Data Processing Agreement
1. Roles
The provider is the controller and Virtuopo Ltd is the processor. This DPA forms part of the agreement between the parties and applies whenever CID processes personal data on the provider's behalf.
2. Subject-matter & duration
Subject-matter: operating the diagnostic platform. Duration: for the term of the agreement. Nature & purpose: capturing self-assessment responses, generating personal readouts, and producing aggregated reporting.
3. Types of data & data subjects
- Data subjects: the provider's respondents (and its admin users).
- Personal data: name, email, role/team, self-assessment scores, and free-text reflections. No special-category data is intended to be processed.
4. Processor obligations
- Process personal data only on the controller's documented instructions.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Annex A).
- Not engage sub-processors except as permitted below.
- Assist the controller with data-subject requests and with security, breach and DPIA duties.
- Notify the controller without undue delay on becoming aware of a personal data breach.
- At the controller's choice, delete or return personal data at the end of the agreement.
- Make available information needed to demonstrate compliance and allow audits.
5. Sub-processors
The controller gives general authorisation for the sub-processors listed at /sub-processors. We will give notice of intended changes and remain responsible for our sub-processors' performance.
6. International transfers
Personal data is hosted in the UK/EU. Any transfer to a sub-processor outside the UK/EU is made under appropriate safeguards (e.g. UK/EU Standard Contractual Clauses or an adequacy decision).
7. Annex A — security measures
- Encryption of data in transit and at rest.
- Database-level isolation between providers (row-level security).
- Role-based access control; least privilege; logging of access to individual-level data.
- No public sign-up; admin accounts created under control.
- Regular patching and dependency review.