Smarter Analytics logo Book a Demo

Data Sharing Agreement (DSA)

Last updated: 27th June 2025

Plain-English Summary

This summary explains the key points of the Data Sharing Agreement (DSA) in simple terms. It is provided for convenience only — the full Agreement below is the binding legal document.

  • You remain the Data Controller and decide what data we can access.
  • We only process your data to provide dashboards and analytics services.
  • We access data only through authorised channels such as GroupCall, Wonde, APIs, or secure uploads.
  • Your MIS or source system is always the official source of truth — any errors must be fixed at source.
  • You must review dashboards during the feedback phase to confirm accuracy.
  • Data is stored securely in the UK and accessed only by authorised personnel.
  • We will never share data with third parties without your consent unless required by law.
  • We notify you of any data breach within 72 hours.
  • We delete data within 30 days of contract end or sooner if you request.
  • We are not liable for decisions or outcomes based on dashboards or reports.

1. Introduction & Purpose

This Data Sharing Agreement (“Agreement”) is entered into between:

Controller: [School / Multi-Academy Trust]
Registered address: [School/MAT address]

Processor: Smarter Analytics Solutions Ltd
Registered address: 18 Hyde Gardens, Eastbourne, England, BN21 4PT
Contact for data protection: [email protected]

This Agreement sets out the data sharing principles between the Parties for the provision of Smarter Analytics dashboards and related services, which enable schools and MATs to visualise and report on their operational, academic, and other approved datasets.

Smarter Analytics will access and process data solely for the purposes of creating and maintaining dashboards and analytics reports. Data access will typically be via GroupCall Xporter or Wonde, but may include direct MIS, HR or Finance system APIs, or the secure transfer of CSV/Excel files from the Controller.

This Agreement ensures that all personal data is handled securely and in compliance with the UK GDPR and Data Protection Act 2018, and that the Controller remains the owner and custodian of its data.

2. Data Sharing Principles & Controller Authority

Controller Responsibilities

  • You remain the Data Controller for all shared data.
  • You decide which datasets are shared via authorised channels.
  • You are responsible for the accuracy and lawful collection of the data.
  • You must review dashboards during the feedback phase to verify accuracy.
  • The MIS or source system remains the system of record and must be corrected at source.

Processor Responsibilities

  • We act as a Data Processor only for the purposes of delivering dashboards and analytics.
  • We do not use data for marketing or unrelated purposes.
  • We do not share data with third parties without consent unless legally required.
  • We support accurate reporting, but long-term accuracy is the Controller's responsibility after review.

Shared Understanding

  • Data may include special category information requiring enhanced security.
  • Both Parties will ensure data flows are authorised, secure, and documented.

3. Categories of Data and Usage

Pupil Data: name, DOB, year group, attendance, assessment, attainment, SEN status, and similar educational fields.

Staff Data: name, role, work email, timetable or teaching assignments where required.

Operational Data: school/MAT identifiers, HR and finance data where authorised.

Data is used to generate dashboards and reports for authorised staff. Data provided manually through CSV/Excel remains the Controller’s property. Additional datasets may be added with Controller approval.

Special Category Data (e.g., SEN or sensitive HR fields) will be processed with encryption and strict access controls.

4. Access, Security & Confidentiality

Smarter Analytics will:

  • Host data securely within Microsoft Azure UK South.
  • Encrypt data in transit and at rest.
  • Restrict access to authorised personnel under confidentiality obligations.
  • Provide platform access via SSO (Microsoft/Google) or equivalent secure methods.
  • Require the Controller to manage accounts, permissions, and leaver access removal.
  • Maintain audit trails and strong organisational security controls.
  • Never share data with third parties without consent unless required by law.

5. Data Lifecycle: Retention, Accuracy & Deletion

  • Data is retained only for the duration of the subscription or project.
  • The Controller must verify accuracy during the feedback phase.
  • After the feedback phase, discrepancies not reported cannot be attributed to Smarter Analytics.

Upon termination or written request, we will:

  • Return data if requested.
  • Delete all personal data within 30 days.

Physical printouts will be minimal and securely destroyed; digital files will be hard-deleted.

6. Data Subject Rights & Breach Notification

  • We will assist the Controller with data subject requests related to data we process.
  • We will notify the Controller of any data breach within 72 hours.
  • We will support the Controller with any required ICO reporting.

7. Sub-Processors

The Controller provides general authorisation for Smarter Analytics to use the sub-processors listed in Annex 1. All sub-processors operate under equivalent GDPR-level protections. We will notify the Controller of any material changes.

8. Liability & Governing Law

  • Our total liability is limited to direct losses arising from proven processor breaches.
  • We are not liable for:
    • Indirect or consequential losses.
    • Errors in inaccurate or incomplete source data.
    • Failures to review dashboards during the feedback phase.
    • Decisions or outcomes based on dashboard information.
  • Nothing in this Agreement limits liability that cannot be excluded by law.

This Agreement is governed by English law, under the exclusive jurisdiction of the English courts.