Data Processing Agreement
Last Updated: June 13, 2025
This Data Processing Agreement ("Agreement") forms part of the terms between Arvenza ("Data Processor," "we," "us," or "our") and the customer or user accessing our platform ("Data Controller," "you," or "your"). This Agreement governs the processing of personal data carried out by Arvenza on behalf of the Data Controller in connection with the provision of online education and course delivery services available at arvenza.online.
By using our services, you acknowledge and agree to the terms of this Agreement. If you are entering into this Agreement on behalf of an organization, you represent that you have the authority to bind that organization.
1. Definitions
For the purposes of this Agreement, the following definitions apply:
- Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, payment details, and usage data.
- Processing: Any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, or deletion.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data.
- Data Processor: The natural or legal person who processes personal data on behalf of the Data Controller.
- Sub-processor: Any third party engaged by the Data Processor to process personal data in connection with the services.
- Data Subject: The individual to whom personal data relates.
- Security Incident: Any unauthorized access, disclosure, alteration, or destruction of personal data.
- Services: The online educational platform, courses, and related features provided by Arvenza through arvenza.online.
2. Scope and Purpose of Processing
2.1 Nature of Processing
Arvenza processes personal data solely for the purpose of delivering the Services described in the applicable terms of service. Processing activities may include account registration, course enrollment, progress tracking, communication, payment processing, and platform analytics.
2.2 Categories of Personal Data
The categories of personal data processed under this Agreement may include:
- Identity data: full name, username, profile information
- Contact data: email address, phone number, billing address
- Financial data: payment method details, transaction history
- Technical data: IP address, browser type, device identifiers, cookies
- Usage data: course progress, assessment results, interaction logs
- Communications: support queries, feedback, correspondence
2.3 Categories of Data Subjects
Data subjects may include registered users, students enrolled in courses, site visitors, and individuals who contact Arvenza for support or information.
2.4 Duration of Processing
Processing shall continue for the duration of the active service relationship and shall cease upon termination or expiration of the applicable service agreement, subject to any retention obligations described in this Agreement.
3. Obligations of the Data Processor
3.1 Instructions
Arvenza shall process personal data only on documented instructions from the Data Controller, including those set out in this Agreement and the general terms of service, unless required by applicable law to process personal data for other purposes. In such cases, Arvenza shall inform the Data Controller of that legal requirement before processing, unless prohibited from doing so.
3.2 Confidentiality
Arvenza shall ensure that all personnel authorized to process personal data are subject to appropriate confidentiality obligations. Access to personal data shall be limited to those individuals who require it to perform their duties in connection with the Services.
3.3 Security Measures
Arvenza shall implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Such measures shall take into account the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of data subjects. Measures may include:
- Encryption of data in transit and at rest
- Access control mechanisms and authentication protocols
- Regular security assessments and vulnerability testing
- Incident detection and response procedures
- Staff training on data protection practices
- Backup and disaster recovery procedures
3.4 Sub-processors
Arvenza may engage sub-processors to assist in delivering the Services. By agreeing to this Agreement, the Data Controller grants general authorization for Arvenza to engage sub-processors, subject to the conditions set out below:
- Arvenza shall enter into a written agreement with each sub-processor imposing data protection obligations equivalent to those in this Agreement.
- Arvenza shall remain liable for the acts and omissions of its sub-processors to the same extent as if it had performed the processing directly.
- Arvenza shall notify the Data Controller of any intended changes regarding the addition or replacement of sub-processors, providing the Data Controller with an opportunity to object.
3.5 Data Subject Rights
Arvenza shall, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures in fulfilling its obligations to respond to requests from data subjects seeking to exercise their rights. Such rights may include:
- The right to access personal data held about them
- The right to rectification of inaccurate or incomplete data
- The right to erasure of personal data under applicable conditions
- The right to restriction of processing
- The right to data portability
- The right to object to processing
Requests received directly by Arvenza from data subjects shall be forwarded to the Data Controller without undue delay unless Arvenza is otherwise authorized to respond directly.
3.6 Data Protection Impact Assessments
Arvenza shall provide reasonable assistance to the Data Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities where required, taking into account the nature of processing and information available to Arvenza.
4. Obligations of the Data Controller
4.1 Lawful Basis
The Data Controller represents and warrants that it has a lawful basis for any personal data it provides or makes available to Arvenza for processing, and that such personal data has been collected in accordance with applicable data protection laws and regulations.
4.2 Accuracy of Data
The Data Controller is responsible for ensuring the accuracy, completeness, and relevance of personal data submitted through the Services. Arvenza shall not be liable for processing inaccurate data provided by the Data Controller or the data subjects.
4.3 Notifications to Data Subjects
The Data Controller is responsible for providing all necessary privacy notices and obtaining all required consents from data subjects in accordance with applicable laws prior to submitting personal data for processing by Arvenza.
5. Security Incidents and Breach Notification
5.1 Notification Obligation
In the event of a confirmed security incident involving personal data processed under this Agreement, Arvenza shall notify the Data Controller without undue delay after becoming aware of such an incident. The notification shall include, to the extent available at the time of notification:
- A description of the nature of the security incident, including categories and approximate number of data subjects and records affected
- The name and contact details of a point of contact from whom further information may be obtained
- A description of the likely consequences of the incident
- A description of measures taken or proposed to address the incident
5.2 Cooperation
Arvenza shall cooperate with the Data Controller and take reasonable steps to mitigate the effects of a security incident and prevent future occurrences. The Data Controller is responsible for any notifications required to be made to supervisory authorities or data subjects, unless otherwise agreed in writing.
6. International Data Transfers
Where personal data is transferred outside the country or region in which the Data Controller is located, Arvenza shall ensure that such transfers are conducted in compliance with applicable data protection requirements. Where required, Arvenza shall implement appropriate safeguards such as standard contractual clauses, binding corporate rules, or other lawful transfer mechanisms recognized under applicable law.
Arvenza will make available to the Data Controller, upon request, information about the safeguards applied to international data transfers.
7. Data Retention and Deletion
7.1 Retention During Service
Arvenza shall retain personal data for the period necessary to deliver the Services and fulfill contractual obligations, unless a longer retention period is required or permitted by applicable law.
7.2 Deletion Upon Termination
Upon termination or expiration of the service relationship, or upon written request by the Data Controller, Arvenza shall, at the Data Controller's election, delete or return all personal data and delete existing copies, unless applicable law requires retention of the personal data. Arvenza shall confirm in writing that deletion or return has been completed.
7.3 Backup Retention
Personal data held in secure backup systems may be retained for a limited period following deletion from active systems, subject to technical and operational constraints, and will be purged in accordance with Arvenza's standard backup rotation schedule.
8. Audit Rights and Compliance Verification
8.1 Records of Processing
Arvenza shall maintain records of processing activities carried out under this Agreement as required by applicable law, and shall make such records available to the Data Controller upon reasonable written request.
8.2 Audits
Arvenza shall provide the Data Controller with all information reasonably necessary to demonstrate compliance with this Agreement. The Data Controller may request an audit of Arvenza's data processing activities, subject to reasonable advance notice, agreement on scope and timing, and confidentiality obligations. Audit costs shall be borne by the Data Controller unless the audit reveals a material breach of this Agreement by Arvenza.
8.3 Third-Party Certifications
Where Arvenza holds relevant third-party certifications or has undergone independent security assessments, it may provide copies or summaries of such reports in lieu of or in supplement to direct audits, where the Data Controller agrees this is sufficient.
9. Limitation of Liability
Each party's liability under this Agreement shall be subject to the limitations and exclusions set out in the applicable general terms of service between the parties. Nothing in this Agreement shall limit liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be limited or excluded under applicable law.
10. Term and Termination
This Agreement shall commence upon the Data Controller's acceptance of the general terms of service and shall remain in effect for the duration of the service relationship. This Agreement shall automatically terminate upon termination or expiration of the applicable service agreement. Provisions that by their nature should survive termination, including those relating to confidentiality, security, data deletion, and liability, shall survive the termination of this Agreement.
11. Amendments
Arvenza reserves the right to update or modify this Agreement from time to time to reflect changes in applicable laws, regulations, or operational practices. In the event of material changes, Arvenza shall notify the Data Controller through the email address registered with the account or by notice published on the platform. Continued use of the Services following such notification constitutes acceptance of the updated Agreement.
12. Order of Precedence
In the event of any conflict or inconsistency between this Agreement and the general terms of service or privacy policy, the provisions of this Agreement shall prevail with respect to the subject matter of data processing. All other matters shall be governed by the applicable general terms.
13. Governing Provisions
This Agreement is intended to be legally neutral and broadly applicable across multiple regulatory frameworks. Nothing in this Agreement limits either party's obligations under applicable data protection legislation. Where mandatory requirements of applicable law impose stricter obligations than those set out in this Agreement, such mandatory requirements shall take precedence.
14. Contact Information
For any questions, requests, or notices relating to this Data Processing Agreement, please contact Arvenza using the details below:
| Contact Method | Details |
|---|---|
| Company Name | Arvenza |
| support@arvenza.online | |
| Phone | +44 207 831 0359 |
| Postal Address | 133-149 St Nicholas Cir, Leicester LE1 4LF, United Kingdom |
| Website | arvenza.online |
We aim to respond to all data-related inquiries within a reasonable timeframe. For urgent security incidents or data breach notifications, please contact us immediately via email with the subject line "Security Incident – Urgent."
By accessing or using the Services provided by Arvenza, you confirm that you have read, understood, and agree to be bound by the terms of this Data Processing Agreement as of the date of your acceptance.