Data Processing Agreement (DPA)
Last Updated: October 26, 2023
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Principal Agreement") between educatinvesuk.digital ("Company," "we," "us," "our") and you ("Customer," "you," "your"), the user of our services.
This DPA applies where and to the extent that Company processes Personal Data on behalf of Customer as a Data Processor in the course of providing the Services. This DPA is intended to satisfy the requirements of Article 28(3) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").
1. Definitions
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. In this DPA, the following terms shall have the following meanings:
- "Data Protection Laws" means all applicable laws relating to data protection and privacy including (without limitation) the GDPR, the UK GDPR, and any other national implementing laws, regulations, and secondary legislation, as amended or updated from time to time.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Processing", "Processes" or "Process" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Data Controller", "Data Processor", "Data Subject", "Personal Data Breach" and "Supervisory Authority" shall have the meanings set out in the GDPR or UK GDPR as applicable.
2. Processing of Personal Data
2.1 Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller and Company is the Data Processor. Each party will comply with the obligations applicable to it under Data Protection Laws with respect to the processing of Personal Data.
2.2 Customer's Processing of Personal Data
Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Customer's instructions to Company for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 Company's Processing of Personal Data
Company shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Principal Agreement and applicable order forms; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Principal Agreement. Company will not Process Personal Data for any other purpose unless required by applicable law to which Company is subject; in such a case, Company shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
2.4 Details of the Processing
- Subject matter of Processing: The Personal Data submitted to the Services by Customer in connection with the Services provided pursuant to the Principal Agreement.
- Duration of Processing: For the term of the Principal Agreement and as set out in section 8 (Return and Deletion of Personal Data).
- Nature and purpose of Processing: To provide the Services as initiated by Customer and its authorized users. This may include storing, managing, and providing access to Personal Data to enable Customer to use the features of the Services.
- Types of Personal Data: Personal Data submitted to the Services by Customer, which may include, but is not limited to, names, email addresses, contact details, and any other Personal Data Customer chooses to upload or provide through the Services.
- Categories of Data Subjects: Data Subjects are individuals whose Personal Data is submitted to the Services by Customer, which may include Customer's employees, contractors, clients, or other individuals.
3. Data Subject Rights
Company shall, to the extent legally permitted, promptly notify Customer if Company receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, right to restriction of Processing, right to erasure ("right to be forgotten"), right to data portability, right to object to the Processing, or right not to be subject to automated individual decision-making ("Data Subject Request"). Taking into account the nature of the Processing, Company shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Company shall upon Customer’s request use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Company is legally permitted to do so and a response to such Data Subject Request is required under Data Protection Laws.
4. Confidentiality
Company shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Company shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
5. Security
Company shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and UK GDPR. In assessing the appropriate level of security, Company shall take account in particular of the risks presented by the Processing, including the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
6. Sub-processing
6.1 Authorized Sub-processors
Customer agrees that Company may engage third-party sub-processors in connection with the provision of the Services. Company will make available to Customer a current list of sub-processors upon request. Company shall ensure that any sub-processor it engages is subject to data protection obligations comparable to those imposed on Company under this DPA.
6.2 Objections to Sub-processors
Customer may object in writing to Company’s appointment of a new sub-processor within thirty (30) days of receiving notice, provided that such objection is based on reasonable grounds relating to data protection. If Customer objects to a new sub-processor, Company will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new sub-processor without unreasonably burdening the Customer. If Company is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Order Form(s) with respect to only those Services which cannot be provided by Company without the use of the objected-to new sub-processor by providing written notice to Company.
7. Data Breach Notification
Company shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations under Data Protection Laws to report the Personal Data Breach to a Supervisory Authority or to inform Data Subjects of it. Company shall co-operate with Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Return and Deletion of Personal Data
Upon termination of the Principal Agreement, Company shall, at Customer’s choice, delete or return all Customer Personal Data to Customer, and delete existing copies unless applicable law requires storage of the Personal Data. This requirement shall not apply to the extent that Company has a legal right or obligation to retain some or all of the Personal Data, or to Personal Data archived on back-up systems, which Company shall securely isolate and protect from any further processing, except to the extent required by applicable law.
9. Audits and Certifications
Company shall make available to Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Company. Such audits shall be conducted during reasonable business hours, with reasonable advance notice to Company, and subject to confidentiality obligations. Customer shall use its best efforts to minimize disruption to Company’s business operations.
10. International Transfers
To the extent that the Processing of Personal Data by Company involves a transfer of Personal Data outside the European Economic Area (EEA) or the UK, Company shall ensure that such transfers are made in compliance with Data Protection Laws, including, where applicable, by entering into the Standard Contractual Clauses (SCCs) approved by the European Commission or, for transfers from the UK, the International Data Transfer Agreement or the UK Addendum to the SCCs issued by the UK Information Commissioner's Office, or by relying on other appropriate transfer mechanisms recognized under Data Protection Laws.
11. General Terms
This DPA will terminate automatically upon the termination of the Principal Agreement. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Principal Agreement, unless required otherwise by Data Protection Laws.
12. Contact Information
If you have any questions about this DPA, please contact us:
- By email: [email protected]
- By phone number: +44 77 8718 2087
- By mail: 31 Greyfriars Road, Cannock Wood, WS15 0PB, United Kingdom