Data Processing Agreement
v1.1.0
March 19, 2026
This Data Processing Agreement ("Agreement") governs AcornCloud's processing of personal data on behalf of the Customer in connection with the provision of the AcornCloud platform and services. This Agreement forms part of and is incorporated into the Principal Agreement between the parties.
1. Definitions
Term
Definition
2. Scope and Background
2.1 AcornCloud provides childcare management software services to the Customer under the Principal Agreement. In doing so, AcornCloud will process Customer Data on behalf of the Customer solely to deliver those services.
2.2 This Agreement supplements and is incorporated into the Principal Agreement. In the event of conflict between this Agreement and the Principal Agreement on data protection matters, this Agreement shall take precedence.
2.3 The Customer is the Controller of all Customer Data. AcornCloud acts exclusively as a Processor and shall not determine the purposes or means of processing Customer Data other than as strictly necessary to provide the Platform services.
2.4 AcornCloud shall not process Customer Data for any purpose other than those expressly set out in this Agreement and Schedule 1. AcornCloud shall not sell, license, share, or otherwise make available Customer Data to any third party for the third party's own commercial purposes.
3. Processing Instructions and Compliance
3.1 AcornCloud shall process Customer Data only in accordance with the Customer's documented instructions, including as set out in this Agreement and Schedule 1. AcornCloud shall not deviate from those instructions without the Customer's prior written consent, except where required to do so by Applicable Data Protection Law, in which case AcornCloud shall (unless prohibited by law) notify the Customer before complying.
3.2 AcornCloud shall promptly notify the Customer if, in AcornCloud's reasonable assessment, any instruction given by the Customer would breach Applicable Data Protection Law. AcornCloud may decline to act on that instruction until the Customer provides written confirmation amending or withdrawing it.
3.3 The Customer warrants that it has a valid legal basis for sharing Customer Data with AcornCloud and that such sharing complies with Applicable Data Protection Law. The Customer is solely responsible for maintaining its own privacy notices and informing Data Subjects about the processing of their Personal Data, including the identity of AcornCloud as a Processor.
3.4 AcornCloud shall have no liability for any non-compliance arising from the Customer's failure to provide lawful, accurate, or complete instructions, or from the Customer's failure to maintain adequate legal bases for the underlying processing.
3.5 AcornCloud shall cooperate fully and in good faith with the Customer and with any Supervisory Authority in relation to the performance of AcornCloud's obligations under this Agreement.
6. Security of Processing
6.1 AcornCloud shall implement and maintain appropriate technical and organisational security measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access. Such measures shall be proportionate to the risk, having regard to the nature of the data processed, and shall meet or exceed the requirements of Article 32 GDPR.
6.2 The security measures currently in place are described in Schedule 2. AcornCloud shall review and update these measures regularly and shall not materially reduce the level of security without giving the Customer not less than 60 days' prior written notice.
6.3 AcornCloud shall conduct independent external penetration tests on the Platform at least annually and shall provide the Customer with a summary of findings on request, subject to the Customer executing a confidentiality undertaking in a form reasonably acceptable to AcornCloud.
6.4 AcornCloud shall undergo at least one independent third-party audit of its information security and data protection practices annually and shall, upon written request from the Customer, provide a copy of the audit report or executive summary, subject to the same confidentiality undertaking described in Clause 6.3.
6.5 The Customer acknowledges that it has reviewed the security measures described in Schedule 2 and accepts that, subject to AcornCloud maintaining those measures in accordance with this Agreement, such measures are appropriate to the nature of the Customer Data and the risks of the processing.
7. Sub-Processors
7.1 The Customer grants AcornCloud general written authorisation to engage Sub-Processors as listed in Schedule 3 for the purposes described therein. By executing this Agreement (or by the Customer's continued use of the Platform following notification of an update to Schedule 3), the Customer is deemed to have consented to those Sub-Processors.
7.2 AcornCloud shall give the Customer not less than 30 days' prior written notice of any proposed addition to, or replacement of, a Sub-Processor. The Customer may object in writing within 14 days of receiving such notice, provided the objection is based on reasonable, documented data protection grounds.
7.3 AcornCloud shall consider any objection made under Clause 7.2 in good faith and shall use reasonable endeavours to find an alternative arrangement. If no reasonable alternative is available and the Customer maintains its objection, the Customer may terminate the Principal Agreement by giving 14 days' written notice to AcornCloud. In such circumstances, AcornCloud shall refund a pro-rated portion of any prepaid fees for the period following the effective date of termination. This shall be the Customer's sole remedy in connection with such termination.
7.4 AcornCloud shall impose on each Sub-Processor data protection obligations no less protective than those set out in this Agreement, including (where required) by means of a written contract incorporating standard contractual clauses or equivalent Transfer Mechanism.
7.5 AcornCloud shall remain fully liable to the Customer for the acts and omissions of each Sub-Processor as if they were AcornCloud's own acts and omissions, subject to the limitations of liability set out in Clause 14.
7.6 Sub-Processors shall only be granted access to the minimum volume of Customer Data strictly necessary for them to perform their designated function. AcornCloud shall contractually prohibit Sub-Processors from processing Customer Data for their own purposes or disclosing it to third parties without AcornCloud's prior written consent.
8. International Data Transfers
8.1 Customer Data shall be hosted and primarily processed within the European Economic Area, unless the Customer has separately elected to use a feature requiring processing elsewhere, as described in Schedule 3.
8.2 AcornCloud shall not transfer Customer Data to a country outside the EEA or the United Kingdom unless: (a) that country benefits from an adequacy decision; (b) AcornCloud has entered into, and maintains, an appropriate Transfer Mechanism with the relevant recipient; or (c) another legal exception under Applicable Data Protection Law applies.
8.3 Where AcornCloud relies on a Transfer Mechanism, it shall conduct and document a transfer impact assessment prior to the transfer and shall implement any supplementary measures identified as necessary by that assessment.
8.4 AcornCloud shall ensure that the Transfer Mechanism in place with each Sub-Processor in a third country is current, valid, and enforceable. On request, AcornCloud shall provide the Customer with copies of the relevant Transfer Mechanisms, subject to redaction of commercially sensitive information.
9. Data Breach Notification and Response
9.1 Upon becoming aware of a Data Breach within AcornCloud's scope of responsibility, AcornCloud shall notify the Customer without undue delay and, in any event, within 48 hours. Notification shall include, to the extent then known: (a) a description of the nature of the Data Breach; (b) the approximate number and categories of Data Subjects and records affected; (c) the likely consequences; and (d) the measures taken or proposed to address and mitigate the breach.
9.2 Where full information cannot be provided within 48 hours, AcornCloud shall provide what is available without undue delay and furnish further details in supplementary notifications as they become available.
9.3 AcornCloud shall promptly take all reasonable steps to contain and remediate the Data Breach and shall cooperate fully with the Customer in connection with the Customer's notification obligations to the Supervisory Authority and affected Data Subjects.
9.4 AcornCloud shall not notify any Supervisory Authority, affected Data Subject, or any other third party of a Data Breach on the Customer's behalf without the Customer's prior written authorisation, except where required to do so by Applicable Data Protection Law or by order of a competent authority.
9.5 AcornCloud shall maintain records of all Data Breaches, including those not required to be notified, and shall make these available to the Customer on request.
10. Retention, Return, and Deletion of Customer Data
10.1 AcornCloud shall not retain Customer Data beyond what is necessary for the performance of the Platform services, except where retention is required by Applicable Data Protection Law.
10.2 The Customer may delete Customer Data at any time using the deletion functionality within the Platform. Where deletion is not possible via the Platform interface, AcornCloud shall, upon written request, perform the deletion within 30 days.
10.3 Upon expiry or termination of the Principal Agreement, AcornCloud shall, within 60 days and upon the Customer's written election: (a) return all Customer Data in a structured, commonly used, and machine-readable format; or (b) irreversibly delete all Customer Data including copies held by Sub-Processors, and provide written certification of deletion.
10.4 Following the 60-day period referred to in Clause 10.3, AcornCloud shall have no obligation to retain Customer Data and shall not be liable for any loss of Customer Data not exported within that period. Data retained by operation of law shall be securely isolated and not used for any other purpose.
11. Audit Rights
11.1 The Customer may, on reasonable written notice of not less than 14 days, request documentation and records demonstrating compliance with this Agreement. AcornCloud shall provide such documentation within 30 days of receiving the request.
11.2 Where documentation under Clause 11.1 is insufficient, the Customer may (acting reasonably) request an on-site audit. Any such audit shall be conducted during normal business hours, shall not disrupt AcornCloud's operations unreasonably, shall be conducted by an auditor that is not a direct competitor of AcornCloud, and shall be subject to a confidentiality undertaking by the auditor.
11.3 The Customer shall bear its own costs and shall reimburse AcornCloud's reasonable internal costs of facilitating the audit, unless the audit reveals a material breach by AcornCloud, in which case AcornCloud shall bear its own costs and shall promptly remedy the breach at its expense.
11.4 AcornCloud may, in substitution for an on-site audit, provide the Customer with the most recent report from its annual independent third-party audit, provided such report is sufficiently detailed to address the Customer's concerns. The Customer may exercise its right to an on-site audit only where such a report is unavailable, insufficiently detailed, or where there is a documented and reasonable suspicion of a material breach.
12. Data Protection Impact Assessments
12.1 AcornCloud shall, upon written request and to the extent information within AcornCloud's control is required, provide reasonable assistance to the Customer in completing a data protection impact assessment (DPIA) as required by Applicable Data Protection Law.
12.2 AcornCloud shall, upon written request, provide reasonable assistance to the Customer in any prior consultation with a Supervisory Authority required following a DPIA.
12.3 AcornCloud may charge the Customer its reasonable costs for assistance under this Clause 12 where the request is of unusual scope or requires disproportionate effort, provided AcornCloud gives the Customer a cost estimate prior to commencing such work.
13. Term
13.1 This Agreement shall commence on the Effective Date and shall continue in force for the duration of the Principal Agreement and, thereafter, until the later of: (a) 60 days following expiry or termination of the Principal Agreement; or (b) the completion of AcornCloud's obligations under Clause 10.3.
13.2 Obligations under this Agreement that by their nature survive termination — including confidentiality obligations, obligations regarding outstanding Data Subject requests, and Clause 10 — shall continue in force after termination.
14. Liability
14.1 Each party's liability under this Agreement shall be subject to the exclusions and limitations set out in the Principal Agreement, except that neither party shall exclude liability for death or personal injury caused by its own negligence, for its own fraud or wilful misconduct, or for any fine imposed by a Supervisory Authority solely as a result of its own breach of Applicable Data Protection Law.
14.2 AcornCloud shall have no liability under this Agreement in respect of: (a) processing carried out by the Customer in its capacity as Controller; (b) any instructions given by the Customer that AcornCloud has notified are non-compliant and which the Customer has nonetheless confirmed in writing; or (c) the Customer's failure to fulfil its own obligations as Controller under Applicable Data Protection Law.
14.3 AcornCloud shall indemnify and hold harmless the Customer against any fine imposed by a Supervisory Authority or any court award directly attributable to AcornCloud's own breach of this Agreement, provided the Customer gives AcornCloud prompt written notice of any claim, makes no admission without AcornCloud's prior written consent, and gives AcornCloud the right to participate in the defence of the claim.
15. General Provisions
15.1 Entire Agreement. This Agreement, together with the Principal Agreement and its Schedules, constitutes the entire agreement between the parties in relation to the processing of Customer Data.
15.2 Amendments. AcornCloud may update this Agreement to reflect changes in Applicable Data Protection Law or the Platform, giving the Customer not less than 30 days' written notice of any material amendment. Continued use of the Platform following the notice period constitutes the Customer's acceptance.
15.3 Severability. If any provision of this Agreement is held invalid, unlawful, or unenforceable, the validity and enforceability of the remaining provisions shall not be affected.
15.4 Precedence. In the event of conflict, the following order applies: (i) any applicable Transfer Mechanism; (ii) any jurisdiction-specific schedule; (iii) this Agreement; (iv) the Principal Agreement.
15.5 Governing Law. This Agreement shall be governed by the laws of Ireland. The parties submit to the exclusive jurisdiction of the Irish courts for all disputes arising out of or in connection with this Agreement, without prejudice to either party's right to seek urgent injunctive relief in any competent jurisdiction.
15.6 Notices. All notices under this Agreement shall be given in writing (including by email with confirmed receipt). AcornCloud's designated contact for data protection matters is privacy@acorncloud.net.
15.7 Data Protection Officer. AcornCloud has appointed a Data Protection Officer, contactable at privacy@acorncloud.net.
Schedule 1. Details of Processing
Nature and Purpose of Processing
AcornCloud processes Customer Data solely to provide, operate, maintain, support, and improve the Platform services for the Customer. Processing activities include: storing and displaying child enrolment records; generating attendance and funding reports (including for TUSLA, Pobal, NCS, ECCE, and Core Funding compliance); facilitating parent and guardian communications; enabling invoicing and billing functionality; and providing administrative tools for childcare managers and room staff.
Categories of Personal Data
Data Subjects
Category of Data and Purpose
Retention
Customer Data is retained for the duration of the Principal Agreement and for a period not exceeding 60 days following termination, unless earlier deletion is requested or retention is required by Applicable Data Protection Law. Platform access logs are retained for a minimum of 6 months and a maximum of 7 months for security and compliance purposes.
Schedule 2. Technical and Organisational Security Measures
AcornCloud maintains the following technical and organisational measures. AcornCloud reserves the right to update these measures provided the overall level of protection is not materially reduced. Where material reductions are proposed, 60 days' prior written notice shall be given to the Customer.
Physical Security
No Customer Data is stored on local employee devices or at AcornCloud's office premises. All data is held exclusively in the designated cloud data centre.
Data centres benefit from physical access controls including multi-factor authentication for entry, CCTV, intrusion detection, 24/7 security personnel, and full visitor logging.
Physical media, if ever generated, is stored in locked cabinets and destroyed by secure shredding when no longer required.
Access Controls and Authentication
All AcornCloud personnel access the Platform via encrypted connections (VPN or HTTPS with TLS 1.2 minimum) and are required to use multi-factor authentication.
Role-based access controls are enforced. Personnel are granted the minimum access necessary for their function. Access rights are reviewed at minimum semi-annually.
A password management policy requires unique, complex passwords of at least 10 characters. A password manager is used by all personnel.
Accounts are automatically suspended after 3 months of inactivity. Failed login attempts trigger automatic lockout.
Encryption and Data Transfer
All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 or equivalent.
Backup data is encrypted with a private key held exclusively by AcornCloud before transmission to the backup provider.
Removable storage media (USB drives, external hard drives) are prohibited for Customer Data.
Availability and Business Continuity
Full and incremental backups are performed multiple times daily. Backups are geographically distributed across at least two independent facilities.
Backup restoration is tested regularly to verify integrity and recoverability.
Data centres maintain redundant power (UPS and diesel generators), redundant network connectivity, and climate-controlled server environments.
Testing and Monitoring
Annual independent external penetration testing is conducted on the Platform.
An annual independent external audit of information security and data protection controls is conducted.
All access to Customer Data by AcornCloud personnel is logged in the Application Log, retained for 6–7 months.
Product development and bug-fixing activities are conducted on anonymised or synthetic test data rather than live Customer Data wherever possible.
Schedule 3. Authorised Sub-Processors
The following Sub-Processors are authorised as at the Effective Date. AcornCloud will provide 30 days' notice of any changes in accordance with Clause 7.2.
Sub-Processor
Details
Note: Where a Sub-Processor is located outside the EEA, data transfers are governed by the Standard Contractual Clauses (EC Decision 4 June 2021) or equivalent Transfer Mechanism. Details are available on request to privacy@acorncloud.net.
Schedule 4. Jurisdiction-Specific Provisions
Part A - United Kingdom
To the extent AcornCloud processes Customer Data subject to UK GDPR:
A.1 References to the GDPR shall be read as references to UK GDPR as defined in the UK Data Protection Act 2018.
A.2 The Supervisory Authority shall be the UK Information Commissioner's Office.
A.3 International transfers from the UK shall use the International Data Transfer Agreement (IDTA) or International Data Transfer Addendum issued by the ICO, as applicable.
Part B - California (CCPA / CPRA)
To the extent AcornCloud processes Personal Information of California residents on behalf of a Customer that is a "business" as defined under the CCPA:
B.1 AcornCloud is a "service provider" as defined by the CCPA and shall not retain, use, or disclose Customer Data for any purpose other than delivering the Platform services, or as otherwise permitted by the CCPA.
B.2 AcornCloud shall not sell or share Customer Data within the meaning of the CCPA.
B.3 AcornCloud shall not combine Customer Data with personal information obtained from other sources except as expressly permitted by the CCPA for service providers.
B.4 AcornCloud shall promptly notify the Customer if it determines it can no longer meet its obligations under the CCPA.
Part C - Republic of Ireland
All processing governed by this Agreement shall comply with GDPR as given effect in Irish law by the Data Protection Acts 1988–2018 and any related regulations or guidance issued by the Data Protection Commission. AcornCloud is registered with the Data Protection Commission as required by law.
Schedule 5. Supplemental Transfer Safeguards
The following supplemental safeguards apply to all international transfers of Customer Data:
All Customer Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent) at all times, including during transfer to Sub-Processors.
AcornCloud will, to the extent permitted by applicable law, resist any governmental or third-party request for access to Customer Data that it considers to be overly broad, unlawful, or inconsistent with its obligations under this Agreement.
AcornCloud will use all legally available mechanisms to challenge demands for access to Customer Data through national security or law enforcement processes, and will notify the Customer of any such demand as promptly as permitted by law.
AcornCloud's Data Protection Officer has oversight of all international transfer arrangements and reviews Transfer Mechanisms for continued validity on at least an annual basis.
Contact
For questions or concerns about this Privacy Policy or our data practices, please email legal@acorncloud.com.
