Data Processing Agreement

1. Definitions

• "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and any successor legislation.
• "Controller" means the organisation that determines the purposes and means of processing personal data via the Service.
• "Data Subject" means the identified or identifiable natural person to whom the personal data relates (typically students and teachers).
• "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller.
• "Processor" means Tête-à-Tête, which processes personal data on behalf of the Controller.
• "Service" means the Tête-à-Tête AI-powered French speaking practice platform.
• "Sub-Processor" means a third party engaged by the Processor to process personal data on the Controller's behalf.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor shall process personal data on behalf of the Controller solely for the purpose of providing the Service — an AI-powered educational platform for French speaking practice and assessment.

2.2 Categories of Data Subjects

• Students (including those under 18)
• Teachers and school administrators

2.3 Types of Personal Data

• Account information (name, email, school affiliation)
• Educational data (practice session transcripts, scores, feedback, progress records)
• Voice data (audio streamed in real time for AI processing — not permanently stored)
• Technical data (device type, IP address, session timestamps)

2.4 Duration

Processing shall continue for the duration of the Controller's use of the Service, plus the retention periods specified in section 8, unless the Controller requests earlier deletion.

3. Obligations of the Processor

The Processor shall:

• Process personal data only on documented instructions from the Controller, unless required to do so by law.
• Ensure that persons authorised to process personal data are subject to confidentiality obligations.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in section 6.
• Not engage another processor (sub-processor) without prior written authorisation from the Controller. The Controller authorises the sub-processors listed in section 5.
• Assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
• Assist the Controller in ensuring compliance with obligations relating to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with the ICO.
• At the Controller's choice, delete or return all personal data after the end of the provision of the Service, and delete existing copies unless storage is required by law.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA.

4. Obligations of the Controller

The Controller shall:

• Ensure it has a lawful basis for processing personal data and for instructing the Processor to process data on its behalf.
• Where students are under 18, obtain appropriate parental or guardian consent before directing students to use the Service, in accordance with the Controller's own policies and Applicable Data Protection Law.
• Provide Data Subjects (students, parents, staff) with appropriate privacy notices explaining how the Service is used.
• Notify the Processor promptly of any data subject request it receives that requires the Processor's assistance.

5. Sub-Processors

The Controller authorises the Processor to engage the following sub-processors:

The Processor shall notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Where personal data is transferred internationally, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK government.

6. Security Measures

The Processor implements the following technical and organisational measures:

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest
• Access control: Access to personal data restricted to authorised personnel only
• Log redaction: Transcript and audio content excluded from application logs and error monitoring systems
• No biometric processing: No voice prints, biometric templates, or biometric identification performed on audio data
• Incident response: Documented procedures for identifying and responding to data breaches
• Account security: Password-protected accounts with enforced complexity requirements

7. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach
• Contact details for the Processor's privacy point of contact

8. Data Retention and Deletion

• Transcripts and scores: Retained for the duration of the student's account plus up to 2 years after account closure
• Audio: Not permanently stored; processed in real time and discarded
• Account data: Retained while the account is active plus up to 2 years
• Technical logs: Up to 90 days (no transcript or audio content)

The Controller may request earlier deletion of all student data at any time. Upon termination of the Service, the Processor shall delete all personal data within 90 days unless retention is required by law.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law, including requests for access, rectification, erasure, restriction, portability, and objection.

Where a Data Subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller, unless the Processor is the data controller for that individual's data.

10. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may request an audit of the Processor's data processing activities, provided that such audit:

• Is conducted with reasonable notice (at least 30 days)
• Does not unreasonably interfere with the Processor's business operations
• Is limited to the Controller's own data and processing activities
• Is conducted no more than once per year, unless a breach has occurred

11. Liability

Each party's liability under this DPA shall be subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law to the extent that such limitation is prohibited by law.

12. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

To execute this DPA or discuss data processing requirements: