Plain English summary: Under UK GDPR, schools and practitioners are the Data Controller — they decide what data is collected and why. The Arena Hub Ltd is the Data Processor — we provide the software and operate under your instructions. Student data never leaves your Google Workspace. We have no persistent access to it. This agreement makes that relationship legally explicit.
1. Parties to This Agreement
This Data Processing Agreement ("DPA") is entered into between the following parties and takes effect upon the subscribing school or practitioner completing the Arena Hub onboarding process or executing a separate written agreement.
The subscribing school, academy, AP setting, or practitioner organisation.
The Controller determines the purposes and means of processing student personal data within the Arena Hub platform. The Controller bears full legal responsibility as Data Controller under UK GDPR and the Data Protection Act 2018.
The Arena Hub Ltd
Registered in England and Wales
Company No. CH#1708605
D-U-N-S: 234652645
Tel: 01618702916
Email: compliance@thearenahub.co.uk
2. Subject Matter, Nature, and Duration
Subject matter: The provision of the Arena Hub Sovereign Hybrid evidence management platform — including the Staff Vault (evidence capture, curriculum mapping, and SEND portfolio management), the Welfare Suite (DSL safeguarding chronology and welfare case management), and the Arena Intelligence Engine (AI-assisted evidence multiplier and NODE insights layer) — to schools and practitioners working in Alternative Provision and SEMH educational contexts.
Nature of processing: Storage, retrieval, structured organisation, and automated cross-referencing of student educational evidence data within the Data Controller's own Google Workspace environment. All student Personally Identifiable Information (PII) is processed and stored exclusively within the Controller's own Google Workspace tenant (Google Shared Drive). The Arena Hub Ltd's Cloud Run infrastructure (GCP europe-west2, London) processes only anonymised operational telemetry and licence validation handshakes — no student PII transits or resides on Arena Hub Ltd servers during normal operation.
Duration: This DPA remains in force for the duration of the active subscription between the parties. Upon termination, Processor obligations relating to data destruction take effect as set out in Clause 11.
3. Purpose of Processing
Personal data is processed for the following specific educational purposes only:
- Capture, organisation, and forensic structuring of student evidence against statutory educational taxonomies (including EYFS Development Matters, AQA Unit Award Scheme, OCR, Pearson, City & Guilds, and equivalent frameworks).
- SEND portfolio management, EHCP progress tracking, and Graduated Approach documentation (Assess–Plan–Do–Review).
- Safeguarding chronology management, DSL welfare case recording, and KCSIE-aligned incident logging.
- Attendance and engagement monitoring, including resilience indicator scoring.
- AI-assisted evidence cross-referencing (AI Evidence Multiplier) — subject to mandatory human practitioner review before any AI suggestion is committed to the student's formal record.
- Automated gap analysis, LA-ready PDF report generation, and statutory disclosure preparation.
4. Types of Personal Data and Data Subjects
Data Subjects
The primary data subjects are students (children and young people) enrolled at the subscribing school or AP setting. Secondary data subjects include teaching and support staff whose identity is recorded in practitioner attribution fields.
Standard Personal Data (UK GDPR Article 6)
Student name, Unique Pupil Number (UPN), date of birth, year group, cohort, key stage, enrolment dates. Staff name, school email address, job role, and practitioner attribution within evidence records.
Special Category Data (UK GDPR Article 9)
The following special category data may be processed where the Data Controller determines it is necessary for the provision of education and support:
- Health and neurodevelopmental data: SEND category, EHCP status, relevant diagnoses where recorded by the practitioner as necessary for curriculum planning.
- Welfare and safeguarding data: Welfare chronology entries, DSL case records, safeguarding referral logs, and KCSIE-aligned concern records. Processed under DPA 2018 Schedule 1, Part 1 (safeguarding children).
- Mental health and wellbeing data: SEMH indicators, engagement scores, welfare flags, and NODE insights (AI-assisted welfare pattern observations requiring mandatory human DSL review before any formal record is created).
Lawful basis — Standard data: Article 6(1)(e) — processing necessary for the performance of a task carried out in the public interest (education provision under the Education Act 1996, Children and Families Act 2014, SEND Code of Practice 2015, and DfE Alternative Provision statutory guidance).
Lawful basis — Special category data: Article 9(2)(g) — substantial public interest. Grounded in DPA 2018 Schedule 1, Part 2 (health or social care purposes) and Part 1, paragraph 18 (safeguarding children and individuals at risk).
5. Processor Obligations — Article 28 UK GDPR
The Arena Hub Ltd, as Data Processor, commits to the following obligations:
5.1 Process only on documented instructions
The Processor shall process personal data only on the documented instructions of the Controller. This DPA, together with any written subscription agreement and the platform's technical architecture (Sovereign Hybrid v7.0.0), constitutes those instructions. Where the Processor considers an instruction to infringe UK GDPR or the Data Protection Act 2018, it shall immediately inform the Controller.
5.2 Confidentiality
All persons authorised to process personal data under this DPA are bound by appropriate confidentiality obligations. Access to Controller data is restricted to personnel with a specific operational requirement and is subject to role-based access controls.
5.3 Security
The Processor shall implement appropriate technical and organisational security measures (see Clause 8) in accordance with UK GDPR Article 32, ensuring a level of security appropriate to the risk — taking into account the nature, scope, context, and purposes of processing, and the rights and freedoms of natural persons.
5.4 Sub-processors
The Processor shall not engage any sub-processor without the prior specific or general written authorisation of the Controller. Where general authorisation is granted (as it is by acceptance of this DPA), the Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller opportunity to object. See Clause 7 for the current authorised sub-processor schedule.
5.5 Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under UK GDPR (access, rectification, erasure, portability, restriction, and objection). Because all student data resides in the Controller's own Google Workspace, the Controller can action the majority of Subject Access Requests directly. Where technical assistance is required from the Processor, this will be provided within 48 hours of written request.
5.6 DPIA and Prior Consultation Support
The Processor shall assist the Controller in ensuring compliance with obligations relating to data security, data breach notification, Data Protection Impact Assessments (DPIAs), and prior consultation with the ICO. A completed DPIA (ARENA-DPIA-2026-001, v1.1, approved 2 May 2026) is available from the Processor upon written request.
5.7 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for — and contribute to — audits and inspections conducted by the Controller or an auditor mandated by the Controller. The Processor shall provide written responses to compliance questionnaires within 10 working days. On-site technical inspections may be arranged by written agreement.
6. Automated Processing and UK GDPR Article 22
The Arena Hub platform includes AI-assisted components. The following statement of compliance with Article 22 (automated decision-making) applies to all automated processing within the platform:
FIFA Score (Forensic Intelligence Framework Assessment): A composite progress indicator derived from six pillars (Resilience, Velocity, Engagement, Attendance, Welfare, and Wins), each scored 0–100. The FIFA Score constitutes profiling under UK GDPR Article 4(4). It is presented to practitioners as a decision-support tool only. No automated action — including placement decisions, EHCP updates, or safeguarding escalations — is taken on the basis of the FIFA Score alone. Mandatory human practitioner review is enforced at the system level.
NODE Insights (AI welfare pattern detection): Gemini AI analyses observed behavioural signals to surface welfare patterns for DSL review. NODE outputs are flagged as advisory only and require explicit DSL authorisation before any formal record is created. NODE does not infer emotional state, neurological profile, or predictive risk in isolation — this is constitutionally prohibited under the Forensic Firewall (Addendum XVII of the Sovereign Constitution).
AI Evidence Multiplier: Cross-references submitted evidence against adjacent taxonomy criteria. Suggestions are presented to the practitioner with a confidence score and mandatory review requirement. No AI suggestion is committed to the student's statutory record without authenticated human approval. Auto-credit applies at a threshold of ≥85% confidence, but each auto-credit remains visible in the Close of Play report for practitioner review.
No decision producing legal or similarly significant effects on a data subject is made solely by automated means. The platform is a Decision-Support Infrastructure. The practitioner is the Decision Authority. This separation is constitutionally absolute under Article VI of the Sovereign Educational Infrastructure Constitution.
7. Authorised Sub-Processors
The Controller authorises the Processor to engage the following sub-processors. The Processor has entered into data processing agreements with each sub-processor imposing equivalent data protection obligations to those in this DPA.
| Sub-Processor | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|
| Google LLC, Google Workspace | All student and staff data is stored exclusively within the Controller's own Google Workspace tenant (Shared Drive). Google provides the hosting infrastructure under the Controller's own GWS terms of service. | All student PII, evidence records, safeguarding logs, staff records (Controller-held). Arena Hub Ltd does not hold copies. | UK–US Data Privacy Framework. Google Workspace terms of service. Controller is primary customer. |
| Google LLC, Google Cloud Platform (europe-west2, London) | Anonymised operational telemetry, licence validation (HMAC-authenticated handshake containing no student PII), and Cloud Run processing layer for transient evidence write operations. | Anonymised event logs only. No student PII is stored at rest on GCP infrastructure. HMAC handshake contains practitioner email and licence key only. | UK–US Data Privacy Framework. Data residency: United Kingdom (London region, europe-west2). |
| Twilio Inc. | DSL two-factor authentication (2FA) SMS delivery only. Used exclusively to verify the identity of Designated Safeguarding Leads accessing the Welfare Silo. | DSL mobile telephone number only. Not linked to student data. Not stored beyond the SMS session. | UK Standard Contractual Clauses (UK SCCs). Twilio's GDPR Data Processing Addendum. |
| Google Gemini AI (via Google Cloud AI API) | NODE insights: AI-assisted welfare pattern detection for DSL advisory flagging. Inference is stateless — no student data is submitted to AI training pipelines. | Anonymised behavioural signal summaries only. No student names, UPNs, or identifiable data are included in API requests. All inference is stateless. | Google Cloud API Terms of Service. Data residency: europe-west2 (London). Not used for AI model training. |
The Processor shall notify the Controller by email of any intended change to this sub-processor schedule no less than 30 days before the change takes effect, giving the Controller the opportunity to object to the change.
8. Technical and Organisational Measures (TOMs)
The following technical and organisational measures are implemented and maintained by the Processor in accordance with UK GDPR Article 32:
Sovereign Data Anchoring
All student PII is stored exclusively within the Controller's Google Workspace tenant (school-owned Shared Drive). Arena Hub Ltd holds zero copies of student data at rest. The school retains unconditional physical control of all data at all times.
Role-Based Access Control
GWS-native role-based permissions govern all access to STAFF_VAULT, student records, and evidence ledgers. Access is granted at the minimum level necessary for each role. Role assignments are managed by the Controller's Google Workspace administrator.
Welfare Silo — Revoked Inheritance
The Welfare Suite operates within a GWS subfolder with folder permission inheritance explicitly revoked. Only the Controller's designated DSL(s) are on the access list. Arena Hub Ltd has no access to this silo at any time.
VAR Sentry — Immutable Audit Trail
Every cell edit, evidence commit, and safeguarding entry is captured by VAR Sentry with a WHO / WHAT / WHEN / WHERE record. The audit trail is immutable — it cannot be altered or deleted by any school staff member or by Arena Hub Ltd.
HMAC-Authenticated Perimeter
The only data that transits outside the school's GWS boundary is a cryptographically signed HMAC-authenticated licence validation handshake. This exchange contains no student PII under any circumstances.
DSL Two-Factor Authentication
Access to the Welfare Silo requires DSL 2FA verification via Twilio SMS in addition to GWS OAuth authentication. This ensures that even a compromised GWS credential cannot access safeguarding records without possession of the registered DSL device.
Forensic Firewall
The Forensic Firewall (Addendum XVII, Sovereign Constitution) constitutionally prohibits automated emotional state classification, neurological profiling, and predictive risk scoring applied to individual data subjects without mandatory human-in-the-loop review.
SYSTEM_AUDIT_LOG
Every automated action — AI suggestions, multiplier credits, welfare flags, attendance alerts — is recorded with: AUDIT_ID, authenticated STAFF_EMAIL, STUDENT_ID, ACTION_TYPE, INPUT_DATA, OUTPUT_GENERATED, CONFIDENCE_SCORE, RULE_VERSION_ID, and millisecond-accurate timestamp.
Stateless AI Inference
All Gemini AI API calls are stateless. No student data is retained by Google AI infrastructure between calls. No student data is used for model training. API requests contain only anonymised signal summaries, never identifiable student information.
Zero Third-Party Analytics
No student PII is transmitted to any analytics platform, advertising network, or commercial data warehouse. The public marketing website (thearenahub.co.uk) deploys no tracking or advertising cookies.
9. Data Breach Notification
In accordance with UK GDPR Article 33 and this DPA (Clause 4 of ARENA-DPA-2026-PILOT), the Processor shall:
- Notify the Controller within 12 hours of becoming aware of any confirmed or suspected personal data breach affecting data processed under this DPA.
- Provide a written incident report within 48 hours containing: the nature of the breach; the categories and approximate number of data subjects affected; the categories and approximate volume of records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach.
- Not notify the ICO on the Controller's behalf, except where the Controller expressly instructs the Processor to do so. The Controller retains full responsibility for its own ICO notifications under Article 33.
- Cooperate fully with the Controller's breach investigation and provide all technical information required to assess and remediate the breach.
Given the Sovereign Hybrid architecture (all student data in Controller's own GWS), the Processor's breach notification obligation relates primarily to any compromise of the Processor's GCP infrastructure, licence validation systems, or Processor personnel who may have had authorised access to Controller data under Clause 10 (V1 Pilot Conditions).
10. V1 Pilot Conditions — Disclosed Access
During the V1 Pilot phase, the Arena Hub platform operates with developmentMode: true. Under this configuration, the Processor Director (Jonathan Baguley, compliance@thearenahub.co.uk) holds range-level access to the Controller's deployed Google Spreadsheet for the purposes of technical debugging, configuration, and pilot support.
This access is: (a) formally disclosed to the Controller in this DPA; (b) time-limited to the V1 Pilot period only; (c) subject to the same VAR Sentry audit trail obligations as all other system access; and (d) governed by the confidentiality obligations in Clause 5.2 of this DPA.
This access does not extend to the Welfare Silo, which remains under DSL-exclusive control at all times, regardless of pilot phase.
This condition must be resolved before production deployment beyond the Pilot phase. At transition to production, developmentMode will be set to false and Processor Director access will be revoked. The Controller will be notified in writing 14 days before this transition. A revised DPA reflecting production-phase conditions will be issued at that time.
11. Return and Deletion of Data
Because all student and operational data resides within the Controller's own Google Workspace environment, the Controller retains unconditional physical control of all data at all times. Upon termination of the subscription:
- The Controller's student data (STUDENT_VAULT, GAP_INTERVENTIONS ledger, DAILY_REGISTER, WELFARE_CHRONOLOGY, and all associated evidence artefacts) remains entirely within the Controller's GWS. No action by the Processor is required or possible — the Controller simply revokes the platform's GWS API authorisation.
- The Processor shall destroy all configuration data, licence records, and any copies of Controller data held on Processor systems within 30 days of termination and provide written confirmation of destruction upon request.
- Account and licence data held by the Processor (practitioner email, name, school name, licence record) is retained for a maximum of 30 days post-termination for query resolution purposes, then permanently deleted.
Data retention obligations that fall upon the Controller as Data Controller include: safeguarding chronologies (25 years, per statutory guidance); student performance records (6 years); and SYSTEM_AUDIT_LOG entries (7 years). These obligations are the Controller's alone — the Processor has no role in their management after termination.
12. International Data Transfers
All primary student data processing occurs within the United Kingdom. The Arena Hub Ltd's GCP infrastructure operates exclusively within the europe-west2 (London) region. No student PII is transferred outside the United Kingdom during normal platform operation.
Where sub-processors operate under US law (Google LLC, Twilio Inc.), data transfers are governed by the UK–US Data Privacy Framework and, where applicable, UK Standard Contractual Clauses. These mechanisms are documented in Clause 7 (Sub-Processor Schedule). No transfers of student PII occur to countries without an adequate level of data protection under UK GDPR Chapter V without prior written Controller authorisation.
13. Governing Law and Disputes
This DPA is governed by and construed in accordance with the laws of England and Wales. Any dispute arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
This DPA is incorporated into and forms part of the Arena Hub subscription agreement. In the event of any conflict between this DPA and the subscription terms, this DPA shall prevail in respect of the processing of personal data.
14. Data Protection Impact Assessment
A full Data Protection Impact Assessment has been completed in accordance with UK GDPR Article 35. The DPIA (reference ARENA-DPIA-2026-001, version 1.1, approved 2 May 2026) confirms that all mandatory ICO criteria are met and that the processing described in this DPA may proceed subject to the V1 Pilot Conditions disclosed in Clause 10.
The DPIA Evidence Support Pack (reference ARENA-DPIA-ESP-001) is available to DPOs and Data Controllers upon written request. All criteria in the DPIA Evidence Matrix have been assessed as COMPLIANT.
The Arena Hub Ltd is registered with the Information Commissioner's Office (ICO) as a Data Controller for its own operational data. The ICO Registration Certificate is available upon request. For ICO regulatory guidance, visit ico.org.uk.
Data Protection Contact
For all DPA queries, DPIA requests, audit enquiries, or to exercise Controller rights under this agreement:
Jonathan Baguley — Founder & Principal Data Architect
The Arena Hub Ltd • CH#1708605
Email: compliance@thearenahub.co.uk
Tel: 01618702916
Response commitment: all DPO queries acknowledged within 48 hours; written documentation requests fulfilled within 5 working days.