Data Processing Agreement
Last Updated: January 23, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between telviro ("Company", "we", "us", or "our") and the customer ("Customer", "you", or "your") and governs the processing of personal data in connection with the services provided through telviro.online.
1. Definitions and Interpretation
In this DPA, the following terms shall have the meanings set out below:
- Controller: The entity which determines the purposes and means of processing personal data.
- Processor: The entity which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- Data Subject: An identified or identifiable natural person whose personal data is processed.
- Sub-processor: Any processor engaged by the Company to process personal data on behalf of the Customer.
- Data Protection Laws: All applicable laws and regulations relating to the processing of personal data and privacy.
2. Roles and Scope of Processing
2.1 Parties' Roles
The parties acknowledge and agree that with regard to the processing of personal data, the Customer acts as the Controller and the Company acts as the Processor.
2.2 Scope and Purpose
The Company shall process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to third countries or international organizations, unless required to do so by applicable law. The scope, nature, and purpose of processing are as follows:
- Nature of Processing: Provision of online educational services, masterclass delivery, content hosting, communication services, and related technical support.
- Purpose of Processing: To enable Customer's use of the services, including account management, course delivery, progress tracking, communication, and payment processing.
- Duration: For the term of the service agreement and as required thereafter for legal compliance.
- Types of Personal Data: Name, email address, payment information, IP addresses, usage data, course progress, communication records, and any other data provided by Customer through the services.
- Categories of Data Subjects: Customer's end users, including students, instructors, and administrative personnel.
3. Customer's Obligations
The Customer warrants and undertakes that:
- It has all necessary rights and consents to provide personal data to the Company for processing.
- It has provided all necessary notices and obtained all necessary consents from data subjects.
- Its instructions to the Company regarding personal data processing comply with all applicable Data Protection Laws.
- It shall promptly inform the Company of any changes to its processing instructions.
4. Company's Obligations
4.1 General Obligations
The Company shall:
- Process personal data only in accordance with Customer's documented instructions.
- Ensure that persons authorized to process personal data are subject to confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Notify Customer without undue delay after becoming aware of a personal data breach.
- Assist Customer in responding to requests from data subjects exercising their rights.
- Assist Customer in ensuring compliance with data protection obligations.
- Delete or return all personal data to Customer at the end of the provision of services, unless storage is required by law.
- Make available to Customer all information necessary to demonstrate compliance with this DPA.
4.2 Processing Restrictions
The Company shall not:
- Process personal data for purposes other than those specified in this DPA.
- Disclose personal data to third parties without Customer's prior written consent, except as required by law.
- Transfer personal data outside the designated processing locations without appropriate safeguards.
5. Security Measures
5.1 Technical and Organizational Measures
The Company implements appropriate technical and organizational security measures, including but not limited to:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and testing
- Network security and firewall protection
- Secure data storage and backup procedures
- Incident response and recovery procedures
- Employee training on data protection
- Physical security of data processing facilities
5.2 Security Reviews
The Company shall regularly review and update its security measures to ensure continued effectiveness and compliance with industry standards and Data Protection Laws.
6. Sub-processors
6.1 Authorization
Customer provides general authorization for the Company to engage sub-processors to assist in providing the services. The Company shall:
- Maintain a current list of sub-processors
- Notify Customer of any intended changes concerning the addition or replacement of sub-processors
- Provide Customer with the opportunity to object to such changes within fourteen days of notification
6.2 Sub-processor Requirements
The Company shall:
- Impose data protection obligations on sub-processors that provide at least the same level of protection as this DPA.
- Remain fully liable to Customer for the performance of any sub-processor's obligations.
- Ensure sub-processors are bound by written agreements requiring them to protect personal data to the standard required by Data Protection Laws.
6.3 Current Sub-processors
A list of current sub-processors is available upon request by contacting help@telviro.online.
7. Data Subject Rights
7.1 Assistance with Requests
The Company shall, to the extent legally permitted, promptly notify Customer if it receives a request from a data subject to exercise any rights under Data Protection Laws. The Company shall:
- Not respond to such requests except on Customer's documented instructions or as required by law.
- Provide reasonable assistance to Customer in responding to such requests, taking into account the nature of processing.
- Use commercially reasonable efforts to assist Customer in fulfilling its obligations to respond to data subject requests.
7.2 Data Subject Rights Include
- Right of access to personal data
- Right to rectification of inaccurate data
- Right to erasure of data
- Right to restriction of processing
- Right to data portability
- Right to object to processing
8. Data Breach Notification
8.1 Notification Requirements
In the event of a personal data breach, the Company shall:
- Notify Customer without undue delay and in any event within seventy-two hours of becoming aware of the breach.
- Provide sufficient information to enable Customer to meet any obligations to report or inform data subjects of the breach.
- Provide timely information relating to the breach as it becomes available.
8.2 Breach Information
Breach notifications shall include, where possible:
- Description of the nature of the breach, including categories and approximate numbers of data subjects and records affected
- Name and contact details of the Company's data protection contact point
- Description of the likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate potential adverse effects
9. Data Transfers
9.1 Transfer Locations
Personal data shall be processed within the United Kingdom and may be transferred to other locations as necessary to provide the services, subject to appropriate safeguards.
9.2 International Transfers
Where personal data is transferred outside the designated processing locations, the Company shall ensure that:
- Appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions.
- Customer is informed of such transfers and the safeguards applied.
- Such transfers comply with all applicable Data Protection Laws.
10. Audits and Compliance
10.1 Audit Rights
The Company shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.
10.2 Audit Process
Customer may conduct audits subject to the following conditions:
- Reasonable advance written notice of at least thirty days
- Audits shall not occur more than once per year unless required by Data Protection Laws or in response to a suspected breach
- Audits shall be conducted during business hours and shall not unreasonably interfere with Company's operations
- Customer shall bear all costs associated with such audits
- Auditors shall be bound by confidentiality obligations
11. Return and Deletion of Data
11.1 Data Return
Upon termination or expiration of the services, the Company shall, at Customer's choice:
- Return all personal data to Customer in a commonly used and machine-readable format; or
- Delete all personal data in accordance with Company's data retention procedures
11.2 Deletion Certification
Upon Customer's request, the Company shall provide written certification that all personal data has been deleted or returned, except where storage is required by applicable law.
11.3 Retention Requirements
The Company may retain personal data to the extent required by applicable law, provided that such data remains subject to the confidentiality and security obligations of this DPA.
12. Liability and Indemnification
12.1 Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service.
12.2 Indemnification
The Company shall indemnify and hold harmless Customer from any claims, damages, losses, liabilities, costs, and expenses arising from the Company's breach of this DPA, except to the extent caused by Customer's instructions or actions.
13. Term and Termination
13.1 Term
This DPA shall commence on the effective date of the Terms of Service and shall continue for as long as the Company processes personal data on behalf of Customer.
13.2 Survival
The provisions of this DPA that by their nature should survive termination shall survive, including confidentiality, liability, and data return obligations.
14. Amendments and Updates
The Company may update this DPA to reflect:
- Changes in Data Protection Laws
- Changes in processing operations
- Regulatory guidance or requirements
- Industry best practices
Material changes shall be notified to Customer with reasonable advance notice. Continued use of the services following such notification constitutes acceptance of the updated DPA.
15. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the same governing law as specified in the Terms of Service. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms of Service.
16. Contact Information
For questions or concerns regarding this Data Processing Agreement, please contact:
telviro
Westwood Equestrian, Westwood House, Sheffield Road
Sheffield S35 4JB
United Kingdom
Email: help@telviro.online
Phone: +441912004847
17. Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be replaced with a valid provision that most closely approximates the intent and economic effect of the invalid provision.
18. Entire Agreement
This DPA, together with the Terms of Service, constitutes the entire agreement between the parties concerning the processing of personal data and supersedes all prior agreements, understandings, and arrangements, whether written or oral, relating to such subject matter.