Northbridge

Data Processing Agreement

Provided to all clients as standard, before any data is shared with us.

Under UK GDPR Article 28, any organisation that processes personal data on behalf of another must do so under a written contract — a Data Processing Agreement (DPA). This document binds the processor (Northbridge Analytics) to operate only within the instructions of the controller (the school or MAT), and sets out the rights and obligations of both parties.

We provide a signed DPA to every client before onboarding begins. No pupil data is transferred to us before this agreement is in place.

Key provisions

Nature and purpose of processing

The DPA defines the specific data types Northbridge processes on behalf of the school, the purpose of each processing activity, and the outputs that processing produces. Processing is limited strictly to dashboard build, insight reporting, and quarterly presentation delivery.

Lawful basis and controller status

The school or MAT is identified as the data controller. Northbridge Analytics Ltd acts solely as data processor, operating under documented controller instructions. The lawful basis for processing is confirmed and recorded in the agreement.

Data retention and deletion

The agreement specifies the retention period for each data category. On contract end, all client data is securely deleted within 30 days. We provide written confirmation of deletion, and we do not retain copies in any backup system beyond that point.

Sub-processors

Any sub-processors used in the delivery of services (for example, cloud storage or visualisation platforms) are listed in the DPA. We obtain client consent before adding new sub-processors and notify clients of any changes.

Security measures

Technical and organisational security measures are documented in full — covering encryption, access controls, vulnerability management, and incident response procedures. Our practices are aligned with the NCSC 10 Steps framework.

Breach notification

In the event of a personal data breach, Northbridge will notify the affected school without undue delay and no later than 48 hours after becoming aware of it. We will provide the information required to support any ICO notification the school is obliged to make.

Data subject rights

The DPA includes provisions for assisting the data controller in responding to data subject rights requests — including access, rectification, erasure, and portability — within timeframes that allow the controller to meet their UK GDPR obligations.

Audit rights

Clients have the right to audit Northbridge's data processing activities and to request evidence of compliance with the DPA. We cooperate fully with any reasonable audit request and with any inspection by the ICO.

Request our DPA template

Email us and we will send you our standard DPA template. Most schools return a signed copy within one working day.
