Data Processing Agreement
For customers needing a signed DPA — for GDPR, UK GDPR, CCPA, or internal procurement.
How to get the signed DPA: Email legal@learnready.ai with your organization's legal name, jurisdiction, and the data-protection roles (typically you = Controller, LearnReady = Processor). We'll send a pre-filled DPA for signature within 2 business days. Most customers can use our standard template; if your legal team needs redlines we'll negotiate.
What our DPA covers
- Roles & responsibilities: Customer is the Controller (or "Business" under CCPA), LearnReady is the Processor (or "Service Provider"). Standard allocation.
- Categories of personal data: learner names, emails, training progress, quiz responses, certification records. When Customer enables Proctored Exam Mode on a program: still photos captured during the exam (no facial recognition is performed) plus a browser-event log (tab switches, copy/paste, fullscreen exits); if Customer also enables the optional "Capture network metadata" toggle, IP address and User-Agent at each capture. Proctoring photos and network samples auto-delete after 90 days.
- Purpose of processing: solely to provide the Service. No secondary uses. No "sale" or "sharing" of personal data.
- Sub-processors: the current list (see Privacy Policy) is pre-authorized. We notify Controller of new sub-processors and offer a right to object for cause.
- International transfers: Standard Contractual Clauses (SCCs) for EEA/UK customers, with module 2 (Controller-to-Processor) selected. UK Addendum included.
- Security measures: Annex II details — TLS encryption, AES-256 at rest, bcrypt password hashing, access controls, audit logging, breach notification within 72 hours. Matches the Security page.
- Data subject rights: we assist Controller in fulfilling access / deletion / correction / portability requests within reasonable timelines.
- Audit rights: annual right of audit (subject to confidentiality and reasonable scheduling), or acceptance of our SOC 2 Type II report once issued.
- Data return & deletion: on termination, Controller may export data for 30 days; we delete within 90 days unless legal retention applies.
What "standard" looks like in our DPA
- EU SCCs (2021/914) — Module 2 (Controller to Processor) with Annex I (parties), Annex II (security measures), Annex III (sub-processors) pre-filled
- UK International Data Transfer Addendum to the EU SCCs
- CCPA/CPRA Service Provider clauses for California data subjects
- Breach notification: 72 hours from confirmation
- Sub-processor change notice: 30 days, with right to object
- Audit rights: SOC 2 report acceptance (when available) or annual audit on reasonable notice
Common questions
Do I need a DPA? If you have customers, employees, or learners in the EU, UK, or California — yes, almost certainly. Most other regulated industries also require one.
Can I send my own DPA template? Yes. We'll review and either sign or send redlines. Most customer-template DPAs are aligned enough that we can sign with minor changes.
How long does signing take? 1-3 business days if our standard template works for you. 1-2 weeks if your legal team wants to negotiate redlines.
Is there a charge? No charge for the standard DPA. If your legal team wants a heavily customized DPA on a free or low-tier plan, we may ask you to upgrade to Pro or pay a one-time legal-review fee.
Get the DPA
Email legal@learnready.ai with:
- Your organization's legal name
- Country / jurisdiction of incorporation
- Address for execution
- Signatory name and title
- Notes (e.g., "we have learners in the EU", "we require UK SCC addendum", "our legal will redline")
We'll send a pre-filled DPA for DocuSign within 2 business days.