School Agreement
About this agreement
This School Agreement (“Agreement”) is between Senha Ltd trading as myBursary (“myBursary”, “we”, “our” or “us”), a company registered in England and Wales (Company No. 16718889), and the school, college or other institution (“Institution”, “you” or “your”) that has agreed to access the myBursary platform.
The Agreement has two parts. Part 1 sets out the service terms governing access to and use of the platform. Part 2 is the data processing agreement required by UK GDPR, which governs how myBursary processes personal data on your behalf.
This Agreement takes effect when an authorised representative of the Institution accepts it electronically or otherwise confirms acceptance in writing. By doing so, the Institution confirms it has authority to enter into a binding contract.
Definitions
In this Agreement:
- "Applicable Law" means all legislation, regulations and guidance applicable to either party in the performance of this Agreement, including UK GDPR and the Data Protection Act 2018.
- "Authorised Users" means staff and administrators at the Institution who are authorised to access the platform on its behalf.
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Special Category Personal Data" have the meanings given in UK GDPR.
- "Platform" means the myBursary software as a service platform and all related services provided under this Agreement.
- "Student Data" means personal data relating to students at the Institution that is processed through the platform in connection with bursary applications.
- "UK GDPR" means the UK General Data Protection Regulation as retained in UK law under the European Union (Withdrawal) Act 2018, as amended.
Part 1 — Service Terms
Access and permitted users
Subject to this Agreement, myBursary grants the Institution a non-exclusive, non-transferable right to access and use the platform solely for the purpose of administering the 16–19 Bursary Fund on behalf of the Institution during the term of this Agreement.
The Institution may permit Authorised Users to access the platform. The Institution is responsible for ensuring that Authorised Users comply with this Agreement and with any acceptable use requirements communicated by myBursary from time to time. Access credentials must not be shared outside the Institution.
The Institution must not sub-license, resell or otherwise make the platform available to any third party without our prior written consent.
Institution’s obligations
The Institution agrees to:
- Use the platform only for its lawful purpose — administering the 16–19 Bursary Fund in accordance with DfE guidance and the Institution’s own funding agreement with the DfE
- Ensure that information entered into the platform is accurate and kept up to date
- Maintain adequate information security practices on its side, including appropriate access management for Authorised Users and prompt deactivation of leavers’ accounts
- Promptly notify us of any suspected security incident or data breach involving the platform
- Not interfere with or attempt to circumvent any security measure or access control
- Comply with all Applicable Law in connection with its use of the platform
- Ensure that students are informed of how their personal data will be processed and by whom, in accordance with the Institution’s own privacy notice
Our obligations
myBursary agrees to:
- Provide access to the platform in accordance with this Agreement and with reasonable skill and care
- Implement and maintain appropriate technical and organisational security measures as described in Part 2 and in our Security overview
- Notify the Institution without undue delay of any personal data breach affecting Student Data (see Part 2)
- Provide reasonable support to assist Authorised Users in using the platform effectively
- Give reasonable advance notice of scheduled maintenance that may affect platform availability
- Not make any material change to the scope of the service that is likely to adversely affect the Institution without reasonable notice
We do not guarantee uninterrupted or error-free access to the platform. We will endeavour to restore service promptly following any outage.
Fees and payment
The fees payable by the Institution for access to the platform are as agreed between the parties in writing (including by email or in an order form). Where no fee has been agreed, access is provided on the basis described in the relevant offer or communication from myBursary.
We reserve the right to revise our fees on reasonable notice. Where fees are increased, we will give the Institution not less than [30 days’] notice. If the Institution does not agree to the revised fees, it may terminate this Agreement in accordance with the termination provisions below.
Duration and termination
This Agreement commences on the date of acceptance and continues until terminated by either party. Either party may terminate this Agreement on [30 days’] written notice to the other.
Either party may terminate this Agreement immediately by written notice if:
- The other party commits a material breach of this Agreement and, if the breach is capable of remedy, fails to remedy it within 14 days of written notice requiring it to do so
- The other party becomes insolvent, enters administration, or has a receiver or liquidator appointed
myBursary may suspend or terminate the Institution’s access immediately where we have reasonable grounds to believe that continued access poses a security risk or that the Institution is in material breach of its obligations under this Agreement.
Effect of termination
On termination of this Agreement:
- The Institution’s right to access the platform ceases immediately (or at the end of any notice period)
- Each party must return or securely destroy the other’s confidential information, except where retention is required by law
- myBursary will make Student Data available for export by the Institution for a period of [30 days] following termination, after which we will securely delete or anonymise it unless required by law to retain it for longer
- Any outstanding fees become immediately due and payable
Clauses that by their nature should survive termination — including confidentiality, intellectual property, limitation of liability and the data processing provisions in Part 2 — will remain in force.
Intellectual property
All intellectual property rights in the platform (including its design, code and documentation) belong to myBursary or our licensors. This Agreement does not transfer any of those rights to the Institution.
All intellectual property rights in the Institution’s data (including Student Data and any data uploaded to the platform by the Institution or its students) belong to the Institution or the relevant data subjects. We claim no ownership over that data.
The Institution grants us a limited licence to process its data for the purposes of providing the service under this Agreement.
Confidentiality
Each party agrees to keep the other’s confidential information (“Confidential Information”) confidential and not to disclose it to any third party without the prior written consent of the disclosing party, except as required by law or to the extent necessary to perform obligations under this Agreement (in which case the receiving party must ensure any third-party recipient is subject to equivalent confidentiality obligations).
Confidential Information does not include information that is or becomes publicly available other than through breach of this clause, or that the receiving party already knew before disclosure.
Student Data is not Confidential Information of the Institution for the purposes of this clause, but is instead governed by the data processing provisions in Part 2.
Limitation of liability
Nothing in this Agreement limits or excludes either party’s liability for: death or personal injury caused by its negligence; fraud or fraudulent misrepresentation; or anything else that cannot lawfully be excluded or limited.
Subject to the above, neither party is liable to the other for any indirect, consequential or special loss, including loss of profit, loss of revenue, loss of data, or damage to reputation, arising out of or in connection with this Agreement.
Our total liability to the Institution under or in connection with this Agreement in any 12-month period is limited to the greater of £1,000 and the total fees paid by the Institution to us in that period.
General
This Agreement constitutes the entire agreement between the parties in relation to its subject matter and supersedes any prior representations, warranties or agreements. Each party acknowledges it has not relied on any representation not expressly set out in this Agreement.
We may update this Agreement from time to time by publishing a revised version. Continued use of the platform after notice of material changes constitutes acceptance of the revised terms.
This Agreement is governed by the law of England and Wales. Any dispute will be subject to the exclusive jurisdiction of the courts of England and Wales.
If any provision of this Agreement is found to be unenforceable, the remaining provisions continue in full force. A waiver of any right under this Agreement is only effective if given in writing.
Part 2 — Data Processing Agreement
Roles and responsibilities
This Part 2 constitutes the data processing agreement required between the Institution (as Controller) and myBursary (as Processor) under Article 28 of UK GDPR, in relation to the processing of Student Data through the platform.
The Institution is the Controller of Student Data: it determines the purposes for which and the means by which that data is processed, and it is responsible for ensuring it has a lawful basis for that processing under UK GDPR.
myBursary is a Processor: we process Student Data only on the documented instructions of the Institution, as set out in this Agreement and as supplemented by any written instructions the Institution provides from time to time.
Scope of processing
myBursary processes Student Data for the following purposes:
- Enabling students to submit, update and track bursary applications
- Enabling Authorised Users at the Institution to review, assess and process those applications
- Storing evidence documents uploaded by students in support of their applications
- Maintaining records of decisions, awards and payments made under the bursary fund
- Providing the Institution with access to reports and data extracts
- Providing technical support and maintaining the platform
The categories of data subjects whose data is processed are: students enrolled at the Institution who submit or are invited to submit a bursary application.
The categories of personal data processed may include: name, date of birth, contact details, National Insurance number, household income and financial information, details of receipt of means-tested benefits, care leaver status or other eligibility circumstances, and any other information submitted as part of or in support of a bursary application. Some of this information may constitute Special Category Personal Data (in particular, information revealing health or disability status).
Processor obligations
myBursary agrees to:
- Process Student Data only on the documented instructions of the Institution, unless required to do otherwise by law (in which case we will inform the Institution before processing, unless the law prohibits us from doing so)
- Ensure that persons authorised to process Student Data are subject to appropriate confidentiality obligations
- Implement the technical and organisational security measures described in the section below
- Assist the Institution in meeting its obligations to respond to data subject rights requests (access, correction, erasure, restriction, portability and objection), insofar as this is possible given the nature of the processing
- Assist the Institution in meeting its obligations in relation to data security, breach notification, data protection impact assessments and prior consultation with the ICO, insofar as possible given our role as Processor
- Promptly inform the Institution if, in our opinion, an instruction would breach UK GDPR or other applicable data protection law
Sub-processors
The Institution provides general written authorisation for myBursary to engage sub-processors to assist in processing Student Data. We will maintain an up-to-date list of our sub-processors, which is available on request. Our current principal sub-processors include:
- Cloudflare, Inc. — content delivery network and private object storage for evidence files and static assets (US-headquartered; data transferred under the UK Addendum to the EU Standard Contractual Clauses)
- [Hosting provider] — cloud infrastructure for hosting the platform application and database (UK/EEA infrastructure)
- Amazon Web Services, Inc. (Simple Email Service) — transactional email notifications (US-headquartered; data transferred under the UK Addendum to the EU Standard Contractual Clauses)
We will give the Institution reasonable advance notice of any intended change to our sub-processors (including additions or replacements) by email or by updating the sub-processor list. The Institution may object to any new sub-processor on reasonable data protection grounds within 14 days of notice; if the objection cannot be resolved, the Institution may terminate this Agreement.
We impose data protection obligations on sub-processors equivalent to those in this Part 2 by contract.
Security measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include:
- Encryption of data in transit using TLS 1.2 or higher
- Strong one-way password hashing (PBKDF2-SHA256)
- Mandatory multi-factor authentication for all Authorised Users (staff and administrators)
- Access-controlled private object storage for evidence files, accessible only via short-lived signed URLs
- Strict per-tenant data isolation at the database level
- Internal access controls limiting access to Student Data to authorised personnel operating the platform
- Procedures for detecting and responding to security incidents
For further detail, see our Security overview.
Data subject rights
Where myBursary receives a request directly from a data subject exercising a right in relation to Student Data (access, correction, erasure, restriction, portability or objection), we will promptly forward that request to the Institution. We will not respond to such a request in relation to Student Data except on the instructions of the Institution or as required by law.
We will provide reasonable technical assistance to the Institution in responding to data subject rights requests within the legally required timescales.
Data breach notification
If we become aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Student Data, we will notify the Institution without undue delay after becoming aware of the breach.
Our notification will include, to the extent we are able to provide it at the time:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of our data protection contact
- A description of the likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
The Institution is responsible for assessing whether the breach must be notified to the ICO and/or to affected data subjects, and for making any such notification, within the timescales required by law.
International transfers
Some of our sub-processors (including Cloudflare and Amazon Web Services) operate outside the United Kingdom. Where we transfer Student Data outside the UK, we do so only where an appropriate transfer mechanism applies under UK GDPR — including adequacy decisions, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses. Details of the transfer mechanisms applicable to each sub-processor are available on request.
Audit rights
On reasonable written notice (and no more than once per year unless the Institution has reasonable grounds to suspect a breach of this Part 2), the Institution may audit myBursary’s compliance with its obligations under this Part 2, either directly or via a third-party auditor agreed with us. Audit costs are borne by the Institution unless the audit reveals a material breach by myBursary.
Where we share an audit report, certification or equivalent assurance documentation, we may require the Institution to keep it confidential.
Duration and data deletion
This Part 2 applies for as long as myBursary processes Student Data on behalf of the Institution. On termination of the Agreement, myBursary will, at the Institution’s election, return or securely delete Student Data (subject to the data export window in the effect of termination clause above), unless Applicable Law requires continued retention.
Where we are required by law to retain Student Data after termination, we will inform the Institution of that requirement, limit our processing to what the law requires, and delete the data as soon as that requirement ceases to apply.
Contact
For queries about this Agreement or our data processing practices, please contact us:
Senha Ltd t/a myBursary
71–75 Shelton Street, Covent Garden, London WC2H 9JQ
Company No. 16718889 · Registered in England & Wales
ICO registration: ZC012206
Email: [email protected]