Data Protection Impact Assessment
Last updated: April 2026
This DPIA has been prepared by Chalkie AI to support schools, groups, and Multi-Academy Trusts (MATs) in their procurement and data governance due diligence. It assesses the privacy risks associated with deploying Chalkie across schools and documents the technical and organisational measures in place to mitigate those risks.
1. Overview and Purpose of This DPIA
This Data Protection Impact Assessment (DPIA) has been prepared in accordance with Article 35 of the UK General Data Protection Regulation (UK GDPR) and the guidance published by the Information Commissioner's Office (ICO). It is intended to assist Multi-Academy Trusts (MATs) and their Data Protection Officers (DPOs) in evaluating the privacy implications of deploying Chalkie AI across their schools.
A DPIA is required where processing is likely to result in a high risk to individuals. While Chalkie AI is a teacher-facing tool that does not process student personal data as part of its core function, this DPIA documents all relevant data flows, the legal bases for processing, the risks identified, and the mitigations in place - enabling MATs to make an informed procurement decision and satisfy their own governance obligations.
1.1 Scope
This DPIA covers the processing of personal data that occurs when Chalkie AI is deployed within a Multi-Academy Trust, including:
- Registration and account management for teaching staff
- Use of the lesson-planning product, including AI content generation
- Product analytics, error monitoring, and support communications
- Payment processing for subscriptions
- Data transfers to third-party sub-processors
1.2 What Chalkie AI Does
Chalkie AI is an AI-powered lesson planning tool designed for teachers. Teachers enter a topic, year group, and curriculum standard, and the product generates structured lesson content. There are no student accounts, no student logins, and no student data collection within the product.
2. Controller and Processor Details
2.1 Data Controller
| Field | Detail |
|---|---|
| Organisation | Chalkie AI |
| Role | Data Controller (for teacher account data); Data Processor (acting on behalf of the MAT for staff data entered during use) |
| Registration | Registered in the United Kingdom |
| Privacy Policy | https://Chalkie.ai/privacy |
| Contact | hello@chalkie.ai |
| AI Safety Lead | Chief Technology Officer (CTO) |
2.2 Data Processing Agreement (DPA)
Chalkie AI offers a Data Processing Agreement (DPA) to MATs on request. The DPA formalises the controller–processor relationship for staff personal data and sets out the obligations of each party. To request a DPA, contact hello@chalkie.ai.
3. Description of Processing Activities
3.1 Categories of Data Subjects
| Data Subject Category | Notes |
|---|---|
| Teaching staff (registered users) | Primary data subjects - account holders who use the product |
| School / Trust administrators | May hold admin roles within the platform to manage staff accounts |
| Students | NOT data subjects - no student data is collected, processed, or stored by Chalkie AI |
3.2 Categories of Personal Data Processed
| Data Category | Examples | Purpose |
|---|---|---|
| Identity data | Name, email address | Account registration, authentication, support |
| Account credentials | Hashed password | Authentication and session management |
| Usage / analytics data | Feature interactions, page views (no autocapture) | Product improvement and support |
| Payment data | Billing name, email, card details (processed by Stripe) | Subscription management |
| Error / diagnostic data | Error traces (no PII intentionally included) | Bug fixing and reliability monitoring |
| Prompt content | Text entered by teachers into the lesson planner | AI content generation - not linked to identity before AI processing |
Important: Account information (names, email addresses) is never sent to AI model providers. Only the prompt content is transmitted, with no account identifiers attached. This de-linking removes Chalkie AI's own identity data; whatever a teacher types into the prompt is still transmitted as entered, which is why the PII detection described in 3.3 warns before submission.
3.3 Special Category Data
Chalkie AI does not collect or process special category data (Article 9 UK GDPR). Teachers are instructed via the Terms of Service not to enter student personal information or special category data. Real-time PII detection warns users if input resembles personal information (e.g. email addresses, phone numbers, ID numbers).
3.4 Legal Bases for Processing
| Processing Activity | Legal Basis | Rationale |
|---|---|---|
| Account registration and management | Contract (Art. 6(1)(b)) | Necessary to provide the service |
| Product analytics | Legitimate interests (Art. 6(1)(f)) | Improving the product; minimal privacy impact given no autocapture and EU processing |
| Error monitoring | Legitimate interests (Art. 6(1)(f)) | Ensuring service reliability |
| Email communications | Contract (Art. 6(1)(b)) or legitimate interests (Art. 6(1)(f)) | Transactional email is necessary to provide the service; other communications rely on legitimate interests |
| Payment processing | Contract (Art. 6(1)(b)) | Necessary for subscription billing |
4. Data Flows and Sub-Processors
4.1 Infrastructure and Hosting
| Component | Provider & Location | Data Stored / Processed |
|---|---|---|
| Application & database hosting | DigitalOcean - Amsterdam, Netherlands (EU) | All application data including teacher accounts and lesson content |
| File storage | DigitalOcean Spaces - Amsterdam, Netherlands (EU) | Uploaded and generated files |
| Frontend delivery | Vercel - Global CDN | Static assets only; no personal data stored |
| CDN / DDoS protection | Cloudflare - Global | Traffic routing; minimal data retention |
Primary data jurisdiction: European Union (Netherlands). All primary personal data is stored within the EU.
4.2 Sub-Processor Register
| Provider | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| DigitalOcean | Netherlands, EU | Hosting, database, file storage | EU - no transfer |
| Google Vertex AI | Belgium, EU | AI content generation | EU - no transfer |
| OpenRouter | United States | AI model routing | Standard Contractual Clauses (SCCs) |
| OpenAI | United States | Content moderation | Standard Contractual Clauses (SCCs) |
| Stripe | United States | Payment processing | Standard Contractual Clauses (SCCs) |
| Cloudflare | Global | CDN, DDoS protection | Standard Contractual Clauses (SCCs) |
| Brevo | France, EU | Transactional email delivery | EU - no transfer |
| Sentry | United States | Error monitoring | Standard Contractual Clauses (SCCs) |
| PostHog | EU | Product analytics | EU - no transfer |
Note: Where data is transferred outside the UK/EU (to US-based providers), transfers rely on Standard Contractual Clauses (SCCs) under Chapter V of the EU GDPR. For UK-origin data, Article 46 UK GDPR requires either the EU SCCs combined with the ICO's UK Addendum or the ICO's International Data Transfer Agreement (IDTA); the old EU SCCs on their own ceased to be valid for UK transfers in March 2024. Transfers are supplemented by transfer risk assessments where required. A MAT's DPO should confirm which instrument is in place for each US sub-processor before signing the DPA.
4.3 AI Processing and Data Minimisation
- Account identity data (name, email) is never included in prompts sent to AI providers.
- Only the teacher-entered lesson prompt content is transmitted to AI services.
- Raw AI request and response logs are not retained by Chalkie AI; generated lessons are stored only as lesson content in the teacher's account (see Section 5.3).
- Under the API terms of all AI providers used, data transmitted via API is not used for model training. Where a request is routed through OpenRouter, the terms that apply to the request body are those of the upstream model provider that serves it, so the routing configuration should be restricted to providers whose API terms give the same guarantee.
- Content moderation (via OpenAI API) screens all user input before it reaches generative AI models.
5. Necessity and Proportionality Assessment
5.1 Is the Processing Necessary?
The processing activities described in Section 3 are each necessary to deliver the Chalkie AI service. Specifically:
- Teacher account data (name, email) is the minimum required for authentication, communication, and account management.
- Usage analytics use a privacy-preserving configuration (no autocapture, EU-only processing, IP-based geolocation disabled) and are necessary for product improvement and support.
- Prompt content is necessary to generate AI lesson content but is deliberately de-linked from identity before transmission to AI providers.
- Payment data is processed by Stripe solely for billing purposes and is not accessible to Chalkie AI in raw form.
5.2 Data Minimisation
Chalkie AI applies data minimisation principles throughout its architecture:
- No student data of any kind is collected. The product is teacher-facing by design.
- PII detection warns teachers in real time if they appear to be entering personal information into the lesson planner.
- Analytics data does not use autocapture - only specific, intentional events are tracked.
- IP-based geolocation is disabled in the analytics configuration.
- AI providers receive only prompt content, not account identity data.
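The real-time PII warning described in 3.3 and in the list above, as an added illustration rather than Chalkie AI's own code. The regular expressions, the assumed Unique Pupil Number format (one letter followed by 12 digits), the simplified National Insurance pattern and the sample prompt are all constructed for the example; a deployment would tune the patterns to the identifier formats actually in use at the trust.

```python
"""Pattern-based PII warning for lesson-planner input.

Added illustration, not Chalkie AI's code. It scans text a teacher is about
to submit and returns findings so the interface can warn before the prompt
is sent. The patterns are assumptions for the example; a real deployment
would tune them to the identifier formats in use at the trust.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    kind: str    # which pattern fired
    match: str   # the text that looked like personal information
    start: int
    end: int


# Constructed patterns. A warning tolerates some false positives, so each
# pattern is kept simple rather than exact.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK phone numbers: 0 or +44 prefix, then 9-10 further digits with optional spaces/dashes
    "phone": re.compile(r"(?<!\d)(?:\+44\s?\d|0\d)(?:[\s-]?\d){8,9}(?!\d)"),
    # UK Unique Pupil Number: one letter followed by 12 digits (assumed format)
    "upn": re.compile(r"\b[A-Z]\d{12}\b"),
    # UK National Insurance number, simplified (prefix-letter rules omitted)
    "nino": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}


def scan_for_pii(text: str) -> List[Finding]:
    """Return every match of every pattern, ordered by position in the text."""
    findings = [
        Finding(kind, m.group(0), m.start(), m.end())
        for kind, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    return sorted(findings, key=lambda f: f.start)


def warning_message(findings: List[Finding]) -> Optional[str]:
    """Text for the real-time warning, or None when nothing was found."""
    if not findings:
        return None
    kinds = ", ".join(sorted({f.kind for f in findings}))
    return (f"This looks like it contains personal information ({kinds}). "
            "Remove student or staff details before generating the lesson.")


def redact(text: str) -> str:
    """Replace each finding with a placeholder such as [EMAIL].

    Works right to left so earlier offsets stay valid after each replacement.
    """
    out = text
    for f in reversed(scan_for_pii(text)):
        out = out[: f.start] + f"[{f.kind.upper()}]" + out[f.end :]
    return out


# Constructed sample prompt containing three kinds of personal data.
SAMPLE_PROMPT = (
    "Plan a Year 5 fractions lesson. Note: Jamie (UPN A123456789012) struggles; "
    "contact parent on 07700 900123 or parent@example.com."
)

if __name__ == "__main__":
    found = scan_for_pii(SAMPLE_PROMPT)
    print(warning_message(found))
    print(redact(SAMPLE_PROMPT))
```

The `redact` helper is included to show what a server-side fallback could do if the product chose to strip matches rather than only warn; the page describes a warning, and that is the behaviour `warning_message` models.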
5.3 Retention and Deletion
| Data Type | Retention Period | Deletion Process |
|---|---|---|
| Account personal data | Duration of account | Anonymised on account deletion; third-party records removed within 90 days |
| Lesson content | Duration of account | Permanently deleted on account deletion (within 90 days) |
| Payment records | As required by financial regulations | Retained by Stripe per their terms; removed from Chalkie records on deletion |
| Analytics / error data | Rolling retention windows per sub-processor terms | Automatically aged out per sub-processor retention policies |
MATs can request full deletion of data associated with a former staff member by emailing hello@chalkie.ai. Organisation admins can also remove members from the trust organisation directly within the platform.
6. Risk Identification and Assessment
The table below identifies the key privacy risks associated with deploying Chalkie AI and assesses their likelihood and impact before and after mitigations are applied.
| Risk | Likelihood | Impact | Initial | Key Mitigations | Residual |
|---|---|---|---|---|---|
| Teacher inadvertently inputs student personal data into the lesson planner | Low | Medium | Low | Real-time PII detection warns teachers; ToS prohibits student data entry; no student accounts exist | Low |
| Unauthorised access to teacher account data (data breach) | Low | Medium | Low | Encrypted at rest and in transit (HTTPS/TLS); OWASP-aligned password hashing; Google SSO with MFA support; rate limiting and lockout; annual penetration testing (OneLeet, March 2026) | Low |
| AI model provider uses prompt content for training | Low | Medium | Low | All AI processing uses API endpoints (not consumer products); API terms prohibit training on submitted data; account identity data never transmitted to AI providers | Low |
| AI generates harmful, biased, or inaccurate lesson content | Low | Medium | Low | Content moderation on all inputs; stricter thresholds for education-sensitive categories; quarterly AI Impact Assessments; designated AI Safety Lead (CTO); safety testing prior to major releases | Low |
| Prompt injection / jailbreak attack via teacher-entered content | Low | Medium | Low | Input validation and sanitisation; content moderation pre-processing; jailbreak testing before releases; quarterly security reviews | Low |
| International data transfer to US sub-processors is inadequate | Low | Medium | Low | All US transfers covered by Standard Contractual Clauses (SCCs); primary data hosting in EU (Netherlands); transfer impact assessments conducted where required | Low |
| Former staff member retains access to MAT account after leaving | Low | Low | Low | Organisation admins can remove members immediately; MATs can request full deletion via hello@chalkie.ai; session invalidation on account removal | Low |
| Marketing / conversion tracking collects data from school networks | Low | Low | Low | Tracking is conversion-focused (not student-facing); can be blocked at school firewall level; MATs can request tracking exclusion via hello@chalkie.ai | Low |
| Security vulnerability in application or dependencies | Low | High | Medium | Annual third-party pen testing (OneLeet); continuous automated vulnerability scanning; quarterly access control and authorisation reviews; parameterised queries; security headers applied | Low |
7. Technical and Organisational Security Measures
7.1 Encryption
- In transit: All traffic is served over HTTPS (TLS). Database connections also use TLS.
- At rest: Database and file storage are encrypted at rest using industry-standard algorithms.
7.2 Authentication and Access Control
- Passwords are stored only as salted hashes produced by an algorithm aligned with the OWASP Password Storage Cheat Sheet (which recommends Argon2id, scrypt or bcrypt); plaintext passwords are never stored.
- Sessions use HTTP-only cookies with CSRF protection on all endpoints.
- Login attempts are rate-limited with lockout after repeated failures.
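Two of the measures above, salted password hashing and login lockout, as an added illustration rather than Chalkie AI's own code. The example uses scrypt from the Python standard library (one of the algorithms the OWASP cheat sheet recommends), a constant-time comparison, and an in-memory failure counter; the thresholds (5 failures in 15 minutes, 15-minute lockout), the reduced scrypt cost and the user store are assumptions for the example.

```python
"""Password storage and login lockout.

Added illustration, not Chalkie AI's code. It shows two of the measures
listed above: salted, memory-hard password hashing (scrypt, one of the
algorithms the OWASP Password Storage Cheat Sheet recommends) and
per-account rate limiting that locks the account after repeated failures.
The thresholds and the in-memory stores are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed policy: 5 failures inside 15 minutes locks the account for 15 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60

# scrypt cost. OWASP's minimum is N=2**17, r=8, p=1 (128 MiB per hash);
# N=2**14 is used here only so the example runs quickly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing string: algorithm, parameters, salt, digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Verified against when the email is unknown, so a lookup miss costs the same
# time as a real check and does not reveal which emails are registered.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class LoginState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Checks credentials and enforces the failure window and lockout."""

    def __init__(self, users: Dict[str, str], clock: Callable[[], float] = time.time):
        self._users = users                       # email -> stored hash (assumed user store)
        self._state: Dict[str, LoginState] = {}
        self._clock = clock                       # injectable so the lockout can be tested

    def attempt(self, email: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        now = self._clock()
        st = self._state.setdefault(email, LoginState())
        if now < st.locked_until:
            return "locked"                       # refuse without checking the password
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        stored = self._users.get(email)
        ok = verify_password(password, stored or _DUMMY_HASH) and stored is not None
        if ok:
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    users = {"teacher@example.org": hash_password("correct horse battery staple")}
    guard = LoginGuard(users)
    print(guard.attempt("teacher@example.org", "correct horse battery staple"))
    print([guard.attempt("teacher@example.org", "wrong") for _ in range(MAX_FAILURES)])
```

The stored string carries its own parameters so the cost can be raised later without invalidating existing accounts, and the dummy hash keeps response time the same for unknown and known emails.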
7.3 Input Protection and Application Security
- All user input is validated and sanitised before processing.
- Database queries use parameterised statements to prevent SQL injection.
- Security headers are applied across the application: framing protection, content type enforcement, referrer policy, and permissions policy.
- AI generation and API requests are rate-limited.
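The parameterised-query measure above, as an added illustration rather than Chalkie AI's own code. An in-memory SQLite table of constructed teacher accounts is queried both by pasting input into the SQL text and by binding it as a parameter, so the difference is visible on the same injected input; the table layout and the sample rows are assumptions for the example.

```python
"""Parameterised queries versus string-built SQL.

Added illustration, not Chalkie AI's code. An in-memory SQLite table of
constructed teacher accounts is queried two ways: by pasting user input
into the SQL text (vulnerable) and by binding it as a parameter (the measure
described above). The injected input returns every row from the first and
nothing from the second.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts across two trusts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE teachers (id INTEGER PRIMARY KEY, email TEXT, org TEXT)")
    conn.executemany(
        "INSERT INTO teachers (email, org) VALUES (?, ?)",
        [("a.teacher@example-trust.org", "Example Trust"),
         ("b.teacher@example-trust.org", "Example Trust"),
         ("c.teacher@other-trust.org", "Other Trust")],
    )
    return conn


def find_by_email_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    # Never do this: the input becomes part of the SQL statement itself.
    sql = f"SELECT email FROM teachers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_email_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    # Parameter binding: the driver sends the value separately from the
    # statement, so it can only ever be compared as data, never parsed as SQL.
    rows = conn.execute("SELECT email FROM teachers WHERE email = ?", (email,))
    return [row[0] for row in rows]


# Constructed attacker input: closes the quoted string and adds an always-true condition.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_by_email_vulnerable(db, INJECTION))   # every account leaks
    print(find_by_email_safe(db, INJECTION))         # nothing: no email equals that string
```

The same contrast applies to the organisation scoping that the quarterly authorisation reviews cover: a query that filters by trust must bind the trust identifier the same way, or the filter can be removed by the caller.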
7.4 Content Moderation and AI Safety
- Content moderation screens all user input in real time before it reaches any AI model.
- Stricter moderation thresholds apply to education-sensitive categories (e.g., sexual content, content involving minors).
- A designated AI Safety Lead (CTO) is responsible for risk assessment, safety guidelines, and AI system monitoring.
- AI Impact Assessments are conducted quarterly, covering content accuracy, inappropriate content, bias, data exposure, and prompt injection.
- Safety and jailbreak testing is performed prior to all major releases.
7.5 Security Testing
- Annual penetration testing is conducted by OneLeet, an independent third-party security firm. Most recent test: March 2026.
- Automated vulnerability scanning of infrastructure and dependencies runs continuously.
- Access control, rate limiting, and authorisation are reviewed quarterly.
7.6 Incident Response
In the event of an AI safety or security incident, Chalkie AI will:
- Investigate and contain the issue within 24 hours of identification.
- Notify the affected MAT, as controller, without undue delay after becoming aware of a personal data breach, as required of a processor under UK GDPR Article 33(2), and notify affected users directly where their data or safety has been impacted (including under Article 34 where the breach is likely to result in a high risk to them).
- Document the incident, root cause, and preventive measures taken.
- Where Chalkie AI is the controller (teacher account data), notify the ICO within 72 hours of becoming aware where required under UK GDPR Article 33.