Terms and conditions for contracts signed from March 1st 2024 onwards can be found at communitybrands.uk/terms.
For contracts signed prior to March 1st 2024, terms can be found below.

 

TERMS OF SERVICE

 

Please read these Terms of Service carefully and in full before using any of our services. In conjunction with this document, you should also read the Glossary of Terms. All documents linked or referred to in these Terms are incorporated into these Terms and enforceable as a part of these Terms. If you do not agree to these Terms of Service, you should not use the Assembly Platform.

While this is an important and legally-binding document, we’ve tried to keep these Terms of Service as readable and user-friendly as possible. We have, however, stuck to some conventional legal document practices (such as capitalisation of ‘You’ and ‘Us’ in relation to each party) where it’s helpful for clarity.

What is Assembly?

Assembly is a secure, cloud-based Platform that connects to your school’s Management Information System (MIS), extracts key elements of your school’s data, and stores it in a way that allows you to connect other applications to your data. These applications allow you to extend, analyse and aggregate data you collect and store in school. These Terms of Service explain how we process your data, how we protect your data, and what we expect from you when you use our Platform.

Who do these terms apply to?

These Terms of Service are between You, a school or MAT, and Us, Assembly. These terms do not apply to third parties such as developers, pupils or parents. Whilst using the Assembly Platform You will send data to Us about Your school for Us to process on Your behalf. As a school, You are the Data Controller and Assembly is the Data Processor/Sub-Processor, and You will remain Data Controller at all times. As a Data Controller it is therefore Your responsibility to ensure that You are able to engage with Assembly on these terms , and are able to allow us to process the data you control on behalf of Your Data Subjects. You must not connect to the platform if You do not agree with these Terms of Service. These Terms of Service apply only to the Assembly Connector and the Assembly Platform. The Assembly Platform stores the MIS data You send Us, and also stores data which is passed back to it from Assembly Applications. However, these terms do not apply to the processing of data by the Assembly Applications that you can connect to the Assembly Platform.

Assembly Applications, whether created by Assembly or a Third Party, are subject to their own Terms and Conditions and Policies. Before You connect Assembly Applications to the Assembly Platform You must also ensure that You read, and agree to, each Assembly Application’s individual Terms and Conditions and Policies.

Summary Terms of Service

To start with, here’s a brief summary of the things that we think are particularly important, both in terms of Our key commitments to You and Your responsibilities as a platform user:

You agree to:

  • Only connect to the Assembly platform with the authorisation of the person with data protection responsibilities within your school (a role commonly referred to as ‘data protection lead’, likely to be the head teacher or a senior leader)
  • Retain Your responsibility as the Data Controller, and comply with the legal responsibilities it brings, over the data held within the platform, including its accuracy and completeness
  • Have full responsibility for Your account, and the credentials related to Your account, and ensure no unauthorised access to it
  • Only connect to the platform if You are able to do so in accordance with Data Protection Legislation
  • Have full responsibility for who You choose to share Your data with, and not connect to any third party applications unless satisfied with their terms and conditions, and the privacy policies which govern them

You agree not to:

  • Copy or share any of Our tools or content
  • Use Our Intellectual Property (code, trademarks or other material) without Our consent
  • Do anything which adversely affects the security of the Platform, for example infecting it with viruses, Trojan horses or other similar harmful components that could affect or delay delivery of our services
  • Access, attempt to access, or inspect any data for which You do not have permission

We agree to:

  • Process the personal data only on the documented instructions from the data controller for the purposes of education and school improvement only, and only for those purposes necessary to provide the service explicitly offered to you
  • Adhere strictly to the terms of all Data Protection Legislation and any future amendments or applicable legislation
  • Only store and process the minimum data required to provide Our services, and to inform you in advance of using any of our services what data that service requires
  • Take an approach to building and maintaining the Assembly Platform that involves privacy by design and privacy by default
  • Transport and store all personal data originating from schools using modern and best practice encryption technologies, with pseudonymisation where appropriate. This includes Secure Socket Layers (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, field-level encryption for personally identifiable data and password-protected identities for all end users
  • Comply with all Subject Access Requests made relating to the data we store
  • Comply with the exercise of data subjects rights and requests made relating to the data we store
  • Ensure the data We hold about You is correct
  • Only retain data for as long as required, and delete all data if you ask us to do so. We will delete all Your personal and sensitive data after a period of 12 months of inactivity. We will also delete all personal and sensitive data relating to former students automatically on their 25th birthday, regardless of whether You have asked us to do so
  • Ensure that all data is held securely by taking steps so that data is not corrupted or lost
  • Ensure that all staff having access to personal data hold a valid Disclosure and Barring Service certificate
  • Always maintain adequate liability insurance
  • We shall co-operate with the data controller to demonstrate compliance as stated in Article 28.3 (h) and allow for and contribute to audits, including inspections conducted by or on behalf of the data controller.
  • Report any significant breaches of security without undue delay and within 72 hours to The Data Controller, the Information Commissioner’s Office (ICO) and, in cooperation with the Data Controller, to Data Subjects
  • Always notify You prior to connecting an Assembly Application which data that Assembly Application needs access to, and allow You to accept or reject that request
  • Make Terms of Service and Privacy Policies clearly and publicly available on our website
  • Assist the data controller in carrying out data protection impact assessments and consulting with relevant supervisory authorities where such assessments and/or consultations are required pursuant to the Data Protection Legislation (as mentioned in Article 28.3(e & f), provided that the scope of such assistance shall be agreed by the parties in advance.
  • Assist the data controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to us.
  • Abide by the conditions set out under Article 28 (2) and (4) if we engage another processor

We agree not to:

  • Store or transport personal or sensitive data outside of the EEA or outside of countries which are granted to have Adequate Levels of Protection as defined by the European Commission
  • Share Your data with any third parties except where explicitly requested by you or required by law.
  • Use Your data, made available via the Assembly platform, for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to You
  • Transport personal data originating from schools in a a non-encrypted format
  • Claim ownership or exclusive rights over any of the data processed or created as part of services provided to You
  • Share information with other third parties except where specifically agreed by the Data Controller or where required by law
  • Change any applicable terms of service without giving You the opportunity to opt-out of such changes

Detailed Terms of Service

Now, here’s a bit more detail on Our full terms in each area:

Restrictions and Responsibilities

1. Connecting your MIS to the Platform: In order to use Our service, You will be providing access to information about Your school through Your Management Information System (MIS). It is Your responsibility to connect to the Platform in a properly authorised way. Assembly has access to Your school data only as requested by You, and only for the purposes of performing services on Your behalf. All processing will be covered by a Data Access Request, which lays out what data is being accessed, and for what purpose. We can only process data on your behalf with your consent to a Data Access Request. Data Access Requests are open-ended, and you can revoke your consent at any point from within the Assembly platform.

2. Usage: Assembly exists to assist You in extending, analysing and aggregating Your data for the purposes of school improvement. You agree to use Our services for this purpose only.

3. Data Ownership: When You decide to use Our Platform You as the school will remain the Data Controller. We process the data on Your behalf, in the manner You have requested. You remain responsible for your data, including any inaccuracies or changes that need to be made, and You are responsible for the processing being lawful at all times . Your responsibility as Data Controller covers all of Your school’s data on the platform.

4. Account Security: If You decide to use the Assembly platform then You are responsible for maintaining the security of Your account and are fully responsible for all of the actions in relation to it. The platform is for the sole use of those who have the necessary permission to access this data, and it is Your responsibility to ensure that Your account is secure and that access is restricted solely to those with the required permission. You must immediately notify Us in the event of unauthorised access to Your account or any other breaches of security.

5. Ownership of IP: Unless We specifically designate an aspect of the Platform as open source, the Assembly platform and all associated Intellectual Property remain the property of Assembly, a divison of GroupCall Limited.

6. Modification of Services: As an organisation that is constantly growing and improving, it may sometimes be necessary to modify Our services. We may occasionally pause or remove particular tools or services at Our sole discretion and we will give notice of any modifications before implementation where practicable or as soon afterwards as practicable.

7. Payment: Assembly offers a combination of free and paid‐for services. Unless otherwise agreed in writing, paid‐for services are non‐refundable.

8. Disclaimer of Warranties: You accept that tools are provided on an “as is” and “as available” basis. They are provided without guarantees or warranties. Assembly makes no guarantee that the website or any of the tools are error free or that access will be continuous and uninterrupted.

9. Liability: We shall not, under any circumstances, be liable to You, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising under or in connection with this agreement for: loss of profits, sales, business, or revenue (direct or indirect); business interruption; loss of anticipated savings; loss or corruption of data or information; loss of business opportunity, goodwill or reputation; or, any indirect or consequential loss or damage. We are not excluding liability for death or personal injury caused by negligence, breach of any implied term and any other matter for which it would be unlawful to exclude liability.

10. Third Party Assembly Applications: The Assembly Platform allows You to connect Your data to Third Parties. We have strict privacy and security criteria and require all Third Party Application Developers to sign up to our Developer Agreement. As the Data Controller You are responsible for ensuring that You understand and agree to the terms of any Third Party Applications. These Third Party Application terms will be made available to You on our Data Access Requests (the part of the Assembly Platform used to authorise apps), which must be agreed by You, and which list the categories of data that are shared with a given Third Party. You can see a full log of your school’s Third Party authorisations and de-authorisations – including the scopes included in each authorisation – in the Assembly Platform. Whilst We aim to ensure strict standards of security and privacy within Third Party Applications, We are not liable for any Third Party Applications. We also accept no responsibility for any sums payable by You to any Third Party Application providers.

11. Termination: We will suspend or restrict Your access to Our services if We have reason to believe You may have breached the conditions of this agreement.

12. Scopes: All our scopes that the Data Controller can authorise are listed here

Security and Privacy

Your privacy is our top priority, and We will not use Your data for anything other than what is set out in this agreement.

1. Data Storage and Access: All Assembly data is stored within the EEA or in countries which have Adequate Levels of Protection as defined by the European Commission. Internal access to information is limited to only those who require it to perform their jobs. Other security safeguards include firewalls and physical building access controls. We use role-based identities and password protection on all platform services and apps.

2. Security and Encryption: We have invested heavily in security and we use a suite of modern encryption methods to secure the data held within the Assembly Platform. All Platform data is encrypted at rest. We use additional field level encryption within the platform where We deem it necessary to protect the integrity of the data We store (for example, UPN). All external data transmissions to and from the Assembly Platform are encrypted using modern SSL/TLS protocols and ciphers. We capture IP addresses to ensure that our service is secure, for example from denial of service attacks.

3. Third Parties: We will share information if required to do so by law. We will never rent or sell Your data for marketing purposes. We will not share any personal, sensitive or confidential information with third parties except in instances where We are specifically requested to do so by You. For example, some services on our Platform allow the sharing of Your data with third parties such as school improvement charities and curriculum providers. In such circumstances, information is only shared if You give permission, and You control these permission settings through Data Access Requests. Access to data is managed via “bearer tokens”. These can be revoked at any time and must be refreshed frequently to remain active. Third party Applications on the platform are subject to the Terms of Service and Privacy Policy of the relevant third party, and it is important You read and understand these before engaging with any third party services through Our Platform.

4. Data sharing permissions for Third Party Applications: Scopes are small groups of related data. Where an application requires data from the Assembly Platform, We require Third Party Applications to request only the minimum number of scopes that are necessary and We only share the scopes of data that are required by the particular application. For example, if a particular application only needs pupil lists, then this is the only scope of data to which a Third Party Application will have access. We will always separate sensitive data into a defined scope so you are specifically aware if sensitive data is being requested by an Assembly Application. When you first install the connector it will gather some non-sensitive metadata about your school, e.g. number of yeargroups. This data is non-sensitive and non-identifiable, and is necessary for the connector to function.

We also allow Third Party Applications to check Your School Connection Status before You authorise the Application to access any of your data. Your School Connection Status does not contain any personal data, and is necessary for certain parts of the Assembly Platform to function, and is solely a confirmation to the Application that you are a School that uses the Assembly Platform, and that the Application will be able to transfer your data to the Assembly Application via the Assembly Platform if you give the permission to do so.

5. IP Addresses: We only ever collect users’ full IP addresses for essential security management (for example, the prevention of Distributed Denial of Service attacks) and essential user support (for example, browser session tracking in order to spot and fix errors). Where possible, we opt to collect masked IP addresses.

6. Data sharing permissions relating to the platform: In some limited circumstances We may collect data through third party services. For example, we may use website analytics traffic providers to analyse metadata such as platform usage. Where We do this, We audit the service to ensure they have a similarly high level of commitment to security and privacy, and comply with all Data Protection Legislation. Assembly may also collect, analyse or make available non-personal and non-sensitive data to third parties (for example aggregated or non-identifiable data) for school improvement purposes. We do not use or analyse this aggregate data in any way which would make data identifiable at an individual or school level. See our Data Privacy FAQs for an up-to-date list of third party services currently used by Assembly to collect data.

7. Staff Security: All Our staff and contractors are required to agree that they will abide by the Security and Data Protection Policy at all times and sign a Confidentiality and Non-Disclosure Agreement. Our staff and contractors are provided with information upon induction of our Information Security and Data Protection Policy. We also require all staff who spend time in school to undergo an enhanced Disclosure and Barring Service (DBS) check. From time to time, we may have staff or contractors who are occasionally or permanently based outside of the EEA, we ensure that no data is stored or transported outside of the EEA using appropriate and secure technologies.

8. Support: As a Data Processor, Assembly does not look ‘under the hood’ or inspect any of the data to which the platform connects. The only exceptions to this are where You have explicitly given us permission to inspect Your data; for example, to provide technical support to correct a technical problem. This permission is given on an ‘as needed’ basis by clicking a button in the platform. You can revoke this permission at any time, or we will turn off the permission ourselves when the technical work is complete.

9. Deleting and Retaining Data: We retain Your data on Our platform for as long as necessary to provide Our services. The connector will pull data from the moment You authorise an application until the moment You deauthorise it. This historical data is then held within the platform to allow Us to provide You with analysis over time. If You ask us to delete Your data then We will do so in a timely manner and in no more than 5 working days. We will also delete all Your personal and sensitive data should We detect that Your account has been inactive for a long period of time. We will always notify You before We delete Your data so You have the option to reactivate Your account should You wish to. In addition to the above, You also have the right to have all Your data removed from the Assembly platform at any point in time. If you wish to do this then You should give us notice by emailing [email protected] with the relevant details, and We will delete the data within 5 working days. Please note that this will not cause the deletion of data that You have authorised to be transported to a Third Party Application’s database, or the data that was created within an application and is stored in a third party database. You should refer to the relevant third party’s privacy policy for further information on this and should not connect to the application if You are not in agreement with their terms.

10. Permission: As the Data Controller, it is Your responsibility to ensure that You can engage with Assembly in accordance with the Data Protection Act and that Data Subjects are suitably informed about Data Processing services such as Assembly, that the school chooses to use. This should include an explanation of how personal and sensitive personal data is processed lawfully, fairly and in a transparent manner. You should also be clear on Your basis for collecting and sharing data, and must satisfy the relevant permission standards in each case

11. Cookies: A cookie is a string of information that a website stores on a visitor’s computer. Assembly uses cookies for purposes such as helping us to identify and track visitors’ usage and preferences. You can disable cookies in Your browser if you wish to, although this may mean that some features of our website do not work as they should.

12. Communication: If You are a registered user of the Assembly website, or have expressed interest in Assembly on the Assembly website and have supplied Your email address, we may occasionally send You an email to tell you about new features, ask for feedback or keep You up to date with our products. If You no longer wish to be included on these communications, then You can opt out using the links on those communications or email [email protected] and we will remove You from the list.

13. Privacy or Security Breaches: We take all reasonable, necessary precautions to ensure that your data is secure and to recognise and then mitigate the risks to security and privacy. However, it is not possible to 100% guarantee the security of any data transmitted or stored electronically. In the event that a significant breach of security or privacy did occur, Assembly will contact the Data Controller, and inform the Information Commissioner’s Office (ICO) and other authorities without undue delay and within 72 hours.

Questions and Grievances

If you have any questions or grievances in relation to security or privacy, please email us on [email protected].

Information for students and parents/guardian

Assembly as the Data Processor only has access to pupil data as requested by the school as Data Controller and only for the purposes of performing services on a school’s behalf. The school is responsible at all times for processing information lawfully, fairly and transparently. Your child’s school remains the Data Controller of any individual’s data we process. If you have questions about your or your child’s data or how your school is making use of services like Assembly, please contact the school directly. Any pupil or parent/guardian enquiries we receive will be directed to the relevant school as the Data Controller for that child’s or parent’s/guardian’s data.

Changes to the Terms of Service

We are constantly updating and expanding our services. This means that sometimes we have to add to or modify the terms under which we offer our services. If we make material changes, we will let you know via email before these changes take effect. We also keep a full log of changes on GitHub. The email will designate a reasonable period of time after which the new terms will take effect.

If you disagree with the changes then you must discontinue your use of our service. Continuing to use our services constitutes agreement to the new terms, and your continued use will be subject to these terms.

General

If You do not comply with any part of this agreement, We reserve the right to suspend or terminate Your access to the Assembly platform with immediate effect.

We and You both agree:

  • that no failure or delay to exercise any right or remedy under this agreement or by law shall constitute a waiver of that right or any other right or remedy.
  • that if any part of this agreement becomes invalid it will be modified to the minimum extent necessary to make it valid. If we cannot agree this with you, the relevant provision shall be deleted. Any modification to or deletion of a provision shall not affect the validity of the rest of the agreement.
  • All documents linked or referred to in these Terms are incorporated into these Terms and enforceable as a part of these Terms.
  • that any dispute or claim arising out of or relating to this agreement that cannot be resolved by negotiation within 14 days shall be resolved through arbitration. Either party shall give notice of seeking a resolution through arbitration using the CEDR procedure and English law. Either party may seek an interim remedy in court if necessary.
  • that any dispute or claim arising out of or relating to this agreement shall be governed by the law of England and that the courts of England shall have exclusive jurisdiction provided that we can take action in other places if You are in breach of this agreement.