This Data Processing Agreement ("DPA") forms part of the Terms of Use between RDT Systems Limited (trading as Choice Voting) ("Processor", "we", "us") and the school, trust, or educational organisation using the Governance Toolkit ("Controller", "you", "your").
1. Definitions
In this DPA:
- "Data Protection Law" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), as amended from time to time.
- "Personal Data" means any personal data processed by us on your behalf through the Governance Toolkit.
- "Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation, as defined in Article 9 of UK GDPR.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and roles
When you use the Governance Toolkit to store and manage governance data about individuals (such as governor names, contact details, DBS records, declarations of interest, skills assessments, training records, and meeting minutes), you are the Controller of that data.
We process that data on your behalf as a Processor, solely to provide the Governance Toolkit service to you.
This DPA applies to all Personal Data processed through the Governance Toolkit. It does not apply to data we collect as a Controller in our own right (such as your account registration details), which is covered by our Privacy Policy.
3. Categories of data subjects and personal data
The categories of data subjects whose data may be processed through the Toolkit include:
- School governors and trustees
- Clerks to governors
- Headteachers and other school leaders (where referenced in governance records)
- Candidates in governor elections
- Other individuals referenced in meeting minutes, visit reports, or governance correspondence
The categories of personal data may include:
- Names, titles, and roles
- Contact details (email, phone, address)
- DBS check dates, levels, and status (but not certificate numbers, which we advise against storing)
- Declarations of pecuniary and personal interests
- Skills, qualifications, and professional background
- Training and CPD records
- Terms of office, appointment and expiry dates
- Meeting attendance records
- Content of meeting minutes, action items, and visit reports
- Election nomination and voting records (where applicable)
Some of this data may constitute Special Category Data (for example, where meeting minutes record discussions about health, religion, or political matters, or where declarations of interest reveal political affiliations).
4. Our obligations as Processor
We will:
- Process Personal Data only on your documented instructions, unless required to do so by law (in which case we will inform you before processing, unless legally prohibited from doing so)
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - (a) Encryption of sensitive governance data at rest using AES-256-GCM, with the key derived from the account holder's password
  - (b) Encryption of all data in transit using TLS/SSL
  - (c) Restricted and logged access to production systems
  - (d) Regular security reviews
  - (e) Cyber Essentials certification
- Not engage another processor (sub-processor) without your prior general written authorisation. Where general authorisation is given, we will inform you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object
- Taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising data subjects' rights under Data Protection Law
- Assist you in ensuring compliance with your obligations regarding security of processing, notification of Security Incidents, data protection impact assessments, and prior consultation with the ICO, taking into account the nature of processing and the information available to us
- At your choice, delete or return all Personal Data to you after the end of the provision of the service, and delete existing copies unless storage is required by law
- Make available to you all information necessary to demonstrate compliance with our obligations under this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you
5. Data storage and transfers
Our primary application data is hosted by Vercel. Sensitive governance data (governor names, contact details, DBS records, declarations of interest, and related records) is encrypted at rest using AES-256-GCM encryption before it leaves your browser, meaning our hosting provider and sub-processors cannot read this data.
Some of our sub-processors are based in the United States. Where Personal Data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place, including:
- The UK Extension to the EU-US Data Privacy Framework, where the recipient is certified under the framework
- UK International Data Transfer Agreements (UK IDTAs) or the UK Addendum to EU Standard Contractual Clauses, where applicable
- Data Processing Agreements with each sub-processor that include appropriate data protection commitments
We do not transfer your encrypted governance data outside the United Kingdom. International transfers are limited to operational data (such as email addresses for transactional emails, request metadata for security and CDN services, and anonymised usage analytics).
6. Sub-processors
As at the date of this DPA, we use the following sub-processors:
- Vercel Inc. (United States) — Application hosting and deployment. Vercel processes request data and may cache content at edge locations globally. Data Processing Agreement in place.
- Resend Inc. (United States) — Transactional email delivery (account notifications, password resets, service notices). Processes email addresses and message content. Data Processing Agreement in place.
- Cloudflare Inc. (United States) — DNS, CDN, DDoS protection, and web application firewall. Cloudflare processes request metadata (IP addresses, headers) at edge locations globally. Data Processing Agreement in place.
- PostHog Inc. (United States) — Product analytics to understand how the Toolkit is used. Processes usage data and anonymised interaction data. Data Processing Agreement in place.
We will maintain an up-to-date list of sub-processors and make it available on request. If we intend to add or replace a sub-processor, we will give you at least 14 days' notice. If you have reasonable grounds to object, you may do so in writing within that period, and we will work with you to find a resolution.
7. Security incidents
If we become aware of a Security Incident affecting Personal Data processed on your behalf, we will:
- Notify you without undue delay, and in any event within 48 hours of becoming aware of the incident
- Provide you with sufficient information to enable you to meet any obligations to report the incident to the ICO or to affected data subjects under Data Protection Law
- Cooperate with you and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the incident
- Not inform any third party of the incident without first obtaining your prior written consent, unless required to do so by law
Our notification of a Security Incident is not an acknowledgement of fault or liability.
8. Data subject requests
If we receive a request directly from a data subject in relation to Personal Data we process on your behalf, we will promptly redirect the data subject to you and notify you of the request.
We will provide you with reasonable assistance to respond to data subject requests, including by providing data exports, deletion confirmations, or other technical support as needed.
9. Data retention and deletion
We will process Personal Data for the duration of your use of the Governance Toolkit. When your account is deleted (whether by you or by us in accordance with the Terms of Use):
- All governance data associated with your account will be permanently deleted within 30 days
- Server logs and technical data will be retained for up to 12 months for security and operational purposes
- Backup copies will be deleted in accordance with our standard backup rotation schedule, which does not exceed 90 days
10. Audit rights
You may audit our compliance with this DPA by:
- Requesting our most recent Cyber Essentials certificate or other relevant security certification
- Requesting a written summary of our technical and organisational security measures
- Requesting confirmation of our current sub-processor list
If you require an on-site audit or a more detailed assessment, we will cooperate on reasonable terms, including agreeing on scope, timing, and any confidentiality requirements. We may charge a reasonable fee for on-site audits to cover our costs.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Use. Nothing in this DPA limits either party's liability for breaches of Data Protection Law where such limitation is not permitted by law.
12. Duration and termination
This DPA comes into effect when you create an account and accept the Terms of Use, and remains in effect for as long as we process Personal Data on your behalf.
The obligations in this DPA that by their nature should survive termination (including data deletion, confidentiality, and cooperation with audits in respect of processing that occurred during the term) will survive termination of this DPA.
13. Governing law
This DPA is governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For data protection queries relating to this DPA:
- Email: [email protected]
- Phone: 01202 078866
- Address: Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA
- ICO registration number: ZA462087