Data Processing Agreement
Notice to administrator: this is a public-facing summary only. The signed DPA between Apply Intelligence Ltd and your school is the contractual document. Have this page and the underlying DPA reviewed by counsel before public launch. Email hello@applyintel.ai to request the full DPA in advance of contracting.
Roles
Where you use Apply Intelligence as a customer, your school is the data controller for personal data of pupils, parents, agents and staff processed in the platform. Apply Intelligence Ltd acts as the data processor, processing personal data only on your documented instructions, in accordance with UK GDPR Art. 28.
Subject matter and duration
We process personal data to provide the Apply Intelligence admissions CRM for the duration of the customer agreement plus any agreed transition or export period.
Categories of data and data subjects
- Data subjects: prospective and current pupils, parents and guardians, school staff, agency contacts.
- Personal data: contact details, school and admissions records, application history, communications, financial information related to fees and commissions, and any data the school chooses to enter.
- Special-category data: only where the school configures it explicitly (e.g. medical or learning-support flags). This data is encrypted at rest and access-logged.
Sub-processors
Our current sub-processors are listed below. We give 30 days' notice of any new sub-processor; you may object on reasonable data-protection grounds.
- Google Cloud (London region): hosting, storage, backup.
- Resend: outbound transactional email.
- Keycloak (self-hosted on Google Cloud): authentication.
Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS) and at rest, role-based access control, audit logging with IP attribution, principle-of-least-privilege access for staff, and regular backup and restore testing. See /security for the current detail.
International transfers
Customer data is hosted in the United Kingdom (Google Cloud London region). Where any onward transfer occurs (e.g. for support tooling), we rely on the UK International Data Transfer Addendum to the EU SCCs.
Data breach
We will notify affected customers without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting their data, with the information needed to meet their own UK GDPR Art. 33 obligations.
Audit and assistance
On reasonable request we will provide all information necessary to demonstrate compliance with this DPA, including by sharing audit reports from our hosting and security providers, and by supporting Data Protection Impact Assessments and data subject rights requests.
Return and deletion
On termination, we return personal data to the school in CSV or via the REST API and delete remaining copies within 30 days, except where retention is required by law.
Contact
For DPA queries email hello@applyintel.ai.