Data Processing Agreement
This Data Processing Agreement forms part of the agreement between you and Create-AI Ltd for the use of the CourseAgent platform, as required under UK GDPR Article 28.
Version 1.2 - Create-AI Ltd
| Item | Detail |
|---|---|
| Version | 1.2 - Production |
| Governing law | England and Wales |
| Contact | info@courseagent.ai |
1. Definitions
- "Applicable Data Protection Law" means the UK GDPR as defined in the Data Protection Act 2018, and any other applicable data protection or privacy laws in the jurisdiction where Data Subjects are located.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transfer and deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Supervisory Authority" means, for UK processing, the Information Commissioner's Office (ICO).
2. Scope and purpose
2.1 Subject matter
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the CourseAgent platform, including the Academy LMS feature and all associated services.
2.2 Nature of processing
The Processor will process Personal Data as necessary to provide the CourseAgent platform, including:
- User account management and authentication
- Course content storage and delivery
- Learning analytics and progress tracking
- Email communication delivery
- Platform administration and support
- AI-assisted content generation
2.3 Support access
The platform provides a Support Access toggle that Controllers can enable or disable at any time via Settings - Organisation - Security.
When Support Access is enabled:
- Platform administrators may view organisation details, author lists and courses.
- Platform administrators may impersonate authors for troubleshooting.
- All access sessions are logged in the organisation's audit trail.
When Support Access is disabled:
- Platform administrators cannot access any organisation data.
- Impersonation is blocked for all authors in the organisation.
- The setting cannot be overridden by the platform team.
Impersonation sessions:
- A reason must be provided before a session can start.
- Sessions expire automatically after 60 minutes of inactivity or after 4 hours in total, whichever comes first.
- Every action is logged with dual attribution (the administrator acting and the author being impersonated).
- Password changes, account deletion and 2FA modifications are blocked for the duration of the impersonation session.
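The controls listed above (tenant-level kill switch, mandatory reason, inactivity and hard expiry, dual-attributed audit entries, and a denylist of sensitive actions) form a small policy that is easy to get subtly wrong, for example by checking the Support Access toggle only at session start. The following is an added reference model written for this page; it is not CourseAgent code and the page does not describe how the platform implements these rules. The data model, the function names, the exact action names in the denylist, and the choice to re-check the toggle on every action are assumptions made for the example.

```python
"""Reference model of time-bound, reason-required, dual-attributed support
impersonation. Added example; not CourseAgent's implementation. Data model,
names and the restricted-action set are illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(minutes=60)   # 60 minutes of inactivity (section 2.3)
MAX_SESSION = timedelta(hours=4)           # 4 hours maximum (section 2.3)
# Actions blocked while impersonating (names assumed; categories from section 2.3).
RESTRICTED_ACTIONS = frozenset({"change_password", "delete_account", "enable_2fa", "disable_2fa"})


class ImpersonationError(PermissionError):
    """Raised when the impersonation policy denies a request."""


@dataclass
class Organisation:
    org_id: str
    support_access_enabled: bool  # the Controller-managed Support Access toggle


@dataclass
class ImpersonationSession:
    admin_id: str
    author_id: str
    org_id: str
    reason: str
    started_at: datetime
    last_activity: datetime
    ended: bool = False


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, s: ImpersonationSession, action: str, now: datetime, outcome: str) -> None:
        # Dual attribution: both the real actor and the impersonated identity are stored.
        self.entries.append({
            "ts": now.isoformat(), "actor": s.admin_id, "acting_as": s.author_id,
            "org_id": s.org_id, "action": action, "outcome": outcome, "reason": s.reason,
        })


def start_impersonation(org: Organisation, admin_id: str, author_id: str,
                        reason: str, audit: AuditLog, now: datetime) -> ImpersonationSession:
    if not org.support_access_enabled:
        raise ImpersonationError("Support Access is disabled for this organisation")
    if not reason or not reason.strip():
        raise ImpersonationError("a reason is mandatory to start impersonation")
    s = ImpersonationSession(admin_id, author_id, org.org_id, reason.strip(), now, now)
    audit.record(s, "impersonation.start", now, "allowed")
    return s


def _expired(s: ImpersonationSession, now: datetime) -> bool:
    return (now - s.started_at) > MAX_SESSION or (now - s.last_activity) > INACTIVITY_LIMIT


def perform_action(s: ImpersonationSession, org: Organisation, action: str,
                   audit: AuditLog, now: datetime) -> bool:
    """Return True if the action is permitted; log and raise otherwise."""
    if s.ended:
        raise ImpersonationError("session already ended")
    # Re-check the toggle on every request so that disabling Support Access
    # terminates live sessions instead of only preventing new ones.
    if not org.support_access_enabled:
        s.ended = True
        audit.record(s, action, now, "denied:support_access_disabled")
        raise ImpersonationError("Support Access was disabled; session terminated")
    if _expired(s, now):
        s.ended = True
        audit.record(s, action, now, "denied:expired")
        raise ImpersonationError("impersonation session expired")
    if action in RESTRICTED_ACTIONS:
        # A denied sensitive action is logged but does not extend the session.
        audit.record(s, action, now, "denied:restricted")
        raise ImpersonationError(f"{action} is not permitted during impersonation")
    s.last_activity = now
    audit.record(s, action, now, "allowed")
    return True


def demo() -> list:
    """Scripted scenario on constructed data; returns the resulting audit entries."""
    t0 = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
    org = Organisation("org-1", support_access_enabled=True)
    audit = AuditLog()
    s = start_impersonation(org, "admin-7", "author-42", "ticket 1234: publish fails", audit, t0)
    perform_action(s, org, "view_course", audit, t0 + timedelta(minutes=30))
    for attempt, when in (("change_password", 31), ("view_course", 91)):
        try:
            perform_action(s, org, attempt, audit, t0 + timedelta(minutes=when))
        except ImpersonationError:
            pass
    return audit.entries


if __name__ == "__main__":
    for e in demo():
        print(e["ts"], e["actor"], "as", e["acting_as"], e["action"], e["outcome"])
```

Two details matter more than the rest: the inactivity timer is only advanced by allowed actions, so a burst of denied requests cannot keep a session alive, and the audit entry carries the administrator's own identity alongside the impersonated author's, which is what makes "dual attribution" reviewable after the fact.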
2.4 Duration
This DPA shall remain in effect for the duration of the main service agreement between the parties.
3. Categories of data and data subjects
3.1 Categories of data subjects
| Category | Description |
|---|---|
| Course Authors | Employees or contractors who create course content |
| Learners | Individuals who access courses via Academy portals |
| Organisation Administrators | Master Admins and team managers |
3.2 Types of personal data
| Data type | Examples | Sub-processors |
|---|---|---|
| Identity data | Names, job titles, profile photos | Supabase |
| Contact data | Email addresses | Supabase, Resend |
| Account data | Login credentials, authentication tokens | Supabase |
| Usage data | Login history, feature usage, IP addresses | Supabase, Cloudflare |
| Content data | Course materials, AI prompts and outputs | Supabase, Google Cloud Vertex AI |
| Learning data | Progress, quiz scores, completion records | Supabase |
| Audio narration data | Text content submitted for narration | ElevenLabs |
| Billing data | Purchase history, subscription records | Stripe |
3.3 Special categories of personal data
The Controller must not upload special categories of Personal Data (as defined in GDPR Article 9) to the platform unless the Controller has obtained explicit consent from Data Subjects and notified the Processor in writing of the legal basis.
3.4 Learner data processing
Learner data collected through Academy portals includes email address (for authentication), learning progress and completion data, quiz scores and assessment results, and portal access logs.
Learners are not tracked across organisations. Each organisation's learner data is isolated via row-level security policies. Active learner data is retained while the organisation's subscription is active. Following account termination, learner data is deleted within 30 days unless legal retention is required.
4. Obligations of the processor
4.1 Processing instructions
The Processor shall:
- process Personal Data only on documented instructions from the Controller;
- ensure that all authorised persons have committed to confidentiality;
- implement appropriate technical and organisational security measures;
- assist the Controller in responding to Data Subject requests;
- delete or return all Personal Data at the end of the service unless retention is required by law.
4.2 Data protection impact assessments
The Processor shall assist the Controller in conducting DPIAs where required under GDPR Article 35 by providing technical and organisational security documentation within 10 business days of a written request.
4.3 Security measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 encryption for all stored data |
| Encryption in transit | TLS 1.3 for all data transmission |
| Access controls | Row-Level Security (RLS) policies in Supabase |
| Authentication | Password hashing, optional 2FA |
| Audit logging | Comprehensive action logging |
| Backups | Regular automated backups, 90-day retention |
| Role-based access | 30+ granular author permission flags |
| Incident response | Documented breach procedures (see section 8) |
5. Sub-processors
5.1 Authorisation
The Controller provides general authorisation for the Processor to engage sub-processors, subject to the conditions in this section.
5.2 Current sub-processors
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, authentication, storage | EU (primary), US (backup) | Standard Contractual Clauses, EU data residency option |
| Google Cloud Vertex AI | AI content generation (Gemini models) | United States | Standard Contractual Clauses, Google Cloud DPA, no training on customer data |
| ElevenLabs | AI audio narration | United States | Data processing addendum |
| Resend Inc. | Transactional email delivery | United States | Standard Contractual Clauses |
| Cloudflare Inc. | CDN, security, performance | Global edge network | Standard Contractual Clauses, GDPR-compliant processing |
| Vercel Inc. | Application hosting | Global | Standard Contractual Clauses |
| Stripe Inc. | Payment processing | United States, EU | PCI-DSS Level 1 certified, Standard Contractual Clauses |
5.3 Changes to sub-processors
The Processor shall notify the Controller of any intended sub-processor changes at least 30 days in advance via email to the primary contact. The Controller has 21 days to object. If no resolution is reached, the Controller may terminate the affected services.
5.4 AI processing specific terms
| Provider | Purpose | Data retention | AI training |
|---|---|---|---|
| Google Cloud Vertex AI (Gemini) | Content generation, quiz creation, translation | 30 days (trust and safety) | No customer data used for training |
| ElevenLabs | Audio narration generation | As per provider terms | As per provider terms |
6. International data transfers
Personal Data may be transferred outside the United Kingdom only where appropriate safeguards are in place, including the Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum, or the UK International Data Transfer Agreement (IDTA). Customers can configure primary data storage in EU regions where supported by sub-processors (Supabase EU region option available).
7. Data subject rights
The Processor shall assist the Controller in responding to Data Subject requests within 5 business days of receiving a written request. This includes requests to access, rectify, erase, restrict processing of, or port Personal Data.
If a Data Subject contacts the Processor directly, the Processor shall promptly redirect them to the Controller.
The Processor implements automated account lifecycle management aligned with the UK GDPR storage limitation principle - dormancy warnings at 12 months, deletion warnings at 23 months, automatic deletion at 24 months (see Privacy Policy section 6 for full detail).
8. Data breach notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach, and in any event within 24 hours where feasible and no later than 72 hours.
Initial notification (within 24 hours): preliminary notice that a breach has occurred and commitment to provide full details.
Full notification (within 72 hours): nature of breach, categories and number of Data Subjects affected, categories and number of records affected, likely consequences, measures taken or proposed.
To report a security concern to Create-AI Ltd: info@courseagent.ai (monitored and acknowledged promptly).
9. Audit rights
The Controller may verify the Processor's compliance with this DPA by requesting relevant documentation (provided within 10 business days) or by reviewing independent audit reports including SOC 2 Type II reports and penetration test summaries.
On-site audits may be conducted with a minimum of 30 days' written notice, no more than once per year unless a breach is suspected, at the Controller's expense unless material non-compliance is found.
The Processor shall provide an annual compliance summary upon request, including a summary of security measures, list of non-confidential security incidents, sub-processor changes and certifications maintained.
10. Term and termination
Upon termination or expiry of the main service agreement, the Processor shall, at the Controller's choice, return or delete all Personal Data within 30 days. The following data may be retained where required by law:
| Data type | Retention period | Basis |
|---|---|---|
| Audit logs | 12 months post-termination | Security / legitimate interest |
| Financial records | 7 years | UK tax law |
| Backup copies | Up to 90 days (natural rotation) | Operational necessity |
| AI provider data | Up to 30 days (provider retention) | Trust and safety |
All retained data remains subject to this DPA's confidentiality provisions and is isolated from active systems. Upon request, the Processor shall certify in writing that deletion has been completed.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the main service agreement. Each party shall indemnify the other for losses arising directly from its breach of this DPA or Applicable Data Protection Law.
12. General provisions
This DPA is governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction. In the event of conflict between this DPA and the main service agreement, this DPA shall prevail regarding data protection matters. This DPA may be amended by the Processor to reflect changes in Applicable Data Protection Law with 30 days' notice to the Controller.
13. Contact information
Create-AI Ltd has not appointed a Data Protection Officer as it is not required under GDPR Article 37. Data protection matters are managed internally by the privacy team.
Create-AI Ltd, trading as CourseAgent
Email: info@courseagent.ai
© 2026 Create-AI Ltd. All rights reserved.