Data Protection Provisions
We last updated our policy on 15th April 2025.
1. Compliance with Data Protection Laws
1.1. Each party shall comply with all applicable Data Protection Laws in connection with the performance of its obligations and the exercise of its rights under these provisions.
1.2. Without limiting the generality of the above, the parties shall ensure that any Personal Data processed under this provision is handled in accordance with the UK GDPR, the Data Protection Act 2018, and any successor or supplementary legislation.
2. Roles and Responsibilities
2.1. The parties acknowledge that, in respect of the Personal Data shared under these provisions, the Customer shall act as the Controller and 6 Bit shall act as the Processor.
2.2. Each party shall be responsible for ensuring that it has a valid lawful basis for any Processing it undertakes, and that any required notifications to relevant data protection authorities have been made.
3. Instructions and Limitations
3.1. 6 Bit shall process Personal Data only on documented instructions from the Customer and strictly for the Permitted Purpose as set out in the Data Sharing Agreement (In a signed agreement).
3.2. 6 Bit shall not determine the purpose or means of the Processing of Personal Data.
4. AI Model Training and Data Use
4.1. Graide uses AI-assisted grading to suggest feedback based on historical grading inputs from assessors. Each question is associated with its own distinct AI model, trained solely on:
- The student response
- The feedback given to that specific response
4.2. No personally identifiable information is used in the training of these AI models. All data used for training is anonymised immediately after grading.
4.3. Data used for AI model training is retained:
- For the duration of the Customer’s use of the platform
- For one additional year after the end of the customer relationship, unless consent is provided for further retention
4.4. Data used to generate real-time feedback suggestions remains under full editorial control of human assessors. No automated decisions are made that produce legal or similarly significant effects on individuals.
5. Security and Confidentiality
5.1. 6 Bit shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful Processing, accidental loss, destruction, or damage of Personal Data.
5.2. 6 Bit shall ensure that all personnel with access to Personal Data are subject to confidentiality obligations and have received appropriate data protection training.
6. Subprocessing
6.1. 6 Bit shall not engage any sub-processor without the prior written consent of the Customer.
6.2. Any sub-processing must be governed by a written contract imposing data protection obligations no less protective than those set out in these provisions and the Data Sharing Agreement.
7. Data Subject Rights and Breach Notification
7.1. 6 Bit shall provide reasonable assistance to the Customer to enable it to respond to any request from a Data Subject exercising their rights under Data Protection Laws.
7.2. In the event of a Personal Data Breach, 6 Bit shall notify the Customer without undue delay and, in any event, within 24 hours of becoming aware of the breach.
8. Audit and Inspection
8.1. Upon reasonable notice, the Customer shall have the right to audit 6 Bit’s compliance with these Data Protection Provisions and the Data Sharing Agreement.
8.2. 6 Bit shall cooperate fully with such audits and provide access to relevant personnel, records, and systems.
9. Data Retention and Return
9.1. Upon termination or expiry of the Agreement, or earlier upon the Customer’s written request, 6 Bit shall securely return or delete all Personal Data processed on the Customer’s behalf, unless required by law to retain such data.