Data Processing Agreement

Last updated: 16 March 2026

Pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679

This Data Processing Agreement ("DPA") forms part of the agreement between Cyber Learning Hub ("Processor", "we", "us") and the customer organisation ("Controller", "you") that subscribes to our cyber awareness training platform (the "Services"). This DPA governs the processing of personal data that the Controller provides to, or that is collected by, the Processor in connection with the Services.

By using the Services, the Controller agrees to this DPA. If you require a countersigned copy, contact us.

1. Definitions

In this DPA:

  • "Data Protection Laws" means the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA), the Australian Privacy Act 1988 and any other applicable data protection legislation;
  • "Personal Data" has the meaning given in the GDPR (Article 4(1));
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed;
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller;
  • "Services" means the Cyber Learning Hub platform, training modules, phishing assessments and related features.

2. Roles & Responsibilities

The Controller (customer organisation) determines the purposes and means of processing Personal Data and is responsible for the lawful basis of processing, including obtaining any necessary consents from employees enrolled in the Services.

The Processor (Cyber Learning Hub) processes Personal Data solely on documented instructions from the Controller and only as necessary to provide the Services.

3. Categories of Data Processed

Category        | Data Elements                                          | Purpose
----------------|--------------------------------------------------------|------------------------------------------------------------
Identity data   | Employee full names                                    | Training enrolment, certificate generation
Contact data    | Email addresses                                        | Account access, magic-link authentication, notifications
Training data   | Quiz scores, completion dates, certificate IDs         | Progress tracking, evidence packs, compliance reporting
Assessment data | Phishing simulation responses, risk scores             | Baseline assessment, insurer evidence
Billing data    | Company name, admin email, payment details (via Stripe) | Subscription management, invoicing
Technical data  | IP address, browser type, access timestamps            | Security, analytics (with consent), debugging

Data Subjects: Employees and administrators of the Controller organisation who use the Services.

4. Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data outside the EEA;
  • Not process Personal Data for any purpose other than delivering the Services;
  • Immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws;
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage the sub-processors listed in our Sub-Processor Registry. As of the date of this DPA, the authorised sub-processors are:

Sub-processor     | Purpose                              | Location
------------------|--------------------------------------|-----------------------------
Stripe, Inc.      | Payment processing                   | United States
Resend, Inc.      | Transactional email delivery         | United States
Cloudflare, Inc.  | Hosting, CDN, database & security    | United States (global edge)
Google LLC        | Website analytics (consent-gated)    | United States

The Processor shall notify the Controller of any intended changes to sub-processors by updating the Sub-Processor Registry at least 14 days before engaging a new sub-processor. The Controller may object by contacting us within that period.

The Processor shall impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA.

6. Security Measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit — all data transmitted via TLS 1.2 or higher;
  • Encryption at rest — database and backups encrypted using AES-256 (Cloudflare D1);
  • Access controls — magic-link authentication for admin access; no shared passwords;
  • Infrastructure security — DDoS protection, WAF and edge security via Cloudflare;
  • No card storage — payment card data is processed exclusively by Stripe (PCI DSS Level 1);
  • Minimal data collection — we collect only the data necessary to deliver the Services;
  • Analytics consent — Google Analytics fires only after explicit user consent via our cookie banner;
  • Regular review — security measures are reviewed periodically and updated as appropriate.

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:

  • Right of access — Data Subjects may request a copy of their Personal Data. The Controller can export training and assessment data from the admin dashboard;
  • Right to rectification — inaccurate data can be corrected through the admin dashboard or by contacting us;
  • Right to erasure — the Controller may request deletion of employee data by contacting us. We will action deletion requests within 30 days;
  • Right to data portability — training records can be exported in CSV format via the admin dashboard;
  • Right to restrict processing — upon request, we will restrict processing to storage only;
  • Right to object — the Controller may object to processing at any time by contacting us.

If the Processor receives a request directly from a Data Subject, it shall promptly redirect the request to the Controller unless legally required to respond directly.

8. Breach Notification

In the event of a Personal Data breach (as defined in GDPR Article 4(12)), the Processor shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach;
  • Provide sufficient information to enable the Controller to meet its own notification obligations to supervisory authorities and Data Subjects;
  • Include in the notification: (a) the nature of the breach, (b) categories and approximate number of Data Subjects affected, (c) likely consequences, and (d) measures taken or proposed to mitigate the breach;
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation and remediation of the breach;
  • Not notify any third party of a breach without the Controller's prior written consent, unless legally required to do so.

9. International Data Transfers

Cyber Learning Hub operates infrastructure in the United States and Australia. Personal Data may be transferred to, and processed in, countries outside the EEA. Where such transfers occur, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Adequacy decisions where applicable;
  • Binding contractual commitments with sub-processors.

If required, the Controller may request a copy of the applicable transfer mechanism by contacting us.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for, and contribute to, audits and inspections conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide at least 30 days' written notice of any audit request.

11. Data Retention & Deletion

Upon termination of the Services or upon written request from the Controller, the Processor shall:

  • Delete or return all Personal Data to the Controller within 30 days;
  • Delete existing copies unless applicable law requires retention;
  • Confirm deletion in writing upon request.

During the term of the Services, training and assessment data is retained for as long as the Controller's account is active, to support ongoing compliance reporting.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the main service agreement between the parties (the Terms of Service).

13. Term & Termination

This DPA shall remain in effect for the duration of the Controller's use of the Services. Obligations relating to confidentiality, data deletion and cooperation with authorities shall survive termination.

14. Governing Law

This DPA is governed by the laws applicable to the main service agreement. For matters specifically relating to GDPR compliance, the laws of the European Union shall apply to the extent required.

15. Contact

For questions about this DPA, to request a countersigned copy, or to exercise any rights under this agreement, please contact us.

See also: Privacy Policy · Sub-Processor Registry · Terms of Service · Disclaimer