skills123 — Data Processing Addendum (DPA)
Version 1.0 • Effective 2025-01-01

1. PARTIES
This Data Processing Addendum ("DPA") is entered into between the customer identified in the underlying skills123 Subscription Agreement ("Controller") and skills123 ("Processor"). Together, the "Parties".

2. SUBJECT MATTER AND ROLES
This DPA governs the Processor's processing of personal data on behalf of the Controller in connection with the skills123 AI-driven training platform (the "Service"). The Parties acknowledge that, for the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK Data Protection Act 2018, the Controller is the data controller and the Processor is the data processor.

3. NATURE AND PURPOSE OF PROCESSING
The Processor processes personal data solely to:
(a) provide, secure and operate the Service;
(b) generate AI-driven lessons, transcripts, quizzes and analytics;
(c) fulfil the Controller's documented instructions; and
(d) comply with applicable law.

4. DURATION
Processing continues for the duration of the Subscription Agreement plus any applicable retention period set out in Section 10.

5. CATEGORIES OF DATA SUBJECTS
• Controller's authorised end-users (learners, instructors, admins).
• Prospective learners submitting contact or newsletter forms.

6. CATEGORIES OF PERSONAL DATA
• Identity data: name, email address, account identifier.
• Authentication data: hashed credentials, OAuth tokens.
• Usage data: lesson progress, quiz attempts, engagement events, IP address.
• Content data: notes, tutor chat messages, uploaded assets.
• Payment metadata: last-4 and billing period (full card data is handled by Stripe as an independent controller).

7. CONTROLLER INSTRUCTIONS
The Processor shall process personal data only on the Controller's documented instructions, including with regard to transfers to a third country, unless required to do so by EU, EEA, UK or Member State law.

8. CONFIDENTIALITY
Personnel authorised to process personal data are bound by contractual or statutory confidentiality obligations.

9. SECURITY MEASURES (GDPR Art. 32)
The Processor implements appropriate technical and organisational measures, including:
• Encryption in transit (TLS 1.2+) and at rest (AES-256 where applicable).
• Role-based access control with least-privilege principles.
• Managed secrets; no production credentials in source control.
• Continuous logging, anomaly detection, and incident response runbooks.
• Regular dependency scanning and vulnerability patching.
• Annual business-continuity and backup-restore tests.

10. DATA RETENTION, RETURN AND DELETION
Upon termination of the Service, the Processor will, at the Controller's choice, return or delete all personal data within ninety (90) days, except where retention is required by law. Backups are purged on their scheduled rotation (no longer than 35 days).

11. SUB-PROCESSORS
The Controller provides general authorisation for the Processor to engage sub-processors. A current list is published at /legal/subprocessors and is updated with at least thirty (30) days' notice before any new sub-processor begins processing. The Controller may object on reasonable grounds. Categories include: infrastructure (DigitalOcean), database (managed Postgres), object storage (Cloudflare R2), transactional email (Resend), analytics (PostHog, with consent), payments (Stripe), AI providers (Anthropic, OpenAI, HeyGen, ElevenLabs, Gamma, Deepgram, Mux).

12. INTERNATIONAL TRANSFERS
Where personal data is transferred outside the EEA or UK, the Parties rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum. A copy is available on request.

13. DATA-SUBJECT RIGHTS
The Processor shall, to the extent legally permitted, assist the Controller in fulfilling data-subject requests under GDPR Articles 15–22.

14. PERSONAL DATA BREACHES
The Processor will notify the Controller without undue delay — and in any event within seventy-two (72) hours — after becoming aware of a personal data breach affecting the Controller's data, together with available information required under GDPR Art. 33(3).

15. AUDIT RIGHTS
Once per calendar year, on thirty (30) days' written notice, the Controller (or a mutually agreed independent auditor bound by confidentiality) may request evidence of compliance. The Processor may satisfy audit obligations via up-to-date third-party certifications and executive summaries of penetration tests in lieu of on-site audits where reasonable.

16. LIABILITY
The liability of each Party under this DPA is subject to the limitations of liability set out in the Subscription Agreement.

17. TERMINATION
This DPA terminates automatically on termination of the Subscription Agreement. Clauses that by their nature survive termination (e.g. Sections 9–12, 14) continue to apply.

18. CONTACT
Data Protection queries: privacy@skills123.com
General contact: hello@skills123.com
Postal address: available to the Controller on request.

This document is a template and does not constitute legal advice. Controllers should have counsel review before execution.