Skip to content
All governance documents

Data and Security

Data Processing Agreement

Version
1.0
Status
Live
Effective Date
13 July 2026
Review Date
13 July 2027
Policy Owner
Compliance and Accreditation Lead
Approved By
Chief Executive Officer

1. Parties and Roles

This ("DPA") forms part of the agreement between Qualitect Ltd ("Qualitect") and the customer organisation ("Customer") that uses the Qualitect platform ("the Agreement"). The Customer is the controller of Customer Content as defined in clause 4 and Qualitect processes that content only on the Customer's documented instructions. Qualitect is an independent controller of the account and administrative data described in clause 4, which it processes as set out in the Privacy Policy.

2. Subject Matter and Duration

The subject matter of this DPA is the provision of the Qualitect platform and related services. Processing continues for the term of the Agreement and the limited period after termination described in clause 10.

3. Nature and Purpose of Processing

Processing enables the Customer's authorised users to create, review, approve and export content, including AI-assisted generation, evidence ingestion and compliance checking. Where the Customer uses learning services provided by Qualitect, processing also enables the delivery of learning content to the Customer's learners and the management of their enrolment and progress. The AI Use and Transparency Policy and the Data and Content Sourcing Policy describe how generation and sourcing operate.

4. Data and Roles

Customer Content means the source materials, evidence files and other content the Customer's users upload or enter, the qualification content generated from them and any they contain. Where the Customer uses learning services provided by Qualitect, Customer Content also includes personal data, including enrolment, progress and achievement records. The Customer is the controller of Customer Content.

Account and administrative data means the data Qualitect processes to operate the platform: user account details (name, work email, organisation, role), usage and audit data (actions taken, timestamps, IP addresses) and billing records. Qualitect is an independent controller of this data.

The platform does not require . Where the Customer chooses to include special category data or criminal offence data within Customer Content, the Customer is responsible for ensuring a lawful basis, an applicable condition under Article 9 or Article 10 of UK and the minimisation of the personal data included.

5. Categories of Data Subject

The Customer's authorised users, any individuals identified in Customer Content and, where the Customer uses learning services provided by Qualitect, the Customer's learners.

6. Customer Obligations

The Customer shall ensure that its instructions to Qualitect are lawful, that it has a lawful basis for the personal data contained in Customer Content and that data subjects have been provided with any information required under UK GDPR. Where the Customer uses learning services provided by Qualitect, the Customer shall notify Qualitect if Customer Content includes personal data relating to children under 18.

7. Qualitect Obligations (UK GDPR Article 28(3))

Qualitect shall:

(a) process Customer Content only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law;

(b) ensure that persons authorised to process Customer Content are subject to obligations of confidentiality;

(c) implement the technical and organisational measures in clause 8;

(d) meet the conditions in clause 9;

(e) taking into account the nature of the processing, assist the Customer in responding to requests from data subjects exercising their rights under UK GDPR;

(f) assist the Customer with security, personal data breach notification and data protection impact assessments;

(g) notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Content;

(h) delete or return Customer Content in accordance with clause 10;

(i) make available the information necessary to demonstrate compliance with this DPA and allow for audits in accordance with clause 11;

(j) immediately inform the Customer if, in Qualitect's opinion, an instruction from the Customer infringes UK GDPR or other applicable data protection law.

8. Technical and Organisational Measures

Qualitect implements the following measures: hosting, storage and backup of Customer Content in UK AWS regions; ; ; row-level tenant isolation between customer organisations; an append-only audit log; least-privilege access to production systems. These measures are maintained under the Information Security Policy and are reviewed and updated as the platform develops, without reducing the overall level of protection.

9. Sub-processors

The Customer authorises Qualitect to use sub-processors for cloud hosting, AI generation and service delivery. The current list of sub-processors and their processing locations is maintained on the Trust and Security page at qualitect.co.uk/security. Qualitect will give the Customer 30 days' notice of any intended change to its sub-processors and the Customer may object on reasonable data protection grounds. Qualitect remains responsible for the performance of its sub-processors.

10. Return and Deletion

On termination of the Agreement, Qualitect will, at the Customer's choice, delete or return Customer Content within 30 days unless otherwise agreed in writing with the Customer, except where retention is required by law. Audit records are append-only to protect the integrity of qualification records and are retained for a minimum of seven years as described in the Data Protection Policy.

11. Audit

Qualitect will make available the information reasonably necessary to demonstrate compliance with this DPA and will allow and contribute to audits conducted by the Customer or an auditor appointed by the Customer, subject to reasonable prior notice, appropriate confidentiality obligations and a limit of one audit in any rolling twelve-month period unless a supervisory authority requires otherwise or a personal data breach affecting Customer Content has occurred. Qualitect may in the first instance satisfy an audit request by providing written responses, relevant documentation and available independent assurance reports and certifications, with further audit rights exercisable where these are reasonably insufficient. The Customer bears its own audit costs and Qualitect may charge reasonable costs for audit support beyond the provision of written responses, documentation and available independent assurance reports and certifications.

12. International Transfers

Customer Content is hosted and stored in UK AWS regions. AI generation involves the transfer of Customer Content contained in processing requests to sub-processors located outside the UK, as shown in the sub-processor list maintained on the Trust and Security page. Any such transfer relies on an approved UK transfer mechanism, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with the additional safeguards described in the Data Protection Policy.

13. Liability and Precedence

Liability under this DPA is subject to the limitations and exclusions of liability in the Terms and Conditions. In the event of conflict between this DPA and the Agreement on data protection matters, this DPA prevails.

14. Contact Information

Data protection contact: dataprotection@qualitect.co.uk
General: hello@qualitect.co.uk
Registered office: Qualitect Limited, 32 Willoughby Road, London, N8 0JG
Trading address: 8a Stafford Street, London, W1S 4RU
Website: qualitect.co.uk