[{"data":1,"prerenderedAt":69},["ShallowReactive",2],{"policy-data-processing-agreement":3},{"html":4,"meta":5,"toc":24,"summary":67,"error":68},"\n\u003Ch2 id=\"1-parties-and-roles\">1. Parties and Roles\u003C\u002Fh2>\n\u003Cp>This \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"data-processing-agreement\" data-glossary-term=\"Data Processing Agreement\" aria-label=\"Definition: Data Processing Agreement\">Data Processing Agreement\u003C\u002Fbutton> (\"DPA\") forms part of the agreement between Qualitect Ltd (\"Qualitect\") and the customer organisation (\"Customer\") that uses the Qualitect platform (\"the Agreement\"). The Customer is the controller of Customer Content as defined in clause 4 and Qualitect processes that content only on the Customer's documented instructions. Qualitect is an independent controller of the account and administrative data described in clause 4, which it processes as set out in the Privacy Policy.\u003C\u002Fp>\n\u003Ch2 id=\"2-subject-matter-and-duration\">2. Subject Matter and Duration\u003C\u002Fh2>\n\u003Cp>The subject matter of this DPA is the provision of the Qualitect platform and related services. Processing continues for the term of the Agreement and the limited period after termination described in clause 10.\u003C\u002Fp>\n\u003Ch2 id=\"3-nature-and-purpose-of-processing\">3. Nature and Purpose of Processing\u003C\u002Fh2>\n\u003Cp>Processing enables the Customer's authorised users to create, review, approve and export \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"qualification\" data-glossary-term=\"Qualification\" aria-label=\"Definition: Qualification\">qualification\u003C\u002Fbutton> content, including AI-assisted generation, evidence ingestion and compliance checking. Where the Customer uses learning services provided by Qualitect, processing also enables the delivery of learning content to the Customer's learners and the management of their enrolment and progress. The AI Use and Transparency Policy and the Data and Content Sourcing Policy describe how generation and sourcing operate.\u003C\u002Fp>\n\u003Ch2 id=\"4-data-and-roles\">4. Data and Roles\u003C\u002Fh2>\n\u003Cp>Customer Content means the source materials, evidence files and other content the Customer's users upload or enter, the qualification content generated from them and any \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"personal-data\" data-glossary-term=\"Personal data\" aria-label=\"Definition: Personal data\">personal data\u003C\u002Fbutton> they contain. Where the Customer uses learning services provided by Qualitect, Customer Content also includes \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"learner\" data-glossary-term=\"Learner\" aria-label=\"Definition: Learner\">learner\u003C\u002Fbutton> personal data, including enrolment, progress and achievement records. The Customer is the controller of Customer Content.\u003C\u002Fp>\n\u003Cp>Account and administrative data means the data Qualitect processes to operate the platform: user account details (name, work email, organisation, role), usage and audit data (actions taken, timestamps, IP addresses) and billing records. Qualitect is an independent controller of this data.\u003C\u002Fp>\n\u003Cp>The platform does not require \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"special-category-data\" data-glossary-term=\"Special category data\" aria-label=\"Definition: Special category data\">special category data\u003C\u002Fbutton>. Where the Customer chooses to include special category data or criminal offence data within Customer Content, the Customer is responsible for ensuring a lawful basis, an applicable condition under Article 9 or Article 10 of UK \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"gdpr\" data-glossary-term=\"GDPR\" aria-label=\"Definition: GDPR\">GDPR\u003C\u002Fbutton> and the minimisation of the personal data included.\u003C\u002Fp>\n\u003Ch2 id=\"5-categories-of-data-subject\">5. Categories of Data Subject\u003C\u002Fh2>\n\u003Cp>The Customer's authorised users, any individuals identified in Customer Content and, where the Customer uses learning services provided by Qualitect, the Customer's learners.\u003C\u002Fp>\n\u003Ch2 id=\"6-customer-obligations\">6. Customer Obligations\u003C\u002Fh2>\n\u003Cp>The Customer shall ensure that its instructions to Qualitect are lawful, that it has a lawful basis for the personal data contained in Customer Content and that data subjects have been provided with any information required under UK GDPR. Where the Customer uses learning services provided by Qualitect, the Customer shall notify Qualitect if Customer Content includes personal data relating to children under 18.\u003C\u002Fp>\n\u003Ch2 id=\"7-qualitect-obligations-uk-gdpr-article-28-3\">7. Qualitect Obligations (UK GDPR Article 28(3))\u003C\u002Fh2>\n\u003Cp>Qualitect shall:\u003C\u002Fp>\n\u003Cp>(a) process Customer Content only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law;\u003C\u002Fp>\n\u003Cp>(b) ensure that persons authorised to process Customer Content are subject to obligations of confidentiality;\u003C\u002Fp>\n\u003Cp>(c) implement the technical and organisational measures in clause 8;\u003C\u002Fp>\n\u003Cp>(d) meet the \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"sub-processor\" data-glossary-term=\"Sub-processor\" aria-label=\"Definition: Sub-processor\">sub-processor\u003C\u002Fbutton> conditions in clause 9;\u003C\u002Fp>\n\u003Cp>(e) taking into account the nature of the processing, assist the Customer in responding to requests from data subjects exercising their rights under UK GDPR;\u003C\u002Fp>\n\u003Cp>(f) assist the Customer with security, personal data breach notification and data protection impact assessments;\u003C\u002Fp>\n\u003Cp>(g) notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Content;\u003C\u002Fp>\n\u003Cp>(h) delete or return Customer Content in accordance with clause 10;\u003C\u002Fp>\n\u003Cp>(i) make available the information necessary to demonstrate compliance with this DPA and allow for audits in accordance with clause 11;\u003C\u002Fp>\n\u003Cp>(j) immediately inform the Customer if, in Qualitect's opinion, an instruction from the Customer infringes UK GDPR or other applicable data protection law.\u003C\u002Fp>\n\u003Ch2 id=\"8-technical-and-organisational-measures\">8. Technical and Organisational Measures\u003C\u002Fh2>\n\u003Cp>Qualitect implements the following measures: hosting, storage and backup of Customer Content in UK AWS regions; \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"encryption-at-rest-and-in-transit\" data-glossary-term=\"Encryption at rest and in transit\" aria-label=\"Definition: Encryption at rest and in transit\">encryption at rest and in transit\u003C\u002Fbutton>; \u003Cbutton type=\"button\" class=\"q-glossary-trigger\" data-glossary-slug=\"role-based-access-control\" data-glossary-term=\"Role-based access control\" aria-label=\"Definition: Role-based access control\">role-based access control\u003C\u002Fbutton>; row-level tenant isolation between customer organisations; an append-only audit log; least-privilege access to production systems. These measures are maintained under the Information Security Policy and are reviewed and updated as the platform develops, without reducing the overall level of protection.\u003C\u002Fp>\n\u003Ch2 id=\"9-sub-processors\">9. Sub-processors\u003C\u002Fh2>\n\u003Cp>The Customer authorises Qualitect to use sub-processors for cloud hosting, AI generation and service delivery. The current list of sub-processors and their processing locations is maintained on the Trust and Security page at qualitect.co.uk\u002Fsecurity. Qualitect will give the Customer 30 days' notice of any intended change to its sub-processors and the Customer may object on reasonable data protection grounds. Qualitect remains responsible for the performance of its sub-processors.\u003C\u002Fp>\n\u003Ch2 id=\"10-return-and-deletion\">10. Return and Deletion\u003C\u002Fh2>\n\u003Cp>On termination of the Agreement, Qualitect will, at the Customer's choice, delete or return Customer Content within 30 days unless otherwise agreed in writing with the Customer, except where retention is required by law. Audit records are append-only to protect the integrity of qualification records and are retained for a minimum of seven years as described in the Data Protection Policy.\u003C\u002Fp>\n\u003Ch2 id=\"11-audit\">11. Audit\u003C\u002Fh2>\n\u003Cp>Qualitect will make available the information reasonably necessary to demonstrate compliance with this DPA and will allow and contribute to audits conducted by the Customer or an auditor appointed by the Customer, subject to reasonable prior notice, appropriate confidentiality obligations and a limit of one audit in any rolling twelve-month period unless a supervisory authority requires otherwise or a personal data breach affecting Customer Content has occurred. Qualitect may in the first instance satisfy an audit request by providing written responses, relevant documentation and available independent assurance reports and certifications, with further audit rights exercisable where these are reasonably insufficient. The Customer bears its own audit costs and Qualitect may charge reasonable costs for audit support beyond the provision of written responses, documentation and available independent assurance reports and certifications.\u003C\u002Fp>\n\u003Ch2 id=\"12-international-transfers\">12. International Transfers\u003C\u002Fh2>\n\u003Cp>Customer Content is hosted and stored in UK AWS regions. AI generation involves the transfer of Customer Content contained in processing requests to sub-processors located outside the UK, as shown in the sub-processor list maintained on the Trust and Security page. Any such transfer relies on an approved UK transfer mechanism, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with the additional safeguards described in the Data Protection Policy.\u003C\u002Fp>\n\u003Ch2 id=\"13-liability-and-precedence\">13. Liability and Precedence\u003C\u002Fh2>\n\u003Cp>Liability under this DPA is subject to the limitations and exclusions of liability in the Terms and Conditions. In the event of conflict between this DPA and the Agreement on data protection matters, this DPA prevails.\u003C\u002Fp>\n\u003Ch2 id=\"14-contact-information\">14. Contact Information\u003C\u002Fh2>\n\u003Cp>\u003Cstrong>Data protection contact:\u003C\u002Fstrong> dataprotection@qualitect.co.uk\u003Cbr>\u003Cstrong>General:\u003C\u002Fstrong> hello@qualitect.co.uk\u003Cbr>\u003Cstrong>Registered office:\u003C\u002Fstrong> Qualitect Limited, 32 Willoughby Road, London, N8 0JG\u003Cbr>\u003Cstrong>Trading address:\u003C\u002Fstrong> 8a Stafford Street, London, W1S 4RU\u003Cbr>\u003Cstrong>Website:\u003C\u002Fstrong> qualitect.co.uk\u003C\u002Fp>",[6,9,12,15,18,21],{"k":7,"v":8},"Version","1.0",{"k":10,"v":11},"Status","Live",{"k":13,"v":14},"Effective Date","13 July 2026",{"k":16,"v":17},"Review Date","13 July 2027",{"k":19,"v":20},"Policy Owner","Compliance and Accreditation Lead",{"k":22,"v":23},"Approved By","Chief Executive Officer",[25,28,31,34,37,40,43,46,49,52,55,58,61,64],{"id":26,"text":27},"1-parties-and-roles","1. Parties and Roles",{"id":29,"text":30},"2-subject-matter-and-duration","2. Subject Matter and Duration",{"id":32,"text":33},"3-nature-and-purpose-of-processing","3. Nature and Purpose of Processing",{"id":35,"text":36},"4-data-and-roles","4. Data and Roles",{"id":38,"text":39},"5-categories-of-data-subject","5. Categories of Data Subject",{"id":41,"text":42},"6-customer-obligations","6. Customer Obligations",{"id":44,"text":45},"7-qualitect-obligations-uk-gdpr-article-28-3","7. Qualitect Obligations (UK GDPR Article 28(3))",{"id":47,"text":48},"8-technical-and-organisational-measures","8. Technical and Organisational Measures",{"id":50,"text":51},"9-sub-processors","9. Sub-processors",{"id":53,"text":54},"10-return-and-deletion","10. Return and Deletion",{"id":56,"text":57},"11-audit","11. Audit",{"id":59,"text":60},"12-international-transfers","12. International Transfers",{"id":62,"text":63},"13-liability-and-precedence","13. Liability and Precedence",{"id":65,"text":66},"14-contact-information","14. Contact Information","This Data Processing Agreement (\"DPA\") forms part of the agreement between Qualitect Ltd (\"Qualitect\") and the customer organisation (\"Customer\") that",false,1784287572421]