Data Processing Addendum

Version 0.1.0 · Last updated: 2026-XX-XX

This policy is provided for informational purposes. Certified Coach Ltd recommends consulting qualified legal counsel for your specific circumstances.

1. Scope and application

This Data Processing Addendum (“DPA”) applies where an organisation (“Controller”) uses the Certified Coach platform (“Processor”) to process personal data relating to coaching certificates.

This DPA supplements the Terms of Service and forms part of the agreement between the Controller and Certified Coach Ltd.

2. Controller and processor roles

The relationship between the parties depends on the data in question:

Data type | Controller | Processor
Certificate data (names, qualifications, award dates) | Organisation | Certified Coach Ltd
Coach account data (email, profile) | Certified Coach Ltd | N/A (Certified Coach Ltd acts as controller)
Organisation account data | Certified Coach Ltd | N/A (Certified Coach Ltd acts as controller)
DBS check data (future) | Organisation | Certified Coach Ltd (via Umbrella Body)

3. Processing instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers to third countries. The purposes of processing are:

  • Storing and displaying certificate data on the Platform
  • Enabling public verification of certificates
  • Managing certificate lifecycle events (issuance, renewal, revocation, expiry)
  • Generating reports and analytics for the Controller
  • Sending transactional notifications related to certificate events

4. Sub-processors

The Processor uses the following sub-processors. The Controller consents to the use of these sub-processors by accepting this DPA. The Processor will notify the Controller at least 30 days before adding a new sub-processor.

Sub-processor | Purpose | Location | Transfer safeguard
Clerk (Clerk, Inc.) | Authentication and identity management | United States | SCCs + DPA
Neon (Neon, Inc.) | PostgreSQL database hosting | United States | SCCs + DPA
Vercel (Vercel, Inc.) | Web application hosting and CDN | Global (edge) | SCCs + DPA
Resend (Resend, Inc.) | Transactional email delivery | United States | SCCs + DPA

5. Security measures

The Processor implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access controls with role-based permissions
  • Multi-factor authentication for administrative access
  • Regular security assessments and dependency auditing
  • Automated vulnerability scanning (CodeQL, Dependabot)
  • Audit logging of data access and modifications
  • Database backups with point-in-time recovery

6. Data breach notification

In the event of a personal data breach affecting Controller data:

  • The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • The notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
  • The Controller is responsible for notifying the ICO (within 72 hours of the Controller becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals) and affected data subjects (where the breach is likely to result in a high risk to them), as required under UK GDPR Articles 33 and 34
  • The Processor will cooperate with the Controller and provide all necessary information and assistance

7. Data subject requests

The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by:

  • Promptly forwarding to the Controller any request that the Processor receives directly from a data subject
  • Providing tools and exports to help the Controller fulfil requests
  • Implementing technical measures to support erasure, rectification, and portability
  • Not responding directly to data subjects on behalf of the Controller without authorisation

8. International transfers

Where personal data is transferred outside the United Kingdom, the Processor ensures:

  • Transfers are made to countries covered by UK adequacy regulations, or
  • Appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as issued by the ICO; and
  • Supplementary measures are applied where needed (encryption, access controls, contractual commitments)

9. Audit rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be:

  • Conducted no more than once per year, unless a data breach has occurred
  • Arranged with reasonable notice (at least 30 days)
  • Conducted during normal business hours
  • At the Controller's expense, unless the audit reveals material non-compliance

The Processor may satisfy audit requirements by providing relevant certifications, audit reports, or other evidence of compliance.

10. Term, termination, and data return

This DPA remains in effect for the duration of the Controller's use of the Platform. On termination:

  • The Processor will, at the Controller's choice, return or delete all Controller personal data within 90 days
  • The Processor will provide a data export in a structured, commonly used format
  • Deletion will be confirmed in writing
  • The Processor may retain data where required by applicable law, with the Controller notified of such retention

11. Contact

For questions about this DPA, contact our Data Protection Officer at privacy@certified-coach.com.