FeedbackFlow

Data Processing Agreement (DPA)

Last updated: January 24, 2026

This Data Processing Agreement applies when a school or educational institution ("Customer") uses FeedbackFlow.AI (Feedback Flow) to process student work. It sets out how FeedbackFlow.AI processes personal data on behalf of the Customer under UK GDPR and EU GDPR.

Processor: FeedbackFlow.AI (Daniel). Contact: [email protected]

Download: DPA Template (PDF)

Governance summary: Privacy and Governance Summary

1. Roles and Scope

Customer (School): Data Controller for student data uploaded to the service.

FeedbackFlow.AI: Data Processor for student data; Data Controller for account and billing data.

This DPA covers processing of student work, feedback, and related metadata provided by the Customer.

The Customer is responsible for determining the lawful basis for processing student data and for providing any notices, permissions, or consent required by its own policies or applicable law.

2. Processing Details

  • Subject matter: Student work, teacher feedback, and assessment artifacts.
  • Duration: For the term of the Customer's account, plus defined retention periods in the Privacy Policy.
  • Nature and purpose: Transcription, marking assistance, and educational feedback workflows.
  • Data subjects: Students and teachers.
  • Categories of data: Student names (if provided), handwritten essays (PDF), transcribed text, grades, feedback, and class metadata.

FeedbackFlow.AI applies name minimisation before AI processing where technically possible: known student names are replaced with temporary placeholders in text prompts, and the display names of AI uploads are generic. This does not remove names that are visible within the content of an uploaded PDF or image, so Customers should apply local minimisation or redaction practices before upload where needed.

3. Processor Obligations

  • Process personal data only on documented instructions from the Customer.
  • Ensure staff and contractors are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Assist the Customer with data subject rights requests.
  • Notify the Customer without undue delay of any personal data breach.
  • Allow audits or provide evidence of compliance on request.

4. Sub-Processors

FeedbackFlow.AI uses the following sub-processors for infrastructure and processing:

  • Supabase (EU-West-2): Database and storage hosting.
  • Cloudflare (EU-West-2): Hosting and edge functions.
  • Google Gemini API: AI transcription and marking assistance. For billing-enabled API use, Google states that prompts, files, and responses are not used to improve Google products or models; limited logs may be retained for abuse detection, safety, and legal or regulatory purposes. Text prompts use student-name placeholders where known names are detected.
  • Stripe: Payment processing.

We will notify Customers of material changes to sub-processors via the Privacy Policy and service updates.

5. International Transfers

If processing involves transfers outside the UK/EU (e.g., Google Gemini), we rely on Standard Contractual Clauses and applicable UK Addendum safeguards, as described in the Privacy Policy.

6. Security Measures

  • Encryption in transit (TLS 1.2+).
  • Encryption at rest for database and file storage.
  • Row Level Security for tenant isolation.
  • Access controls with least privilege.

7. Data Retention & Deletion

On termination, FeedbackFlow.AI will delete or return personal data in accordance with the Privacy Policy and Customer instructions, unless retention is required by law.

8. Contact

For DPA questions or requests, email [email protected].