Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between AMC Academy Tech (“Processor”, “we”, “our”, “us”) and the client organisation (“Controller”, “you”) for the provision of training and related services. It sets out the terms under which we process personal data on your behalf in accordance with the UK General Data Protection Regulation (UK‑GDPR) and the Data Protection Act 2018.

1. Subject Matter & Duration

This DPA applies to all processing of personal data carried out by AMC Academy Tech on behalf of the Controller in connection with the delivery of training, LMS services, assessments, and related activities. The DPA remains in force for the duration of the underlying service agreement and until all personal data has been deleted or returned in accordance with Section 10.

2. Nature & Purpose of Processing

We process personal data solely for the purpose of delivering training services, managing LMS access, administering assessments and certifications, and providing agreed reporting and support to the Controller.

3. Types of Personal Data & Data Subjects

Categories of data subjects may include:

Types of personal data may include:

4. Processor Obligations

We shall:

5. Controller Obligations

The Controller is responsible for:

6. Sub‑Processors

We may engage third‑party sub‑processors (such as hosting providers, LMS vendors, or communication platforms) to support the delivery of services. We shall:

7. International Transfers

Where personal data is transferred outside the UK or EEA, we shall ensure that appropriate safeguards are in place, such as standard contractual clauses or equivalent mechanisms, in accordance with applicable data protection laws.

8. Security Measures

We implement technical and organisational measures appropriate to the risk, including secure hosting, encryption in transit, access controls, activity logging, and regular security reviews. Further details may be provided in technical documentation or upon reasonable request.

9. Data Subject Rights & Assistance

Taking into account the nature of the processing, we will assist the Controller, where reasonably possible, in fulfilling obligations to respond to requests from data subjects (such as access, rectification, deletion, or objection), and in meeting other compliance obligations under UK‑GDPR.

10. Data Retention, Return & Deletion

Upon termination of the services, or upon written request from the Controller, we shall delete or return personal data processed on behalf of the Controller, unless retention is required by law or for legitimate defence of legal claims. Aggregated or anonymised data that does not identify individuals may be retained for statistical or analytical purposes.

11. Audit & Compliance

Upon reasonable notice and during normal business hours, the Controller may request information necessary to demonstrate compliance with this DPA. Where appropriate, this may include reviewing relevant documentation or third‑party certifications. Any on‑site audits shall be subject to separate agreement on scope, timing, and cost.

12. Personal Data Breach

In the event of a personal data breach affecting data processed on behalf of the Controller, we shall:

13. Priority & Changes

In the event of any conflict between this DPA and the underlying service agreement, this DPA shall prevail with respect to data protection matters. We may update this DPA to reflect changes in law or our processing activities; material changes will be communicated to the Controller where practicable.

14. Contact

For questions about this DPA or data protection matters, please contact:
info@amcacademy.tech