DATA PROCESSING AGREEMENT (UK GDPR – Controller to Processor)
This Data Processing Agreement (“DPA”) is entered into between:
Controller:
The customer entity receiving services from Train Me Now Ltd T/A NoodleNow.
and
Processor:
Train Me Now Ltd (Company No. 09743159)
T/A NoodleNow
30 Upper High Street
Thame
Oxfordshire
OX9 3EZ
ICO Registration: ZB071066
1. Purpose and Scope
1.1 This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of an online training platform including hosting, learner management and certification services.
1.2 This DPA forms a standalone agreement governing data protection obligations between the parties.
1.3 The parties acknowledge that the Controller is the Data Controller and the Processor is the Data Processor for the purposes of UK GDPR and the Data Protection Act 2018.
2. Definitions
“UK GDPR” means the UK General Data Protection Regulation.
“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, and “Personal Data Breach” shall have the meanings given in UK GDPR.
3. Processing Obligations
3.1 The Processor shall:
a) Process Personal Data only on documented instructions from the Controller.
b) Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.
c) Implement appropriate technical and organisational measures in accordance with Article 32 UK GDPR.
d) Assist the Controller in responding to Data Subject rights requests.
e) Assist the Controller in ensuring compliance with Articles 32–36 UK GDPR, taking into account the nature of processing.
f) Notify the Controller of any Personal Data Breach without undue delay and, where feasible, within 72 hours of becoming aware.
g) Delete Personal Data in accordance with Clause 9 (Termination).
3.2 The Processor shall not sell Personal Data, process Special Category Data, or process Criminal Offence Data.
3A. Independent Controller Processing
3A.1 The parties acknowledge that the Processor may process certain personal data as an independent controller where such processing is not carried out on behalf of the Controller, including:
a) Processing of business contact details for account management, billing and service communications;
b) Responding to direct enquiries made to the Processor;
c) Marketing of products and services in accordance with applicable law;
d) Compliance with legal obligations;
e) Internal business administration and record keeping.
3A.2 Such processing shall be carried out in accordance with the Processor’s own privacy notice and applicable data protection laws.
3A.3 Nothing in this DPA shall apply to processing undertaken by the Processor in its capacity as an independent controller.
5. Sub-processors
5.1 The Controller provides general authorisation for the Processor to appoint sub-processors.
5.2 The Processor shall ensure any sub-processor is bound by written terms providing equivalent data protection obligations and shall remain fully liable for their performance.
5.3 A list of current sub-processors is set out in Schedule 3.
5.4 The Processor shall notify the Controller of any intended addition or replacement of sub-processors.
6. International Transfers
6.1 Personal Data may be processed within the United Kingdom and the European Economic Area.
6.2 Where Personal Data is transferred outside the United Kingdom to a country without an adequacy decision, the Processor shall ensure appropriate safeguards are implemented, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or any other lawful transfer mechanism recognised under UK GDPR.
7. Security Measures
The Processor shall implement appropriate technical and organisational measures including those described in Schedule 2.
8. Data Subject Rights
The Controller is responsible for responding to Data Subject requests. The Processor shall provide reasonable assistance to the Controller in responding to such requests.
9. Term and Deletion
This DPA remains in effect for the duration of the services.
Upon termination of the services, Personal Data shall be retained for up to 12 months following termination unless the Controller requests earlier deletion. Following the retention period, Personal Data shall be securely deleted or anonymised, except to the extent required by law. Backup copies may be retained in secure systems for a limited technical period before automatic deletion.
10. Audit
The Controller may request reasonable written information demonstrating compliance with this DPA. On reasonable notice and no more than once per year, the Controller may conduct an audit, provided it does not unreasonably disrupt business operations.
11. Liability
11.1 Each party shall be responsible for and liable in respect of breaches of its obligations under UK GDPR and this DPA.
11.2 The Processor’s total aggregate liability arising out of or in connection with this DPA (whether in contract, tort (including negligence), breach of statutory duty or otherwise) shall not exceed 100% of the fees paid by the Controller to the Processor in the six (6) months preceding the event giving rise to the claim.
11.3 Nothing in this DPA shall exclude or limit liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any liability which cannot lawfully be excluded or limited.
Schedule 1 – Details of Processing
Subject Matter: Provision of an online training platform including hosting, learner management and certification.
Duration: For the duration of services and up to 12 months thereafter.
Categories of Data Subjects: Employees, volunteers, and contractors of the Controller.
Categories of Personal Data: Name, work email address, username/login ID, IP address, course enrolment data, course completion data, assessment results, certification records.
Special Category Data: None.
Criminal Offence Data: None.
Purpose of Processing: To provide online training services and related support.
Schedule 2 – Technical and Organisational Measures
• Hosting within UK or EEA data centres
• Encryption in transit (TLS)
• Encryption at rest
• Role-based access controls
• Restricted staff access
• Confidentiality obligations
• Secure cloud hosting
• Regular system updates and maintenance
• Logical separation of customer data
• Encrypted routine backups
Schedule 3 – Sub-processors
Blossom Educational Ltd T/A Ovivio – UK – Sales, administration, billing, customer support
KidsKonnect B.V. – Netherlands – Hosting, technical infrastructure, platform maintenance
Amazon Web Services (AWS) – EEA – Cloud hosting
HubSpot – EEA/USA – CRM and marketing systems
Zendesk – EEA/USA – Customer support ticketing
Microsoft – EEA/USA – Email and productivity systems
Aircall – EEA/USA – Telephony services
2024 © Train Me Now Ltd | UK Licensed training provider of NoodleNow!™
Head Office: Unit 6, Hyperion Buildings, Bristol Ave, Blackpool, Lancashire. FY2 0JF
VAT Number: 234411541
Registered in UK: 9743159