OMNIAInclusion

International Data Transfer Addendum

Last updated · 1 June 2026Version 1.1OMNIA Inclusion Ltd · Co. no. 17228173
Ask a question

International Data Transfer Addendum

To the OMNIA Inclusion Ltd Data Processing Agreement

Last updated: 1 June 2026 Version: 1.1 (template draft — UK solicitor review pending before first international paying contract)

Plain-English summary (not legally binding.)

  • What this is: the contractual safeguard required when OMNIA (UK) processes pupil data for a School outside the UK.
  • What it does: incorporates the UK IDTA (for UK-equivalent protection) and the EU SCCs (for EU/EEA-equivalent protection) by reference, so a single addendum covers both bases.
  • Who is bound: OMNIA Inclusion Ltd + the School.
  • What's unusual: nothing. This is a standard SaaS transfer addendum based on UK ICO + EU Commission published templates.
  • What it does not cover: jurisdiction-specific overrides (e.g. UAE PDPL — see UAE addendum).

This addendum is the default contractual safeguard OMNIA Inclusion Ltd applies when providing the OMNIA platform to schools located outside the United Kingdom and the European Economic Area ("EEA"). It sits alongside the master Data Processing Agreement (DPA) and is supplemented, where applicable, by jurisdiction-specific addenda (for example the UAE Jurisdiction Addendum at /legal/uae-addendum).

1. Scope

1.1 This addendum applies where the School is established outside the UK and the EEA, or where pupil data of data subjects outside the UK and EEA is processed through the platform.

1.2 The master DPA continues to apply in full. This addendum adds the provisions required to make the transfer of personal data from the School's jurisdiction to OMNIA Inclusion Ltd's processing locations lawful and contractually safeguarded.

1.3 Where a jurisdiction-specific addendum has been signed by both parties (for example, the UAE Jurisdiction Addendum), the jurisdiction-specific addendum takes precedence over this addendum for that School.

2. Roles and processing locations

2.1 OMNIA Inclusion Ltd acts as data processor on behalf of the School, which acts as data controller, for all pupil, parent, and staff personal data entered into the platform.

2.2 Personal data is hosted in:

  • Primary database and storage: Supabase managed PostgreSQL, in the EEA (Ireland, AWS eu-west-1), via Lovable Cloud.
  • Application edge: Cloudflare Workers — request bodies are processed in memory only and are not persisted at the edge.
  • AI inference (standard mode): the Lovable AI Gateway, routing to Google (Gemini) and OpenAI in EU regions where available, with a server-side PII scrubber applied to all outbound payloads.
  • AI inference (BYOK opt-in): where the School elects Bring Your Own Key on the Connected tier, AI inference for that School's traffic is routed instead to the School's own Anthropic or Azure OpenAI tenancy, in the Azure region elected by the School (for example uksouth or uaenorth). The elected region may sit outside the UK and EEA; residency for that processing leg is the School's controller decision, taken under the School's own DPA with the AI provider. PII scrubbing is still applied to outbound payloads. OMNIA stores the School's API key only in AES-256-GCM-encrypted form and never returns the plaintext key to the browser.

A full sub-processor list is maintained at /legal/sub-processors.

3. Transfer mechanism

3.1 Primary mechanism — Standard Contractual Clauses. Where the export of personal data from the School's jurisdiction to the UK or EEA requires a contractual transfer mechanism, the parties incorporate by reference:

a. the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK IDTA"), Version B1.0 issued by the UK Information Commissioner; and / or b. the EU Standard Contractual Clauses (Module Two: controller-to- processor) issued by the European Commission under Decision (EU) 2021/914.

The School is the data exporter and OMNIA Inclusion Ltd is the data importer. The Annexes to the SCCs are deemed completed by reference to the master DPA (subject matter, duration, nature, purpose, categories of data, categories of data subjects), the sub-processor list, and the security measures published at /legal/security.

3.2 Jurisdiction-specific overrides. Where a jurisdiction has its own mandatory transfer-mechanism regime (for example the UAE PDPL transfer provisions, or Singapore PDPA transfer requirements), the jurisdiction-specific addendum governs the transfer basis and supersedes this clause 3.

3.3 School authorisation. The School, as data controller, authorises and instructs the transfer of personal data to OMNIA Inclusion Ltd's processing locations as a necessary part of using the platform, and confirms the transfer is consistent with its obligations under local law.

4. School warranties

The School warrants that:

a. it has a valid lawful basis under its local data-protection law to process the personal data entered into the platform, and to instruct OMNIA Inclusion Ltd to process that data on its behalf; b. it has provided appropriate privacy notices to pupils, parents, and staff, covering the cross-border transfer to OMNIA Inclusion Ltd and its sub-processors; c. it has obtained any consent required by local law for the processing of special-category data (including SEND, health, and welfare data); and d. it has registered with its local data-protection authority where such registration is required.

5. Sub-processors and onward transfers

5.1 OMNIA Inclusion Ltd will flow down the obligations of this addendum and the master DPA to any sub-processor that processes personal data subject to this addendum.

5.2 Where a sub-processor is located outside the UK and EEA, OMNIA Inclusion Ltd will ensure that an appropriate transfer mechanism (SCCs, UK IDTA, or equivalent) is in place with that sub-processor.

5.3 OMNIA Inclusion Ltd will give the School at least 30 days' prior written notice of any change to the sub-processor list that affects pupil personal data, in line with the master DPA.

6. Breach notification

6.1 OMNIA Inclusion Ltd will notify the School of any personal-data breach affecting the School's data without undue delay, and in any event within 72 hours of becoming aware of it, as set out in the master DPA.

6.2 Where the School has a duty to notify a local supervisory authority (beyond the UK ICO), OMNIA Inclusion Ltd will provide the information reasonably necessary for the School to meet that duty.

7. Audit

7.1 The School's audit rights set out in the master DPA apply to processing under this addendum.

7.2 On request, OMNIA Inclusion Ltd will provide the most recent versions of its security overview (/legal/security), DPIA (/legal/dpia), and sub-processor list (/legal/sub-processors), together with reasonable written responses to security questionnaires.

8. Governing law and dispute resolution

8.1 This addendum is governed by English law.

8.2 Disputes are subject to the exclusive jurisdiction of the courts of England and Wales, except where a jurisdiction-specific addendum varies this (for example, the UAE Jurisdiction Addendum routes disputes to DIFC-LCIA arbitration).

9. Term and termination

9.1 This addendum takes effect when signed by both parties and continues for the duration of the School's subscription to the OMNIA platform.

9.2 On termination, the data-return and deletion provisions of the master DPA apply.

Version history

VersionDateChange
1.018 May 2026Initial publication.

Questions, corrections or a formal data-protection request? Email hello@omnia-inclusion.com. We aim to respond within 5 working days; statutory rights requests are answered within 30 days.

Back to all policies

© 2026 OMNIA Inclusion Ltd. Registered in England & Wales · Company no. 17228173 · 169 High Street, Marske-by-the-Sea, Redcar & Cleveland, TS11 7LN, United Kingdom.