Terms of Service and Data Processing Agreement
These Terms form a legally binding agreement between your school (the "School") and the provider of EOLAS (Evidence of Learning Across School) ("EOLAS", "we", "us"). By ticking "I accept these Terms" on the EOLAS sign-up page, the person accepting on behalf of the School confirms they are authorised to do so and binds the School to these Terms.
Note for the School: Under data protection law, your School is the Data Controller for the pupil, staff and parent information you put into EOLAS, and EOLAS is the Data Processor, acting only on your instructions. This is the same controller/processor relationship your School already has with its other school systems. The data-protection detail is set out in the Data Processing Agreement in Schedule 1 below.
1. Definitions
- Personal Data, Data Controller, Data Processor, Data Subject and Personal Data Breach have the meanings given to them in Data Protection Law.
- Data Protection Law means the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Acts 1988โ2018, and any other applicable law relating to the processing of personal data, as amended from time to time.
- DPC means the Data Protection Commission, the supervisory authority for data protection in Ireland.
- School Data means the data entered into EOLAS by the School, its staff, or its pupils, or imported on the School's instruction, for the purpose of using the Services.
- Services means the EOLAS formative assessment platform and all associated features, reports, and support provided to the School.
- Users means staff members and pupils of the School who are given access to the Services.
2. The Services
2.1 EOLAS is a digital formative assessment platform for Irish primary schools. It assesses literacy and numeracy across the eight primary year groups, tracks pupil progress over time, and produces reports for teachers, principals, and parents.
2.2 EOLAS is a formative tool. It is designed to inform teaching and to identify strengths and areas for development at pupil, class, and whole-school level. EOLAS reports are intended to support a teacher's professional judgement and are not a substitute for it.
2.3 We will provide the Services with reasonable skill and care. We will use reasonable endeavours to keep the Services available, but we do not warrant that the Services will be uninterrupted or error-free.
2.4 We may improve or modify the Services from time to time. We will give the School reasonable notice of any material change that reduces functionality.
3. Responsibilities of the School
3.1 The School shall:
- (a) use the Services only for its internal educational purposes;
- (b) ensure that each User keeps their login credentials secure and confidential;
- (c) be responsible for the accuracy of the School Data it enters or imports;
- (d) ensure it has a valid lawful basis under Data Protection Law for entering pupil, staff and parent data into EOLAS, and for informing those individuals (or their parents/guardians) as required (see clause 5 and Schedule 1);
- (e) allocate appropriate access levels to staff, so that each User only sees the data appropriate to their role; and
- (f) notify us promptly of any unauthorised access to or misuse of the Services of which it becomes aware.
3.2 The School controls which data is imported into EOLAS. Where the School imports data from another school system, EOLAS imports only the minimum fields necessary to operate the Services (pupil name, class, teacher, enrolment dates) and does not import sensitive categories such as health or family information.
4. Ownership of data
4.1 The School owns all right, title, and interest in the School Data. EOLAS claims no ownership of it.
4.2 EOLAS owns the EOLAS platform, software, question banks, and reports format. The School is granted a non-exclusive, non-transferable right to use the Services for the duration of these Terms.
4.3 On termination, the School may export its School Data, and EOLAS will then delete it, in accordance with clause 8 and Schedule 1.
5. Data protection
5.1 In respect of all Personal Data processed through the Services, the School is the Data Controller and EOLAS is the Data Processor. The detailed terms governing this relationship are set out in the Data Processing Agreement at Schedule 1, which forms part of these Terms and satisfies the requirements of Article 28 GDPR.
5.2 All School Data is hosted within the European Economic Area. EOLAS does not transfer School Data outside the EEA.
5.3 If there is any conflict between the body of these Terms and Schedule 1, Schedule 1 prevails in respect of data protection matters.
6. Charges
6.1 The charges for the Services are as set out in the price list provided to the School at sign-up or as otherwise agreed in writing.
6.2 Where the Services are provided on a free trial basis, no charge applies for the trial period, and either party may end the trial at any time on written notice.
7. Liability
7.1 Nothing in these Terms limits either party's liability for death or personal injury caused by negligence, for fraud, or for any liability that cannot be limited by law.
7.2 Subject to clause 7.1, neither party is liable to the other for loss of profits, loss of business, loss of goodwill, or any indirect or consequential loss.
7.3 Subject to clauses 7.1 and 7.2, each party's total liability arising under these Terms in any twelve-month period is limited to the greater of (a) the charges paid by the School in that period, or (b) โฌ1,000.
7.4 The School is responsible for ensuring it has a lawful basis for the data it places in EOLAS and for informing the relevant individuals. EOLAS is not liable for any breach of Data Protection Law that results from the School's failure to do so.
8. Term and termination
8.1 These Terms begin when the School accepts them and continue until terminated.
8.2 Either party may terminate on 30 days' written notice. Either party may terminate immediately if the other commits a material breach that it fails to remedy within 20 days of written notice.
8.3 On termination, for a period of 30 days the School may export its School Data using the export function in the Services. After that period, EOLAS will securely delete the School Data, except for any copies it is required by law to retain, and will confirm deletion in writing on request.
9. General
9.1 EOLAS may update these Terms from time to time. We will give the School reasonable notice of any material change. Continued use of the Services after a change takes effect constitutes acceptance of the updated Terms.
9.2 These Terms are governed by the laws of the Republic of Ireland, and the parties submit to the exclusive jurisdiction of the Irish courts.
9.3 If any provision of these Terms is found to be unenforceable, the remaining provisions continue in full force.
Schedule 1 โ Data Processing Agreement
This Data Processing Agreement ("DPA") governs the processing of Personal Data by EOLAS (the Data Processor) on behalf of the School (the Data Controller), in compliance with Article 28 GDPR.
A. Subject matter and roles
A.1 The School is the Data Controller. EOLAS is the Data Processor.
A.2 EOLAS processes Personal Data only on the documented instructions of the School. The School's acceptance of these Terms, and its configuration and use of the Services, constitute its general written instructions.
B. Details of the processing
| Subject matter | Provision of the EOLAS formative assessment Services |
|---|---|
| Duration | For the term of the Terms, plus the deletion period in clause 8.3 |
| Nature and purpose | Storing and processing pupil assessment data to produce formative reports for teachers, principals, and parents |
| Categories of data subject | Pupils; school staff |
| Categories of personal data | Pupil first name, last name, date of birth, class, year group, enrolment dates, and assessment results; staff name and work email |
| Special category data | None. EOLAS does not request, import, or store health, family, or other special category data |
C. Obligations of EOLAS as Data Processor
EOLAS shall:
- C.1 process Personal Data only on the School's documented instructions, and not for any other purpose;
- C.2 ensure that all personnel authorised to process the Personal Data are bound by an appropriate duty of confidentiality;
- C.3 implement appropriate technical and organisational security measures to protect the Personal Data against unauthorised access, loss, or disclosure (summarised in Section F);
- C.4 not engage another processor (sub-processor) without the School's general authorisation under Section D, and remain fully liable for any sub-processor's performance;
- C.5 assist the School, taking into account the nature of the processing, in responding to requests from individuals exercising their data protection rights (such as access, correction, or erasure);
- C.6 assist the School in complying with its obligations relating to security, breach notification, and data protection impact assessments;
- C.7 notify the School without undue delay, and in any event consistent with the School's obligation to notify the DPC within 72 hours, after becoming aware of any Personal Data Breach affecting the School Data, and provide the information the School reasonably needs to meet its own breach obligations;
- C.8 on termination, delete or return all Personal Data in accordance with clause 8.3;
- C.9 make available to the School the information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits on reasonable notice; and
- C.10 not transfer Personal Data outside the EEA.
D. Sub-processors
D.1 The School provides general authorisation for EOLAS to use the following sub-processor:
- Render (Render Services, Inc.) โ application and database hosting, in the EU. Data is stored within the European Economic Area.
D.2 EOLAS will maintain an up-to-date list of sub-processors and will give the School reasonable notice of any intended change, giving the School the opportunity to object on reasonable data protection grounds.
D.3 EOLAS will ensure any sub-processor is bound by data protection obligations no less protective than those in this DPA.
E. Hosting and data location
E.1 All School Data is hosted within the European Economic Area, in Render's EU region.
E.2 EOLAS will not move School Data to a hosting location outside the EEA. If EOLAS changes hosting provider or region, it will remain within the EEA and EOLAS will give the School advance notice.
F. Security measures (summary)
EOLAS applies the following measures, appropriate to the data held:
- all connections to the Services are encrypted in transit (HTTPS/TLS);
- access to School Data is restricted by role, so staff see only the data appropriate to their role;
- pupil login uses age-appropriate credentials and never exposes a pupil's full credential to other Users;
- regular, tested backups of the database are maintained;
- administrative access to the production system is limited to authorised EOLAS personnel; and
- special category data (health, family information) is not collected or stored.
G. Breach notification
G.1 EOLAS will inform the School of any Personal Data Breach affecting School Data without undue delay after becoming aware of it.
G.2 EOLAS will provide sufficient information to allow the School, as Data Controller, to meet its obligation to notify the DPC within 72 hours where required, and to inform affected individuals where the breach is likely to result in a high risk to their rights.
This document is a plain-English processor agreement provided for the operation of the EOLAS Services. It is not legal advice. A school with specific concerns should consult its own data protection advisor.
← Back to EOLAS