This Data Processing Addendum (DPA) forms part of the Terms of Service between Rapid Cert Ireland (Processor) and the subscribing organization (Controller). It sets out roles, instructions, data sovereignty guarantees, security and breach notification, sub-processors, EEA hosting and international transfers, deletion and return, audit rights, and governing law.
Annex 1 covers subject matter, duration, nature and purpose of processing, categories of data subjects, and types of personal data for training management and certification services.
This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between Rapid Cert Ireland ("Processor") and the organization or entity subscribing to the Service ("Controller").
This DPA reflects the parties' agreement with regard to the Processing of Personal Data, in accordance with the requirements of Data Protection Laws.
1. Definitions
"Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, and Ireland (including the GDPR), applicable to the Processing of Personal Data under the Agreement.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
"Personal Data" means any information relating to an identified or identifiable natural person processed by Rapid Cert on behalf of the Controller.
"Services" means the certificate management, CRM, and training software services provided by Rapid Cert.
"Sub-processor" means any third party appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller.
2. Scope and Role of the Parties
2.1 Roles
The parties acknowledge and agree that with regard to the Processing of Personal Data, the Client is the Data Controller and Rapid Cert is the Data Processor.
2.2 Instructions
Processor shall process Personal Data only in accordance with Controller's documented instructions. The Agreement and this DPA constitute the Controller's complete instructions.
3. Strict Data Sovereignty Guarantees
3.1 No Sale of Data
Rapid Cert is strictly prohibited from selling, renting, or leasing Personal Data to any third party.
3.2 No Data Transfers or Giveaways
Rapid Cert shall not transfer, "give away," or share Personal Data with third parties for marketing, profiling, or any commercial purposes unrelated to the direct provision of the Services.
3.3 Exclusivity of Use
Personal Data processed under this DPA shall be used exclusively for the purpose of providing the Services defined in the Agreement (e.g., generating certificates, managing bookings, and CRM functions).
4. Processor Obligations
4.1 Confidentiality
Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the data and have committed themselves to confidentiality.
4.2 Security
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
4.3 Data Subject Rights
Processor shall, to the extent legally permitted, promptly notify Controller if Processor receives a request from a Data Subject to exercise their rights (e.g., access, rectification, deletion). Processor shall assist Controller in fulfilling its obligations to respond to such requests.
4.4 Personal Data Breach
Processor shall notify Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach.
5. Sub-processors
5.1 Appointment
Controller acknowledges and agrees that Processor may engage third-party Sub-processors (such as cloud hosting providers) in connection with the provision of the Services.
5.2 Liability
Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
6. International Transfers
6.1 EEA Hosting
Rapid Cert processes and stores all primary Client Personal Data on secure servers located within the European Economic Area (EEA).
6.2 Transfers
Processor shall not transfer Personal Data outside the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws.
7. Deletion or Return of Personal Data
7.1 Termination
Upon termination of the Services, at the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller, unless Irish or European Union law requires the storage of the Personal Data.
8. Audit Rights
8.1 Information Requests
Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
9. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Ireland. The parties agree to submit to the exclusive jurisdiction of the Irish courts.
Annex 1: Details of Processing
Subject Matter: The provision of training management software and certification services.
Duration: The duration of the Agreement plus any period thereafter until data is deleted.
Nature and Purpose: To enable the Controller to manage students, trainees, bookings, and the issuance of training certificates.
Categories of Data Subjects: Students, trainees, employees, and customers of the Controller.
Types of Personal Data: Name, email address, training records, assessment results, certificate numbers, and contact information.
Rapid Cert Ireland Dublin Business District, Dublin, D02, Ireland