Legal
School Agreement
About this agreement
This School Agreement (“Agreement”) is between Senha Ltd trading as myBursary (“myBursary”, “we”, “our” or “us”), a company registered in England and Wales (Company No. 16718889), and the school, college or other institution (“Institution”, “you” or “your”) that has subscribed to the myBursary platform.
The Agreement has two parts. Part 1 sets out the service terms governing access to and use of the platform. Part 2 is the data processing agreement required under Article 28 UK GDPR, which governs how myBursary processes personal data on your behalf. The Annexes to Part 2 set out the subject matter, nature and scope of processing and the security measures we maintain.
The specific subscription details - i.e. commencement date, term, fees and any agreed variations - are set out in a separate Order Form which, together with this Agreement, forms the binding contract between the parties. This Agreement takes effect when an authorised representative of the Institution signs the Order Form or otherwise confirms acceptance in writing.
Definitions
In this Agreement:
- “Applicable Law” means all legislation, regulations and guidance applicable to either party, including UK GDPR, the Data Protection Act 2018, the Bribery Act 2010, the Modern Slavery Act 2015 and all DfE guidance applicable to the 16–19 Bursary Fund.
- “Authorised Users” means staff and administrators at the Institution who are authorised to access the platform on its behalf.
- “Business Day” means any day other than a Saturday, Sunday or English public holiday.
- “Commencement Date” means the date specified in the Order Form.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” and “Special Category Personal Data” have the meanings given in UK GDPR.
- “DPA” means Part 2 of this Agreement and its Annexes, constituting the data processing agreement between the parties.
- “Fees” means the subscription and other fees set out in the Order Form.
- “Initial Term” means the subscription period stated in the Order Form.
- “Multi-Year Price Lock” means an option, where selected on the Order Form, under which the Institution commits to an Initial Term of three years or more in exchange for fixed Fees throughout that Initial Term, as set out in the Fees and payment clause.
- “Order Form” means the order form signed by the parties incorporating and referencing this Agreement. Each Order Form shall incorporate this Agreement by reference. In the event of any conflict between an Order Form and this Agreement, this Agreement shall prevail, except to the extent the Order Form expressly and specifically states that it varies a named clause of this Agreement.
- “Platform” means the myBursary software-as-a-service platform, together with related APIs, support and documentation, provided under this Agreement.
- “Renewal Term” means each successive period of the same length as the Initial Term, unless a different period is agreed in the Order Form.
- “Student Data” means personal data relating to students at the Institution that is processed through the platform in connection with bursary applications.
- “Subscription Term” means the Initial Term and any Renewal Terms.
- “UK GDPR” means the UK General Data Protection Regulation as retained in UK law under the European Union (Withdrawal) Act 2018, as amended.
Part 1 Service Terms Access and permitted users
Subject to payment of the Fees and compliance with this Agreement, myBursary grants the Institution a non-exclusive, non-transferable, revocable right to access and use the platform during the Subscription Term solely for the purpose of administering the 16–19 Bursary Fund on behalf of the Institution.
The Institution may permit Authorised Users to access the platform. The Institution is responsible for the acts and omissions of its Authorised Users as if they were its own, and must ensure Authorised Users comply with this Agreement. Access credentials must not be shared outside the Institution.
The Institution must not sub-license, resell or otherwise make the platform available to any third party without our prior written consent.
Restrictions
The Institution shall not, and shall not permit any Authorised User or third party to:
- Copy, modify, translate or create derivative works of the platform or its documentation
- Reverse engineer, decompile or disassemble the platform, except to the extent permitted by law
- Rent, lease, sublicense, resell or otherwise commercially exploit the platform
- Use the platform to provide services to any third party other than its own students and their parents or guardians
- Introduce any virus, malware or other harmful code into the platform
- Attempt to gain unauthorised access to any part of the platform or its supporting infrastructure
- Use the platform in breach of any Applicable Law or third-party right
- Use the platform in a way that places an unreasonable or disproportionate load on the platform or its infrastructure, or that adversely affects the performance of the platform for other users
- Use the platform for any purpose other than the administration of the 16–19 Bursary Fund for the Institution’s own students
Institution’s obligations
The Institution agrees to:
- Administer its 16–19 Bursary Fund in accordance with DfE guidance and its own published bursary policy, and make all decisions about eligibility, awards and payments; the Institution remains the responsible body under the DfE framework and myBursary has no responsibility for the outcome of any bursary claim or DfE audit
- Be solely responsible for the accuracy, completeness and legality of all data entered into the platform by the Institution or its students, and for ensuring that information submitted to the DfE accurately reflects that data
- Ensure that information entered into the platform is accurate and kept up to date
- Appoint a primary administrator and notify myBursary of any changes to that contact
- Ensure that Authorised Users are issued unique credentials and that those credentials are kept secure; promptly deactivate access for leavers
- Obtain all consents and provide all privacy notices required for the Institution to lawfully provide Student Data to myBursary for processing
- Promptly notify us of any suspected security incident or data breach involving the platform
- Not interfere with or attempt to circumvent any security measure or access control
- Comply with all Applicable Law in connection with its use of the platform
- Co-operate with myBursary in its delivery of the platform and provide such information as is reasonably required
Our obligations
myBursary agrees to:
- Provide access to the platform with reasonable skill and care and substantially in accordance with its documentation
- Use commercially reasonable efforts to maintain target availability of 99.5%, measured calendar-monthly, excluding scheduled maintenance, force majeure and third-party failures outside our control
- Provide support by email during UK Business Hours (09:00–17:30, Monday to Friday, excluding public holidays); target response times are set out in the Order Form
- Implement and maintain appropriate technical and organisational security measures as described in Part 2 and Annex 2
- Notify the Institution without undue delay and within 72 hours of any personal data breach affecting Student Data (see Breach notification)
- Give reasonable advance notice of scheduled maintenance that may affect platform availability; scheduled maintenance will normally take place outside UK school hours
- Not make any material change to the platform that significantly reduces its functionality without reasonable notice
- Designate a data protection contact (which may be a Data Protection Officer where one is appointed) for queries relating to this Agreement and our data processing practices, and notify the Institution promptly of any change to that contact's details.
We do not warrant that the platform will be uninterrupted or error-free, or that it will detect every fraudulent or inaccurate application. The platform is provided on an “as available” basis: the availability target above is a service objective only, not a warranty, service level agreement or guarantee, and does not create any additional right to compensation. Except to the extent liability cannot lawfully be excluded, myBursary has no liability for any failure, delay, suspension, interruption or non-delivery of the platform, including where this causes the Institution to miss a deadline or lose funding, grants or bursary awards (including DfE funding); the Institution’s sole and exclusive remedy for any such failure to deliver the platform is as set out in Warranties.
Fees and payment
The Institution shall pay the Fees set out in the Order Form. All Fees are quoted exclusive of VAT. VAT is not currently charged, as myBursary is not currently VAT-registered; if that changes, VAT will be added at the prevailing rate with prior written notice to the Institution.
Unless the Order Form states otherwise, myBursary will invoice annually in advance. Invoices are payable within 30 days of the invoice date by BACS to the account specified on the invoice.
Without prejudice to its other rights, myBursary may charge interest on overdue amounts at 4% per annum above the Bank of England base rate, accruing daily, and may suspend the platform on 14 days’ written notice if any undisputed amount remains unpaid.
If the Institution in good faith disputes an invoice, it shall notify myBursary in writing within 21 days of the invoice date, setting out the basis of the dispute. The parties shall use reasonable endeavours to resolve any disputed amount promptly. The Institution shall pay any undisputed portion when due.
myBursary may increase Fees with effect from any Renewal Term on at least 60 days’ written notice. Any increase will be no greater than the higher of (a) the percentage increase in the Consumer Prices Index (CPI) over the preceding 12 months and (b) 5%, unless the Institution agrees otherwise. Where the Institution has selected a Multi-Year Price Lock under the Order Form, no Fee increase will apply during the Initial Term.
Where myBursary reduces its standard subscription rates applicable to new customers during a Subscription Term, it will credit the Institution with the difference for the remainder of the then-current billing period. The Institution will never pay more than a new customer for an equivalent subscription.
Where Fees are calculated by reference to the number of bursary-eligible students (being students in Year 12, plus students continuing a bursary award into Year 13), the Institution’s banding will be confirmed at the Commencement Date based on the figure stated in the Order Form. Banding will be reconciled annually at each renewal based on the Institution’s actual bursary-eligible headcount for that academic year. Where the Institution’s actual headcount during a Subscription Term exceeds its banded threshold by more than 10%, myBursary may invoice the difference at the per-student overage rate stated in the Order Form for the remainder of the then-current term.
No separate implementation, onboarding or setup fee applies unless expressly stated in the Order Form.
Duration and termination
This Agreement begins on the Commencement Date and continues for the Initial Term. It will automatically renew for successive Renewal Terms unless either party gives at least 60 days’ written notice of non-renewal before the end of the then-current term.
Either party may terminate this Agreement with immediate effect by written notice if the other:
- Commits a material breach which is not capable of remedy, or which (if capable of remedy) is not remedied within 30 days of written notice
- Becomes insolvent, has a receiver or administrator appointed, enters into a voluntary arrangement with its creditors, or ceases or threatens to cease trading
If myBursary makes a material change to the platform that significantly reduces its functionality and the Institution does not agree to that change, the Institution may terminate this Agreement on 30 days’ written notice given within 60 days of the change taking effect. In that case, myBursary will provide a pro rata refund of pre-paid Fees for the period after termination.
myBursary may suspend or terminate the Institution’s access immediately where there are reasonable grounds to believe that continued access poses a security risk or that the Institution is in material breach of this Agreement.
Effect of termination
On termination or expiry of this Agreement:
- All rights granted to the Institution to access the platform cease immediately
- The Institution shall pay all Fees due up to the effective date of termination
- Each party shall return or destroy the other’s confidential information, except where retention is required by law
- myBursary will provide reasonable export tools and access to Student Data in a machine-readable format (at minimum CSV) for at least 30 days after termination; after that period we will delete Student Data from active systems within 60 days and from backups within 90 days, unless Applicable Law requires longer retention
Provisions that by their nature should survive termination including confidentiality, intellectual property, warranties, limitation of liability and the data processing provisions in Part 2 will remain in force.
Intellectual property
As between the parties, myBursary owns all intellectual property rights in the platform (including its design, code and documentation) and any improvements or modifications thereof. No rights are granted to the Institution except as expressly set out in this Agreement.
As between the parties, the Institution owns all intellectual property rights in Student Data and any other content uploaded to the platform by the Institution or its students. The Institution grants myBursary a non-exclusive, royalty-free licence to host, copy, transmit and process that content solely as necessary to provide the platform under this Agreement.
myBursary may use anonymised and aggregated data derived from the platform that does not identify the Institution or any individual to operate, develop, improve and benchmark the platform.
myBursary will indemnify the Institution against losses, damages and reasonable costs arising from any third-party claim that the Institution’s authorised use of the platform infringes that third party’s intellectual property rights in the United Kingdom, provided the Institution promptly notifies myBursary, gives myBursary sole control of the defence and settlement, and provides reasonable co-operation. This indemnity does not apply to claims arising from Student Data, modifications not made by myBursary, or use of the platform in breach of this Agreement.
Warranties
Each party warrants that it has full power and authority to enter into and perform this Agreement and that doing so does not breach any other agreement to which it is bound.
myBursary warrants that it will provide the platform with reasonable skill and care and substantially in accordance with its documentation. As the Institution’s sole and exclusive remedy for breach of this warranty, myBursary will use commercially reasonable efforts to correct any non-conformity at no charge or, if it cannot do so within a reasonable time, refund the Fees paid for the affected portion of the platform.
The Institution warrants that it has and will maintain all rights, consents and lawful bases necessary for myBursary to process Student Data in accordance with this Agreement and the DPA.
myBursary does not warrant that use of the platform will ensure the Institution’s compliance with DfE guidance, result in a successful bursary claim or award, or prevent any finding of non-compliance by the DfE or any other regulatory body. The Institution remains solely responsible for all eligibility decisions, award amounts, payment decisions and claims submitted to the DfE, and for ensuring its use of the platform accords with DfE guidance current from time to time. myBursary will use reasonable endeavours to reflect material updates to DfE guidance in the platform but does not warrant that the platform will reflect all guidance changes at any particular time.
Except as expressly set out in this Agreement, all warranties, conditions and representations, whether express or implied by statute, common law or otherwise, are excluded to the maximum extent permitted by law.
Limitation of liability
Nothing in this Agreement limits or excludes either party’s liability for: death or personal injury caused by its negligence; fraud or fraudulent misrepresentation; or anything else that cannot lawfully be excluded or limited.
Subject to the above, neither party is liable to the other for any loss of profit, revenue, business, goodwill, opportunity or anticipated savings, loss of data, loss of funding, grants or awards (including any DfE bursary funding), or for any indirect, special or consequential loss, however arising - including any such loss arising from suspension, delay, unavailability, interruption or failure to deliver the platform.
Subject to the above, each party’s total aggregate liability under or in connection with this Agreement in any 12-month period shall not exceed 100% of the Fees paid or payable by the Institution in the 12 months immediately preceding the event giving rise to the claim. This cap does not apply to the Institution’s payment obligations, either party’s indemnification obligations, or liability arising under the DPA (which is governed by the liability provisions of the DPA itself).
Insurance
myBursary will maintain throughout the Subscription Term: appropriate professional indemnity insurance and cyber liability insurance. Evidence of cover will be provided on reasonable request.
Force majeure
Neither party shall be liable for any failure or delay in performance to the extent caused by an event beyond its reasonable control, including acts of God, war, terrorism, pandemic, industrial action, failures of telecommunications networks or third-party hosting infrastructure, or unavailability of government systems (including DfE portals) relied upon in connection with the 16–19 Bursary Fund. The affected party shall notify the other promptly. If the event continues for more than 60 consecutive days, either party may terminate this Agreement on written notice.
Compliance with laws
Each party shall comply with all Applicable Law in performing its obligations under this Agreement, including the Bribery Act 2010, the Modern Slavery Act 2015, the Equality Act 2010 and all applicable data protection laws. The Institution shall administer the 16–19 Bursary Fund in accordance with DfE guidance current from time to time, and shall be solely responsible for all eligibility decisions, award amounts, payment decisions and claims submitted to the Department for Education.
Confidentiality
Each party agrees to keep the other’s confidential information (“Confidential Information”) confidential and not to disclose it to any third party without prior written consent, except: to its employees, contractors and professional advisers who need to know it for the purposes of this Agreement and who are bound by equivalent obligations of confidence; or as required by law or regulatory authority, including under the Freedom of Information Act 2000 (in which case the receiving party shall, where lawful, give prompt notice and use reasonable endeavours to protect the confidentiality of any information that may be exempt from disclosure).
Confidential Information does not include information that is or becomes publicly available other than through breach of this clause, or that the receiving party already held before disclosure, or that is independently developed without reference to the disclosing party’s information.
Student Data is not Confidential Information of the Institution for the purposes of this clause; it is instead governed by the DPA in Part 2.
General
Notices. Any notice under this Agreement shall be in writing and sent to the address or email shown in the Order Form (or as later notified). Notices sent by email are deemed received on the next Business Day after sending.
Variation. No variation of this Agreement shall be effective unless in writing and signed (or agreed by email) by both parties.
Assignment. Neither party may assign or transfer this Agreement without the other’s prior written consent (not to be unreasonably withheld), save that myBursary may assign to an affiliate or to a successor in connection with a merger, acquisition or sale of substantially all of its assets.
Subcontracting. myBursary may subcontract any of its obligations but shall remain responsible for the acts and omissions of its subcontractors. Sub-processors of personal data are governed by the DPA.
Entire agreement. This Agreement, the Order Form and the DPA constitute the entire agreement between the parties in relation to its subject matter and supersede all prior negotiations, representations and agreements. Neither party has relied on any representation not expressly set out here.
Order of precedence. In the event of any conflict: (1) the DPA prevails in respect of data protection matters; (2) the body of this Agreement prevails; (3) the Order Form applies (except where it expressly amends this Agreement).
Severability. If any provision is held invalid or unenforceable, the remainder continues in full force. A failure or delay in exercising any right is not a waiver of that right. Nothing in this Agreement creates a partnership, joint venture or agency. A person who is not a party has no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term.
Platform development. myBursary may update, modify, add to or remove features of the platform at any time, provided that: (a) we give reasonable advance notice of any change that materially reduces existing functionality; and (b) the Institution’s termination right on material changes set out in the Duration and termination clause is not affected. Minor improvements, bug fixes, security updates and changes that do not materially reduce functionality may be made without notice.
Feedback. If the Institution or any Authorised User provides suggestions, ideas or feedback about the platform, myBursary may use that feedback freely without restriction or obligation to the Institution.
Publicity. myBursary may include the Institution’s name in its customer lists and refer to the Institution as a customer in marketing materials, unless the Institution notifies myBursary in writing that it objects.
Governing law. This Agreement is governed by the law of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
Part 2 Data Processing Agreement Roles and responsibilities
This Part 2 constitutes the data processing agreement required between the Institution (as Controller) and myBursary (as Processor) under Article 28 of UK GDPR, in relation to the processing of Student Data through the platform. In the event of any conflict between this Part 2 and any other part of this Agreement in respect of data protection, this Part 2 prevails.
The Institution is the Controller of Student Data: it determines the purposes for which and the means by which that data is processed, and it is responsible for ensuring it has a lawful basis for that processing under UK GDPR.
myBursary is a Processor: we process Student Data only on the documented instructions of the Institution, as set out in this Agreement and as supplemented by any written instructions the Institution provides from time to time. We treat this Agreement (including the Order Form) as constituting the Institution’s documented instructions for the processing necessary to provide the platform.
Scope of processing
myBursary processes Student Data for the following purposes:
- Enabling students to submit, update and track applications to the 16–19 Bursary Fund
- Enabling Authorised Users at the Institution to review, assess and make decisions on those applications in accordance with DfE guidance
- Storing evidence documents uploaded by students in support of their applications
- Maintaining records of decisions, awards and payments made under the bursary fund, including records required to be retained for DfE audit purposes
- Generating reports and data extracts for the Institution’s administrative and compliance purposes
- Providing technical support and maintaining the platform
The categories of data subjects are: students enrolled at the Institution who submit or are invited to submit a bursary application; parents, guardians and household members whose information is included in an application; and Authorised Users.
The categories of personal data processed may include: name, date of birth, contact details, National Insurance number, household income and financial information, details of receipt of means-tested benefits (including Universal Credit, Income Support, DLA and PIP), care leaver status, bank account details where recorded for payment purposes, and copies of supporting evidence. Some of this information may constitute Special Category Personal Data (in particular, information relating to health or disability status). Further detail is set out in Annex 1.
The Institution, as Controller, is responsible for identifying and maintaining a valid lawful basis and, where Special Category Personal Data is processed, an appropriate condition under Article 9 UK GDPR. The likely applicable condition for processing health or disability-related data in connection with the 16–19 Bursary Fund is Article 9(2)(g) (substantial public interest) under Schedule 1 of the Data Protection Act 2018. The Institution must satisfy itself that the relevant condition applies before submitting Special Category Personal Data through the platform.
Processor obligations
myBursary agrees to:
- Process Student Data only on the documented instructions of the Institution, unless required to do otherwise by Applicable Law (in which case we will, where lawful, inform the Institution before processing)
- Promptly inform the Institution if, in our opinion, an instruction from the Institution would breach UK GDPR or other applicable data protection law
- Ensure that all personnel authorised to process Student Data are bound by appropriate obligations of confidentiality and have received appropriate data protection training
- Implement and maintain the technical and organisational security measures set out in Annex 2
- Assist the Institution in meeting its obligations to respond to data subject rights requests (access, rectification, erasure, restriction, portability and objection), insofar as this is possible given the nature of the processing
- Assist the Institution in meeting its obligations in relation to data security, breach notification, data protection impact assessments and prior consultation with the ICO
- Make available to the Institution all information necessary to demonstrate compliance with Article 28 UK GDPR and allow for and contribute to audits in accordance with the Audit clause
Controller obligations
The Institution agrees to:
- Comply with its obligations as a controller under data protection laws, including providing appropriate privacy notices to students and other data subjects about how their personal data will be processed
- Identify and maintain valid lawful bases for processing Student Data (and, for Special Category Personal Data, a condition under Article 9 UK GDPR)
- Ensure that its instructions to myBursary comply with data protection laws
- Be solely responsible for the accuracy, quality and legality of Student Data and the means by which the Institution obtained it
- Configure user permissions appropriately and manage the issuing and revoking of access for Authorised Users promptly
- Not provide to myBursary any personal data that the Institution is not lawfully entitled to provide for the purposes of the platform
Sub-processors
The Institution grants general written authorisation for myBursary to engage sub-processors to process Student Data. We will maintain an up-to-date list of our principal sub-processors (see Annex 3).
myBursary will give the Institution at least 30 days’ prior written notice (by email or in-platform notification) of any intended addition or replacement of a sub-processor. The Institution may object on reasonable data protection grounds within that notice period.
If the Institution objects, the parties will discuss the objection in good faith. If myBursary is unable to make alternative arrangements that address the Institution’s reasonable concerns within 30 days of the objection, the Institution may terminate this Agreement in respect of the affected part of the platform on written notice, with a pro rata refund of pre-paid Fees for the period after termination.
myBursary imposes data protection obligations on each sub-processor that are equivalent in substance to those in this Part 2, and remains fully liable for the performance of each sub-processor’s obligations.
Security measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, we implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent
- Strong one-way password hashing (PBKDF2-SHA256)
- Multi-factor authentication required for all Authorised Users (staff and administrators)
- Access-controlled private object storage for evidence files, accessible only via short-lived signed URLs
- Strict per-tenant data isolation at the database level
- Role-based access control with the principle of least privilege; privileged access reviewed at least quarterly
- Audit logging of access to Student Data, retained for at least 12 months
- Periodic penetration testing by an independent party; material findings tracked to remediation
- Daily encrypted backups, retained for at least 30 days, verified by periodic restore testing
Full detail of our security measures is set out in Annex 2 and in our Security overview. We may update those measures from time to time, provided the level of protection is not materially reduced.
Data subject rights
Where myBursary receives a request directly from a data subject exercising a right in relation to Student Data (access, rectification, erasure, restriction, portability or objection), we will promptly forward that request to the Institution. We will not respond to such a request except on the instructions of the Institution or as required by law.
We will provide reasonable technical assistance to the Institution in responding to data subject rights requests within the legally required timescales.
DPIA assistance
Taking into account the nature of the processing and the information available to us, myBursary will provide reasonable assistance to the Institution in carrying out data protection impact assessments and prior consultations with the ICO under Articles 35 and 36 UK GDPR, where the Institution reasonably considers them to be required in connection with the platform.
Breach notification
If we become aware of a Personal Data Breach affecting Student Data, we will notify the Institution without undue delay and in any event within 72 hours of becoming aware of the breach. Our notification will include, to the extent then known:
- A description of the nature of the breach, including where possible the categories and approximate number of data subjects and records affected
- The name and contact details of our data protection contact
- A description of the likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
myBursary will provide reasonable assistance to the Institution in investigating, mitigating and remediating any breach. The Institution is responsible for assessing whether the breach must be notified to the ICO and/or to affected data subjects, and for making any such notification within the timescales required by law.
International transfers
Some of our sub-processors operate outside the United Kingdom. Where we transfer Student Data outside the UK, we do so only where an appropriate transfer mechanism applies under UK GDPR including adequacy regulations, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses. Details of the transfer mechanisms applicable to each sub-processor are set out in Annex 3 and are available on request.
Audit
myBursary will make available to the Institution, on reasonable written request, such information as is reasonably necessary to demonstrate compliance with this Part 2 and Article 28 UK GDPR, including any relevant independent audit reports or certifications (such as ISO 27001 or SOC 2 reports) where available.
No more than once in any 12-month period (and additionally without limit following a Personal Data Breach), the Institution may conduct an audit of myBursary’s compliance with this Part 2 on at least 30 days’ written notice. Audits must be conducted during normal business hours in a manner that minimises disruption, by the Institution or by an independent third-party auditor agreed with myBursary and bound by appropriate confidentiality obligations. Audit costs are borne by the Institution unless the audit reveals material non-compliance, in which case myBursary shall bear the reasonable cost.
Where myBursary shares an audit report, certification or equivalent assurance documentation, the Institution must keep it confidential.
Return and deletion
On termination or expiry of this Agreement, myBursary will, at the Institution’s election, return or delete all Student Data and existing copies, unless Applicable Law requires continued retention. Unless the Institution instructs otherwise within 30 days of termination, myBursary will:
- Make Student Data available for export for at least 30 days after termination
- Delete Student Data from active systems within 60 days after termination
- Delete Student Data from backups within 90 days after termination, in accordance with our standard backup rotation schedule
Where we are required by law to retain Student Data after termination, we will inform the Institution of that requirement, limit our processing to what the law requires, and delete the data as soon as that requirement ceases to apply. We will provide written confirmation of deletion on request.
DPA liability
Each party’s liability arising out of or in connection with this Part 2 is governed by, and subject to, the limitations and exclusions set out in Part 1 of this Agreement, except that nothing in this Agreement or Part 2 limits or excludes either party’s liability to the extent that such limitation or exclusion is prohibited by data protection laws including the right of a data subject to receive compensation under Article 82 UK GDPR. Where both parties are responsible for damage caused by processing in breach of data protection laws, each party shall be liable for its share of responsibility for that damage.
Duration
This Part 2 takes effect on the Commencement Date and continues for as long as myBursary processes Student Data on behalf of the Institution. Provisions intended to survive termination including those relating to confidentiality, deletion, audit and liability shall do so.
Annex 1 Description of processing
| Subject matter | Provision of the myBursary platform for the administration of applications to the 16–19 Bursary Fund. |
|---|---|
| Duration | For the duration of this Agreement, plus any post-termination retention period set out in the Return and deletion clause. |
| Nature of processing | Collection, storage, structuring, retrieval, disclosure to authorised users of the Institution, transmission, restriction, erasure, backup and deletion as required to provide the platform. |
| Purpose | Enabling the Institution to receive, assess, decide upon and administer student applications to the 16–19 Bursary Fund in accordance with DfE guidance, including management of supporting evidence, post-award expense requests and records required for DfE audit. |
| Categories of data subjects |
|
| Categories of personal data | Identity data (name, date of birth, sex, year group, student ID); contact data (address, email, telephone); household composition; financial and benefits information (household income, Universal Credit or Income Support details, DLA/PIP/ESA award letters); bank account details where recorded for payment purposes; copies of supporting evidence (benefit letters, payslips, P60s, looked after child documentation, free school meals confirmation, identity documents, receipts, travel passes); application and award decisions; expense requests; account credentials; audit logs. |
| Special category data | Information about health or disability where relevant to a vulnerable group bursary award (e.g. DLA/PIP/ESA); information about racial or ethnic origin or religious beliefs may incidentally appear in supporting documents; information about criminal offences may appear in respect of care leavers or applicants on probation. |
| Frequency | Continuous, throughout the academic year. |
| Retention | As determined by the Institution in line with DfE guidance and the Institution’s own retention schedule. DfE requires institutions to retain application records and supporting evidence for 6 years from the end of the academic year for audit purposes. |
Annex 2 Technical and organisational security measures
The following measures may be updated from time to time, provided the level of protection is not materially reduced.
Organisational measures
- Documented information security policies, reviewed annually
- Designated information security lead with executive accountability
- Mandatory data protection and information security training on induction and annually thereafter
- Written confidentiality obligations binding on all personnel with access to Student Data
- Documented incident response and business continuity plans, tested at least annually
- Security practices informed by the Cyber Essentials and ISO/IEC 27001 frameworks
Access controls
- Role-based access control with the principle of least privilege; no shared accounts
- Multi-factor authentication required for all administrative access and for all Authorised Users
- Joiners/movers/leavers process ensuring timely provisioning and revocation of access
- Privileged access reviewed periodically
- Audit logging of access to Student Data, retained for at least 12 months
Encryption
- Encryption of data in transit using TLS 1.2 or above
- Encryption of data at rest using AES-256 or equivalent
- Encryption of backups; cryptographic key management with periodic rotation
Network and application security
- Hosting in UK or EEA data centres with recognised security certifications
- Network segmentation, firewalls and intrusion detection
- Secure software development lifecycle, including code review and dependency scanning
- Periodic vulnerability scanning; critical vulnerabilities remediated promptly
- Periodic penetration testing by an independent party; findings tracked to remediation
- Private object storage for evidence files, accessible only via short-lived signed URLs
- Strict per-tenant data isolation at the database level
Resilience and backups
- Daily encrypted backups, retained for at least 30 days, with periodic restore testing to verify integrity
- Documented disaster recovery plan with defined recovery point and time objectives
- High-availability architecture for production systems
Sub-processor management
- Due diligence assessments before engaging sub-processors
- Written contracts imposing equivalent data protection obligations
- Periodic review of sub-processor performance and security posture
Data minimisation
- Application forms configured to collect only data required for the bursary process
- Production data not used in development or test environments
Annex 3 Authorised sub-processors
The following sub-processors are authorised as at the date of this Agreement. An up-to-date list is available on request. Material changes are notified in accordance with the Sub-processors clause.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Content delivery network; private object storage for evidence files and static assets (Cloudflare R2) | US-headquartered; data served from UK/EEA edge nodes | UK Addendum to EU Standard Contractual Clauses |
| Amazon Web Services, Inc. | Transactional email notifications via Simple Email Service (password resets, account invitations, application status updates) | US-headquartered; EU (Ireland) region used where possible | UK Addendum to EU Standard Contractual Clauses |
| VPS / dedicated server infrastructure provider | Dedicated server infrastructure for hosting the platform application, PostgreSQL database, and Redis cache | United Kingdom | N/A (UK-based; no international transfer) |
| Wonde (Arbor Education Partners Ltd) | MIS integration: retrieving student and staff data from the Institution’s school information system on the Institution’s documented instruction. Only active for institutions that have enabled MIS integration. | United Kingdom | N/A (UK-based; no international transfer). Wonde processes data under a data-sharing agreement with the Institution and a sub-processing agreement with myBursary. |
| Google LLC and/or Microsoft Corporation | Single sign-on (SSO) identity verification: authenticating Authorised Users via their institutional Google or Microsoft account where the Institution has enabled SSO. Only active for institutions that have configured SSO. | US-headquartered | UK Addendum to EU Standard Contractual Clauses. myBursary receives only the user’s name, institutional email address and a unique account identifier; no passwords are received or stored. |
| Sentry (Functional Software, Inc.) | Error monitoring and performance diagnostics: detecting and diagnosing technical faults in the platform | US-headquartered | UK Addendum to EU Standard Contractual Clauses. Configured
with send_default_pii=False; no Student Data is
intentionally transmitted. Only error metadata and stack traces
are processed. |
myBursary may also engage professional advisers (lawyers, accountants, auditors) bound by professional duties of confidence; such advisers are not treated as sub-processors for the purposes of the Sub-processors clause.
Contact
For queries about this Agreement or our data processing practices, please contact us:
Senha Ltd t/a myBursary71–75 Shelton Street, Covent Garden, London WC2H 9JQ
Company No. 16718889 · Registered in England & Wales
ICO registration: ZC012206
Email: [email protected]