Data Processing Agreement
Last updated: 20 February 2026
1. Introduction & Parties
This Data Processing Agreement ("DPA") forms part of the agreement for services ("Principal Agreement") between:
- Exyon Ltd (Company No. 16939934), registered at Office 1, Izabella House, 24-26 Regent Place, City Centre, Birmingham, B1 3NJ ("Processor", "we", "us"); and
- The organisation agreeing to the Principal Agreement ("Controller", "you", "your").
This DPA sets out the terms on which the Processor will process Personal Data on behalf of the Controller in connection with the Services, and ensures compliance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Personal Data.
2. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined herein shall have the meanings given to them in the UK GDPR.
- "Controller" means the organisation that determines the purposes and means of the processing of Personal Data.
- "Processor" means Exyon Ltd, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Services.
- "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Services" means the services provided by the Processor to the Controller under the Principal Agreement, including the ExyonLearn and ExyonLMS platforms.
- "UK GDPR" means the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.
3. Scope & Purpose of Processing
The Processor shall process Personal Data only to the extent necessary to provide the Services under the Principal Agreement. The details of the processing are set out in Annex A.
The Processor shall not process Personal Data for any purpose other than as instructed by the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the United Kingdom, unless required to do so by applicable law.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures as set out in Annex B to ensure a level of security appropriate to the risk of the processing.
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR.
- Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits and inspections conducted by the Controller or another auditor mandated by the Controller.
- Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the UK GDPR or other applicable data protection law.
5. Sub-processing
The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in Annex C.
The Processor shall:
- Inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 30 days of notification.
- Ensure that any Sub-processor is bound by data protection obligations no less protective than those set out in this DPA by way of a written contract.
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations.
If the Controller objects to a new Sub-processor on reasonable grounds relating to data protection, the Processor shall use reasonable efforts to make available an alternative solution. If no alternative is available, the Controller may terminate the affected Services without penalty.
6. International Data Transfers
The Processor stores all primary customer data within the United Kingdom. Where any transfer of Personal Data to a country outside the United Kingdom is required, the Processor shall ensure that:
- The transfer is to a country recognised by the UK Secretary of State as providing an adequate level of data protection; or
- Appropriate safeguards are in place, including the International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office.
Encrypted backups are stored in EU data centres for disaster recovery purposes. Backup data is encrypted prior to transfer and can only be decrypted when restored to the UK-based hosting environment. The EU is recognised as providing an adequate level of data protection under UK adequacy regulations.
A transfer impact assessment shall be conducted before any new international transfer is initiated.
7. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under the UK GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's prior written instructions, unless required to do so by applicable law.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data Breach. This notification shall:
- Describe the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned.
- Communicate the name and contact details of the Processor's point of contact.
- Describe the likely consequences of the Personal Data Breach.
- Describe the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with and assist the Controller in meeting the Controller's obligation to notify the Information Commissioner's Office within 72 hours, and to communicate the breach to affected Data Subjects where required.
9. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits shall be subject to reasonable prior notice of at least 30 days and shall be conducted during normal business hours in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear such costs.
The Processor may satisfy audit requests by providing the Controller with relevant certifications, audit reports, or compliance documentation (such as Cyber Essentials certification) where these adequately address the Controller's audit requirements.
10. Term, Termination & Data Return
This DPA shall remain in effect for the duration of the Principal Agreement and for as long as the Processor processes Personal Data on behalf of the Controller.
Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller's election:
- Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- Securely delete all Personal Data and confirm deletion in writing.
The Controller shall notify the Processor of its election within 30 days of termination. If no election is made, the Processor shall securely delete the Personal Data within 90 days of termination. The Processor may retain Personal Data to the extent required by applicable law, provided it maintains confidentiality and processes it only for the purpose required by law.
11. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement, except that neither party excludes or limits liability for:
- Death or personal injury caused by negligence.
- Fraud or fraudulent misrepresentation.
- Any liability which cannot be excluded or limited by applicable law.
Nothing in this DPA limits or excludes the rights of Data Subjects or the authority of the Information Commissioner's Office.
Annex A — Processing Details
Categories of Data Subjects
- Learners and trainees enrolled by the Controller
- Staff, tutors, and administrators of the Controller
- Employer contacts associated with apprenticeship or training programmes
Types of Personal Data
- Name, email address, and contact details
- Job title, role, and organisational affiliation
- Unique learner number (ULN) and other educational identifiers
- Course enrolment, progress, assessment results, and completion records
- Login credentials (hashed) and authentication data
- IP addresses and device information (for platform access)
- Payment and billing information (where applicable)
Purposes of Processing
- Provision and administration of the learning management platform
- User account creation and authentication
- Course delivery, tracking, and assessment
- Reporting and analytics for the Controller
- Transactional email communications
- Payment processing and billing
- Platform maintenance, security monitoring, and technical support
Retention
Personal Data is retained for the duration of the Principal Agreement plus 90 days to allow for data return or deletion in accordance with Section 10. Backup copies are retained for up to 30 days following deletion from production systems. Specific retention periods may be agreed in writing between the parties.
Annex B — Technical & Organisational Measures
The Processor implements and maintains the following measures to protect Personal Data:
Encryption
- Encryption in transit using TLS 1.3
- Encryption at rest using AES-256
- Password hashing using industry-standard algorithms (bcrypt)
Access Control
- Role-based access controls enforced at application and infrastructure levels
- Multi-tenant architecture with strict data isolation between customers
- Principle of least privilege for all system access
- Regular access reviews and revocation of unnecessary permissions
Infrastructure Security
- All primary data hosted in UK data centres
- Backups encrypted at rest before transfer to geographically separate EU data centres, restorable only within the UK hosting environment
- Firewall protection and network segmentation
- Regular security patching and vulnerability management
- Cyber Essentials certified
Availability & Resilience
- Daily automated backups with 30-day retention
- Disaster recovery procedures and tested restore processes
- Monitoring and alerting for system availability and security events
Organisational Measures
- Confidentiality obligations for all personnel
- Data protection awareness and training
- Incident response procedures and breach notification processes
- Regular review and update of security policies
Annex C — Authorised Sub-processors
The following Sub-processors are authorised to process Personal Data on behalf of the Controller:
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Hostinger | Cloud infrastructure & hosting | United Kingdom |
| Brevo | Transactional email | EU |
| Stripe | Payment processing | UK/EU |
| GoCardless | Payment processing | UK/EU |
12. Contact
For questions about this DPA or to exercise any rights under it, please contact us:
- Email: [email protected]
- Address: Exyon Ltd, Office 1, Izabella House, 24-26 Regent Place, City Centre, Birmingham, B1 3NJ
See also our Privacy Policy and Terms of Service.