Data processing addendum
If your organisation needs a controller-to-processor agreement to use the Willowfolio app at scale, we have a template ready. Here is who needs it and how to ask.
What this means in plain English. Most readers won’t need this page. It exists for organisations (a local authority partnership, a school, a charity buying seats) that need a signed data processing addendum before they can use the Willowfolio app with their members.
When this DPA applies
Under UK GDPR Article 28, a controller using a processor must put a written contract in place that meets specific requirements. A DPA between you and Willowfolio applies when:
- Your organisation determines the purposes and means of processing personal data of your members or pupils, and
- Your organisation procures the Willowfolio app, or related services, to process that personal data on your behalf.
It does not apply to individual parents or carers using the marketing site or signing up to the app for a single household; in that scenario you are the data subject and Anam & Choudhury Limited is the controller. The privacy notice covers that route.
Note on commercial structure. The Willowfolio app is licensed per family account. An organisation procuring at scale typically holds one account per member family, so each family controls its own records and is not visible to other families on the same procurement. Per-seat pricing and volume tiers are agreed separately; this addendum covers data-protection obligations only.
How to request a signed DPA
Email [email protected] with:
- Your organisation’s legal name and registered address.
- The role you are buying for (council, school, charity, other) and the rough number of seats.
- The named data protection contact at your organisation.
- Any specific requirements you have (e.g. UK-only data residency, approved sub-processor list, audit rights wording).
We will reply within 10 working days with our standard DPA template for review. The standard template covers Article 28 obligations: scope, duration, processing instructions, confidentiality, security, sub-processors, data subject rights assistance, breach notification, audit, deletion or return at end of contract, and international transfers.
Sub-processors
About our infrastructure. Our analytics, error reporting, search index, and database all run on our own infrastructure in the UK / EU. They are software we operate, not independent legal entities processing on our behalf, and so are not sub-processors for the purposes of Article 28 UK GDPR. The underlying VPS hosting (OVH and Hetzner) is named in the list below.
We use the same vendors named in the privacy notice:
- Cloudflare: content delivery, public tunnel, and Turnstile bot challenges.
- OVH (France) and Hetzner(Germany) for VPS hosting (primary infrastructure on OVH; encrypted offsite backups on Hetzner).
- Mailgun for transactional email (printable delivery, contact replies, magic-link logins, password resets, and other system emails).
- Google: Google Analytics 4 (used only when end users accept analytics cookies; configurable off where required) and Google Sign-In / OAuth on the Willowfolio app.
- Microsoft: Microsoft Clarity for heatmaps and session recording on the marketing site (used only when end users accept analytics cookies; configurable off where required).
- Stripe for payment processing on the Willowfolio app. PCI-DSS Level 1 processor handling card data directly; we never touch card numbers.
- Brevo (Sendinblue SAS, France) for marketing email, with EU data residency option selected.
We will give you reasonable prior notice of any new sub-processor and a reasonable opportunity to object on legitimate data protection grounds, in line with the standard template.
Where data lands and how transfers are made lawful
The table below summarises, for each external sub-processor, the country where the data physically lands and the lawful transfer mechanism we rely on under Article 46 UK GDPR. Our database, analytics, error monitoring, and search index run on the infrastructure listed in the OVH and Hetzner rows; they are not separate sub-processors and are covered by those rows.
| Vendor | Role | Where data lands | Transfer mechanism |
|---|---|---|---|
| Cloudflare | CDN, public tunnel, Turnstile anti-bot. | Global edge network (US-headquartered). | UK Addendum to the EU SCCs. |
| OVH | Primary VPS hosting (the marketing site and Willowfolio app run here). | France (Gravelines, EU). | UK adequacy decision. |
| Hetzner | Encrypted off-site backups. | Germany (EU). | UK adequacy decision. |
| Mailgun | Transactional email (printables, magic links, contact replies). | United States. | UK Addendum to the EU SCCs. |
| Brevo (Sendinblue SAS) | Newsletter delivery. | France (EU residency option selected). | UK adequacy decision. |
| Google Analytics 4 (consent-gated) and Google Sign-In / OAuth on the Willowfolio app. | United States. | UK Addendum to the EU SCCs. | |
| Microsoft | Clarity heatmaps and session recording on the marketing site (consent-gated). | United States. | UK Addendum to the EU SCCs. |
| Stripe | Payment processing on the Willowfolio app. PCI-DSS Level 1 processor; card data handled by Stripe directly. | United States. | UK Addendum to the EU SCCs. |
International transfers
Where personal data leaves the United Kingdom or the European Economic Area, we rely on the UK Addendum to the EU Standard Contractual Clauses, or another transfer tool recognised under Article 46 UK GDPR. The standard DPA documents which sub-processors rely on which transfer tool.
Most processing happens in the EU. Cloudflare, Google (GA4 + OAuth), Microsoft (Clarity), Mailgun, and Stripe may transfer data outside the UK / EU under SCCs and the UK Extension; the standard DPA names them.
Security
Our standard DPA describes the technical and organisational measures we take, in line with Article 32, including encryption in transit, access control on the admin SDK, separation of marketing-site and app data, server-side rate limits, bot-mitigation on public forms, encrypted at-rest backups with off-site retention, and a PII-redaction policy applied to outgoing events in our self-hosted error-monitoring tool. We do not currently hold an ISO 27001 certification or commission third-party penetration tests; the full TOMs annex sits alongside the standard DPA template.
Breach notification
We will notify your nominated contact without undue delay on becoming aware of a personal data breach affecting data we process on your behalf, in line with Article 33(2). The standard DPA sets out the information we will provide and how we will support your own notifications to the ICO and to data subjects where required.
Contact
Email [email protected] for the DPA template, a signed copy, or any related question. Postal address: Anam & Choudhury Limited, Kemp House, 124 City Road, London EC1V 2NX.
Last updated: 12 May 2026.