Coursebricks Ltd — Data Processing Agreement (DPA)
Effective date: 31 Aug 2025
1. Parties
This Data Processing Agreement ("Agreement") is entered into between [Customer Name] (the "Controller") and Coursebricks Ltd (the "Processor"). This Agreement forms part of the SaaS Subscription Agreement between the parties.
2. Subject matter & duration
The Processor shall process Personal Data on behalf of the Controller for the purpose of providing the Coursebricks training management service. The Agreement is effective for the duration of the Controller’s subscription and until all Personal Data has been deleted or returned.
3. Nature & purpose of processing
- Hosting and maintaining the Coursebricks platform.
- Storing, organising and securing training provider data.
- Providing reporting, analytics and integrations authorised by the Controller.
- Customer support and incident resolution.
4. Categories of data subjects
Customer employees (administrators, trainers and staff) and Customer end clients / learners.
5. Types of personal data
- Identification: name, email address, job title.
- Contact details: phone number, organisation.
- Training-related records: enrollments, attendance and certificates.
- Billing & payment details (processed via sub-processor such as Stripe).
6. Sub-processors
The Controller authorises the Processor to engage the following sub-processors:
| Sub-Processor | Service | Location | Notes |
|---|---|---|---|
| Vercel | Hosting frontend & serverless functions | EU | GDPR-compliant; DPA available |
| AWS S3 | File storage (uploads, certificates) | EU (Ireland/Frankfurt) | GDPR-compliant; DPA available |
| Neon | Managed Postgres database | EU | GDPR-compliant |
| Upstash / Redis | Caching / queues | EU | GDPR-compliant |
| Stripe | Payment processing | EU / EEA | GDPR-compliant |
| Xero | Accounting & invoicing | EU / UK | GDPR-compliant |
Processor will notify Controller of changes to sub-processors.
7. Processor obligations
- Process Personal Data only on documented Controller instructions.
- Ensure staff confidentiality obligations.
- Implement appropriate technical & organisational measures.
- Assist Controller with data subject requests.
- Notify Controller of personal data breaches without undue delay.
8. International transfers
Personal data is stored and processed in the EU. Where transfers outside the EU/UK occur, Processor will ensure appropriate safeguards such as Standard Contractual Clauses or adequacy mechanisms are in place.
9. Data subject rights
Processor shall, to the extent possible, assist the Controller with responding to requests to access, rectify, erase, restrict or port personal data.
10. Deletion & return of data
Upon termination of services, Processor will delete or return personal data within 30 days, unless required to retain data by law.
11. Liability
Liability shall be governed by the underlying SaaS Subscription Agreement and applicable data protection law.
12. Governing law
This Agreement is governed by the laws of England & Wales.
Annex I — Details of Processing
Controller: [Customer Name] — Processor: Coursebricks Ltd
- Data categories: staff data, learner data, training metadata.
- Purposes: provision of the SaaS training management system.
- Duration: subscription period + 30 days post-termination.
Contact: yousef@coursebricks.io