Data Processing Addendum
Version 1.0 • Effective 2025-01-01
This DPA supplements our Subscription Agreement and Privacy Policy. It sets out the terms on which skills123 (Processor) processes personal data on behalf of customers (Controllers). For questions or a countersigned copy, email privacy@skills123.com.
1. PARTIES
This Data Processing Addendum ("DPA") is entered into between the customer
identified in the underlying skills123 Subscription Agreement ("Controller")
and skills123 ("Processor"). Together, the "Parties".
2. SUBJECT MATTER AND ROLES
This DPA governs the Processor's processing of personal data on behalf of the
Controller in connection with the skills123 AI-driven training platform (the
"Service"). The Parties acknowledge that, for the purposes of the EU General
Data Protection Regulation 2016/679 ("GDPR") and the UK Data Protection Act
2018, the Controller is the data controller and the Processor is the data
processor.
3. NATURE AND PURPOSE OF PROCESSING
The Processor processes personal data solely to:
(a) provide, secure and operate the Service;
(b) generate AI-driven lessons, transcripts, quizzes and analytics;
(c) fulfil the Controller's documented instructions; and
(d) comply with applicable law.
4. DURATION
Processing continues for the duration of the Subscription Agreement plus any
applicable retention period set out in Section 10.
5. CATEGORIES OF DATA SUBJECTS
• Controller's authorised end-users (learners, instructors, admins).
• Prospective learners submitting contact or newsletter forms.
6. CATEGORIES OF PERSONAL DATA
• Identity data: name, email address, account identifier.
• Authentication data: hashed credentials, OAuth tokens.
• Usage data: lesson progress, quiz attempts, engagement events, IP address.
• Content data: notes, tutor chat messages, uploaded assets.
• Payment metadata: last four card digits and billing period (full card data
is handled by Stripe as an independent controller).
7. CONTROLLER INSTRUCTIONS
The Processor shall process personal data only on the Controller's documented
instructions, including with regard to transfers to a third country, unless
required to do so by EU, EEA, UK or Member State law.
8. CONFIDENTIALITY
Personnel authorised to process personal data are bound by contractual or
statutory confidentiality obligations.
9. SECURITY MEASURES (GDPR Art. 32)
The Processor implements appropriate technical and organisational measures,
including:
• Encryption in transit (TLS 1.2+) and at rest (AES-256 where applicable).
• Role-based access control with least-privilege principles.
• Managed secrets; no production credentials in source control.
• Continuous logging, anomaly detection, and incident response runbooks.
• Regular dependency scanning and vulnerability patching.
• Annual business-continuity and backup-restore tests.
10. DATA RETENTION, RETURN AND DELETION
Upon termination of the Service, the Processor will, at the Controller's
choice, return or delete all personal data within ninety (90) days, except
where retention is required by law. Backups are purged on their scheduled
rotation (no longer than 35 days).
11. SUB-PROCESSORS
The Controller provides general authorisation for the Processor to engage
sub-processors. A current list is published at /legal/subprocessors and is
updated with at least thirty (30) days' notice before any new sub-processor
begins processing. The Controller may object on reasonable grounds.
Categories include: infrastructure (DigitalOcean), database (managed
Postgres), object storage (Cloudflare R2), transactional email (Resend),
analytics (PostHog, with consent), payments (Stripe), AI providers
(Anthropic, OpenAI, HeyGen, ElevenLabs, Gamma, Deepgram, Mux).
12. INTERNATIONAL TRANSFERS
Where personal data is transferred outside the EEA or UK, the Parties rely
on the European Commission's Standard Contractual Clauses (2021/914) and,
where applicable, the UK International Data Transfer Addendum. A copy is
available on request.
13. DATA-SUBJECT RIGHTS
The Processor shall, to the extent legally permitted, assist the Controller
in fulfilling data-subject requests under GDPR Articles 15–22.
14. PERSONAL DATA BREACHES
The Processor will notify the Controller without undue delay — and in any
event within seventy-two (72) hours — after becoming aware of a personal
data breach affecting the Controller's data, together with available
information required under GDPR Art. 33(3).
15. AUDIT RIGHTS
Once per calendar year, on thirty (30) days' written notice, the Controller
(or a mutually agreed independent auditor bound by confidentiality) may
request evidence of compliance. The Processor may satisfy audit obligations
via up-to-date third-party certifications and executive summaries of penetration
tests in lieu of on-site audits where reasonable.
16. LIABILITY
The liability of each Party under this DPA is subject to the limitations of
liability set out in the Subscription Agreement.
17. TERMINATION
This DPA terminates automatically on termination of the Subscription
Agreement. Clauses that by their nature survive termination (e.g. Sections
9–12, 14) continue to apply.
18. CONTACT
Data Protection queries: privacy@skills123.com
General contact: hello@skills123.com
Postal address: available to the Controller on request.
This document is a template and does not constitute legal advice. Controllers
should have counsel review before execution.