Data Processing Agreement

Effective Date: March 30, 2026 · Last Updated: March 30, 2026
GDPR Article 28 Compliant • UK GDPR • Schrems II Safeguards
Who needs this DPA? This Data Processing Agreement is required for EU, UK, and EEA schools operating under GDPR or UK GDPR. It formalizes the school-as-Controller, PageBloom-as-Processor relationship. US schools operating under FERPA are covered by the Terms of Service school official provisions.

1. Parties & Scope

Data Controller

The school or educational institution subscribing to PageBloom. You determine the purposes and means of processing student data.

Data Processor

PageBloom Inc., the platform operator. We process data only on your instructions, for the purpose of operating the QR-based photo collection platform.

This DPA is incorporated into and forms part of the PageBloom Terms of Service. It supplements the Privacy Policy for GDPR purposes.

This agreement applies to all personal data of EU, UK, or EEA data subjects that PageBloom processes on behalf of your school.

2. Processing Activities

ActivityData TypeLegal Basis (Controller)Duration
Event photo collection & storageEvent photos, upload metadataSchool's lawful basis (consent or public interest)Duration of subscription + 60 days post-account-deletion
Admin event managementAdmin names, emails, event dataService delivery (contract)Duration of subscription + 30 days
Anonymous contributor uploadIP address, session token, uploaded photosProcessor's legitimate security interestSession duration (IP: 90 days for security)
Backup & recoveryAll school dataData security / integrityPer retention schedule
Security & fraud detectionIP addresses, access logsProcessor's legitimate security interest90 days
Legal complianceAny data as requiredLegal obligationAs required by law

Processing Strictly Prohibited

  • Commercial use of student data
  • Behavioral profiling or targeted advertising
  • Combining student data across different schools
  • Retention beyond contractual period plus 30 days

3. Controller Obligations (School)

Lawful Basis

The school must establish and document a lawful basis for processing student data:

  • Consent (Article 6(1)(a)): Parental/student consent for photo collection
  • Public Interest (Article 6(1)(e)): Event photo collection as integral school activity (narrow interpretation)
  • Legal Obligation (Article 6(1)(c)): Where school regulations require documented school events or activities

Privacy Notices

Schools must provide a privacy notice to students and parents that includes: identity of the school and PageBloom; purpose of processing (event photo collection); data categories; recipients; retention period; data subject rights; contact information.

Consent Management

If using consent as the lawful basis, the school must obtain verifiable, dated consent; maintain consent records; and obtain separate consent for any use beyond the core event photo collection (e.g., external publication, social media sharing).

Photo Consent Acknowledgment

Before enabling contributor uploads via QR code for events involving students under 13, school administrators must confirm they have obtained appropriate parental consent. This is recorded with a timestamp in PageBloom's admin system.

4. Processor Obligations (PageBloom)

Instructions Only

PageBloom processes personal data only per your written instructions. We will inform you if we believe an instruction violates GDPR. We maintain records of all processing instructions.

Security Measures

  • Encryption: AES-256 at rest; TLS 1.2+ in transit
  • Access Control: Role-based access; multi-factor authentication for admin accounts; session timeouts; principle of least privilege
  • Monitoring: Access logging; intrusion detection; automated alerts for suspicious activity
  • Personnel: All staff with data access have signed confidentiality agreements and completed privacy training
  • Incident Response: Documented breach detection, response, and reporting procedures

Data Subject Rights Assistance

PageBloom assists the school in responding to data subject rights requests:

  • Data export: Within 15 days (structured, machine-readable format)
  • Data deletion: Within 7 days of school instruction
  • Processing restriction: Pause processing per school direction

5. Sub-Processors

PageBloom uses the following sub-processors. All have executed GDPR-compliant Data Processing Agreements with PageBloom:

VendorFunctionLocationDPA Status
Cloudflare R2Photo & media storageUS / Global CDN✅ GDPR DPA signed
RenderApplication infrastructureUS (Oregon)✅ GDPR DPA signed
SendGrid (Twilio)Transactional emailUS / Global✅ GDPR DPA signed
StripePayment processingUS / Global✅ PCI DSS + GDPR terms
Google Cloud Vision AIAI photo quality analysis & smart sorting (Pro tier only)US / Global✅ GDPR-compliant terms

PageBloom will provide 30 days' notice of changes to this sub-processor list. You may object on reasonable grounds (security concerns, jurisdiction changes).

6. Cross-Border Data Transfers

Schrems II Compliant PageBloom operates on US infrastructure. For EU/UK schools, all transfers are covered by Standard Contractual Clauses (SCCs) with supplementary safeguards.

Transfer Mechanism

  • EU Schools: EU Standard Contractual Clauses (2021/914/EU) — Controller-to-Processor Clauses (Module 2)
  • UK Schools: UK International Data Transfer Agreement (IDTA)

Supplementary Safeguards (Post-Schrems II)

  • AES-256 encryption prevents unauthorized access during US bulk surveillance
  • PageBloom will challenge overbroad government surveillance requests
  • No compliance with surveillance orders without valid court process
  • School notification before any government data disclosure (where legally permitted)
  • UK server option available upon request (avoids US transfer)

7. Data Breach Notification

TimelineActionResponsible Party
Immediate (0–2 hours)Contain breach; preserve evidencePageBloom
Within 24 hoursNotify school via email + phone callPageBloom
Within 72 hoursNotify supervisory authority (if high risk)School (Controller)
Without undue delayNotify affected data subjects (if high risk)School (Controller)
OngoingForensic investigation; remediation reportPageBloom

PageBloom's notification to the school will include: nature of the breach; categories and approximate number of affected records; contact point for further information; likely consequences; measures taken to address the breach.

8. Audit Rights

  • Frequency: Once per calendar year (more often if material security incident)
  • Method: Remote documentation review and questionnaire
  • Notice required: 15 business days in advance
  • Scope: Security measures, sub-processor compliance, retention procedures
  • Confidentiality: NDA required for audit findings

PageBloom provides annual SOC 2 Type II reports and an up-to-date sub-processor list on request.

9. Data Deletion

Post-Termination Deletion

  • All event photos: transitioned to read-only on downgrade; deleted within 60 days of account deletion
  • All event collection data and metadata: deleted within 60 days of account deletion
  • Admin accounts: deleted within 30 days of account deletion request
  • Anonymous contributor session data: purged at session end; IP logs deleted after 90 days
  • Backup copies: securely wiped within 30 days of account deletion
  • Billing records: retained 7 years per tax requirements

Deletion Method

Data is deleted per NIST SP 800-88 standards (secure overwrite). PageBloom provides a written certification of deletion upon request.

Requesting Early Deletion

Schools may request deletion of all data at any time via the admin dashboard or by emailing privacy@pagebloom.app. Deletion is completed within 30 days.

10. Liability

PageBloom's liability to the school for data processing breaches is capped at the fees paid in the preceding 12 months. No cap applies to breaches of data confidentiality, GDPR violations, or data subject rights breaches.

School responsibilities: The school is responsible for establishing lawful basis, obtaining consent, complying with data subject rights requests, and security of credentials.

Both parties may be jointly liable to data subjects under GDPR Article 82.

11. Term & Termination

This DPA is effective for the duration of the school's subscription to PageBloom. It terminates automatically upon subscription termination.

Post-termination, PageBloom deletes all school data per the schedule in Section 9 and continues to comply with GDPR regarding the lawfulness of past processing.

12. Governing Law

  • EU Schools: GDPR and the law of the relevant EU member state
  • UK Schools: UK GDPR and the Data Protection Act 2018 (English law)

Data subject rights under GDPR Articles 15–22 are non-waivable. Nothing in this DPA limits or qualifies those rights.

To request a signed copy of this DPA for your school's records, email legal@pagebloom.app with subject "DPA Signature Request."