LAST UPDATED: 11 JULY, 2022

Data Agreement

This agreement governs the provision of the School Data by your institution to TrustElevate and identifies the purposes for which that data may be used.

 

TrustElevate is an age verification and consent technology provider, the focus of our work is on making the internet safe through supporting businesses that handle children, young people and adults’ data.

 

TrustElevate operates a zero data model, i.e. a parent provides minimal data points and provides consent for TrustElevate to check these data points against authoritative data sources. The data is encrypted in transit, hashed and checked against authoritative data sources. TrustElevate generates a Yes/No token that does not contain personal information. TrustElevate does not store any data, it resides on the parent's device.

 

TrustElevate (“Company”) means TrustElevate Ltd, a company registered in England and Wales (company number 08046357), with our registered office at 8 Coldbath Square, London, United Kingdom, EC1R 5HL.

 

We are registered with the UK Office of the Information Commissioner ICO Number ZA476685.

 

If there is anything unclear about the Terms and Conditions, please contact us at privacy@trustelevate.com before using our services.

 

You may not access any of the TrustElevate services unless you agree to the Terms and Conditions.

Terms and Conditions 

Definitions

 

In this Schedule, the following terms shall have the meanings ascribed:

  1. “Company” means TrustElevate Ltd., a company registered in England and Wales (company number 08046357), with our registered office at 8 Coldbath Square, London, United Kingdom, EC1R 5HL.

  2. “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Processing”, “Process” have the meaning in the Privacy Laws.

  3. “Applicable Data Protection Laws”  means the Data Protection Act 2018, UK General Data Protection Regulation and other relevant legislation enacted from time to time.

  4. “School” means any educational organisation that is using TrustElevate’s website, product and services.

  5. “Management Information System” means the School database which holds School Data.

  6. “Data” means all data shared and processed by either Data Processor or Data Controller.

  7. “Personal Information” means any information provided to the Data Processor or Data Controller.

  8. “Security Breach” means any act that compromises the security or confidentiality of Personal Information.

  9. “School Data” means all Personal Data related to students, teachers, parents, carers, staff at the School.

  10. “Business Data” means all Personal Data related to staff at the School and TrustElevate, information including but not limited to contracts between the School and TrustElevate, account information, marketing and PR information, and more.

  11. “TrustElevate Privacy Policy” means TrustElevate’s privacy policy which can be found at https://www.trustelevate.com/policies-privacy.

  12. “Services” means the services provided by TrustElevate.

  13. “Product” means TrustElevate’s products including but not limited to TrustElev8 API, TrustElev8 SDK, TrustElevate’s services and the https://www.trustelevate.com/.

General 

By using TrustElevate’s Products under the terms of this Agreement the School agrees to the terms and conditions of this Agreement.

  1. TrustElevate and the School shall comply with all Applicable Data Protection laws, including but not limited to the Data Protection Act 2018, Uk General Data Protection Regulation and other Applicable Data Protection Laws.

  2. The following Agreement governs the provision of the School Data by the School to TrustElevate and identifies the purposes for which that data may be used. Both TrustElevate and the School are individually registered as Data Controllers with the Information Commissioner’s Office, and are both Data Controllers in relation to the pupils’ personal data to be shared under this agreement.

  3. This means that TrustElevate and the School are both separately responsible for compliance with the Applicable Data Protection Laws. TrustElevate is responsible for ensuring it handles the School Data in line with the terms and conditions of this agreement.

  4. TrustElevate shall only Process the Data in accordance with this Agreement when required for the Permitted Purpose except where required by law.

Term of the Agreement

  1. The Agreement shall commence on the first day when the School approves access for TrustElevate to the School Data.

  2. The Agreement shall be automatically renewed until terminated by TrustElevate or the School.

  3. The School and TrustElevate may terminate this Agreement by issuing a written notice.

Transfer of School Data 

  1. The School consents to TrustElevate accessing the School Data via School’s Management Information System. The transfer of data between your institution and TrustElevate will be achieved by TrustElevate’s integration with the School’s Management Information System. TrustElevate generates privacy-preserving tokens that do not contain any Personal Data.

  2. TrustElevate shall ensure no Personal Data is leaving the School premises in relation to the processing of the School data by TrustElevate and its subcontractors.

  3. TrustElevate shall work with the School’s Management Information System and shall ensure the School has access to an online portal whereby the Schools has visibility and control over the data points of the School Data shared with TrustElevate.

Data to be shared 

TrustElevate relies on consent, public task, legitimate interests, and contract, as the lawful bases for processing personal data. The School will provide the following information for participants of each activity:

  • The first name, middle name and surname of each pupil, pupil leaver, parent/guardian, and staff.

  • The home post code of each pupil and pupil leaver.

  • The Date of Birth of each pupil and pupil leaver.

  • Email address and telephone for each pupil, pupil leaver, and parent/guardian.

  • Address for each parent/guardian.

  • The School or Year Group of each pupil and pupil leaver.

  • The name of the school or institution each pupil attends/attended.

Pupil opt out and opt in rights

The following opt out procedures shall be in place:

  1. If a pupil (or their parent/guardian on their behalf) notifies your institution or a staff member of TrustElevate that they object to their information being shared with TrustElevate then their Personal Data will no longer be included. Your institution is responsible for notifying TrustElevate in writing, via email contacting us at privacy@trustelevate.com or writing us at TrustElevate ltd, 8 Coldbath Square, London, United Kingdom, EC1R 5HL and without delay, of its receipt of any such request;

  2. Where a pupil (or their parent/guardian on their behalf) opts out of their participation,

  3. TrustElevate shall ensure that the pupil’s personal data is securely destroyed and no longer processed, without delay; and TrustElevate shall maintain a readily accessible and easy-to-use mechanism for pupils (or their parent/guardians on their behalf) to opt out of having pupils’ personal information being processed by TrustElevate.

Confidentiality and conditions for the processing of the School Data

  1. The School Data shall always remain the property of the School.

  2. With regard to the use of the School Data, TrustElevate shall (on behalf of itself and its data processors):

  • Ensure compliance with its approved Data Protection Policies;

  • Ensure compliance with the its obligations under the Applicable Data Protection Laws;

  • Ensure that all TrustElevate staff processing personal data in connection with their duties, are fully aware of their responsibilities under the Applicable Data Protection Laws  and principles before processing begins;

  • Any data breach that occurs as a direct result of actions by TrustElevate or actions of third parties acting on behalf of TrustElevate, shall result in TrustElevate being liable in law for any consequences; and

  • TrustElevate shall make public via the website the right of pupils or their guardians to make Subject Access Requests and to request the removal of their personal data and TrustElevate will process these requests in accordance with the Applicable Data Protection Laws .

  • The appropriate level of access to systems and information will be determined upon the prospective users’ required business need, job function and role.

  • TrustElevate and its Processors shall only Process the Data in accordance with this Agreement when required for the Permitted Purpose except where required by law.

Security 

  1. Both the School and TrustElevate warrant that all Personal Data checked against under this agreement will be kept secure and protected against loss, unauthorised access, use or disclosure. In particular, information about identifiable pupils will only be made accessible to Data Protection trained individuals who necessarily need access to that information for the purposes specified in this agreement.

  2. If TrustElevate becomes aware of any potential data breach of security, which involves data supplied by your institution, it must be raised with a named, in-school point of contact immediately who, if appropriate, will notify the affected individuals. TrustElevate is also responsible for its reporting requirements to the Information Commissioner following its registration with the ICO.

  3. TrustElevate shall remain vigilant at all times in order to safeguard Personal Information and Data and to protect the security and integrity of all Information and Communications Technology systems. The School’s submission of personal information through the store is governed by TrustElevate’s Privacy Policy. TrustElevate shall ensure it has technical and operational procedures in place to prevent Security Breach and any unauthorised or unlawful interference.

  4. TrustElevate shall provide ongoing education to all Authorised Persons featuring corporate induction programmes, e-learning, line manager training, specific training and awareness programmes must be undertaken by staff to enable them to be aware of their responsibilities towards systems and information security.

  5. TrustElevate shall take all reasonable steps to ensure suppliers abide by all relevant UK legislation regarding Information Security, Storage, Handling and Processing. The requirement to comply with this legislation shall be devolved to all TrustElevate’s employees, contractors, consultants and agents who may be held accountable for any breaches of information security for which they may be responsible.

  6. Both TrustElevate and School shall report any (including potential or suspected) incidents immediately upon becoming aware of them.

  7. The parties shall have a clear incident reporting mechanism in place which details the procedures for the identifying, reporting and recording of security incidents.

  8. TrustElevate shall continue to be proactive in addressing incidents as and when they occur.

Restrictions on the use of information

  1. Except for the provision of data to data processors as permitted at paragraphs 7.2 and 8.1, pupil personal data as provided by your institution to TrustElevate shall not be passed to any third party without the express approval of your institution except that permitted in this Agreement. If a pupil or their guardian wishes TrustElevate to release personal data to a third party, this must be explicitly requested of TrustElevate by the pupil (or their guardian) in question and the release must take place according to the principles of the Applicable Data Protection Laws.

  2. The contact details of pupils or their parents/guardians will only be used to send information that relates directly to the operational aspects of activities or events.

Subcontracting 

TrustElevate may subcontract curtain activities or functions to third parties provided that such parties shall pass TrustElevate’s due diligence process. TrustElevate acknowledges that it is responsible for the actions and errors carried out by subcontractors.

Insurance 

TrustElevate maintains insurance policies with an independently regulated insurance company in respect of the products and services provided by TrustElevate to the School and processing the School Data.

Deletion or return of the School Data

  1. Upon written notice by the School, TrustElevate shall destroy all the Data requested to be removed (please note - TrustElevate operates a zero sensitive data model - we do not store personal data).

  2. TrustElevate will ensure that suitable retention and destruction of data policies are adopted to ensure that the School Data specified in this agreement is securely destroyed once no longer justifiably needed.

  3. TrustElevate shall ensure that any shared Personal School Data are returned to the School or destroyed in the following circumstances:

  • on termination of the Agreement;

  • on expiry of the Term (unless expanded further);

  • once the processing of the School Data is no longer required for the purposes it was originally shared for.

Audit and Information Rights

  1. TrustElevate shall:

  • at reasonable times provide access to the School to review and/or audit its compliance (and compliance of its subcontractors) with this Agreement and Applicable Data Protection Lawsand/or the Cybersecurity Legislation.

  • assist with and contribute to audits conducted by the School in the relation to the processing of the School Data by TrustElevate and its subcontractors.

  1. The School shall give TrustElevate reasonable notice to audit or inspection.

  2. Without notice TrustElevate or its subcontractors are not required to give access to their premises for the purposes of inspection.

Data Subject Rights and Associated Matters

TrustElevate shall provide appropriate technical or organisational assistance when:

  1. A request occurs from a Data Subject to exercise rights under the Applicable Data Protection Laws.

  2. Any other complaint received by the School.

  3. When a complaint or request is made directly to TrustElevate, TrustElevate shall notify the School providing all relevant information to take appropriate action.

  4. If TrustElevate determines high risk to the School Data TrustElevate shall inform the School as soon as such belief or knowledge occurs.

  5. TrustElevate shall conduct regular Data Protection Impact Assessment aligned with Applicable Data Protection Laws.

Liability

To the extent permitted by law, TrustElevate shall have no liability to School for or in connection with:

  • loss of profits and sales;

  • loss of agreements, contracts or partnerships;

  • loss or damage of reputation;

  • any indirect loss.

Rights of Third Parties

  1. A person who is not a party to this Agreement shall have any rights pursuant to the Contracts (Rights to Third Parties) Act 1999 to enforce any term of this Agreement.

  2. Each party confirms it is acting on its own behalf and not for the benefit of any other person or organisation.

Entire Agreement

  1. This Agreement establishes the entire agreement between the Parties in relation to its subject matter and supersedes all previous agreements and assurances.

  2. Nothing in this Agreement shall limit or exclude any liability for fraud.

Force Majeure

Neither party shall be in breach of this agreement nor liable for delay in performing or failure to perform any of these obligations under this Agreement if such delay is the result of events or causes beyond its reasonable control.

Review and publication

  1. This Agreement is to be reviewed one year after coming into effect, and subsequently every one year thereafter.

  2. This Agreement may be shared on request by your institution with schools, institutions, pupils and their parents/guardians.

Variation

Any amendment or variation to this Agreement shall be made in writing and signed by duly authorised representatives of the School and TrustElevate.

Governing Law

  1. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter shall be governed by and construed in accordance with the law of England and Wales.

  2. Each party agrees that the Courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation.