Purpose of this agreement
When a school or college (the Controller) uses myBursary to manage 16–19 bursary applications, Senha Ltd t/a myBursary (the Processor) processes personal data — including students' identities, financial circumstances, and supporting documents — on the Controller's behalf.
UK GDPR Article 28 requires that this processing relationship is governed by a written contract. This Data Processing Agreement (DPA) is that contract. It sets out what data myBursary processes, for what purpose, under what conditions, and with what safeguards.
Parties & definitions
In this agreement:
- "Controller" means the subscribing school, college, or other educational institution that has entered into a myBursary subscription agreement, acting as data controller for its students' bursary application data.
- "Processor" means Senha Ltd t/a myBursary, registered in England and Wales, acting as data processor on behalf of the Controller.
- "Data Protection Law" means the UK GDPR (as it forms part of domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018, as amended or replaced from time to time.
- "Personal Data", "Processing", "Data Subject", "Special Category Data", and "Supervisory Authority" have the meanings given in Data Protection Law.
- "Services" means the myBursary bursary management platform provided to the Controller under the subscription agreement.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data in connection with the Services.
Subject matter & duration
The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Services described in the subscription agreement and in accordance with this DPA.
This DPA comes into force on the date the Controller activates its myBursary subscription and remains in force until the later of: (a) the termination of the subscription agreement; or (b) the date on which the Processor has completed the deletion or return of all Personal Data in accordance with clause 11.
Processing details
Nature and purpose of processing
| Attribute | Detail |
|---|---|
| Subject matter | Processing of personal data to operate the 16–19 Bursary Fund application, assessment, and payment management system |
| Duration | For the term of the subscription agreement plus any post-termination retention period required by law or this DPA |
| Nature | Collection, storage, retrieval, consultation, use, disclosure (to authorised Controller staff), erasure, destruction |
| Purpose | To enable the Controller to receive, assess, decide upon, and make payments under 16–19 bursary applications in compliance with DfE/ESFA guidance |
| Legal basis (Controller's) | Public task / legal obligation (administration of the 16–19 Bursary Fund under DfE guidance); substantial public interest for special category data (Schedule 1 DPA 2018, Part 2) |
Types of personal data processed
- Identity data: full name, date of birth, student ID, National Insurance number
- Contact data: email address, phone number, home address
- Education data: course, year of study, programme type
- Financial data: household income, benefits received, bank statement metadata
- Documentary evidence: scanned copies of identity documents, benefit letters, financial statements
- Assessment data: assessor notes, award decisions, payment amounts and dates
- System data: login timestamps, activity logs, audit trail entries
Categories of data subjects
- Students and bursary applicants enrolled at the Controller's institution (aged 16–19, some legally minors)
- The Controller's staff who use the myBursary admin portal (bursary managers, finance staff, designated safeguarding leads)
Processor obligations
The Processor shall, in relation to Personal Data processed on behalf of the Controller:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation — unless required to do so by Data Protection Law, in which case the Processor shall notify the Controller before processing, unless prohibited from doing so by law
- Ensure that all personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement the technical and organisational security measures described in Schedule 2
- Not engage any Sub-processor without prior written authorisation from the Controller (general authorisation is granted for the Sub-processors listed in Schedule 3; any changes require 30 days' notice)
- Take all reasonable steps to assist the Controller in ensuring compliance with the Controller's obligations under Articles 32–36 of the UK GDPR
- At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless required by law to retain them
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this clause, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Law
Controller instructions
The Controller's instructions to the Processor are set out in the subscription agreement and in this DPA. The Controller may issue additional written instructions from time to time, provided they are consistent with this DPA and Data Protection Law.
Instructions may be communicated via: (a) configuration of the myBursary platform settings; (b) written request to [email protected]; or (c) any documented support ticket within the platform.
The Processor shall not process Personal Data for any purpose other than in accordance with the Controller's instructions and this DPA. Where an instruction would require the Processor to act in a manner inconsistent with Data Protection Law, the Processor shall notify the Controller promptly.
Sub-processors
The Controller grants the Processor general authorisation to engage the sub-processors listed in Schedule 3. The Processor shall:
- Notify the Controller at least 30 days in advance before engaging any new sub-processor or replacing an existing sub-processor that processes student Personal Data
- Enter into a written agreement with each sub-processor that imposes equivalent data protection obligations to those set out in this DPA
- Remain fully liable to the Controller for the acts and omissions of each sub-processor as if those acts or omissions were the Processor's own
If the Controller objects to a new sub-processor within the 30-day notice period, the parties shall work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the subscription agreement without penalty.
Data subject rights assistance
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligations to respond to requests from data subjects exercising their rights under Data Protection Law (Articles 15–22 UK GDPR).
Where a data subject exercises a right directly with the Processor (e.g. by contacting myBursary directly), the Processor shall forward the request to the Controller within 3 working days and shall not respond substantively without the Controller's authorisation, except where required to do so by law.
The Processor shall provide the following assistance to the Controller:
- Access requests (Article 15): Export of all Personal Data held for a named student, available via the admin portal's data export feature
- Rectification (Article 16): Authorised staff can edit application data via the admin portal; audit log entries are immutable but can be annotated
- Erasure (Article 17): Deletion functionality available in the admin portal, subject to any legal retention obligations notified to the Controller
- Restriction (Article 18): Processing restriction flags can be applied by the Controller's admin; restricted data will not be used for any other purpose
- Portability (Article 20): Export of student application data in CSV format available via the admin portal
Security measures
The Processor shall implement and maintain the technical and organisational security measures described in Schedule 2 of this DPA, taking into account:
- The state of the art and costs of implementation
- The nature, scope, context, and purposes of the processing
- The risks to the rights and freedoms of natural persons, in particular arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed
The Processor shall review and update these measures at least annually and in response to material changes in the threat landscape or applicable guidance from the ICO or NCSC.
Data breaches
The Processor shall notify the Controller without undue delay and in any event within 24 hours after becoming aware of a Personal Data breach affecting Personal Data processed on the Controller's behalf.
Notification shall include, to the extent then known:
- A description of the nature of the breach, including the categories and approximate number of individuals affected
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
The Processor shall cooperate fully with the Controller and provide any further information reasonably requested to enable the Controller to comply with its own notification obligations under UK GDPR Article 33 (to the ICO, within 72 hours) and Article 34 (to affected individuals, where required).
Audit & inspection rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA, and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.
In practice, the Processor shall satisfy audit requests via:
- Provision of the Processor's most recent ISO 27001 certificate or equivalent third-party security assessment (on request)
- Completion of a written information security questionnaire (within 15 working days of receipt)
- On-site or remote audit access, on not less than 30 days' written notice, during normal business hours, at the Controller's cost for any third-party auditor fees
Audit requests must be exercised no more than once per calendar year unless there has been a confirmed data breach or a material change in the Processor's security posture.
International transfers
The Processor shall not transfer Personal Data outside the United Kingdom without the prior written consent of the Controller, except where:
- The transfer is to a country covered by UK adequacy regulations; or
- The Processor has entered into UK Standard Contractual Clauses or another approved transfer mechanism with the recipient
The approved transfers for the Sub-processors listed in Schedule 3 are documented therein. All student Personal Data is stored on UK-hosted infrastructure. The Processor shall notify the Controller before making any change to the storage location.
Termination & data return / deletion
On termination of the subscription agreement (for any reason), the Processor shall, at the Controller's election (notified in writing within 30 days of termination):
- Return: Provide the Controller with a full export of all Personal Data in machine-readable format (CSV/JSON) within 30 days of the election notice; or
- Delete: Securely destroy all Personal Data (including backup copies) within 60 days of the election notice, and provide written confirmation of deletion.
The Processor may retain Personal Data beyond this period only where retention is required by applicable law (e.g. HMRC record-keeping requirements for payment records). Any such retention shall be notified to the Controller, limited to the minimum necessary, and subject to the technical and organisational measures in Schedule 2.
If the Controller makes no election within 30 days of termination, the Processor will delete all Personal Data in accordance with the retention periods set out in the Privacy Policy.
Liability
Each party shall be liable to the other for loss or damage caused by its failure to comply with its obligations under this DPA and Data Protection Law, subject to the limitations and exclusions set out in the subscription agreement.
Where both parties are responsible for a data breach or infringement of Data Protection Law, liability shall be apportioned according to the degree of responsibility of each party for the damage caused.
Nothing in this DPA limits liability for fraud, death or personal injury caused by negligence, or any other liability that cannot be limited by law.
Technical & organisational security measures
The Processor maintains the following measures as a minimum baseline, reviewed annually:
Access control
- Role-based access control (RBAC); institution staff may only access their own students' data
- Multi-factor authentication available for all admin accounts; enforced for Processor staff with production access
- Privileged access management; myBursary staff with production database access require separate approval per session
- Automatic session expiry after 30 minutes of inactivity
Encryption
- TLS 1.2 or higher for all data in transit; TLS 1.0 and 1.1 disabled
- AES-256 encryption at rest for all database storage
- File-level encryption for all uploaded documents (identity, financial evidence)
- Encryption keys managed via a dedicated key management service with automatic rotation
Infrastructure and availability
- Hosting on UK-region cloud infrastructure with ISO 27001 certification
- Daily encrypted backups with 30-day retention; restore tests conducted quarterly
- Automated vulnerability scanning; critical patches applied within 24 hours
Monitoring and logging
- Centralised security information and event management (SIEM) logging
- All access to Personal Data logged with user identity, timestamp, and action
- Log retention: 12 months live, 6 years archived
- Anomalous access alerts with 24/7 on-call response
Organisational measures
- All Processor staff who access Personal Data undergo DBS-checked pre-employment screening
- Mandatory data protection training on joining and annually; records maintained
- Incident response procedure
- Data protection impact assessments (DPIAs) conducted for any new high-risk processing activity
Approved sub-processors
The following sub-processors are approved as at the version date of this DPA. The Processor will provide 30 days' advance notice of any changes.
| Sub-processor | Location | Purpose | Transfer mechanism |
|---|---|---|---|
| Cloud infrastructure provider [Name disclosed on request] | United Kingdom | Hosting, compute, storage, backups | UK data residency; no transfer required |
| Transactional email provider [Name disclosed on request] | EU (adequacy) | Sending confirmation and status emails to students and staff | UK adequacy regulations apply to EU |
| Payment processor [Name disclosed on request] | United Kingdom / EU | Processing subscription payments from institutions only (no student data) | No student Personal Data transferred |
| Error monitoring service [Name disclosed on request] | EU (adequacy) | Application error detection and performance monitoring | Personal data scrubbed at source before transmission; UK SCC in place |
The identity of each sub-processor (beyond the generic description above) is disclosed to Controllers on request. Contact [email protected].
Signatures
This DPA is entered into as of the date the Controller activates their myBursary subscription. By activating the subscription, the authorised signatory of the Controller agrees to the terms of this DPA on behalf of their institution.
If a wet-ink or DocuSign countersigned copy is required for your institution's procurement or data protection records, please email [email protected] and we will arrange execution within 5 working days.