Scope and Purpose
This Data Processing Addendum ("DPA") forms part of the agreement between TrainMeUK Ltd ("TrainMeUK", "Processor") and the customer organisation ("Customer", "Controller") for the provision of the Service.
This DPA applies where TrainMeUK processes Personal Data on behalf of the Customer in connection with the Service and sets out the parties' data protection obligations under applicable UK data protection law.
Roles of the Parties
- Customer as Controller: Customer determines the purposes and means of processing Customer Personal Data.
- TrainMeUK as Processor: TrainMeUK processes Customer Personal Data only on documented instructions from the Customer, unless otherwise required by law.
Nature of Processing
TrainMeUK processes personal data to deliver and secure the Service, including user authentication, training delivery, compliance reporting, support, and related operational functions.
Data categories may include account data, training/compliance records, external certificate evidence, and Learner Verify data where enabled by the Customer.
Processor Obligations
- Process personal data only on Customer instructions and for the agreed service purposes
- Ensure personnel with access to personal data are under confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist Customer with data subject requests and compliance obligations where reasonably required
- Notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data
Subprocessors
Customer authorises TrainMeUK to use subprocessors to support delivery of the Service (for example hosting, storage, AI, and email providers), provided TrainMeUK imposes data protection obligations on such subprocessors that are materially equivalent to those in this DPA.
The current list of subprocessors is published at trainmeuk.co.uk/subprocessors. TrainMeUK will update that list when subprocessors change and will notify Customer in accordance with this DPA where required before engaging a new subprocessor that processes Customer Personal Data.
International Transfers
Where Customer Personal Data is transferred outside the UK, TrainMeUK will apply appropriate safeguards required by applicable law, including adequacy regulations and/or standard contractual clauses (or equivalent approved transfer mechanisms).
Security Measures
TrainMeUK maintains a risk-based security program designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Encryption in transit and at rest where applicable
- Role-based access controls
- Tenant-aware segregation controls
- Security monitoring and incident response procedures
Audit and Information Rights
Upon reasonable request, TrainMeUK will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and proportionality controls.
Return and Deletion
Upon termination or expiry of the Service, TrainMeUK will delete or return Customer Personal Data in accordance with the agreement, applicable law, and documented retention requirements.
Order of Precedence
If there is a conflict between this DPA and the Terms of Service regarding data protection matters, this DPA prevails for those matters.
Contact
For DPA and data protection queries:
Email: privacy@trainmeuk.co.uk
Address: TrainMeUK Ltd, 8 George Myers Close, Ash, Guildford, Surrey, GU12 6FW
Phone: 01252 929213
Need Help?
If you have any questions about this policy or our practices, please don't hesitate to contact us.