Trust Center

Data processing roles, scope, and the signed DPA path

This page explains how Whispr EDU is typically positioned in a Data Processing Agreement (DPA) discussion. It is informational. The authoritative document is the signed DPA. Where this page and the signed DPA diverge, the signed DPA controls.

Role model

The school or program is the controller; Whispr is the processor

The customer organisation defines the purpose, lawful basis, retention, escalation, and policy. Whispr operates the platform.

Scope

Limited to the product the customer signs for

The DPA covers the Whispr EDU product only. Other BackPR products have their own data processing terms.

Path

The signed DPA is requested during onboarding

We do not publish negotiated language, fixed timelines, or universal liability terms on this page.

Product separation

This DPA scope is the Whispr EDU product, not the BackPR group

The Whispr EDU product is one of several distinct product lines under the BackPR umbrella (backpr.com). Each product is built and operated by a separate team with separate sub-processor scope, retention practice, and contract terms. The Whispr Compliance Italy product at whispr.backpr.com is a sibling product with its own DPA path. A signed DPA covering one product does not extend to another and is not assignable across products without our explicit written acceptance.

Controller and processor

Allocation of responsibility

For standard Whispr EDU deployments, the customer organisation (the school, district, youth program, or other entity holding the account) acts as the data controller for the personal data collected through its configured channel. Whispr operates as the processor (or service provider) for hosted platform functions. The customer determines: the purpose of the channel; the lawful basis for any processing; the categories of reporter; the roles, scope, and retention model; the response, escalation, and any reporter follow-up; and any notification, safeguarding, or external-reporting path. Whispr is not the controller and does not act on its own behalf in respect of the customer's reports.

DPA scope

What the signed DPA normally covers

  • Subject matter, duration, nature, and purpose of the processing.
  • Categories of data subjects and personal data (as configured by the customer).
  • Controller and processor obligations under applicable data protection law.
  • Sub-processor authorisation (general written authorisation, with a change-notification mechanism).
  • Security measures appropriate to the platform and the risk profile.
  • Personal-data breach notification path and timing as defined in the signed DPA.
  • Assistance with data-subject requests within the scope of the signed agreement.
  • International transfer mechanism (standard contractual clauses or equivalent) where applicable.
  • Return, deletion, or export of personal data on termination, on the terms set in the signed agreement.
  • Audit assistance scope and any reasonable conditions on inspection.

Sub-processors

General written authorisation

The customer provides a general written authorisation for our use of sub-processors. The current list is published on the subprocessors page. We may add, remove, or change sub-processors. Where required by the signed DPA, we will provide reasonable advance notice. The customer's sole remedy in respect of an objection to a sub-processor change is the remedy set out in the signed DPA.

Children's data

The customer remains responsible

Where the product is used in an environment involving minors, the customer is solely responsible for: (a) determining whether use of the product is lawful for that environment under applicable children-online or student-data law; (b) obtaining any parental, guardian, or institutional consent that the law requires; (c) configuring the channel to minimise collection of identifying data; and (d) implementing the safeguarding response to any disclosure made through the channel. Whispr does not adjudicate the merits or urgency of reports involving minors, does not contact reporters, and does not provide any clinical or safeguarding function.

Security measures

Technical and organisational measures

The platform applies a set of technical and organisational measures appropriate to the risk, described in summary on the security page and in more detail in the signed agreement. Whispr does not claim formal certifications or custom cryptographic controls on this page. Measures evolve over time. Specific assurance materials are provided under the signed DPA and any procurement-level review.

Liability for processing

Capped, qualified, and aligned with the signed agreement

Liability arising from processing under the signed DPA is governed by the limitation-of-liability terms of the master agreement and the DPA together. To the maximum extent permitted by law, Whispr's aggregate liability is capped at the lower of the figure set out in the signed agreement or, in the absence of a signed agreement, the lesser of (i) fees paid in the preceding twelve months or (ii) one hundred euros (EUR 100). Mandatory data-protection law governs to the extent and only to the extent it requires.

Requesting the DPA

How to start

The signed DPA is provided during procurement, onboarding, or privacy diligence. To request the current DPA package or a procurement review:

Contact: privacy@backpr.com or BackPR contact. We acknowledge correspondence as practical and respond on terms aligned with the signed agreement. No commitment is implied outside that scope.

Boundaries

What this page does not do

This page does not: (i) constitute a DPA; (ii) bind Whispr to any specific clauses, timelines, audit rights, return windows, transfer mechanism, breach-notification timing, indemnification, or pricing; (iii) waive any limitation, defence, or right reserved by Whispr under the signed agreement or applicable law; or (iv) replace the controller's own privacy notice and lawful-basis assessment. Where this page and the signed DPA diverge, the signed DPA controls.