Version 1.0 · Last updated 18 June 2026
This Data Processing Agreement governs how Alignix Ltd processes personal data about a training provider’s learners. The provider is the controller of that data and Alignix is the processor. This DPA is incorporated into and forms part of the Master Subscription Agreement, and a provider accepts it by signing its Order Form.
Contents
- Definitions and Interpretation
- Status and Scope of Processing
- Alignix’s Obligations as Processor
- The Controller’s Obligations
- International Transfers
- Liability
- Term and Termination
- General
- Schedule 1: Details of Processing
- Schedule 2: Security Measures
- Schedule 3: Sub-processors
This Agreement
This Data Processing Agreement (this “DPA”) is made between:
(1) Alignix Ltd, a company registered in England and Wales with company number 17268592, whose registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ (“Alignix”, the “Processor”); and
(2) the organisation identified as the Provider in the Order Form (the “Provider”, the “Controller”).
Background
(A) The parties have entered into a Master Subscription Agreement under which Alignix provides the Alignix Pathways platform to the Provider (the “Principal Agreement”).
(B) In providing the Platform, Alignix Processes Personal Data relating to the Provider’s Authorised Learners on the Provider’s behalf.
(C) This DPA sets out the terms on which Alignix Processes that Personal Data, and is incorporated into and forms part of the Principal Agreement.
1. Definitions and Interpretation
1.1 Capitalised terms used but not defined in this DPA have the meaning given in the Principal Agreement. In this DPA:
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing” and “Supervisory Authority” have the meanings given in the Data Protection Legislation.
“Data Protection Legislation” means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and all other applicable laws relating to the Processing of Personal Data, in each case as amended or replaced from time to time.
“Learner Personal Data” means Personal Data relating to the Provider’s Authorised Learners that Alignix Processes on the Provider’s behalf under the Principal Agreement, as described in Schedule 1.
“Principal Agreement” means the Master Subscription Agreement between the parties.
“Restricted Transfer” means a transfer of Personal Data to a country outside the United Kingdom that is not covered by UK adequacy regulations.
“Sub-processor” means any third party engaged by Alignix to Process Learner Personal Data.
“UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.
1.2 This DPA is incorporated into and forms part of the Principal Agreement. If there is any conflict or inconsistency between this DPA and the remaining terms of the Principal Agreement in relation to the Processing of Personal Data, this DPA prevails.
1.3 The interpretation provisions of the Principal Agreement apply to this DPA.
2. Status and Scope of Processing
2.1 The parties acknowledge that, in respect of Learner Personal Data, the Provider is the Controller and Alignix is the Processor.
2.2 The subject matter and duration of the Processing, its nature and purpose, the types of Personal Data and the categories of Data Subjects are set out in Schedule 1.
2.3 Alignix is the Controller of Personal Data relating to the Provider’s account, administrators and business contacts, which it Processes in accordance with its privacy policy. That Processing is outside the scope of this DPA.
3. Alignix’s Obligations as Processor
3.1 Alignix will Process Learner Personal Data only on the Provider’s documented instructions, including with regard to transfers, unless required to do otherwise by law (in which case Alignix will, where lawful, inform the Provider of that legal requirement before Processing). The Principal Agreement and this DPA, together with any further written instructions the Provider gives, constitute the Provider’s complete and documented instructions.
3.2 Alignix will inform the Provider if, in its opinion, an instruction infringes the Data Protection Legislation, although Alignix is not obliged to provide legal advice.
3.3 Alignix will ensure that persons authorised to Process Learner Personal Data are subject to an appropriate duty of confidentiality.
3.4 Alignix will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the UK GDPR, as described in Schedule 2.
3.5 Sub-processors:
(a) The Provider gives a general authorisation for Alignix to engage the Sub-processors listed in Schedule 3.
(b) Alignix will inform the Provider of any intended addition or replacement of a Sub-processor, giving the Provider a reasonable opportunity to object on reasonable data protection grounds. If the Provider objects and the parties cannot resolve the matter, the Provider may terminate the Principal Agreement in respect of the affected Processing.
(c) Alignix will impose on each Sub-processor data protection obligations equivalent to those in this DPA, and remains liable to the Provider for the acts and omissions of its Sub-processors.
3.6 Taking into account the nature of the Processing, Alignix will assist the Provider, by appropriate technical and organisational measures and insofar as possible, to respond to requests from Data Subjects exercising their rights under the Data Protection Legislation.
3.7 Taking into account the nature of the Processing and the information available to it, Alignix will assist the Provider in ensuring compliance with its obligations relating to security of Processing, notification of Personal Data Breaches, data protection impact assessments and prior consultation, under Articles 32 to 36 of the UK GDPR.
3.8 Alignix will notify the Provider without undue delay after becoming aware of a Personal Data Breach affecting Learner Personal Data, and will provide the Provider with sufficient information to allow the Provider to meet any obligation to report the breach to a Supervisory Authority or Data Subjects.
3.9 On termination or expiry of the Principal Agreement, Alignix will, at the Provider’s choice, delete or return all Learner Personal Data and delete existing copies within 30 days, unless the law requires storage of the Personal Data. The data export process is as described in the Principal Agreement.
3.10 Alignix will make available to the Provider all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR, and will allow for and contribute to audits, including inspections, conducted by the Provider or an auditor it mandates, on reasonable prior written notice and no more than once in any 12 month period (unless required by a Supervisory Authority), subject to reasonable confidentiality and security conditions and at the Provider’s cost.
4. The Controller’s Obligations
4.1 The Provider warrants that it has a lawful basis for the Processing, that it has provided all necessary privacy information to Data Subjects, and that its instructions to Alignix comply with the Data Protection Legislation.
4.2 The Provider is responsible for the accuracy, quality and legality of Learner Personal Data and the means by which it acquired that data.
4.3 The Provider will not instruct Alignix to Process special category Personal Data through the Platform unless the parties have agreed appropriate additional measures in writing.
5. International Transfers
5.1 Alignix will not make a Restricted Transfer of Learner Personal Data without ensuring an appropriate transfer mechanism is in place, such as UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.
5.2 Schedule 3 indicates which Sub-processors may involve a transfer of Personal Data outside the United Kingdom and the safeguard relied on.
6. Liability
6.1 The liability of each party under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Principal Agreement.
7. Term and Termination
7.1 This DPA takes effect on the Effective Date of the Principal Agreement and continues for as long as Alignix Processes Learner Personal Data under the Principal Agreement.
7.2 The provisions of this DPA that are required to give effect to the deletion, return and audit obligations survive termination or expiry of the Principal Agreement.
8. General
8.1 This DPA forms part of the Principal Agreement and is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
8.2 Except as amended by this DPA, the terms of the Principal Agreement remain in full force. The general provisions of the Principal Agreement apply to this DPA.
This DPA is executed by the parties signing the Order Form under the Principal Agreement, which incorporates this DPA.
Schedule 1: Details of Processing
| Subject matter | Provision of the Alignix Pathways platform to the Provider and its Authorised Learners. |
|---|---|
| Duration | The term of the Principal Agreement, together with the post-termination deletion period set out in clause 3.9. |
| Nature and purpose | Hosting, storage and Processing of Learner Personal Data to deliver career roadmaps, skills challenges, assessments and related learning features; generation of AI outputs based on learner inputs; and delivery of platform notifications. |
| Type of Personal Data | Learner name; email address; account login credentials; role, career and skills information the learner provides; CV and experience content the learner inputs; challenge and assessment submissions; and platform usage data. No special category Personal Data is intended to be Processed. |
| Categories of Data Subjects | The Provider’s Authorised Learners; and, where applicable, the Provider’s administrators. |
| Controller | The Provider. |
| Processor | Alignix Ltd. |
Schedule 2: Technical and Organisational Security Measures
Alignix maintains the following measures, which it may update from time to time provided the level of security is not reduced:
- Access control: role-based access (platform administrator, provider administrator and learner roles), with access limited to what each role requires.
- Authentication: individual user accounts and credentials, and protection of authentication data.
- Encryption: encryption of Personal Data in transit using TLS, and encryption at rest as provided by the hosting infrastructure.
- Hosting and infrastructure: use of reputable infrastructure providers (including Supabase and Cloudflare) that maintain their own security and resilience measures.
- Logical separation: separation of each provider’s data within the Platform.
- Resilience and backups: regular backups and measures to restore availability of and access to Personal Data in a timely manner after an incident.
- Confidentiality: confidentiality obligations on personnel who have access to Personal Data.
- Vulnerability and change management: application updates and monitoring to address known vulnerabilities.
- Incident response: a process to detect, respond to and notify Personal Data Breaches.
Schedule 3: Sub-processors
The Provider authorises the following Sub-processors:
| Sub-processor | Purpose | Location and transfer safeguard |
|---|---|---|
| Supabase | Database hosting and storage of Learner Personal Data. | United States. Transfer safeguarded by the UK Addendum to the EU Standard Contractual Clauses. |
| Lovable | Application hosting and AI gateway routing. | United States. Transfer safeguarded by the UK Addendum to the EU Standard Contractual Clauses. |
| OpenAI | AI Processing (generation of roadmaps, challenges and assessments from learner inputs). | United States. Transfer safeguarded by the UK Addendum to the EU Standard Contractual Clauses. |
| Cloudflare | Content delivery, DNS and security, including DDoS protection. | Global edge network. Transfer safeguarded by appropriate contractual clauses. |
| Microsoft | Delivery of transactional emails from notify.alignix.co.uk. | United States. Transfer safeguarded by the UK Addendum to the EU Standard Contractual Clauses. |
Excluded (not Sub-processors; no Learner Personal Data is shared with them): Adzuna and Reed are queried as sources of job advertisement data only. Alignix sends search parameters to them, not Learner Personal Data.
Alignix Ltd · Company number 17268592 · 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
This DPA forms part of the Master Subscription Agreement and is accepted by the Provider signing its Order Form.