Amadoo Data Processing Agreement (DPA)
Last Updated: June 2026
This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions between Amadoo (“Processor”, “we”, “our”, “us”) and the Customer (“Controller”, “you”, “your”).
This DPA applies where Amadoo processes Personal Data on behalf of the Customer in connection with the use of the Amadoo platform.
1. Definitions
For the purposes of this Agreement:
- Controller
- — the organisation that determines the purposes and means of processing Personal Data.
- Processor
- — the organisation that processes Personal Data on behalf of the Controller.
- Personal Data
- — has the meaning given under UK GDPR.
- Data Subject
- — the individual to whom Personal Data relates.
- UK GDPR
- — the United Kingdom General Data Protection Regulation.
- Processing
- — includes collecting, recording, storing, organising, using, transmitting, deleting, or otherwise handling Personal Data.
2. Roles of the Parties
The Customer acts as the Data Controller.
Amadoo acts as the Data Processor.
The Customer determines:
- What data is collected
- Why data is collected
- How data should be used
Amadoo processes Personal Data solely on behalf of the Customer and in accordance with documented instructions.
3. Nature and Purpose of Processing
Amadoo provides nursery management software and processes Personal Data for the purposes of:
- Child administration
- Attendance tracking
- Observations and learning journeys
- Parent communication
- Staff administration
- Invoicing and payments
- Funding management
- Incident and accident records
- Compliance reporting
- AI-assisted drafting and administrative support
Processing is limited to what is necessary to provide the services requested by the Customer.
4. Categories of Personal Data
Depending on how the platform is used, Personal Data may include:
Child Information
- Name
- Date of birth
- Gender
- Learning records
- Attendance records
- Medical information
- Dietary information
- Allergy information
- Development assessments
- Observation records
- Incident and accident reports
- Photographs and uploaded files
Parent and Guardian Information
- Name
- Address
- Email address
- Telephone number
- Emergency contact details
- Payment information
Staff Information
- Name
- Email address
- Telephone number
- Employment records
- Attendance records
- Qualification records
- Training records
- DBS status information
- Uploaded documents
5. Special Category Data
The Customer acknowledges that Personal Data may include Special Category Data, including:
- Health information
- Medical information
- Allergy information
- Dietary requirements
- SEND information
- Safeguarding-related information where uploaded by the Customer
Amadoo shall apply appropriate technical and organisational measures to protect such data.
6. Processor Obligations
Amadoo shall:
- Process Personal Data only on documented instructions from the Customer
- Ensure confidentiality of authorised personnel
- Maintain appropriate security measures
- Assist the Customer in complying with UK GDPR obligations where reasonably required
- Notify the Customer of any Personal Data Breach without undue delay
- Cooperate with supervisory authorities where legally required
- Keep records of processing activities where required by law
7. Security Measures
Amadoo implements appropriate technical and organisational measures including:
- Encrypted data transmission using HTTPS/TLS
- Password-protected user accounts
- Role-based access controls
- Secure cloud infrastructure
- Access logging and monitoring
- Regular software updates and security patches
- Secure data backups
- Restricted employee access to production systems
Security measures may be updated from time to time to reflect industry standards and technological developments.
8. AI Processing (Ami)
Where the Customer chooses to use Ami, Amadoo's AI assistant, Personal Data may be processed to:
- Draft observations
- Generate reports
- Draft communications
- Provide administrative assistance
Amadoo does not use Customer Data to train public AI models.
The Customer remains responsible for reviewing and approving all AI-generated content before use.
9. Sub-Processors
The Customer authorises Amadoo to engage sub-processors where necessary to provide the services.
Current sub-processors may include:
Supabase
Purpose: Data hosting and database infrastructure.
Stripe
Purpose: Payment processing and financial transactions.
Email Service Providers
Purpose: Transactional email delivery and notifications.
Amadoo shall ensure that any authorised sub-processor is subject to appropriate contractual obligations regarding Personal Data protection.
A current list of sub-processors may be updated from time to time.
10. International Transfers
Amadoo will not transfer Personal Data outside the United Kingdom unless:
- Adequate safeguards are in place; and
- Such transfer complies with applicable data protection laws.
Where required, appropriate transfer mechanisms shall be implemented.
11. Data Subject Rights
Where a Data Subject exercises rights under UK GDPR, including requests relating to:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
Amadoo shall provide reasonable assistance to the Customer where necessary.
The Customer remains responsible for responding to Data Subject requests.
12. Personal Data Breaches
If Amadoo becomes aware of a Personal Data Breach affecting Customer Data, Amadoo shall:
- Notify the Customer without undue delay
- Provide available information regarding the incident
- Take reasonable steps to mitigate risks
- Cooperate with the Customer in investigating the incident
13. Data Retention and Deletion
Upon termination of services and upon written request from the Customer, Amadoo shall:
- Return Customer Data where technically feasible; or
- Securely delete Customer Data
Amadoo may retain data where required by law or for legitimate legal, regulatory, accounting, or security purposes.
14. Audits and Information Requests
Upon reasonable written request, Amadoo shall provide information necessary to demonstrate compliance with this DPA.
Any audit request must:
- Be reasonable
- Not disrupt operations
- Be subject to confidentiality obligations
- Occur no more than once per calendar year unless required by law
15. Liability
Each party's liability under this DPA shall be subject to the liability limitations contained within the Amadoo Terms and Conditions.
Nothing in this DPA excludes liability where such exclusion is prohibited by law.
16. Governing Law
This DPA shall be governed by and interpreted in accordance with the laws of England and Wales.
Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
17. Contact Details
Amadoo
Email: info@amadooapp.com
For privacy, GDPR, or data protection enquiries, please contact us using the details above.
