name (or pseudonym);
- Student last name (or pseudonym);
- Optional gender;
- Progress data;
- Authorised personnel contact details.
5. Confidentiality
Rodocodo shall ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
6. Controller Responsibilities
The School & Business User shall:
- Ensure only authorised personnel are granted access to the platform;
- Maintain and control access credentials;
- Notify Rodocodo without undue delay where authorised administrators or users leave the organisation or no longer require access;
- Ensure personal data is lawfully collected and that instructions provided to Rodocodo are lawful.
7. Security Measures
Rodocodo implements appropriate technical and organisational measures including:
- Role-based access controls;
- Encrypted transmission (HTTPS);
- Secure cloud infrastructure;
- Incident detection and response procedures.
8. Subprocessors
Rodocodo may appoint subprocessors under written agreements imposing equivalent data protection obligations. Rodocodo remains responsible for subprocessors in accordance with applicable law.
9. International Transfers
Where data is transferred outside the UK, appropriate safeguards including UK IDTA or adequacy decisions are implemented.
10. Data Subject Rights & DPIA Assistance
Schools & Business Users are responsible for responding to data subject requests.
Rodocodo shall provide reasonable assistance to enable the School & Business User to comply with its data protection obligations, including assistance with data protection impact assessments where appropriate and proportionate.
11. Personal Data Breach
Rodocodo shall notify the School & Business User without undue delay and in any event no later than forty-eight (48) hours after becoming aware of a personal data breach affecting data processed under this DPA.
12. Audit Rights
Upon reasonable written request, Rodocodo shall make available information necessary to demonstrate compliance with this DPA. Any audit shall be proportionate, subject to confidentiality obligations, and not unreasonably disruptive to Rodocodo’s business operations.
13. Deletion
Student personal data is deleted immediately upon termination unless legally required otherwise.
14. Entire Agreement
This DPA forms part of the Rodocodo Terms & Conditions and constitutes the entire agreement between the parties in relation to the subject matter of data processing, superseding any prior agreements relating to that subject matter.
15. Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
16. Waiver
No failure or delay by either party in exercising any right under this DPA shall constitute a waiver of that right.
17. Third Party Rights
A person who is not a party to this DPA shall have no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce its terms.
18. Amendments
We may update this DPA to reflect changes in law, regulatory guidance, subprocessors, or security measures. Material updates will be notified in advance. Nothing in this clause reduces the level of protection required under applicable data protection law.