Data Processing Agreement (DPA)

Last updated: 2026-04-19

1. Background

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between FRANCHISE FAMILY LTD, operator of onboarding.team (“Data Processor”, “we”, “us”), and the customer (“Data Controller”, “you”).

This DPA reflects the parties' agreement on the processing of personal data in accordance with the EU General Data Protection Regulation (EU GDPR) and the UK GDPR.

2. Roles and responsibilities

Data Controller (you): you determine the purposes and means of processing personal data submitted to the onboarding.team platform — typically: hire names and emails, preboarding and onboarding journey content, training assignments, test attempts, homework submissions, mentor approvals, and completion records.

Data Processor (us): we process personal data only on your documented instructions and only for the purpose of providing the platform services described in the Terms of Service.

3. Categories of data and data subjects

  • Categories of data subjects: your employees, new hires, mentors, managers, and platform administrators.
  • Categories of personal data: identity data (name, work email), employment data (role, location), platform activity data (logins, module completions, test scores, homework files, mentor approvals, timestamps).
  • Special categories: we do not expect to process special-category data (Article 9 GDPR). You agree not to upload such data unless we have agreed in writing.

4. Sub-processors

You authorise us to engage third-party sub-processors to assist in providing the services. The current sub-processors are:

  • EU-region cloud hosting — for compute, storage, and backups.
  • Stripe — for secure payment processing (PCI-DSS Level 1).
  • Plausible Analytics — for cookie-less marketing analytics on the public website only.
  • Transactional email provider — for trial, account, and security emails.

All sub-processors are bound by written agreements requiring them to provide at least the same level of data protection required by this DPA. We will give you reasonable prior notice of any new or replacement sub-processor. You may object to a change on reasonable data-protection grounds; in that case we will work in good faith to find an alternative.

5. Security measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Network segmentation and firewall controls.
  • Access control on the principle of least privilege.
  • Audit logging on administrative actions.
  • Regular automated backups with documented restore drills.
  • Vulnerability scanning and timely patching of dependencies.
  • Annual review of security policies and incident-response runbooks.

6. International transfers

Personal data is hosted in the EU by default. Where transfers outside the UK or the EEA are necessary (e.g., for a sub-processor headquartered abroad), we rely on adequacy decisions or Standard Contractual Clauses (SCCs) to ensure equivalent protection.

7. Personal data breach notification

We will notify you without undue delay — and in any event within 72 hours of becoming aware — of a personal data breach affecting your data, including the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address it.

8. Data subject rights & deletion

We will assist you in fulfilling your obligations to respond to requests from data subjects (e.g., right of access, right to rectification, right to erasure, right to data portability) using the tools available in the platform.

Upon termination of your account, we will delete or return all personal data within 30 days, unless we are legally required to retain it (e.g., invoicing records).

9. Audits

We will make available to you all information reasonably necessary to demonstrate compliance with this DPA. On reasonable written request and no more than once per year, you may audit our compliance — by reviewing our security documentation, or (for Enterprise customers) through a remote audit at your reasonable expense.

10. Term and termination

This DPA is effective for as long as we process personal data on your behalf and remains in force until that processing ends. Provisions that should reasonably survive termination (confidentiality, deletion obligations, indemnities) survive.

11. Contact

Operator: FRANCHISE FAMILY LTD, registered in England and Wales.
DPA contact: hello@onboarding.team with the subject “DPA”.