QuorumGovernance platform · WhatLabs← Home
Data processing

Data processing summary

Last updated July 2026

This page is a plain-English summary of the terms under which WhatLabs processes personal data on behalf of a school or trust using Quorum - specifically, the board papers, noticeboard posts and meeting records your board creates in the workspace. It is not the full legal agreement. A full, signable data processing agreement (DPA) is available on request from hello@whatschool.ai, and we would encourage you to ask for it before relying on this summary for anything formal.

This page does not cover the public-record board and school intelligence Quorum compiles from Companies House, GIAS, Ofsted and WhatSchool - for that, WhatLabs is the controller, not your processor, and it is covered in our privacy notice instead.

TO CONFIRM: WhatLabs legal entity name, company registration number, registered address and ICO registration number, to complete the signature block of the full DPA.

At a glance

ControllerYour school, academy or trust
ProcessorWhatLabs (Quorum)
DataBoard papers, noticeboard posts, comments, meeting records and attendance created in your workspace
PurposeTo run your board's governance workspace, and for no other purpose
Sub-processorsResend (email delivery); a cloud hosting provider
On terminationDeleted, or returned first on request

Who is who

For board content, your school, academy or multi-academy trust is the data controller - you decide what goes into a board paper or a noticeboard post, and who your trustees and governors are. WhatLabs is the data processor - we hold and process that content only to provide the service, and only on your instructions.

What we process, and why

Board papers and the comments on them, noticeboard posts and replies, meeting records and RSVPs or attendance - whatever your board puts into the Quorum workspace. The purpose is narrow: running your board's governance activity. We do not use board content to train models, sell it, or share it with anyone outside your board without your instruction.

We only act on your instructions

We process board content to provide the Quorum service as you have configured it, and otherwise only on your documented instructions, or where UK law requires something different - in which case we will tell you, unless the law says we cannot.

Confidentiality

Access to board content is limited to WhatLabs staff who need it to build, run or support Quorum, and to your own board members, according to the roles you set. Anyone with access is bound by confidentiality.

Security

We encrypt data in transit, keep each board's content logically separate from every other board's, and restrict internal access on a need-to-know basis.

TO CONFIRM: sign-in and per-board access control are still being built - the current backend has no auth layer yet (see backend/README.md: "Auth - the scaffold is open"). This needs to be resolved, and the security description above re-checked against the real build, before this page is relied on for a live customer.

Sub-processors

We use Resend to deliver email - confirmation links and notifications - and a cloud hosting provider to run Quorum. We will not add a new sub-processor with access to your board content without telling you first, and you may object on reasonable grounds.

TO CONFIRM: the definitive, named sub-processor list - the cloud hosting provider, and anything else (analytics, error-tracking, support tooling) that touches board content.

International transfers

Where a sub-processor handles data outside the UK, we put standard contractual safeguards in place.

TO CONFIRM: data-residency and hosting location, so this can state a country or region rather than speak generally.

Helping you meet your own obligations

If one of your trustees, governors or staff asks you to access, correct or delete something in your board's workspace, we will help you respond - including giving you the tools to do it directly where we can, and support where we cannot.

Breach notification

If we become aware of a personal data breach affecting your board's content, we will tell you without undue delay, with what we know at the time and what we are doing about it, so you can meet your own notification duties.

Audit

You can ask us reasonable questions about how we handle your board's content, and request evidence of the security measures above. For anything beyond that, the full DPA sets out formal audit rights.

Deletion on termination

When your subscription ends, we delete your board's content from Quorum, or return it to you first if you ask before the account closes.

TO CONFIRM: exact deletion period after termination (for example, 30 days), and backup-purge timing, if you want a fixed number in this summary rather than the general description above.

Want the full, signable DPA?

This page is a summary, written to be read rather than parsed by a lawyer. If your trust needs a formal, signable data processing agreement - for a funding agreement, a procurement process, or your own governance file - write to hello@whatschool.ai and we will send it over.