Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between TrainMeUK Ltd ("TrainMeUK", "Processor") and the customer organisation ("Customer", "Controller") for the provision of the Service.

This DPA applies where TrainMeUK processes Personal Data on behalf of the Customer in connection with the Service and sets out the parties' data protection obligations under applicable UK data protection law.

• Customer as Controller: Customer determines the purposes and means of processing Customer Personal Data.
• TrainMeUK as Processor: TrainMeUK processes Customer Personal Data only on documented instructions from the Customer, unless otherwise required by law.

TrainMeUK processes personal data to deliver and secure the Service, including user authentication, training delivery, compliance reporting, support, and related operational functions.

Data categories may include account data, training/compliance records, external certificate evidence, and Learner Verify data where enabled by the Customer.

• Process personal data only on Customer instructions and for the agreed service purposes
• Ensure personnel with access to personal data are under confidentiality obligations
• Implement appropriate technical and organisational security measures
• Assist Customer with data subject requests and compliance obligations where reasonably required
• Notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data

Customer authorises TrainMeUK to use subprocessors to support delivery of the Service (for example hosting, storage, AI, and email providers), provided TrainMeUK imposes data protection obligations on such subprocessors that are materially equivalent to those in this DPA.

Where Customer Personal Data is transferred outside the UK, TrainMeUK will apply appropriate safeguards required by applicable law, including adequacy regulations and/or standard contractual clauses (or equivalent approved transfer mechanisms).

TrainMeUK maintains a risk-based security program designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

• Encryption in transit and at rest where applicable
• Role-based access controls
• Tenant-aware segregation controls
• Security monitoring and incident response procedures

Upon reasonable request, TrainMeUK will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and proportionality controls.

Upon termination or expiry of the Service, TrainMeUK will delete or return Customer Personal Data in accordance with the agreement, applicable law, and documented retention requirements.

If there is a conflict between this DPA and the Terms of Service regarding data protection matters, this DPA prevails for those matters.

For DPA and data protection queries: