Template version 1.1 (4 July 2026). This is eViva's standard form, published at eviva.tech/dpa (which renders this document). Fields in {{double braces}} are completed per school at signature; the agreement is executed through eViva's ordinary signature process, not by downloading this page. Changes to this template are versioned here.
Between:
{{SCHOOL_NAME}} of {{SCHOOL_ADDRESS}} (the "Controller" or "School")
and:
Copeland Digital Ltd, a company incorporated in England and Wales (Company No. 17207220), of {{COPELAND_DIGITAL_REGISTERED_ADDRESS}}, trading as eViva (the "Processor" or "eViva")
Each a "Party" and together the "Parties".
Effective date: {{DPA_EFFECTIVE_DATE}}
1.1 The Parties have entered into a {{COMMERCIAL_AGREEMENT_NAME}} (the "Principal Agreement") under which the Processor provides the eViva service to the Controller.
1.2 This Data Processing Agreement ("DPA") forms part of the Principal Agreement and governs the Processor's processing of Personal Data on behalf of the Controller in connection with the provision of the Service. In the event of conflict between this DPA and the Principal Agreement on data-protection matters, this DPA prevails.
1.3 Capitalised terms not otherwise defined in this DPA have the meanings given in the GDPR or the PDPL, as applicable.
1.4 "Applicable Data Protection Law" means, in respect of each Party, all laws relating to the protection of Personal Data that apply to that Party's processing under this DPA, including: - the EU General Data Protection Regulation (Regulation (EU) 2016/679) and any implementing law in the United Kingdom or any EU member state (collectively, "GDPR"); and - the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and its executive regulations (collectively, "PDPL").
1.5 "Service" means the eViva oral-assessment platform provided by the Processor to the Controller under the Principal Agreement.
1.6 "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
1.7 "Personal Data Breach" has the meaning given in GDPR Art. 4(12) and includes any "breach of Personal Data" as defined in PDPL Art. 1.
2.1 The subject matter, nature, purpose, duration, types of Personal Data, and categories of data subject are set out in Annex I.
2.2 The Processor processes Personal Data only on the documented instructions of the Controller as set out in the Principal Agreement, this DPA, and any further written instructions the Controller may give from time to time. The Controller's use of the Service through the operator UI constitutes documented instruction for the operations the UI exposes.
2.3 The Processor will inform the Controller without undue delay if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law.
3.1 The Controller is the data controller and the Processor is the data processor in respect of all Personal Data processed under this DPA, except that:
(a) the Controller's relationship with its own cloud-storage platform (which holds the recording files themselves) is governed by the Controller's own contract with that platform provider, being Google (for Google Workspace / Google Drive tenancies) or Microsoft (for Microsoft 365 / OneDrive tenancies), in respect of which the Processor is not a party; and
(b) the Controller's relationship with Stripe (which processes payment data where the Principal Agreement involves payment) is governed by Stripe's terms of business and Stripe's own DPA, to which the Controller assents on first use of Stripe Checkout.
The Processor will:
4.1 Lawfulness. Process Personal Data only on the Controller's documented instructions and only for the purposes set out in Annex I, except where the Processor is required by law to process otherwise (in which case the Processor will notify the Controller before processing unless prohibited by law).
4.2 Confidentiality. Ensure that any person authorised to process Personal Data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality.
4.3 Security. Implement and maintain the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk.
4.4 Sub-processors. Engage Sub-processors only in accordance with clause 6 and Annex III.
4.5 Data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests from data subjects exercising their rights under Applicable Data Protection Law. The Service exposes self-service export and deletion functions that the Controller can use without separate Processor involvement; for requests not satisfiable through those functions, the Processor will respond to a written request from the Controller within 10 working days.
4.6 Assistance with controller obligations. Assist the Controller in ensuring compliance with the Controller's obligations under GDPR Arts. 32-36 and PDPL Arts. 7-10 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to the Processor.
4.7 Breach notification. Notify the Controller without undue delay, and in any event within 24 hours, after the Processor becomes aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include the information set out in clause 7 below, to the extent then known. Further details and updates will follow as the investigation progresses.
4.8 Return or deletion of data. On termination of the Principal Agreement, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless retention is required by applicable law. The Service exposes a self-service export of all metadata held by the Processor in a portable JSON format. Recordings themselves reside in the Controller's own cloud storage (Google Drive or OneDrive, per the Controller's tenancy) and are not affected by the Service's termination.
4.9 Records of processing. Maintain a record of all categories of processing activities carried out on behalf of the Controller, as required by GDPR Art. 30(2).
4.10 Audit. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, in accordance with clause 8.
5.1 The Controller warrants that:
(a) it has the right to disclose the Personal Data to the Processor, and that the Processor's processing as described in this DPA will not breach Applicable Data Protection Law;
(b) it has obtained, or will obtain, all necessary consents and authorisations (including, where applicable, parental consent for minors) and has provided, or will provide, all necessary notices to data subjects;
(c) its instructions to the Processor comply with Applicable Data Protection Law; and
(d) it has carried out (or will carry out) any data protection impact assessment required of it before commencing processing.
5.2 The Controller is responsible for the content of any prompts, assignment titles, free-text fields, uploaded reference images, or other inputs that teachers may enter into the Service, and for ensuring that such content does not solicit or contain special-category data within the meaning of GDPR Art. 9 or PDPL Art. 6.
6.1 The Controller authorises the Processor to engage the Sub-processors listed in Annex III.
6.2 The Processor will notify the Controller by email at least 30 days before any addition or replacement of a Sub-processor takes effect. The notice will identify the Sub-processor, the processing operations to be performed, and the location of the processing.
6.3 The Controller may object to any new Sub-processor on reasonable data-protection grounds by written notice given within 30 days of the Processor's notice. If the Parties cannot agree a resolution within a further 30 days, the Controller may terminate the Principal Agreement with effect from the proposed Sub-processor change date, without penalty, with a pro-rata refund of any prepaid fees for the unexpired term.
6.4 The Processor will impose on each Sub-processor obligations no less protective than those imposed on the Processor by this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
7.1 A breach notification from the Processor to the Controller under clause 4.7 will include, to the extent then known:
(a) the nature of the Personal Data Breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the likely consequences of the Personal Data Breach;
(c) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including measures to mitigate its possible adverse effects;
(d) the name and contact details of the Processor's incident-response contact; and
(e) a written confirmation of the Processor's intention to provide further information as the investigation progresses, at intervals no longer than every 48 hours until the matter is closed.
7.2 The Controller is responsible for any onward notification to the UAE Data Office (PDPL Art. 9), the Information Commissioner's Office or another supervisory authority (GDPR Art. 33), and to affected data subjects (GDPR Art. 34 / PDPL Art. 10). The Processor's 24-hour notification window is calibrated to give the Controller sufficient time to meet its own 72-hour ceiling under those laws.
7.3 The full Processor incident-response procedure is set out in docs/dpia/incident-response-procedure.md, which is incorporated by reference.
8.1 The Processor will, on no fewer than 30 days' written notice and no more than once per 12-month period (unless required by a supervisory authority or following a Personal Data Breach affecting the Controller), make available to the Controller (or its mandated auditor) such information as is reasonably necessary to demonstrate compliance with this DPA.
8.2 The Controller may satisfy its audit rights by:
(a) reviewing the Processor's then-current audit reports, certifications, or attestations (including any SOC 2 reports the Processor or its Sub-processors hold);
(b) submitting a written questionnaire to be answered by the Processor within 30 days; or
(c) (where the above do not adequately address the Controller's reasonable audit need) requesting an on-site or remote audit, conducted during normal business hours and at the Controller's cost (except where the audit reveals a material breach by the Processor, in which case the Processor will bear reasonable cost).
8.3 The Controller will not exercise audit rights in a manner that disrupts the Service or compromises the confidentiality, security, or availability of other Processor customers' data.
9.1 The Processor processes the Controller's Personal Data in the European Union (Frankfurt, Germany) as detailed in Annex I and Annex III. The transfer of Personal Data from the United Arab Emirates to the European Union is governed by the safeguards in Annex IV.
9.2 If the law applicable to either Party changes such that the safeguards in Annex IV become insufficient, the Parties will negotiate in good faith to put alternative safeguards in place within 60 days.
10.1 Each Party's liability under this DPA is subject to the limits and exclusions set out in the Principal Agreement.
10.2 Nothing in this DPA excludes or limits liability that cannot lawfully be excluded or limited under Applicable Data Protection Law, including liability under GDPR Art. 82.
11.1 This DPA takes effect on the Effective Date and continues until the Principal Agreement terminates or expires, except that clauses imposing obligations that survive termination of the Principal Agreement (including clauses 4.7, 4.8, 7, and 8) continue for as long as the Processor holds any Personal Data of the Controller.
11.2 On termination, the Processor will perform its obligations under clause 4.8.
12.1 This DPA is governed by {{GOVERNING_LAW}}. The Parties submit to the exclusive jurisdiction of the courts of {{JURISDICTION}} in respect of any dispute arising out of or in connection with this DPA, save that either Party may seek interim or injunctive relief in any court of competent jurisdiction.
12.2 Nothing in this clause affects a data subject's right to bring proceedings in the courts of the data subject's country of habitual residence as provided by Applicable Data Protection Law.
| For the Controller | For the Processor |
|---|---|
Name: {{SCHOOL_SIGNATORY_NAME}} | Name: Anthony Copeland |
Role: {{SCHOOL_SIGNATORY_ROLE}} | Role: Director |
Organisation: {{SCHOOL_NAME}} | Organisation: Copeland Digital Ltd |
| Signature: | Signature: |
| Date: | Date: |
Subject matter: Provision of the eViva oral-assessment service to the Controller.
Duration: From the Effective Date until termination of the Principal Agreement, plus any post-termination retention period set out in clause 4.8 of this DPA.
Nature and purpose: As described in §§2.1, 2.2, 2.6 of the accompanying DPIA.
Types of Personal Data:
Categories of data subject:
Frequency of processing: Continuous during the term.
Location of processing: eu-central-1 (Frankfurt, Germany) for metadata and reference images held in Supabase (Postgres and Storage respectively). Stripe processing primarily in Ireland for payment data (paid agreements only). Recording files reside in the Controller's own Google Workspace or Microsoft 365 tenancy.
The Processor implements the following measures, reviewed at least annually:
Access control:
anthonycopeland.com domain.Encryption:
Network and platform security:
vercel.json git.deploymentEnabled restricted to main).Logging and monitoring:
Backup and recovery:
eviva.tech/compliance).Vulnerability management:
admin@eviva.tech.eviva.tech/security (and eviva.tech/.well-known/security.txt).Incident response:
docs/dpia/incident-response-procedure.md.Personnel:
The Processor is authorised to engage the following Sub-processors on the Effective Date:
| Sub-processor | Entity | Service | Processing location |
|---|---|---|---|
| Supabase | Supabase Inc. (US) | Database, authentication, file storage (reference images; demo recordings) | eu-central-1 (Frankfurt, Germany) |
| Google (Google-tenancy Controllers only) | Google LLC (US) / Google Ireland Ltd | OAuth, Drive API, Classroom API | Controller's own Google Workspace tenancy region |
| Microsoft (Microsoft-tenancy Controllers only) | Microsoft Corporation (US) / Microsoft Ireland Operations Ltd | Entra ID sign-in (OAuth), Microsoft Graph API (orchestration of uploads into the Controller's own OneDrive) | Controller's own Microsoft 365 tenancy region |
| Vercel | Vercel Inc. (US) | Application hosting, edge functions, scheduled jobs, basic visitor analytics | fra1 (Frankfurt, Germany) |
| Resend | Resend Inc. (US) | Transactional email | EU region |
| Stripe (paid agreements only) | Stripe Payments Europe Ltd (Ireland) | Subscription billing, Checkout, Customer Portal, tax | Ireland (EU primary); US for some operational data under Stripe SCCs |
Storage-platform engagement is per-tenancy and mutually exclusive: for a Controller on Google Workspace the Processor engages Google and never Microsoft in respect of that Controller's Personal Data, and vice versa for a Controller on Microsoft 365. The selection follows the Controller's own identity platform and does not change without the Controller changing platform.
A current Sub-processor list is maintained at eviva.tech/compliance. The Processor will notify the Controller of any change in accordance with clause 6.
For transfers of Personal Data from the United Arab Emirates to the European Union, the Parties rely on the layered safeguards set out below, pursuant to PDPL Art. 22:
1. Contractual safeguards (PDPL Art. 22(2)(b)). The Parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller-to-Processor), as the substantive standard for the protections accorded to the transferred data. The Parties further agree to:
(a) treat the choices in Annex I.A, I.B, and II of the EU SCCs as the equivalent details set out in Annex I and Annex II of this DPA;
(b) treat the Controller as the data exporter and the Processor as the data importer;
(c) treat the optional docking clause and onward-transfer clause as engaged on the same terms as the EU SCCs.
2. Express data subject consent (PDPL Art. 22(2)(c)). The Controller obtains, and the Processor relies upon, the express consent of data subjects (or their parents/guardians where required) for the international transfer of their Personal Data to the European Union for the purpose of the Service.
3. Contract necessity (PDPL Art. 22(2)(d)). The transfer is necessary for the performance of the Principal Agreement between the Parties.
4. Adequacy contingency. If, during the term, the UAE Data Office issues an adequacy decision in respect of the European Union (or relevant member state), the Parties agree that adequacy will become the primary transfer mechanism without further amendment to this DPA.
For onward transfers from EU Sub-processors to other jurisdictions, the relevant Sub-processor's own SCCs and supplementary measures apply, as described in Annex III.