Data Trackers Logo

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Data Trackers terms of service and governs the processing of personal data by Data Trackers ("Processor") on behalf of the Customer ("Controller").

1. Definitions

  • Personal data -- any information relating to an identified or identifiable natural person processed under this DPA.
  • Processing -- any operation performed on personal data, including collection, storage, retrieval, use, disclosure and deletion.
  • Data subject -- the individual to whom personal data relates.
  • Sub-processor -- any third party engaged by Data Trackers to process personal data on behalf of the Controller.
  • GDPR -- the UK GDPR and the EU General Data Protection Regulation (EU) 2016/679.
  • Supervisory authority -- the ICO in the UK, or an equivalent authority in another jurisdiction.

2. Scope and purpose of processing

Data Trackers will process personal data only:

  • For the purpose of providing the Data Trackers service to the Controller
  • In accordance with the Controller's documented instructions
  • As necessary to comply with applicable law

2.1 Categories of data subjects

  • End users / learners who interact with e-learning courses created by the Controller
  • Course administrators and instructional designers employed by the Controller (if applicable)

2.2 Categories of personal data

  • Learner identifiers (name, email, employee ID or other identifiers as configured by the Controller)
  • Learning performance data (quiz scores, completion status)
  • Behavioural data (time on content, navigation patterns, interaction logs)
  • Technical data (IP address, browser information, device data)

2.3 Duration of processing

Processing continues for the duration of the service agreement plus the applicable data retention period (see the Privacy policy for tier-specific retention).

3. Obligations of the Processor

Data Trackers agrees to:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorised to process personal data are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Respect the conditions for engaging sub-processors (section 6)
  • Assist the Controller in responding to data subject requests
  • Assist the Controller with security, breach notification and data-protection impact assessments
  • Delete or return all personal data upon termination, at the Controller's choice
  • Make available all information necessary to demonstrate compliance and allow for audits

4. Obligations of the Controller

The Controller agrees to:

  • Ensure it has a valid legal basis for collecting and processing personal data through the service
  • Provide appropriate privacy notices to data subjects
  • Obtain any necessary consents from data subjects
  • Ensure that instructions given to the Processor comply with applicable data-protection law
  • Be responsible for the accuracy, quality and legality of personal data provided to the Processor

5. Security measures

5.1 Technical measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Secure authentication and access control systems
  • Regular security testing and vulnerability management
  • Intrusion detection and monitoring
  • Automated backup systems
  • Client-side parsing of Storyline source files (they never reach our servers)

5.2 Organisational measures

  • Staff background checks and security training
  • Role-based access (principle of least privilege)
  • Documented information security policies
  • Incident response procedures
  • Regular security awareness training

6. Sub-processors

The Controller authorises Data Trackers to engage the sub-processors listed below. We will notify the Controller before adding or replacing a sub-processor. The Controller may object to changes within 30 days of notification.

Sub-processorPurposeLocation
Google Cloud / FirebaseInfrastructure hosting, auth, cloud functionsEU / USA (configurable)
BigQueryLearner data warehouseEU / USA (configurable)
FivetranWebhook ingestion pipelineEU / USA
StripePayment processingEU / USA
Anthropic (Claude API)AI recommendations (Tier 2+ only)USA
Mailgun / HubSpotEmail deliveryEU / USA

7. Data subject rights

Data Trackers will assist the Controller in responding to data subject requests by:

  • Providing tools for data export and deletion
  • Forwarding any data subject requests received to the Controller
  • Providing information necessary to respond to requests within reasonable timeframes

8. Breach notification

In the event of a personal data breach, Data Trackers will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a breach
  • Provide all information necessary for the Controller to assess the breach and notify supervisory authorities or data subjects as required
  • Cooperate with the Controller in investigating and mitigating the breach
  • Document all breaches and remediation actions taken

9. International transfers

Where personal data is transferred outside the UK or EEA, appropriate safeguards are in place:

  • Standard Contractual Clauses approved by the European Commission, plus UK Addendum
  • Supplementary measures where required based on transfer impact assessments
  • Due diligence on the recipient country's legal framework

10. Audit rights

Data Trackers will make available all information necessary to demonstrate compliance with this DPA and allow for audits by the Controller or an appointed auditor. Audits shall be subject to reasonable notice, conducted during normal business hours, and the Controller shall bear its own audit costs.

11. Termination and data return

On termination of the service:

  • Data Trackers will delete or return all personal data at the Controller's instruction
  • The Controller may request a data export before deletion
  • Deletion will be completed within 30 days of termination
  • Data Trackers may retain copies where required by law, subject to confidentiality obligations

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the main terms of service.

13. Governing law

This DPA is governed by the laws of England and Wales, without regard to conflict-of-laws principles.

Annex A -- Technical and organisational measures

  • Access control -- multi-factor authentication, role-based access, session management
  • Encryption -- AES-256 at rest, TLS 1.2+ in transit, key management procedures
  • Network security -- firewalls, intrusion detection, DDoS protection
  • Physical security -- certified Google Cloud data centres
  • Operational security -- change management, vulnerability management, penetration testing
  • Incident management -- 24/7 monitoring, documented response procedures
  • Business continuity -- automated backups and disaster recovery procedures