Data Processing Agreement

Last updated: August 8, 2025

This Data Processing Agreement ("Agreement") forms part of the contract for services between lelvira ("Processor") and the customer entity that has accepted the Terms of Service ("Controller"). This Agreement reflects the parties' agreement with respect to the processing of personal data by the Processor on behalf of the Controller in connection with the services provided through lelvira.online.


1. Definitions

For the purposes of this Agreement, the following terms shall have the meanings set out below:

Personal Data: Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the services.

Processing: Any operation or set of operations performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

Data Subject: An identified or identifiable natural person to whom personal data relates.

Sub-processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.

Security Incident: Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Applicable Law: Any applicable data protection legislation, regulation, or binding guidance in force from time to time that governs the processing of personal data under this Agreement.

Services: The online education platform and related services provided by the Processor through lelvira.online, including course delivery, content hosting, and user account management.

2. Scope and Purpose

2.1 Subject Matter

This Agreement governs the terms under which the Processor processes personal data on behalf of the Controller as part of the delivery of the Services described in the applicable service agreement or terms of service.

2.2 Nature of Processing

The Processor shall process personal data solely to the extent necessary to provide the Services, including but not limited to:

a) Hosting and managing user accounts and authentication;

b) Delivering course content and tracking learner progress;

c) Processing transactions and maintaining billing records;

d) Providing customer support and communications;

e) Maintaining platform security and preventing fraud;

f) Generating aggregated analytics related to platform usage.

2.3 Categories of Personal Data

The categories of personal data processed under this Agreement may include:

a) Identification data such as name, username, and account credentials;

b) Contact data such as email address and phone number;

c) Transaction and billing data;

d) Technical data such as IP address, device identifiers, and browser information;

e) Usage and activity data related to interaction with the Services;

f) Any other personal data submitted by the Controller or data subjects through the Services.

2.4 Categories of Data Subjects

The data subjects whose personal data may be processed include individuals who register for or use the Services, including students, learners, administrators, and any other end users authorised by the Controller.


3. Obligations of the Processor

3.1 Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to any third country or international organisation, unless required to do so by applicable law. Where such a legal requirement exists, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so.

3.2 Confidentiality

The Processor shall ensure that persons authorised to process personal data on its behalf are subject to appropriate obligations of confidentiality, whether under a contractual arrangement or a statutory duty.

3.3 Technical and Organisational Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against a security incident, taking into account:

a) The state of the art and the costs of implementation;

b) The nature, scope, context, and purposes of processing;

c) The risks of varying likelihood and severity to the rights and freedoms of natural persons.

Such measures include, but are not limited to, encryption of personal data in transit and at rest, pseudonymisation where appropriate, access controls and authentication mechanisms, regular testing and evaluation of security measures, and resilience procedures for backup and recovery.

3.4 Sub-processing

The Processor shall not engage sub-processors to process personal data without prior written authorisation from the Controller, whether specific or general. Where general authorisation is given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

Where the Processor engages sub-processors, it shall impose data protection obligations equivalent to those set out in this Agreement by way of a written contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

3.5 Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as reasonably possible, for the fulfilment of the Controller's obligations to respond to requests by data subjects exercising their rights. Such rights may include the right to access, rectification, erasure, restriction of processing, data portability, and objection.

Where a data subject makes a request directly to the Processor, the Processor shall promptly forward the request to the Controller and shall not respond directly to such requests except as instructed by the Controller or as required by applicable law.

3.6 Assistance to Controller

The Processor shall assist the Controller in ensuring compliance with applicable obligations relating to:

a) Security of processing;

b) Notification of security incidents to relevant authorities and affected data subjects;

c) Data protection impact assessments and prior consultations with supervisory authorities where required;

d) Any other applicable data protection obligations relevant to the nature and scope of processing.

3.7 Security Incident Notification

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a security incident affecting personal data processed under this Agreement. Such notification shall include, to the extent known at the time:

a) A description of the nature of the security incident;

b) The categories and approximate number of data subjects and personal data records concerned;

c) The likely consequences of the security incident;

d) The measures taken or proposed to address the security incident and, where appropriate, to mitigate its possible adverse effects.

Where full information is not available at the time of initial notification, it shall be provided in phases as information becomes available.

3.8 Deletion or Return of Data

Upon termination or expiry of this Agreement, or upon request by the Controller, the Processor shall, at the Controller's election, delete or return all personal data processed under this Agreement, and shall delete or destroy existing copies unless applicable law requires continued retention. The Processor shall certify compliance with this obligation in writing upon request.

3.9 Audit and Inspection

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall promptly notify the Controller if any instruction provided by the Controller infringes applicable data protection law.


4. Obligations of the Controller

4.1 Lawful Basis

The Controller represents and warrants that it has a lawful basis for processing all personal data provided to or collected through the Processor under this Agreement, and that any instructions given to the Processor comply with applicable law.

4.2 Accuracy of Data

The Controller is responsible for the accuracy, quality, and legality of personal data submitted through the Services, including obtaining all necessary consents from data subjects where required.

4.3 Notification to Data Subjects

The Controller is responsible for providing adequate privacy notices to data subjects regarding the processing of their personal data, including the involvement of the Processor and any sub-processors.


5. International Data Transfers

5.1 Transfer Mechanisms

Where personal data is transferred to countries or territories that are not recognised as providing an adequate level of data protection, such transfers shall be carried out in accordance with a valid and applicable legal transfer mechanism, including but not limited to standard contractual clauses approved by a competent authority, binding corporate rules, or any other lawful transfer mechanism.

5.2 Processor Obligations

The Processor shall not transfer personal data to any country or territory outside the originating jurisdiction without the prior written consent of the Controller, except as required by applicable law or where a valid transfer mechanism is in place as described in clause 5.1.


6. Sub-processors

6.1 Current Sub-processors

The Controller acknowledges and provides general authorisation for the Processor to engage sub-processors as necessary for the provision of the Services. A list of current sub-processors is available upon written request to contact@lelvira.online. The Processor shall update this list and notify the Controller of any material changes.

6.2 Objections

The Controller may object to the appointment of a new sub-processor by notifying the Processor in writing within fourteen (14) days of receiving notice of the proposed change. If the Controller objects and the parties cannot reach a resolution, either party may terminate the relevant services upon reasonable written notice without liability for early termination, provided the termination is solely attributable to the objection.


7. Liability and Indemnification

7.1 Processor Liability

The Processor shall be liable for damage caused by processing only where it has not complied with obligations under applicable data protection law specifically directed at processors, or where it has acted outside or contrary to the lawful instructions of the Controller.

7.2 Controller Liability

The Controller shall be liable for damage caused by processing that infringes applicable data protection law, or that arises from unlawful or inaccurate instructions given to the Processor.

7.3 Limitation

To the extent permitted by applicable law, the aggregate liability of each party under or in connection with this Agreement shall be subject to the limitations and exclusions set forth in the applicable service agreement or terms of service between the parties.


8. Term and Termination

8.1 Duration

This Agreement shall remain in effect for as long as the Processor processes personal data on behalf of the Controller in connection with the Services.

8.2 Termination

This Agreement shall automatically terminate upon termination or expiry of the underlying service agreement, unless the parties agree otherwise in writing.

8.3 Survival

The obligations under clause 3.8 (Deletion or Return of Data) and clause 7 (Liability and Indemnification) shall survive the termination or expiry of this Agreement.


9. Governing Law and Dispute Resolution

This Agreement shall be governed by and construed in accordance with the applicable laws of the jurisdiction in which the Processor is established. Any disputes arising out of or in connection with this Agreement shall be resolved through good faith negotiation between the parties. If the parties are unable to resolve the dispute through negotiation, either party may pursue resolution through the applicable courts or alternative dispute resolution mechanisms as agreed between the parties.


10. General Provisions

10.1 Order of Precedence

In the event of any conflict between this Agreement and the main service agreement or terms of service, the provisions of this Agreement shall take precedence with respect to the subject matter of data processing.

10.2 Amendments

This Agreement may only be amended by a written instrument signed by authorised representatives of both parties, except where the Processor is required to update this Agreement to comply with changes in applicable law, in which case the Processor shall provide reasonable notice of such changes.

10.3 Severability

If any provision of this Agreement is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.

10.4 Entire Agreement

This Agreement, together with any schedules or annexes attached hereto and the applicable service agreement, constitutes the entire agreement between the parties with respect to the processing of personal data and supersedes all prior agreements, representations, and understandings relating to this subject matter.


11. Contact Information

For any questions, requests, or notices relating to this Agreement, or to exercise any rights described herein, please contact the Processor using the following details:

lelvira

Castle Mill Works, Birmingham New Rd, Dudley DY1 4DA, United Kingdom

Email: contact@lelvira.online

Phone: +44 7922 572595

Website: lelvira.online


By continuing to use the Services after the last updated date of this Agreement, the Controller acknowledges that it has read, understood, and agreed to be bound by the terms of this Data Processing Agreement.