The short version: Before any school gives students access to Pekanga, a Data Processing Agreement must be signed. The DPA sets out Pekanga's obligations as a data processor under UK GDPR — including strict limits on how student data can be used, security requirements, breach notification, and deletion on termination. Request it below.
Our commitments
What Pekanga commits to as your data processor
Under UK GDPR Article 28, any organisation that processes personal data on behalf of a school must operate under a formal written agreement. Pekanga's DPA is drafted to comply with UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
✓
Purpose limitation
We process student data only to provide the Pekanga platform. We will never use it for AI model training, product development, advertising, or any other purpose.
✓
UK data residency
All personal data is processed and stored within the United Kingdom. We will not transfer data outside the UK without your prior written consent.
✓
48-hour breach notification
In the event of a personal data breach, we will notify you within 48 hours with full details of the breach, affected records, and remediation steps.
✓
No sharing with third parties
We will never share student personal data with employers, universities, advertisers, or any commercial third party. Your students' data is not a product.
✓
Deletion on termination
On termination of the agreement, we will delete or return all personal data within 30 days and provide written certification that deletion is complete.
✓
Sub-processor transparency
All sub-processors are listed in Schedule 4 of the DPA. We provide 30 days' notice before adding or replacing any sub-processor, with a right to object.
What the DPA covers
Scope of the agreement
DPA sections and schedules
- Definitions and scope of processing
- Processor obligations (confidentiality, security)
- Sub-processor authorisation and change notice
- Data subject rights assistance
- DPIA support and cooperation
- Audit rights (annual, on notice)
- International transfer restrictions
- Liability and limitation provisions
- Schedule 1: Controller (school) details
- Schedule 2: Description of processing
- Schedule 3: Security measures (TLS, AES-256, MFA, AWS UK)
- Schedule 4: Approved sub-processors
Sub-processors
Who processes data on our behalf
The following sub-processors are approved under the DPA. All operate within the UK or under UK adequacy arrangements.
Amazon Web Services (AWS)
UK Region
Cloud hosting and infrastructure. Processes all data at rest and in transit. Encrypted using AES-256 at rest and TLS 1.2+ in transit.
Anthropic (Claude API)
UK Adequacy
AI content generation. Processes subject choice inputs to generate career pathway content. No personal data is stored by Anthropic beyond the API request lifecycle.
Analytics provider
Privacy-preserving
Privacy-preserving platform analytics (e.g. Plausible). Processes only anonymised, aggregated usage data — cannot identify individual users.
Request the DPA
Ready to go live with your school?
Email us and we'll send you the full Data Processing Agreement, pre-populated with Pekanga's details, for your Data Protection Officer or legal team to review. We aim to respond within one working day.
The DPA has been drafted to comply with UK GDPR Article 28, the Data Protection Act 2018, and the Data (Use and Access) Act 2025. It should be reviewed by your school's Data Protection Officer or a qualified data protection solicitor before execution. This page does not constitute legal advice. Version 1.0 — May 2026.