Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between AMC Academy Tech (“Processor”, “we”, “our”, “us”) and the client organisation (“Controller”, “you”) for the provision of training and related services. It sets out the terms under which we process personal data on your behalf in accordance with the UK General Data Protection Regulation (UK‑GDPR) and the Data Protection Act 2018.
1. Subject Matter & Duration
This DPA applies to all processing of personal data carried out by AMC Academy Tech on behalf of the Controller in connection with the delivery of training, LMS services, assessments, and related activities. The DPA remains in force for the duration of the underlying service agreement and until all personal data has been deleted or returned in accordance with Section 10.
2. Nature & Purpose of Processing
We process personal data solely for the purpose of delivering training services, managing LMS access, administering assessments and certifications, and providing agreed reporting and support to the Controller.
3. Types of Personal Data & Data Subjects
Categories of data subjects may include:
- Learners, employees, contractors, or other personnel nominated by the Controller.
- Authorised representatives such as training managers or administrators.
Types of personal data may include:
- Identity data (name, email, role, organisation, department, vessel or unit).
- Account data (usernames, enrolments, access logs).
- Training and assessment data (course progress, scores, feedback, completion status).
- Certification data (certificates issued, dates, validity, verification records).
- Technical data (IP address, device type, browser information, access timestamps).
4. Processor Obligations
We shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures to protect personal data.
- Assist the Controller in meeting data subject rights and compliance obligations where reasonably possible.
- Notify the Controller without undue delay after becoming aware of a personal data breach.
5. Controller Obligations
The Controller is responsible for:
- Ensuring that all personal data provided to AMC Academy Tech is collected lawfully.
- Providing appropriate privacy information to data subjects.
- Determining the lawful basis for processing and the purposes of processing.
- Managing internal access to reports and training data shared by AMC Academy Tech.
6. Sub‑Processors
We may engage third‑party sub‑processors (such as hosting providers, LMS vendors, or communication platforms) to support the delivery of services. We shall:
- Use only sub‑processors that provide sufficient guarantees of data protection.
- Ensure sub‑processors are bound by written agreements with data protection obligations no less protective than this DPA.
- Remain responsible for the actions of sub‑processors in relation to personal data.
7. International Transfers
Where personal data is transferred outside the UK or EEA, we shall ensure that appropriate safeguards are in place, such as standard contractual clauses or equivalent mechanisms, in accordance with applicable data protection laws.
8. Security Measures
We implement technical and organisational measures appropriate to the risk, including secure hosting, encryption in transit, access controls, activity logging, and regular security reviews. Further details may be provided in technical documentation or upon reasonable request.
9. Data Subject Rights & Assistance
Taking into account the nature of the processing, we will assist the Controller, where reasonably possible, in fulfilling obligations to respond to requests from data subjects (such as access, rectification, deletion, or objection), and in meeting other compliance obligations under UK‑GDPR.
10. Data Retention, Return & Deletion
Upon termination of the services, or upon written request from the Controller, we shall delete or return personal data processed on behalf of the Controller, unless retention is required by law or for the legitimate defence of legal claims. Aggregated or anonymised data that does not identify individuals may be retained for statistical or analytical purposes.
11. Audit & Compliance
Upon reasonable notice and during normal business hours, the Controller may request information necessary to demonstrate compliance with this DPA. Where appropriate, this may include reviewing relevant documentation or third‑party certifications. Any on‑site audits shall be subject to separate agreement on scope, timing, and cost.
12. Personal Data Breach
In the event of a personal data breach affecting data processed on behalf of the Controller, we shall:
- Notify the Controller without undue delay after becoming aware of the breach.
- Provide available information to help the Controller assess impact and meet notification obligations.
- Take reasonable steps to mitigate the effects and prevent recurrence.
13. Priority & Changes
In the event of any conflict between this DPA and the underlying service agreement, this DPA shall prevail with respect to data protection matters. We may update this DPA to reflect changes in law or our processing activities; material changes will be communicated to the Controller where practicable.
14. Contact
For questions about this DPA or data protection matters, please contact:
info@amcacademy.tech