Schedule 1

Education & School Sector Addendum

Last updated: March 2026

This addendum supplements the Arcane Technologies Standard Terms & Conditions and applies to all engagements with schools, academies, multi-academy trusts, and other educational settings in England. Where this addendum conflicts with the standard terms, this addendum takes precedence.

1. Purpose

Schools operate under a distinct and demanding regulatory environment. This addendum sets out the additional obligations, responsibilities, and expectations that apply when Arcane Technologies provides IT support, setup, or consultancy services to an educational setting. It is designed to protect pupils, staff, and the school as an institution; and to make our respective obligations clear from the outset.

2. Safeguarding

2.1 Arcane Technologies acknowledges that safeguarding children is the responsibility of everyone working in or with a school, including contractors. We are committed to supporting the school's safeguarding obligations and will conduct ourselves at all times in a manner consistent with that commitment.

2.2 Where we carry out work on-site at a school, including but not limited to hardware installation, infrastructure work, or IT support visits, we will familiarise ourselves with the school's current safeguarding and child protection policy before or on arrival. The school agrees to make this policy available to us prior to any on-site visit.

2.3 We will comply with the school's site access and visitor procedures at all times, including signing in, wearing identification, and not being left unsupervised with pupils unless a DBS check appropriate to that level of contact is in place and confirmed by the school.

2.4 If, during the course of our work, we witness or become aware of anything that gives us cause for concern about the welfare of a child, we will report it immediately to the school's Designated Safeguarding Lead (DSL). The school agrees to provide us with the name and contact details of the current DSL before any on-site engagement begins.

2.5 We will not photograph, film, or record pupils under any circumstances.

2.6 In the event of a low-level concern being raised about our conduct whilst working at a school, we acknowledge that the school may be required to notify our organisation under KCSiE guidance. We agree to cooperate fully with any such process.

3. DBS and safer recruitment compliance

3.1 The level of DBS check required depends on the nature and frequency of our work at the school. We are committed to meeting the appropriate standard and will confirm our DBS status in writing prior to any on-site engagement.

3.2 For work that involves regular, unsupervised contact with pupils or access to areas where pupils are present without direct supervision, an Enhanced DBS check including Children's Barred List information is required. We will not carry out work in such circumstances without the appropriate check being in place.

3.3 For supervised on-site visits where contact with pupils is incidental and a responsible member of staff is present, an Enhanced DBS check without Barred List information is the minimum standard. The school is responsible for determining which category applies to our work and communicating this before the engagement begins.

3.4 Where remote support only is being provided and no on-site attendance is required, no DBS check is necessary unless the school specifically requires it as a condition of the engagement.

3.5 The school may, at its discretion, require us to be recorded on its Single Central Record (SCR). We agree to provide the information reasonably necessary to facilitate this and to cooperate with any verification process.

3.6 We confirm that, where a DBS check is required, the check has been carried out and is current. We will notify the school immediately if any information comes to our attention that would be relevant to our suitability to work in an educational setting.

4. Data protection: schools

4.1 Schools handle a significant volume of sensitive personal data, including data relating to children and special category data. We recognise that our obligations under UK GDPR and the Data Protection Act 2018 are heightened in this context and we take them seriously.

4.2 Where we access, process, or handle personal data in the course of providing services to a school, we do so strictly as a data processor acting on the school's documented instructions. The school remains the data controller.

4.3 We will:

4.4 Where the school requires a formal Data Processing Agreement (DPA), as is required under Article 28 of UK GDPR where a processor is engaged, we will provide one prior to commencing work. A DPA template is available on request. No processing of personal data will begin until a DPA is in place if the school requires one.

4.5 We will not access pupil records, SIMS or MIS data, safeguarding files, SEN records, or any other sensitive data files beyond what is strictly necessary for the technical task at hand. Where incidental access is unavoidable, for example during server maintenance, we will flag this to the school in advance.

5. Filtering and monitoring

5.1 Schools in England are subject to statutory requirements regarding internet filtering and monitoring under KCSiE and the DfE Filtering and Monitoring Standards. We acknowledge these requirements and will support the school in meeting them.

5.2 Where we are engaged to configure, maintain, or advise on filtering or monitoring systems, we will do so in accordance with the current DfE standards and will flag any gaps or concerns we identify as part of our work.

5.3 We will not alter, disable, bypass, or reconfigure any filtering or monitoring system without the express prior written authorisation of the headteacher or a delegated senior leader. This applies even where such action would temporarily simplify our technical work.

5.4 Where filtering or monitoring changes are required as part of our engagement, we will document all changes made and provide a written record to the school.

6. Cyber security and system access

6.1 We acknowledge that schools are subject to the DfE Cyber Security Standards for Schools and Colleges, a number of which are now statutory. Where we are engaged in a capacity that touches on those standards, we will support the school's compliance and will flag any significant vulnerabilities we identify.

6.2 All system credentials, passwords, and access details provided to us are treated as strictly confidential. We will not store credentials insecurely, share them with unauthorised parties, or retain them beyond the period necessary for the engagement.

6.3 Upon completion of any engagement, we will promptly return, destroy, or confirm deletion of all credentials and access tokens, and will notify the school so that access can be revoked or rotated. It is good practice, and our recommendation, that the school rotates credentials following any third-party access.

6.4 We will carry out all work in accordance with the principle of least privilege: accessing only the systems, accounts, and data required for the specific task, and nothing beyond.

7. Scope of consultancy services in schools

7.1 Where we provide policy scrutiny, IT strategy advice, or governance support, including AUP review, filtering policy review, or GDPR compliance advice, we do so as an IT consultant, not as a solicitor or data protection officer. Our recommendations reflect good professional practice and our knowledge of the relevant frameworks, but should be considered alongside independent legal advice for high-stakes decisions.

7.2 We will not make representations about our services that could be construed as legal, financial, or HR advice. Where our recommendations touch on those areas, we will say so explicitly and recommend the school seeks specialist input.

7.3 Written recommendations produced as part of a consultancy engagement are the school's to use and act upon as they see fit. Arcane Technologies accepts no liability for decisions made by the school on the basis of recommendations provided, except where our advice was demonstrably negligent.

8. Safeguarding in remote and cloud environments

8.1 Where our work involves configuring or administering cloud platforms, including Google Workspace for Education, Microsoft 365 Education, or any other cloud service, we will ensure that configurations do not inadvertently undermine the school's safeguarding controls, monitoring systems, or data protection practices.

8.2 We will not create or retain administrative accounts on the school's systems beyond the period of the engagement unless explicitly authorised to do so as part of an ongoing retainer arrangement.

8.3 Where we identify a configuration, setting, or practice that in our professional judgement presents a safeguarding or data protection risk, we will notify the headteacher and DSL in writing as soon as practicable, regardless of whether remediation falls within our current scope of work.

9. Termination and safeguarding concerns

9.1 Either party may terminate a school engagement immediately and without penalty if a serious safeguarding concern arises that makes continuation of the engagement inappropriate pending investigation. This clause does not affect payment for work already completed.

9.2 Where a school terminates an engagement due to a safeguarding concern about our conduct, we agree to cooperate fully with any investigation, including providing access to relevant records, and to comply with any reasonable request from the school or a relevant authority.

10. Governing framework

This addendum is read alongside the Arcane Technologies Standard Terms & Conditions and is governed by the law of England and Wales. Nothing in this addendum reduces the protections set out in the standard terms.

Relevant statutory frameworks and guidance informing this addendum include:

We keep this addendum under review and will update it in line with changes to statutory guidance.