How Llamaroo processes data on your behalf

In this Agreement, the terms "personal data", "data subject", "processing", "controller", "processor", "sub-processor", and "personal data breach" have the meanings given to them in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (together, the "Data Protection Legislation").

"Service Agreement" means the agreement between the Parties for the provision of the Llamaroo platform.

"Customer Personal Data" means any Personal Data processed by Llamaroo or its sub-processors on behalf of and under documented instructions of the Customer in connection with the Services.

"Processing Instructions" means the Customer's documented instructions regarding the processing of personal data, as set out in Annex 1 and any subsequent written instructions.

"Applicable Data Protection Laws" means all UK and (where applicable) EU legislation and regulations protecting the fundamental rights and freedoms of individuals with respect to the processing of personal data, including the UK GDPR, the Data Protection Act 2018, and the Age Appropriate Design Code.

This Agreement applies to Llamaroo's processing of personal data on behalf of the Customer in connection with the provision of the Llamaroo platform.

The details of the processing (subject matter, duration, nature, purpose, types of personal data, and categories of data subjects) are set out in Annex 1.

Llamaroo is an AI-powered educational gamification platform used by schools and teachers to create and deliver interactive learning courses. The platform is designed to minimise the processing of personal data. Students access courses through a teacher-set class PIN and a first name only. The platform does not require student email addresses, passwords, or personal device identifiers during normal classroom use.

Llamaroo may process de-identified and aggregated information derived from platform usage ("Service Data") solely for analytics, security, billing, and product improvement purposes. Service Data cannot be used to identify any individual data subject.

The Customer shall serve as a single point of contact for Llamaroo in all matters under this DPA.

In its capacity as a controller, the Customer confirms that it is entitled to provide access to Customer Personal Data, maintains all necessary rights and lawful bases for Llamaroo's processing, and is responsible for the accuracy, quality, and legality of that data.

The Customer shall comply with all applicable Data Protection Laws. The Customer acknowledges it is responsible for platform configuration decisions (such as what students are named, which courses are assigned, and how classrooms are structured) and for implementing those decisions in a manner consistent with applicable law.

The Customer agrees not to upload, input, or otherwise provide any special category data (as defined in Article 9 of the UK GDPR) to Llamaroo, including health data, biometric data, or government identifiers.

The Customer is solely responsible for securing account authentication credentials and devices used to access the platform.

Llamaroo shall:

• Process personal data only on documented instructions from the Customer, unless required by law to do otherwise, in which case Llamaroo shall inform the Customer of that legal requirement before processing (unless prohibited from doing so).
• Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption of data in transit and at rest; ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner following an incident; and a process for regularly testing and evaluating the effectiveness of such measures.
• Not engage a sub-processor without the prior general written authorisation of the Customer (see Section 7).
• Assist the Customer in responding to requests from data subjects exercising their rights under Data Protection Legislation, including rights of access, rectification, erasure, and portability.
• Assist the Customer in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
• At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services, and delete existing copies unless storage is required by law.
• Make available to the Customer all information necessary to demonstrate compliance and allow for and contribute to audits and inspections.
• Immediately inform the Customer if, in its opinion, an instruction from the Customer infringes Data Protection Legislation.

Llamaroo shall maintain appropriate administrative, physical, technical, and organisational security measures for the processing of personal data, designed to protect against accidental or unauthorised loss, destruction, alteration, disclosure, or access.

The platform uses Clerk for teacher authentication (with multi-factor authentication available), Supabase with row-level security policies for data storage, and Vercel for hosting with TLS encryption on all connections.

Student data is minimised by design: students are represented as roster entries (a first name and a teacher-assigned identifier) rather than full user accounts. No student passwords or email addresses are stored.

Llamaroo will notify the Customer of material changes to its security measures that may adversely affect the security of Customer Personal Data.

Llamaroo shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer Personal Data.

Such notification shall include: a description of the nature of the breach; the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects.

Llamaroo shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each such breach.

Llamaroo's notification of a breach shall not be construed as an acknowledgement of fault or liability.

If the Customer determines to notify any supervisory authority, data subjects, or the public of a breach, and such notification refers to Llamaroo, the Customer agrees to notify Llamaroo in advance and consider in good faith any corrections Llamaroo may reasonably request.

The obligations above do not apply to the extent that a breach is caused by the Customer's own actions, configurations, or personnel.

The Customer provides general authorisation for Llamaroo to engage sub-processors. Llamaroo shall maintain a current list of sub-processors and make it available to the Customer upon request.

As of the effective date of this DPA, Llamaroo uses the following sub-processors:

• Supabase Inc. (database and backend infrastructure, AWS eu-west-2, London)
• Clerk Inc. (teacher authentication and identity management)
• Vercel Inc. (application hosting, global edge network with EU processing)

Llamaroo shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object within 20 business days.

If the Customer objects on reasonable data protection grounds, the parties shall work together in good faith to find a mutually acceptable resolution. If no resolution is reached, the Customer may terminate the Agreement and receive a refund of any prepaid fees.

Where Llamaroo engages a sub-processor, it shall impose the same data protection obligations as set out in this Agreement by way of a written contract. Llamaroo shall remain fully liable to the Customer for the performance of any sub-processor's obligations.

Llamaroo stores Customer Personal Data within the United Kingdom and European Economic Area. Database infrastructure is hosted in AWS eu-west-2 (London) via Supabase.

Llamaroo shall not transfer personal data outside the United Kingdom or EEA without ensuring appropriate safeguards are in place as required by Data Protection Legislation, such as the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.

Where sub-processors are based outside the UK or EEA (for example, Clerk Inc. in the United States), transfers are covered by the UK Addendum to the EU Standard Contractual Clauses and/or the EU-US Data Privacy Framework, as applicable.

If any transfer mechanism relied upon becomes invalid, the parties will cooperate in good faith to implement an alternative lawful mechanism. Llamaroo may suspend affected transfers until such mechanism is in place.

Llamaroo shall not use any Customer Personal Data for the purpose of training, retraining, fine-tuning, or otherwise developing any AI or machine learning models.

AI-assisted course generation within the platform uses teacher-provided prompts and curriculum content. All AI-generated output is reviewed and published by a teacher before any student sees it. Students never interact directly with a language model.

Llamaroo may process de-identified and aggregated Service Data for statistical reporting, security analysis, or operational insights, provided such information cannot be used to identify any individual.

Llamaroo shall make available to the Customer all information reasonably necessary to demonstrate compliance with Data Protection Legislation and this Agreement.

Llamaroo shall allow for and contribute to audits and inspections conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice of 30 days and during normal business hours.

Where audit assistance exceeds two person-hours, Llamaroo may charge the Customer its reasonable, documented costs at its then-current professional services rate.

Upon termination of the Agreement, Llamaroo shall immediately discontinue all processing of Customer Personal Data other than secure storage.

Within 30 calendar days after termination, the Customer may instruct Llamaroo in writing to return or delete all Customer Personal Data. If no such instruction is received, Llamaroo may permanently delete or irreversibly anonymise the data in accordance with its documented retention schedule.

The provisions of this Section, together with Sections 12 and 13, shall survive termination for so long as Llamaroo retains any Customer Personal Data.

Each Party's liability under this Agreement shall be subject to the limitations and exclusions set out in the Service Agreement.

Neither Party shall have an obligation to indemnify the other for any administrative fines imposed by a supervisory authority under Applicable Data Protection Legislation.

In no event shall either Party be liable to the other for any loss of profits, revenue, goodwill, or for any indirect, special, incidental, or consequential damages, regardless of the theory of liability.

This Agreement is governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction in relation to any dispute arising out of or in connection with this Agreement.

• Subject matter: Provision of the Llamaroo AI-powered educational gamification platform.
• Duration: For the term of the Service Agreement.
• Nature and purpose: Account management, teacher authentication, classroom administration, course delivery, billing, platform analytics, and customer support.
• Types of personal data: Administrator and teacher names, email addresses, job titles, authentication credentials (managed by Clerk), IP addresses, billing information. Student roster entries (first names and teacher-assigned identifiers) are not linked to personal accounts.
• Categories of data subjects: Authorised administrators, teachers, and billing contacts of the Customer. Student roster entries are minimal identifiers controlled entirely by the teacher.