Trust & transparency
Our sub-processors
NeuroKids relies on a small set of trusted third parties to deliver the service. Each one has a contractual GDPR Article 28 Data Processing Agreement with us, is reviewed annually, and is listed publicly below.
Last updated: 01 Feb 2026. Existing customers receive at least 30 days' notice before we add or change a sub-processor — managed via privacy@neuro-kids-space.co.uk.
| Sub-processor | Role | Data processed | Region | Contractual basis | DPA |
|---|---|---|---|---|---|
| MongoDB Atlas | Primary database (kid profiles, progress, settings) | All personal data and activity logs | UK (eu-west-2) | GDPR Art. 28 Data Processing Agreement | Link |
| Stripe | Payment processing | Billing email, plan, payment method (Stripe holds card numbers — we never see them) | EU/UK | GDPR Art. 28 DPA + PCI-DSS Level 1 | Link |
| Resend | Transactional email delivery | Recipient email, subject, message body | EU (Frankfurt) | GDPR Art. 28 DPA | Link |
| Twilio | SMS delivery (optional — only if SMS notifications enabled) | Recipient phone number, message body | EU (Dublin) | GDPR Art. 28 DPA | Link |
| OpenAI (via Emergent LLM gateway) | AI-generated content (social stories, EHCP drafts, therapy goals) | Prompts (anonymised). Never trained on. 30-day retention. | US (with EU SCCs) | OpenAI Enterprise DPA + Standard Contractual Clauses | Link |
| Google (via Emergent LLM gateway) | AI-generated illustrations (Nano Banana image model) | Image prompts (anonymised). Never trained on. | EU (Belgium) | Google Cloud DPA + Standard Contractual Clauses | Link |
| Cloudflare | CDN, DDoS protection, DNS | IP addresses, request metadata (no message bodies) | Global edge (encrypted in transit) | GDPR Art. 28 DPA | Link |
| Sentry | Application error monitoring (opt-out in /settings) | Stack traces, browser metadata. No personal data is sent. | EU (Frankfurt) | GDPR Art. 28 DPA | Link |
| Wonde | School MIS roster sync (only if your school approves it) | Pupil name, DOB, year group, SEND status, staff role | UK | GDPR Art. 28 DPA + per-school authorisation | Link |
Frequently asked by school data leads
Is any pupil data sent to AI providers for model training?
No. All AI calls (OpenAI / Google) are made under enterprise contracts that exclude our prompts from training data. Retention is capped at 30 days.
Where is pupil data stored at rest?
The primary database (MongoDB Atlas) is hosted in the UK (eu-west-2). Backups are encrypted and kept in the same region.
Can our school request removal of all pupil data?
Yes. Email privacy@neuro-kids-space.co.uk with a Subject Access / Erasure Request — we action within 30 days per UK GDPR.
What changes trigger a sub-processor notice?
Adding a new sub-processor, changing the hosting region of an existing one, or replacing one with another. Customers on the Professional / School plans receive an email at least 30 days in advance.
Need this in your due-diligence pack?
We can supply our DPA, sub-processor list as PDF, and supplier assurance questionnaire responses on request. Most schools' data leads have what they need within one working day.