Data Processing Agreement

Last Updated: 1 November 2025

1. Introduction and Scope

This Data Processing Agreement (“DPA”) forms part of the contract between The Virtuoso Academy (“Processor”) and the customer (“Controller”) for the provision of educational services. It applies when the Controller’s use of Services involves Processing Personal Data subject to the UK GDPR, EU GDPR, or other applicable data protection laws.

Key Definitions:

  • Controller: Entity determining purposes and means of Processing
  • Processor: The Virtuoso Academy, processing on behalf of Controller
  • Personal Data: Information relating to an identifiable natural person
  • Data Subject: Individual whose data is processed
  • Processing: Any operation performed on Personal Data

2. Applicability

2.1 When This DPA Applies

  • Enterprise or group licences purchased
  • Controller’s employees or students use Services
  • Processing involves Personal Data of UK/EU data subjects, or of data subjects in jurisdictions with similar laws

2.2 Individual Users

  • Individual user = Controller of their own data
  • The Virtuoso Academy = Processor
  • Privacy Policy governs relationship

2.3 Order of Precedence

  1. Enterprise Service Agreement
  2. This DPA
  3. Terms of Use
  4. Privacy Policy

3. Roles and Responsibilities

3.1 Controller Obligations

  • Comply with applicable data protection laws
  • Ensure lawful basis for Processing
  • Provide proper notices to Data Subjects
  • Obtain required consents
  • Limit transfers to necessary Personal Data
  • Inform Processor of Processing restrictions

3.2 Processor Obligations

  • Process Personal Data only on documented Controller instructions
  • Ensure confidentiality of authorised personnel
  • Implement appropriate security measures
  • Assist in responding to Data Subject rights
  • Assist with compliance obligations
  • Delete or return data upon termination
  • Allow audits and provide compliance documentation

3.3 Prohibited Processing

  • No Processing beyond Controller’s instructions
  • No transfers without safeguards
  • No selling or using data beyond service provision
  • No retention longer than necessary

4. Details of Processing

4.1 Nature and Purpose

Purpose: Delivering online educational services.

Nature: Registration, progress tracking, communication, analytics, payment processing (via third parties).

4.2 Duration

  • During active account usage
  • Retention as per Privacy Policy and legal requirements
  • As instructed for enterprise accounts

4.3 Types of Personal Data

  • Identity data
  • Contact data
  • Technical data
  • Usage data
  • Profile and preference data
  • Financial data (via third-party processors)
  • Employment data (enterprise users)

4.4 Categories of Data Subjects

  • Healthcare and wellness professionals
  • Enterprise employees
  • Administrative users
  • Faculty and content creators
  • Prospective students

4.5 Sensitive Data

We do not request special category data. If voluntarily shared, it is processed under strict minimisation and confidentiality.

5. Sub-Processors

5.1 Authorised Sub-Processors

  • Infrastructure: AWS, Google Cloud
  • Communications: SendGrid/Twilio, Mailchimp, Intercom
  • Analytics: Google Analytics, Mixpanel
  • Payments: Stripe, PayPal
  • Video Hosting: Vimeo, YouTube
  • Productivity: Zendesk, Google Workspace

5.2 Sub-Processor Obligations

  • Bound by equivalent data protection obligations
  • Implement appropriate safeguards
  • Process data only on Processor’s instructions
  • Permit audits where required

5.3 Changes to Sub-Processors

  • 30 days’ prior notice for new sub-processors
  • Controller may object within 14 days
  • Alternative solutions discussed if objection upheld

6. Data Subject Rights

6.1 Assistance with Requests

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

6.2 Request Handling

Individual Users: Contact Processor directly.

Enterprise Users: Requests forwarded to Controller; Processor assists where required.

6.3 Response Time

  • Acknowledgement within 3 business days
  • Fulfilment within statutory timeframes

7. Security Measures

7.1 Technical Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control
  • Multi-factor authentication for admin access
  • Firewalls, IDS/IPS, DDoS protection
  • Regular vulnerability scanning and penetration testing

7.2 Organisational Measures

  • Background checks
  • Confidentiality agreements
  • Security awareness training
  • Incident response and business continuity plans
  • Vendor risk management

7.3 Security Standards Compliance

  • ISO 27001
  • SOC 2 Type II
  • Cloud security best practices

8. Data Breach Notification

8.1 Breach Definition

  • Unauthorised access, loss, alteration, or disclosure

8.2 Notification Obligations

To Controller: Within 24 hours, including details of the breach, the affected data, the consequences, and the mitigation steps taken.

To Supervisory Authority: Controller responsibility (Processor assists).

To Data Subjects: Controller decides; Processor supports.

8.3 Investigation and Mitigation

  • Immediate investigation
  • Mitigation and containment
  • Documentation and evidence preservation
  • Cooperation with Controller and authorities

9. International Data Transfers

9.1 Transfer Mechanisms

  • EEA/UK transfers permitted under adequacy decisions
  • Standard Contractual Clauses for third countries
  • Supplementary safeguards as needed

9.2 Sub-Processor Transfers

  • Sub-processors bound by SCCs or equivalent
  • Documented transfer mechanisms

9.3 US Data Transfers

  • SCCs with US organisations
  • Supplementary safeguards
  • Ongoing review of legal landscape

10. Audits and Compliance

10.1 Audit Rights

  • Controller may request compliance information
  • Controller may conduct audits

10.2 Audit Process

  • 30 days’ notice (unless breach suspected)
  • During business hours
  • Minimising disruption
  • Confidentiality obligations apply

10.3 Compliance Documentation

  • ISO/SOC reports
  • Security policies
  • Sub-processor agreements
  • Transfer documentation

11. Data Deletion and Return

11.1 End of Service

  • Controller may request return or deletion of all Personal Data
  • Completed within 30 days
  • Certification provided if requested

11.2 Exceptions to Deletion

  • Legal obligations
  • Backup retention (auto-deleted per schedule)

11.3 Individual User Account Deletion

  • Self-service deletion or email request
  • Completed within 30 days

12. Liability and Indemnification

12.1 Liability Allocation

  • Each party liable for its own Processing
  • Processor liable only for obligations specific to processors
  • Subject to Terms of Use or Enterprise Agreement limitations

12.2 Indemnification

Processor indemnifies Controller for: Violations of this DPA, breaches of law, unauthorised Processing.

Controller indemnifies Processor for: Violations of law, unlawful instructions, failure to obtain consents.

13. Term and Termination

13.1 Term

Effective for the duration of the Services or until all Personal Data is deleted or returned.

13.2 Survival

  • Data deletion obligations
  • Confidentiality
  • Liability clauses
  • Post-termination audit rights

14. Governing Law and Jurisdiction

14.1 Applicable Law

Governed by laws of England and Wales.

14.2 Supervisory Authority

  • UK: ICO
  • EU: Controller’s national authority

15. Amendments

  • Updates for legal or processing changes
  • 30 days’ notice for material amendments
  • Controller consent required for significant changes

16. Notices and Contact

16.1 Data Protection Officer

Email: [email protected]
Phone: +44 7448 190917

16.2 Breach Notifications

Email: [email protected]
Phone: +44 7448 190917

16.3 General DPA Enquiries

Email: [email protected]

This DPA is incorporated into enterprise agreements and Terms of Use.

Last Reviewed: November 2025