Data Processing Agreement

Version 2026-05-29

⚠️ Template starting point covering GDPR Art. 28 essentials. Have a qualified lawyer review and finalise before relying on it.

This Data Processing Agreement ("DPA") forms part of the agreement between the course creator / tenant ("Controller") and The Social Target ("Processor") for use of the platform.

1. Roles

The Controller determines the purposes and means of processing end-user personal data. The Processor processes that data only on the Controller's documented instructions, including this DPA.

2. Scope of processing

  • Subject matter: operation of the course/membership platform
  • Duration: for the term of the service agreement
  • Nature & purpose: hosting, payments, email, analytics, access control
  • Data subjects: the Controller's students and leads
  • Data categories: identity, contact, purchase, usage, and marketing data

3. Processor obligations

  • process only on documented instructions
  • ensure personnel are bound by confidentiality
  • implement appropriate technical & organisational security measures
  • assist the Controller with data-subject requests and breach notification
  • delete or return personal data at the end of the engagement

4. Sub-processors

The Controller authorises the use of the sub-processors listed at /legal/subprocessors. The Processor remains responsible for their compliance and will give notice of changes.

5. International transfers

Where personal data is transferred outside the EEA, the transfer relies on EU Standard Contractual Clauses or another valid safeguard.

6. Security

Measures include encryption in transit, access controls, audit logging, least-privilege access, and regular backups (point-in-time recovery).

7. Breach notification

The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data.

8. Audit

The Processor will make available information necessary to demonstrate compliance and allow for reasonable audits by the Controller.

9. Deletion

On termination, the Processor deletes or returns all Controller personal data, save where retention is required by law.