Security and Data Processing Agreement

Updated 29th January 2019

1. Introduction


The customer agreeing to these terms (“The Customer”), and Blutick, have entered into an agreement under which Blutick has agreed to provide educational services, data processing services and related technical support to The Customer.


The GDPR makes written contracts between controllers and processors a general requirement. These terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR; they reflect the agreement between Blutick and The Customer regarding the terms governing the processing and security of Customer Data.

2. Definitions

The following definitions will be used throughout this document.

Customer Data

means data provided by or on behalf of Customer or Customer End Users via the Services under the Account.

Customer Personal Data

means the personal data contained within the Customer Data. The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in these terms have the meanings given in the GDPR.

Data Incident

means a breach of Blutick security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Blutick. “Data Incidents” do not include unsuccessful attempts to compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks.

Notification Email Address

means the email address(es) designated by Customer in the Customer Control Panel, or in the Order Process to receive certain notifications from Blutick.


Term

means the period from the Terms Effective Date until the end of Blutick's provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Blutick may continue providing the Services for transitional purposes.

3. Duration

These Terms will take effect on the Terms Effective Date and, even in the event of expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Customer Data by Blutick as described in these Terms. All user data will be removed permanently from our systems either when requested by The Customer or when a contract period expires.

4. Processing of Data

4.1 Processor and Controller Responsibilities

The European Data Protection Legislation applies to the processing of Customer Personal Data and the parties acknowledge and agree that:

    Blutick is a processor of Customer Personal Data under the General Data Protection Regulation.

    The Customer is a controller or processor, as applicable, of that Customer Personal Data under the General Data Protection Regulation.

    Each party will comply with the obligations applicable to it under the General Data Protection Regulation with respect to the processing of that Customer Personal Data.

    The types of personal data include data relating to individuals provided or uploaded to Blutick via the Service, by (or at the direction of) Customer or by Customer End Users.

    Typically, Blutick will store the names and usernames or email addresses of users, along with their progress in the topics and details of their classes, school and teachers. Passwords are also stored, and are encrypted so that they are not readable, even by Blutick staff.


4.2 Authorisation by a Third Party Controller

The Customer confirms that The Customer’s instructions and actions in regard to that Customer Personal Data, including its engagement of Blutick as another processor, have been authorised by the relevant controller under the General Data Protection Regulation.

5. Scope of Processing

5.1 The Customer's Instructions

By entering into these Terms, The Customer instructs Blutick to process Customer Personal Data in order to:

    Provide educational Services.

    Process data as specified via Customer’s use of (including other functionality of the Services).

    Process data as documented in these Terms.


5.2 Blutick Compliance with Instructions

Blutick will comply with the instructions described under “The Customer’s Instructions”.

6. Data Deletion

6.1 Deletion By Customer

Blutick will enable The Customer to delete Customer Data during the Term via instruction in writing, by phone or via the Customer Control Panel. Infrastructure backups may remain on Blutick servers for up to 30 days after this request.

6.2 Deletion on Cancellation

On expiry of the Term, The Customer instructs Blutick to delete all Customer Data (including existing copies) from Blutick systems. Infrastructure backups may remain on Blutick servers for up to 30 days after this request.

7. Data Security

7.1 Blutick Security Measures

Blutick will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure

7.2 Staff Security Compliance

Blutick will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and subprocessors, including ensuring that all persons authorised to process Customer Personal Data have committed themselves to confidentiality.

7.3 Data Incidents

7.3.1 Incident Notification

If Blutick becomes aware of a Data Incident, Blutick will:

    Notify The Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident.

    Take reasonable steps to minimise harm and secure Customer Data.


7.3.2 Details of Data Incident

Data Incident notifications will include details of the Data Incident including steps taken to mitigate the potential risks and steps Blutick recommends The Customer take to address the Data Incident.

7.3.3 Delivery of Notification

Notifications of any Data Incident will be made via the Support Ticket System. Notification of a support ticket update will be sent to the Notification Email Address provided by The Customer. It is the responsibility of The Customer to ensure that this email address is kept up to date.

7.3.4 No Assessment of Customer Data

Blutick will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. The Customer is solely responsible for complying with incident notification laws applicable to The Customer and fulfilling any third party notification obligations related to any Data Incident.

7.3.5 No Acknowledgement of Fault

Notification of or response to a Data Incident will not be construed as an acknowledgement of fault or liability.

7.3.6 Audit Rights

Blutick will provide all information necessary to demonstrate compliance and will allow for and contribute to audits, including inspections, requested by The Customer or carried out by the ICO. Blutick will inform The Customer immediately if it is asked to do something that infringes the GDPR or other data protection law of the EU or a member state.

8. Subprocessors

8.1 Consent to Sub Processors

The Customer specifically authorises the engagement of Blutick third-party suppliers as Subprocessors. In addition, The Customer generally authorises the engagement of any other third parties as Subprocessors.

8.2 Process to Engage New Subprocessors

Blutick will provide notice via this policy of updates to the list of subprocessors that are utilised, or which Blutick proposes to utilise, to deliver its Services. Blutick undertakes to keep this list updated regularly to enable The Customer to stay informed of the scope of subprocessing associated with the Blutick Services. The Customer can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days after this policy is updated and shall describe its legitimate reasons for objecting. If The Customer does not object during such time period, the new subprocessor(s) shall be deemed accepted. If The Customer objects to the use of a subprocessor pursuant to the process provided under the DPA, Blutick shall have the right to resolve the objection through one of the following options (to be selected at the sole discretion of Blutick):

    Blutick will cease to use the subprocessor with regard to Personal Data; or

    Blutick will take the corrective steps requested by The Customer in its objection and proceed to use the subprocessor to process Personal Data; or

    Blutick may cease to provide, or The Customer may agree not to use (temporarily or permanently), the particular aspect of a Blutick Service that would involve use of the subprocessor to process Personal Data; or

    Blutick may cease to offer services to The Customer entirely.

The list of Blutick third-party subprocessors is maintained here.

9. Blutick Data Protection Officer

In the case of any complaint regarding our handling of your data, our privacy policy or our adherence to it, please contact our data protection officer listed below. This individual will carry out a full investigation on your behalf in the event that you feel there is a problem.

    Name: Rob Percival

    Address: 109 Birdwood Road, Cambridge, CB1 3TB, UK

    Email Address: