Data Processing Addendum

Last updated: [insert date]

This Data Processing Addendum (“DPA”) forms part of the agreement between Caterlytix Ltd and the customer or Integration Partner receiving services through Trac.

1. Definitions

In this DPA:

  • “Data Protection Laws” means the UK GDPR, Data Protection Act 2018, and all applicable UK data protection and privacy laws.
  • “Controller”, “Processor”, “Sub-processor”, “Personal Data”, “Data Subject”, and “Processing” have the meanings given in Data Protection Laws.
  • “Agreement” means the applicable agreement, order form, or terms governing use of Trac.

2. Scope

This DPA applies where Caterlytix processes Personal Data on behalf of a Controller in connection with Trac.

It does not apply where Caterlytix acts as an independent Controller, including where Caterlytix processes business contact data for account administration, billing, security monitoring, analytics, or legal compliance.

3. Roles

Where a school, trust, caterer, or other organisation uses Trac directly, that organisation is the Controller and Caterlytix is the Processor.

Where an Integration Partner uses Trac to process data on behalf of an organisation, the organisation remains the Controller. The Integration Partner acts as Controller, Processor, or Sub-processor depending on its relationship with that organisation, and Caterlytix acts as Processor or Sub-processor as required by the relevant data flow and agreements.

Where data originates from third-party systems, processing must also comply with the relevant third-party terms and permissions.

4. Subject matter and duration

The subject matter of processing is the provision, support, security, maintenance, and improvement of Trac and related integration services.

Processing continues for the duration of the Agreement and for any additional period required for deletion, return, anonymisation, legal retention, dispute resolution, or audit purposes.

5. Nature and purpose of processing

Processing may include:

  • collection;
  • receipt;
  • storage;
  • structuring;
  • transformation;
  • enrichment;
  • transmission;
  • retrieval;
  • consultation;
  • hosting;
  • deletion;
  • anonymisation;
  • security monitoring;
  • support investigation;
  • integration between systems.

The purpose of processing is to provide Trac, operate integrations, support customers and partners, secure the platform, and comply with contractual and legal obligations.

6. Categories of Personal Data

Personal Data may include:

  • pupil identifiers and profile data;
  • school, site, and organisation data;
  • staff data;
  • parent or guardian contact data where relevant;
  • meal, transaction, eligibility, attendance, or operational data where relevant;
  • finance, payment, or account reference data where relevant;
  • technical data, logs, and usage data;
  • support and account administration data.

The exact categories depend on the integrations enabled and data scopes authorised.

7. Categories of Data Subjects

Data Subjects may include:

  • pupils;
  • parents and guardians;
  • school staff;
  • catering staff;
  • customer personnel;
  • partner personnel;
  • authorised users;
  • support contacts.

8. Controller obligations

The Controller is responsible for ensuring:

  • it has a lawful basis for processing;
  • appropriate notices are provided to Data Subjects;
  • Personal Data is accurate and lawful;
  • integrations are properly authorised;
  • instructions given to Caterlytix comply with Data Protection Laws.

9. Processor obligations

Caterlytix shall:

  • process Personal Data only on documented instructions, unless required by law;
  • ensure personnel with access to Personal Data are subject to confidentiality obligations;
  • implement appropriate technical and organisational measures;
  • assist the Controller with Data Subject rights requests, where reasonably required;
  • assist with data protection impact assessments and regulatory consultation where required;
  • notify the Controller of Personal Data breaches in accordance with this DPA;
  • maintain records required by Data Protection Laws;
  • return, delete, or anonymise Personal Data in accordance with the Agreement.

10. Security measures

Caterlytix shall maintain appropriate technical and organisational measures, including where appropriate:

  • access controls;
  • authentication and credential management;
  • encryption in transit;
  • safeguards for data at rest;
  • logging and monitoring;
  • role-based access;
  • least privilege access;
  • backup and continuity measures;
  • incident management procedures;
  • supplier and Sub-processor controls.

11. Sub-processors

Caterlytix may appoint Sub-processors to support delivery of Trac.

Caterlytix shall ensure Sub-processors are subject to appropriate written obligations that provide equivalent protection for Personal Data.

A current list of Sub-processors is available at:

www.caterlytix.com/legal/subprocessors

Caterlytix may update the list from time to time.

12. International transfers

Caterlytix shall not transfer Personal Data outside the UK unless the transfer complies with Data Protection Laws and appropriate safeguards are in place, such as an adequacy decision, UK International Data Transfer Agreement, relevant Standard Contractual Clauses, or other lawful transfer mechanism.

13. Personal Data breaches

Caterlytix shall notify the Controller without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed on behalf of the Controller.

Where reasonably practicable, notification will be provided within 24 hours.

The notification shall include available information about the nature of the breach, categories of data affected, likely consequences, and steps taken or proposed to address the breach.

14. Data Subject rights

Caterlytix shall provide reasonable assistance to the Controller in responding to Data Subject requests.

Caterlytix shall not respond directly to Data Subjects unless authorised by the Controller or required by law.

15. Audit and compliance

Caterlytix shall make available reasonable information necessary to demonstrate compliance with this DPA.

Any audit must be subject to reasonable notice, confidentiality obligations, security restrictions, and measures to avoid disruption to Caterlytix’s business or other customers.

16. Return, deletion, and retention

At the end of the Agreement, Caterlytix shall delete, return, or anonymise Personal Data in accordance with the Agreement, unless retention is required by law.

Certain backups and logs may remain for a limited period as part of ordinary business continuity and security processes, subject to appropriate safeguards.

17. Liability

Each party is responsible for its own compliance with Data Protection Laws.

Liability is subject to the limitations and exclusions in the applicable Agreement, except where liability cannot be limited by law.

18. Precedence

If there is a conflict between this DPA and other terms, this DPA prevails in relation to data protection matters.