This DPA is incorporated by reference into the Terms of Service between you and JUPITER EDTECH LIMITED, and into any Order Form. It governs our processing of Personal Data on your behalf.
Introduction and status
This Data Processing Addendum (‘DPA’) applies when you use Jupiter to process Personal Data. For the purposes of this DPA:
- You (the Customer) are the data controller.
- We (Jupiter / JUPITER EDTECH LIMITED) are the data processor.
- Learners (your employees, contractors, and other end users) are the data subjects.
This DPA is governed by the UK GDPR (UK General Data Protection Regulation) and the Data Protection Act 2018 (DPA 2018). Where you also operate in the EU, the EU GDPR applies in parallel; this DPA satisfies both frameworks.
Definitions
For clarity in this DPA:
- Controller: The legal entity determining the purposes and means of processing (you, the customer).
- Processor: The legal entity processing personal data on the controller’s behalf (Jupiter).
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in the UK GDPR and EU GDPR.
- Data Subject: The individual to whom the personal data relates (your learner, employee, or contractor).
- Subprocessor: A third party engaged by the processor to further process personal data.
- Personal Data Breach: A breach of security leading to unauthorised or accidental access to, loss of, destruction of, or damage to personal data.
- Processing: Any operation performed on personal data (collection, recording, organisation, storage, retrieval, use, disclosure, etc.).
Scope and nature of processing
Subject matter
Jupiter processes Personal Data for the purpose of providing the Jupiter Service: specifically, the creation, delivery, and tracking of microlearning and compliance training courses.
Duration
Processing occurs for the duration of the Subscription Term set out in the Order Form, plus 60 days (the “Retention Period”) during which you may request return or deletion.
Nature of processing
We:
- Store learner profile data (name, email, job title, department, role, language preference).
- Record course enrolment, lesson completion, and quiz results.
- Log learner interaction events (lesson accessed, time spent, answers submitted).
- Analyse learner data to personalise future content and generate progress reports.
- Use learner data to train AI models that personalise content delivery (where you have explicitly authorised AI processing).
Purpose
The purpose of processing is to:
- Deliver training content to learners.
- Track learning progress and generate compliance evidence.
- Personalise content based on learner role and preferences.
- Generate reports and analytics for you.
Types of personal data
- Identification data: name, email, user ID.
- Employment data: job title, department, manager, office location, employment status.
- Interaction data: lesson access timestamps, duration, quiz responses, feedback provided.
- Behavioural data: course completion rates, learning patterns, time-of-day usage.
- Optional: phone number, address (if uploaded by you).
Categories of data subjects
- Your employees and workers.
- Contractors and agency workers.
- Temporary staff and interns.
- External stakeholders (partners, suppliers, customers) if you include them in training.
Processor obligations
As your processor, we agree to:
Process only on documented instructions
We process Personal Data only as instructed by you in writing. Instructions include:
- The contents of your Order Form and Subscription.
- The controls you configure in the Service (who can access learner data, what data to collect, reporting preferences).
- Any written request you submit to contact@m42k.com.
If we receive an instruction from a learner or third party (e.g., a data subject access request), we will not respond directly; instead, we will forward it to you and follow your instructions.
Ensure staff confidentiality and security
All personnel with access to your Personal Data are bound by confidentiality obligations equivalent to those in this DPA. We conduct security training and background checks on staff handling your data.
Implement appropriate technical and organisational measures
We maintain appropriate security measures including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Access controls: role-based access, multi-factor authentication, session timeouts.
- Audit logging of all access to Personal Data.
- Regular security assessments, vulnerability scanning, and penetration testing.
- Incident response procedures and forensic capabilities.
- Employee background checks and confidentiality agreements.
- Data minimisation: we do not collect or retain data beyond what is necessary.
- Pseudonymisation and anonymisation where feasible.
See /security for more detail on our security practices.
Assist with data subject rights
We will, at your request and within 14 days, assist you in responding to the following data subject rights:
- Access requests: Provide you with copies of personal data we hold relating to a specific data subject (via secure export).
- Rectification: Correct inaccurate personal data on receipt of your written instruction.
- Erasure: Delete personal data on your instruction, subject to legal retention obligations.
- Restriction: Restrict processing on your instruction (we will not further process the data except at your request or as required by law).
- Portability: Provide personal data in a portable format (e.g., CSV) to facilitate portability to another processor.
- Objection: Cease processing for specific purposes on your objection.
You are responsible for submitting the data subject’s request to us and providing your verified instruction. We will not verify the data subject’s identity independently.
Assist with data protection impact assessments and compliance
We will, at your request and at no additional cost:
- Provide you with information about our processing and security measures.
- Participate in data protection impact assessments (DPIAs) related to our processing.
- Provide documentation (e.g., our security certifications, audit reports).
Notify you of breaches
If we discover a Personal Data Breach affecting your data, we will notify you without undue delay and, in any case, within 48 hours of discovering the breach. Our notification will include:
- The nature of the breach.
- The approximate number of data subjects and personal data records affected.
- A description of the likely consequences.
- The measures taken or proposed to mitigate the breach.
You are then responsible for notifying affected data subjects and the ICO if required by the UK GDPR.
No onward transfers without instruction
We will not share, sell, or transfer your Personal Data to third parties except as set out in the Subprocessors section below or as required by law.
Subprocessors
Authorisation
You authorise us to engage subprocessors (third parties) to process your Personal Data as part of delivering the Service. You grant general authorisation to engage subprocessors; you do not need to consent to each new subprocessor individually, but we will provide notice as set out below.
Current subprocessors
As of the date of this DPA, we use the following subprocessors:
| Subprocessor | Location | Purpose | Data processed |
|---|---|---|---|
| Amazon Web Services (AWS) | EU (Frankfurt, primary); US (Virginia, backup) | Cloud hosting, storage | All personal data |
| Cloudflare | Global | CDN, DDoS protection | IP address, access logs |
| Resend | US | Email delivery | Email address, learner name, notification content |
| Anthropic | US | AI-based content personalisation (optional) | Learner role, course topic, interaction history (anonymised where possible) |
| Stripe | US | Payment processing | Billing address, VAT number, payment method (card last digits only) |
Note: Stripe does not process learner data. AWS, Cloudflare, and Resend process learner data only to the extent necessary to deliver the Service.
Notification of new subprocessors
If we engage a new subprocessor, we will:
- Notify you by email at least 30 days in advance.
- Describe the identity of the subprocessor, the location of processing, and the purpose.
- Describe any new risks introduced.
You have the right to object to a new subprocessor on reasonable grounds relating to data protection within 14 days of notification. If you object, we will discuss the objection in good faith. If we cannot resolve the objection, you may terminate the affected portion of the Subscription without penalty.
Subprocessor contracts
We ensure all subprocessors are bound by written contracts imposing data protection obligations at least equivalent to this DPA, including obligations around confidentiality, security, and sub-subprocessor authorisation.
International transfers
Where data is transferred
Personal Data is stored primarily in the EU (AWS Frankfurt). However, data may be transferred to the US for:
- Email delivery (Resend).
- AI-based processing (Anthropic) — optional, and only if EU-based models are unavailable.
- Backup and disaster recovery (AWS secondary region in US).
Legal mechanism
Where Personal Data is transferred to a country not covered by a UK Adequacy Decision or EU Adequacy Decision, we rely on:
- UK IDTA (International Data Transfer Addendum) for transfers under the UK GDPR to countries without a UK adequacy decision.
- EU Standard Contractual Clauses for transfers under EU GDPR to the US and other non-adequate countries.
These mechanisms ensure that the level of data protection afforded in the EU/UK is maintained in the recipient country.
Right to object
You can object to specific transfers if you have concerns. Email contact@m42k.com with details. We will discuss the objection and may be able to offer alternative processing arrangements (e.g., EU-only hosting).
Personal data breach
Notification
If we discover a Personal Data Breach, we will notify you within 48 hours. The notification will include:
- Nature of the breach (unauthorised access, accidental loss, destruction, etc.).
- Approximate number of data subjects and records affected.
- Likely consequences.
- Measures taken or proposed to contain and mitigate the breach.
We will continue to provide updates as our investigation progresses.
Your responsibility
You are responsible for:
- Determining whether notification to affected data subjects is required under the UK GDPR (generally required unless there is low risk).
- Notifying the ICO if you determine that a breach is likely to result in significant risk to the rights and freedoms of data subjects.
- Documenting the breach and your assessment.
We will provide reasonable assistance in drafting notifications and responding to regulator enquiries.
Audits and compliance
Your right to audit
You have the right to audit our processing and security measures. Audits:
- May be conducted no more than once per 12 months unless we are under investigation by a regulator.
- Must be conducted on reasonable notice (at least 14 days, or as agreed).
- Must be conducted during business hours and in a manner that does not disrupt our operations.
- Are subject to confidentiality: you and your auditors must execute a confidentiality agreement.
Our preferred approach
Rather than on-site audits, we prefer to satisfy audit obligations by:
- Providing you with a copy of our latest SOC 2 Type II report (audited annually by an independent third party), which covers security, availability, and confidentiality.
- Providing documentation of our security measures, subprocessor agreements, and incident response procedures.
- Responding to a reasonable questionnaire about our practices.
On-site audits are available on request but are subject to additional fees and scheduling constraints.
Return and deletion of personal data
Upon termination
Within 60 days of termination of the Subscription, you may elect to either:
- Return: We securely transfer all Personal Data to you (or to another processor you designate) in a portable, machine-readable format (e.g., CSV).
- Delete: We securely delete all Personal Data from our systems and subprocessors’ systems. You must certify that you have complied with all legal retention obligations before requesting deletion.
If you do not elect either option within 60 days, we will delete the data.
Certification of deletion
Where deletion is requested, we will:
- Securely erase data from all production systems.
- Securely erase data from backup and archive systems (subject to normal backup retention policies).
- Instruct all subprocessors to delete the data.
- Provide written certification of deletion within 30 days.
Some residual data may remain in anonymised logs for 90 days for security and forensic purposes, but it will not be linked to you or your learners.
Liability
Our liability for breaches of this DPA is subject to the limitation of liability clause in the Terms of Service at /legal/terms. In summary:
- Our total liability is capped at 12 months of fees paid by you.
- We are not liable for indirect or consequential damages.
- The above cap does not apply to death, personal injury, fraud, or liability that cannot be excluded under UK law.
Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. Any dispute arising from this DPA shall be resolved in the courts of England and Wales.
Contact
For questions about this DPA, data subject rights requests, or breach notifications, contact:
- Privacy contact: contact@m42k.com
- Data Protection Officer (if you require escalation): contact@m42k.com
- Security issues: security@m42k.com
Appendix: Standard Contractual Clauses (EU GDPR)
For customers operating in the EU or transferring data to the US, the Standard Contractual Clauses for data transfers from the EU to third countries (Module One: Controller to Processor, Module Two: Processor to Processor) are incorporated into this DPA by reference. The full text is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
Jupiter, as the processor, agrees to be bound by the Standard Contractual Clauses and will defend you against any claims arising from our breach of those clauses.
Questions about this document? Email contact@m42k.com.
JUPITER EDTECH LIMITED · 12 Orchard Way, Kings Sutton, Banbury, England, OX17 3PZ · Registered in England & Wales.