Data Processing Agreement

Last updated: 2 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between JKRSP LTD, trading as Rafyo ("Processor", "Rafyo"), and the school or educational institution ("Controller", "School") that has registered an account on the Rafyo platform. This DPA is entered into automatically when a School creates an account and applies for the duration of the service.

1. Definitions

  • "UK GDPR" — the UK General Data Protection Regulation (as retained under the Data Protection Act 2018)
  • "Personal Data" — any information relating to an identified or identifiable individual, as defined in UK GDPR
  • "Processing" — any operation performed on Personal Data, as defined in UK GDPR
  • "Data Subject" — the individual to whom Personal Data relates
  • "Sub-processor" — a third party engaged by the Processor to process Personal Data on behalf of the Controller

2. Roles and responsibilities

The School is the Controller. The School determines the purposes and means of processing personal data about its pupils, parents, and staff through the Rafyo platform.

Rafyo is the Processor. Rafyo processes personal data only on behalf of and in accordance with the School's documented instructions (i.e. the School's use of the Platform's features).

3. Subject matter and duration

Subject matter        Provision of school management software (canteen ordering, pupil records, parent portals, bus route management, payments, audit logging)
Duration              For the duration of the School's use of the Rafyo platform
Nature of processing  Collection, storage, organisation, retrieval, use, disclosure by transmission, and erasure
Purpose               To enable the School to manage canteen operations, pupil information, parent communications, payments, and regulatory record-keeping

4. Categories of data subjects

  • School administrators and staff
  • Parents and guardians
  • Pupils (children)

5. Types of personal data

Category            Data processed
School staff        Name, email, role, login activity (IP address, user-agent)
Parents/guardians   Name, email, parent-child links, order history, payment records, login activity
Pupils              First name, last name, class/year group, dietary notes (may include allergy and health-related information), parent links, order history

Special category data: Dietary notes may reveal information about a pupil's health conditions or religious beliefs. The School is responsible for ensuring an appropriate lawful basis for processing this data (typically substantial public interest under Schedule 1 of the Data Protection Act 2018, or explicit consent from parents).

6. Obligations of the Processor

Rafyo shall:

  1. Process Personal Data only on the documented instructions of the Controller (i.e. as directed through the Platform's features), unless required by law
  2. Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  3. Implement appropriate technical and organisational security measures (see Section 7)
  4. Not engage another processor (sub-processor) without the Controller's prior general authorisation (see Section 8)
  5. Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
  6. Assist the Controller in ensuring compliance with data protection impact assessments and prior consultations with the ICO, where required
  7. Delete or return all Personal Data to the Controller at the end of the service, at the Controller's choice (see Section 10)
  8. Make available to the Controller all information necessary to demonstrate compliance with this DPA

7. Security measures

Rafyo implements the following technical and organisational measures:

  • Encryption in transit — all data transmitted over TLS 1.2 or higher
  • Encryption at rest — database and file storage encrypted using AWS-managed keys
  • Access control — role-based access control with capability-based permissions per school
  • Authentication — passwords stored as one-way hashes (bcrypt); tokens hashed (SHA-256) before storage
  • Data isolation — all queries scoped to the School's data; no cross-school data access
  • Audit logging — tamper-evident, append-only logs of all significant actions
  • Infrastructure — hosted on AWS in London, UK (eu-west-2); public access blocked at infrastructure level
  • Personnel — access to production systems restricted to authorised Rafyo personnel

8. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors. The current list of sub-processors is:

Sub-processor                   Purpose                                                                              Location
Amazon Web Services (AWS)       Cloud infrastructure hosting (compute, database, storage)                            London, UK (eu-west-2)
Postmark (ActiveCampaign, LLC)  Transactional email delivery (account verification, password reset, notifications)   USA
Stripe                          Payment processing (each School connects their own Stripe account)                   UK/EEA

Rafyo will notify the Controller by email at least 30 days before adding or replacing a sub-processor. If the Controller objects, the parties will work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the agreement.

9. Data breach notification

In the event of a personal data breach, Rafyo will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:

  • A description of the nature of the breach, including categories and approximate number of data subjects affected
  • The name and contact details of Rafyo's point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

10. Data deletion and return

Upon termination of the service or at the Controller's request:

  • Rafyo will provide a complete export of the Controller's data in CSV format within 14 days of request
  • Rafyo will permanently delete all Controller data within 30 days of termination
  • Audit logs may be retained in anonymised form for up to 7 years to comply with Ofsted and DfE record-keeping requirements
  • Rafyo will confirm deletion in writing upon request

11. International transfers

All primary data storage and processing occurs in the United Kingdom (AWS London, eu-west-2 region).

For transactional email delivery, limited personal data (email addresses and names) is transferred to Postmark (ActiveCampaign, LLC) in the United States. This transfer is protected by the UK-US Data Bridge, which provides an adequate level of protection for personal data transferred to certified US organisations.

If our data transfer arrangements change, Rafyo will notify the Controller and ensure appropriate safeguards (such as UK International Data Transfer Agreements) are in place before any transfer occurs.

12. Audits

Rafyo will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct audits (or appoint an independent auditor) with reasonable advance notice, during business hours, and no more than once per year unless a data breach has occurred. Rafyo will cooperate with such audits and provide reasonable access to relevant systems and personnel.

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

14. Governing law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

15. Contact

For questions about this DPA or to exercise your rights as a Controller, contact us at privacy@rafyo.com.