Data Processing Agreement
Controller and processor obligations for customer learner data processed through WAIA.
This Data Processing Agreement forms part of the WAIA Terms of Service or other written agreement between Nineteen Point Two and the Customer.
It applies where Nineteen Point Two processes Customer Personal Data on behalf of the Customer in connection with WAIA.
1. Definitions
Controller, processor, data subject, personal data, processing, personal data breach and special category data have the meanings given in applicable data protection laws.
Customer Personal Data means personal data processed by Nineteen Point Two on behalf of the Customer through WAIA.
Data Protection Laws means all applicable data protection and privacy laws, including the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR.
Subprocessor means a third party appointed by Nineteen Point Two to process Customer Personal Data on behalf of Nineteen Point Two.
2. Roles of the parties
For Customer Personal Data processed through WAIA:
- the Customer is controller
- Nineteen Point Two is processor
The Customer determines the purposes and lawful basis for processing Customer Personal Data.
Nineteen Point Two processes Customer Personal Data only to provide, secure, support and maintain WAIA, and in accordance with the Customer’s documented instructions.
3. Processing details
The details of processing are set out in Schedule 1.
4. Customer instructions
The Customer instructs Nineteen Point Two to process Customer Personal Data as necessary to:
- provide WAIA
- create and manage user accounts
- invite learners
- assign learning
- display organisation guidance
- record progress and completion
- record guidance acknowledgements
- provide administrator reporting
- provide support
- maintain platform security and reliability
- comply with agreed contractual obligations
The Customer may issue additional documented instructions where consistent with the agreement and applicable law.
Nineteen Point Two will inform the Customer if it believes an instruction breaches Data Protection Laws, unless prohibited by law.
5. Customer responsibilities
The Customer is responsible for:
- complying with Data Protection Laws
- having a lawful basis for processing Customer Personal Data
- providing privacy information to learners and administrators where required
- ensuring the accuracy of Customer Personal Data
- ensuring only appropriate users are invited
- managing administrator permissions
- avoiding unnecessary special category data
- deciding how WAIA records are used internally
- responding to data subject requests where the Customer is controller
6. Nineteen Point Two responsibilities
Nineteen Point Two will:
- process Customer Personal Data only on documented instructions
- ensure authorised personnel are subject to confidentiality obligations
- implement reasonable technical and organisational security measures
- assist the Customer with data subject requests where reasonably required
- assist with security, breach notification and DPIA obligations where reasonably required
- use subprocessors only in line with this DPA
- delete or return Customer Personal Data at the end of the relationship as agreed
- make reasonable information available to demonstrate compliance with this DPA
7. Confidentiality
Nineteen Point Two will ensure that people authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
8. Security measures
Nineteen Point Two will maintain reasonable technical and organisational measures appropriate to the nature of the processing and the risk to individuals.
These may include:
- role-based access controls
- authentication controls
- administrator permission controls
- supplier security controls
- database and infrastructure security measures provided by hosting and backend providers
- encryption in transit where supported by relevant infrastructure
- logging and monitoring
- secure development and deployment practices
- backup and recovery processes where supported by relevant providers
- operational access limitation
- incident response procedures
A more detailed security summary may be provided on request.
9. Subprocessors
The Customer gives Nineteen Point Two general written authorisation to appoint subprocessors to provide, host, maintain, secure, monitor and support WAIA.
Nineteen Point Two will:
- maintain a subprocessor list
- ensure subprocessors are subject to written data protection obligations appropriate to their role
- remain responsible for subprocessors’ processing of Customer Personal Data, subject to the agreement
- notify the Customer of material changes to subprocessors through the published subprocessor list, email notice or other reasonable method
The Customer may object to a new subprocessor on reasonable data protection grounds within a reasonable period after notice. The parties will work in good faith to resolve the objection. If the objection cannot reasonably be resolved, the Customer may terminate the affected service.
10. International transfers
Nineteen Point Two and its subprocessors may process Customer Personal Data outside the UK or EEA where needed to provide WAIA.
Where restricted transfers occur, Nineteen Point Two will use appropriate safeguards required by Data Protection Laws. These may include adequacy regulations, standard contractual clauses, the UK International Data Transfer Addendum or equivalent lawful transfer mechanisms.
11. Data subject requests
If Nineteen Point Two receives a request from a data subject relating to Customer Personal Data, it will do one of the following:
- refer the request to the Customer, where appropriate
- notify the Customer, where lawful and practical
- assist the Customer to respond, taking into account the nature of the processing
Nineteen Point Two will not respond directly to the substance of a request unless instructed by the Customer or required by law.
12. Personal data breaches
Nineteen Point Two will notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data.
The notice will include available information reasonably required by the Customer to assess the breach, meet notification obligations and reduce harm.
Nineteen Point Two’s notification of a breach is not an admission of fault or liability.
13. Assistance with DPIAs and compliance
Nineteen Point Two will provide reasonable assistance to the Customer with data protection impact assessments, prior consultation, security obligations and breach obligations where required by Data Protection Laws and where the information is available to Nineteen Point Two.
If assistance requires substantial additional work, Nineteen Point Two may charge reasonable fees unless prohibited by law or agreed otherwise.
14. Return and deletion
At the end of the service, Nineteen Point Two will return, export or delete Customer Personal Data in line with the Customer’s instructions, the agreement and applicable law.
Nineteen Point Two may retain limited copies where required for legal, accounting, security, backup, dispute resolution or legitimate business purposes, provided such data remains protected and is not actively processed for other purposes.
Backup deletion may take place on the normal backup lifecycle of relevant infrastructure providers.
15. Audit and information rights
Nineteen Point Two will make reasonable information available to demonstrate compliance with this DPA.
The Customer may request reasonable audit information no more than once per year unless required due to a confirmed serious security incident.
Any audit must be conducted on reasonable notice, during normal business hours, in a way that does not compromise security, confidentiality, service availability or other customers’ data.
Nineteen Point Two may satisfy audit requests through security summaries, policies, supplier documentation, certifications or written responses where appropriate.
16. Order of precedence
If there is a conflict between this DPA and the WAIA Terms of Service in relation to processing Customer Personal Data, this DPA takes priority.
Schedule 1: Processing Details
Subject matter
Provision of WAIA, including workplace AI learning, learner access, progress records, guidance acknowledgement, administrator reporting and customer support.
Duration
For the term of the customer agreement and any agreed retention, export, deletion, backup or legal retention period.
Nature of processing
Collection, recording, storage, hosting, organisation, structuring, retrieval, display, transmission, analysis, reporting, support, deletion and related processing required to provide WAIA.
Purpose of processing
To provide WAIA to the Customer, including:
- user authentication
- learner invitation and access
- course assignment
- learning delivery
- progress tracking
- knowledge check or assessment capture
- guidance acknowledgement
- certificate or completion evidence
- organisation administration
- support
- security
- troubleshooting
- service operation
Categories of data subjects
- Customer employees
- Customer workers
- Customer contractors
- Customer administrators
- Customer invited learners
- Customer contacts
- Support users
Categories of personal data
- name
- work email address
- organisation
- job role or access role, where provided
- user ID
- account status
- invitation status
- course assignment
- learning progress
- lesson completion data
- knowledge check or assessment responses
- guidance acknowledgement records
- certificate or completion status
- administrator actions
- support messages
- technical logs
- IP address and device information where captured for security or service operation
Special category data
WAIA is not intended to process special category data. Customers must not upload special category data unless expressly agreed in writing.
Processing frequency
Continuous during the term of the service.
Subprocessors
Current subprocessors are listed at /subprocessors/.