Data processing addendum
If your organisation needs a controller-to-processor agreement to use the home-ed app at scale, we have a template ready. Here is who needs it and how to ask.
What this means in plain English. Most readers won’t need this page. It exists for organisations (a local authority partnership, a school, a charity buying seats) that need a signed data processing addendum before they can use the Willowfolio app with their members.
When this DPA applies
Under UK GDPR Article 28, a controller using a processor must put a written contract in place that meets specific requirements. A DPA between you and Willowfolio applies when:
- Your organisation determines the purposes and means of processing personal data of your members or pupils, and
- Your organisation procures the Willowfolio app, or related services, to process that personal data on your behalf.
It does not apply to individual parents or carers using the marketing site or signing up to the app for a single household; in that scenario you are the data subject and Anam & Choudhury Limited is the controller. The privacy notice covers that route.
How to request a signed DPA
Email [email protected] with:
- Your organisation’s legal name and registered address.
- The role you are buying for (council, school, charity, other) and the rough number of seats.
- The named data protection contact at your organisation.
- Any specific requirements you have (e.g. UK-only data residency, approved sub-processor list, audit rights wording).
We will reply within 10 working days with our standard DPA template for review. The standard template covers Article 28 obligations: scope, duration, processing instructions, confidentiality, security, sub-processors, data subject rights assistance, breach notification, audit, deletion or return at end of contract, and international transfers.
Sub-processors
About our infrastructure. Our analytics, error reporting, search index, and database all run on our own infrastructure in the UK / EEA. They are software we operate, not independent legal entities processing on our behalf, and so are not sub-processors for the purposes of Article 28 UK GDPR. The underlying VPS hosting (OVH) is named in the list below.
We use the same vendors named in the privacy notice:
- Cloudflare: content delivery, public tunnel, and Turnstile bot challenges.
- OVH (France): the underlying VPS hosting on which our application, database, analytics, and search index run.
- Mailgun for transactional email.
- Google: Google Analytics 4 (used only when end users accept analytics cookies; configurable off where required) and Google Sign-In / OAuth on the Willowfolio app.
- Microsoft: Microsoft Clarity for heatmaps and session recording on the marketing site (used only when end users accept analytics cookies; configurable off where required).
- Stripe for payment processing on the Willowfolio app. Stripe is a PCI-DSS Level 1 processor that handles card data directly; we never touch card numbers.
- Brevo (Sendinblue SAS, France) for marketing email, with EU data residency option selected.
We will give you reasonable prior notice of any new sub-processor and a reasonable opportunity to object on legitimate data protection grounds, in line with the standard template.
International transfers
Where personal data leaves the United Kingdom or the European Economic Area, we rely on the UK Addendum to the EU Standard Contractual Clauses, or another transfer tool recognised under Article 46 UK GDPR. The standard DPA documents which sub-processors rely on which transfer tool.
Most processing happens in the EU. Cloudflare, Google (GA4 + OAuth), Microsoft (Clarity), Mailgun, and Stripe may transfer data outside the UK / EEA under SCCs and the UK Extension; the standard DPA names them.
Security
Our standard DPA describes the technical and organisational measures we take, in line with Article 32, including encryption in transit, access control on the admin SDK, separation of marketing-site and app data, server-side rate limits, bot mitigation on public forms, backups encrypted at rest with off-site retention, and a PII-redaction policy in error reporting that is applied once the production Sentry deployment is fully provisioned at M5. We do not currently hold an ISO 27001 certification or commission third-party penetration tests; the full TOMs annex sits alongside the standard DPA template.
Breach notification
We will notify your nominated contact without undue delay on becoming aware of a personal data breach affecting data we process on your behalf, in line with Article 33(2). The standard DPA sets out the information we will provide and how we will support your own notifications to the ICO and to data subjects where required.
Contact
Email [email protected] for the DPA template, a signed copy, or any related question. Postal address: Anam & Choudhury Limited, Kemp House, 124 City Road, London EC1V 2NX.
Last updated: 7 May 2026.