Last updated: April 2026
This Data Processing Agreement ("DPA") is entered into between the Customer (the nursery, early years setting, or childcare provider) acting as the data controller, and Koios Innovations Ltd (company number 17186461), trading as nursery.click, acting as the data processor.
This DPA forms part of, and is incorporated into, the Terms of Service. In the event of any conflict between this DPA and the Terms of Service in respect of data protection matters, this DPA shall prevail.
1. Scope and Purpose
This DPA applies to the processing of personal data by nursery.click on behalf of the Customer in connection with the provision of the platform. nursery.click processes personal data only for the purposes of providing the nursery management platform and in accordance with the Customer's documented instructions.
2. Data Processed
The platform processes the following categories of personal data on behalf of nurseries:
- Child data: names, dates of birth, age groups
- Health and medical data (special category): allergies, dietary requirements, medical notes
- Parent/guardian data: names, email addresses, phone numbers
- Emergency contact data: names, phone numbers, relationships
- Staff data: names, email addresses, roles
- Attendance data: check-in/out times, session records
- Financial data: invoices, payments, funding entitlements
- Communication data: messages between nursery and parents
3. Security Measures
We implement appropriate technical and organisational measures including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Separate authentication systems for staff and parents (AWS Cognito)
- Tenant isolation at the database level using partition-key separation
- Family-level data isolation within each nursery
- Role-based access control
- Point-in-time recovery for all data
- All primary data stored in AWS eu-west-2 (London, UK)
4. Sub-processors
We use the following sub-processors to provide the platform:
Amazon Web Services (AWS)
Location: eu-west-2 (London, UK) unless otherwise noted.
| Service | Purpose | Data processed |
|---|---|---|
| DynamoDB | Database storage | All platform data (child records, family data, attendance, bookings, invoices, funding, messages, staff records) |
| Cognito | User authentication | Email addresses, password hashes, custom attributes (nurseryId, familyId, role), passkey credentials |
| SES | Transactional email delivery | Recipient email addresses, email content (invoices, notifications, invitations) |
| SNS | Push notification routing | Device tokens, notification metadata |
| Lambda | Compute (application logic) | All platform data (in-memory during processing only) |
| CloudWatch | Logging and monitoring | Application logs (PII redaction in progress) |
| CloudFront | Content delivery (static assets) | IP addresses, user agents, request metadata. Location: global (edge locations). |
| AppSync | Real-time event delivery | Attendance event data (nurseryId, childId, session, timestamps) |
| Bedrock | AI-assisted features (observation drafting, curriculum planning, report narratives, chat assistant) | Text content from staff notes, observation descriptions, child development context. No photographs, videos, or biometric data. Location: global (cross-region inference). AWS Bedrock does not retain input or output data. |
Other sub-processors
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Stripe | Payment processing and subscription management | Stripe customer ID, subscription ID, payment method tokens. No card numbers stored by nursery.click. | EU/UK |
| Google Firebase Cloud Messaging | Android push notifications | Device tokens, notification content (generic, no PII) | Global |
| Apple Push Notification Service | iOS push notifications | Device tokens, notification content (generic, no PII) | Global |
Sub-processor list last updated: April 2026
We will notify customers with at least 30 days' notice before adding or replacing any sub-processor. Customers may object to a new sub-processor within 14 days of receiving notice.
5. Data Breach Notification
We will notify the Customer without undue delay, and in any event within 24 hours, upon becoming aware of a personal data breach affecting Customer data. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.
6. Data Subject Rights
We assist customers in fulfilling data subject requests by providing data export functionality, correction capabilities, deletion mechanisms, and restriction of processing through the platform's features.
7. Data Return and Deletion
On termination of the agreement:
- Customers have 30 days to export their data in JSON or CSV format
- After the export period, all data is deleted within 90 days
- Financial records are retained for 7 years as required by HMRC
8. International Transfers
All primary data processing and storage takes place in AWS eu-west-2 (London, UK). Push notification services may route device tokens through global infrastructure. Where data is transferred outside the UK, appropriate safeguards (UK IDTA or UK Addendum to EU SCCs) are in place.
9. Liability
Each party's total aggregate liability arising out of or in connection with this DPA shall not exceed 2 times the total fees paid or payable by the Customer in the 12-month period immediately preceding the claim.
10. Full Agreement
The full Data Processing Agreement, including detailed annexes covering processing details and security measures, is available on request by contacting us at support@nursery.click.
Contact
For questions about this DPA or our data processing practices, please contact us at support@nursery.click.