UJJI Data Processing Agreement (DPA)
Effective Date: February 2025
For the delivery of our services, you are the data controller, and we are the data processor.
1. Subject Matter of Processing
The subject matter of the processing under this contract is set out in our terms and conditions.
2. Duration of Processing
The data will be processed and/or erased in accordance with the controller’s instruction. The processor will, unless instructed otherwise, cease processing any personal data and erase such data after contract termination or upon the controller’s explicit request, in accordance with Section 10 (Data Export & Offboarding). If the controller does not request deletion, the processor will delete all personal data within sixty (60) days after termination of the service agreement.
3. Nature and Purpose of Processing
The nature and purpose of the processing are set out in our terms and conditions. Processing is limited to such matters and is conducted electronically.
4. Categories of Data Subjects and Type of Personal Data
The categories of data subjects will be Customer data and Customer User data. The type of personal data will be related to the service provided and set out in our terms and conditions.
5. Confidentiality Obligations
The Processor will:
- Maintain strict confidentiality of all personal data received, processed, or stored.
- Ensure that all employees, agents, and subprocessors handling personal data are bound by confidentiality agreements or equivalent legal obligations.
- Implement security measures to prevent unauthorized access, disclosure, or use of confidential data.
6. Obligations of the Processor
The Processor will:
- Only process personal data on the documented instructions of the controller unless required to do so by law.
- Ensure that persons authorized to process personal data have committed themselves to confidentiality.
- Take appropriate technical and organizational security measures, including encryption, access control, and regular security audits.
- Be fully liable for any damage caused by subprocessors and ensure that subprocessors are bound by the same obligations as this agreement.
- Notify the data controller of any changes to subprocessors at least fourteen (14) calendar days in advance, allowing for objections.
- Assist the controller in responding to data subjects’ rights requests and conducting data protection impact assessments.
- Delete or return all personal data to the controller within 30 days after the end of service provision. If no action is taken by the controller, the processor will delete all data within 60 days after termination.
- Make available compliance information upon request, including audit reports once per calendar year.
- Ensure an appropriate safeguard is in place for data transfers outside the UK or EEA.
- Notify the controller within 48 hours of a reportable data breach, providing all necessary assistance in fulfilling regulatory reporting obligations.
- Inform the controller if an instruction violates GDPR or other data protection laws.
- Assist the controller in fulfilling security obligations under GDPR Articles 32–36, including breach notification to Supervisory Authorities where required.
- Maintain a record of processing activities (ROPA) to demonstrate compliance with applicable laws.
7. Data Transfers & Compliance Mechanisms
The processor will:
- Ensure that data transfers outside the UK/EEA comply with GDPR Articles 44–46.
- Use Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.
8. Audit Rights
The controller may conduct audits to verify compliance with this agreement, provided that:
- Reasonable notice is given (at least 30 days in advance).
- Audits are conducted once per year unless a material breach is suspected.
9. Subprocessor Engagement
The controller authorizes the processor to use subprocessors, provided that:
- The processor notifies the controller of any new or replacement subprocessors at least 14 days in advance.
- The controller may object to changes in writing within this period.
10. Data Export & Offboarding
Upon termination of services:
- The controller may request an export of data in a structured, machine-readable format.
- If no request is made, the processor will delete all personal data within 60 days after termination.
Annex A – Description of Processing Activities
Category
Details
1. Identity of the Controller and Processor
THE CUSTOMER is the Controller (owner of the data). UJJI LTD is the Processor (responsible for handling the data under the Controller’s instructions).
2. Subject Matter of the Processing
UJJI processes personal data to provide its SaaS-based knowledge management and training platform. This includes collecting and analyzing user data to personalize training, track progress, and generate content.
3. Duration of Processing
Data is processed as long as the customer has an active contract with UJJI. After contract termination, UJJI deletes all personal data within 60 days, unless required by law to keep it longer.
4. Nature and Purpose of Processing
Nature of Processing:
Collecting (when users sign up or interact with the platform);
Storing (in cloud-based servers);
Processing (to personalize training and track progress);
Deleting (when no longer needed)
Purpose of Processing:
Delivering personalized learning experiences;
Tracking user progress and engagement;
Ensuring platform security and compliance
5. Type of Personal Data Processed
User Identity Data (name, email, job title);
Account Data (login credentials, authentication tokens);
Training Data (course completion, scores, feedback);
AI-Generated Content Data (personalized training materials);
Technical Data (IP address, browser type, device info);
6. Categories of Data Subjects
Employees and users of THE CUSTOMER;
Administrators/Leaders of THE CUSTOMER managing training programs;
UJJI Administrators supporting THE CUSTOMER;
7. Authorized Personnel
THE CUSTOMER personnel (Workforce, HR, L&D, IT teams) and UJJI staff (customer support, content support, tech)
8. Approved Subprocessors
Infrastructure:
Heroku (UJJI apps & backend hosting);
Vercel (UJJI Web App hosting);
AWS (cloud storage & infrastructure);
New Relic (performance monitoring);
Papertrail (log management);
Rollbar (error tracking);
ChatGPT API (AI-generated training content);
Eleven Labs API (voice-over for training content);
Payments (if applicable):
Stripe (payment processing)
UJJI will notify the Controller at least 14 days in advance before adding or replacing subprocessors.
9. Data Retention & Deletion
Customers can request a data export within 30 days of termination. If no request is made, UJJI deletes all data within 60 days.
If legally required, some data may be retained for compliance.