Data Processing Agreement (DPA)

Effective Date: 1st April 2025 
Version: 1.1

  1. Nature and Purpose of Processing

Processor provides learning management, content delivery, learner tracking, and reporting services via the Zanda360 platform. The data processed may include user names, emails, login activity, course completions, quiz results, and certifications. This data is used solely for the purpose of delivering services and managing platform functionality. 

  1. Duration

This DPA remains in effect for as long as the Controller continues to use the Zanda360 platform and until all personal data is deleted or returned in accordance with this DPA. 

  1. Processor Obligations

The Processor shall: 

  • Process personal data only on the Controller’s documented instructions, which include actions taken by the Controller via their use of the platform and its configuration tools
  • Ensure personnel confidentiality obligations are in place
  • Maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Notify the Controller without undue delay upon becoming aware of a personal data breach, including relevant information as required under Article 33 of the UK GDPR
  • Provide reasonable assistance with data subject rights requests where applicable to the platform’s functionality
  1. Sub-processors

The Controller authorises the use of the following Sub-processors: 

  • Amazon Web Services (UK) – cloud infrastructure 
  • Transactional email delivery
  1. Security Measures

The Processor implements commercially reasonable security controls including encryption, access control, monitoring, and incident response. A summary of security measures is available upon request. Additional documentation or these measures may be provided under NDA. 

  1. Data Transfers

No personal data is transferred outside of the UK or EEA unless the Processor ensures appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. 

  1. Return or Deletion of Data

Upon termination of services, Controller data will be deleted from the platform unless required to be retained by law. Export may be requested before termination in a commonly used machine-readable format. 

  1. Audit Rights

Processor will provide summary information to demonstrate compliance upon reasonable request. External audits may be permitted only where required by law and agreed in advance in writing with reasonable notice and scope. 

  1. Governing Law

This DPA is governed by the laws of England and Wales. 

  1. Contact

Questions about this DPA should be directed to: Terry Simmons, CEO, terry@elearningplus.co.uk. Alternatively, you may contact us via info@elearningplus.co.uk.