Skip to main content
Legal

Data Processing Addendum

Version 2026-07-13 · Last updated 13 July 2026

This Data Processing Addendum (“DPA”) forms part of the intle Terms of Serviceor other written agreement that references it (the “Agreement”). It applies when a customer processes personal data through intle as a controller and EDTECHLAB LTDprocesses that data on the customer’s behalf.

1. Parties, scope and roles

The customer identified by the account, order form or other Agreement is the “Controller”. EDTECHLAB LTD, company 17103855, is the “Processor”. This DPA covers personal data submitted to, stored in, generated through, or collected by the Service on the Controller’s behalf (“Customer Personal Data”).

Each party will comply with applicable Data Protection Law, including the UK GDPR and Data Protection Act 2018. Intle remains an independent controller for its separate account administration, billing, security, legal-compliance and consented marketing activities described in the Privacy Policy.

2. Controller instructions and obligations

The Processor will process Customer Personal Data only on the Controller’s documented instructions, including the Agreement, product settings, support requests and other written instructions, unless UK law requires otherwise. If legally permitted, the Processor will tell the Controller before carrying out a legally required instruction. The Processor will promptly inform the Controller if it reasonably believes an instruction infringes Data Protection Law.

The Controller is responsible for:

  • the lawfulness, fairness and transparency of its processing and instructions;
  • having an appropriate lawful basis and giving required notices to data subjects;
  • the accuracy and minimisation of data submitted to the Service;
  • configuring participant name/email collection and access controls appropriately; and
  • meeting children’s-data, special-category-data, retention and data-subject-rights obligations that apply to its use case.

The Controller retains control of Customer Personal Data and may issue lawful instructions, use available access and export controls, request rights or compliance assistance, require deletion or return as set out below, and exercise its audit rights.

3. Confidentiality and security

The Processor will ensure that people authorised to process Customer Personal Data are subject to confidentiality obligations and receive access only as needed for their role. Taking account of the state of the art, implementation costs, processing context and risk, the Processor will maintain appropriate technical and organisational measures under Article 32. The current measures are summarised in Annex 2 and may be updated without materially reducing the overall protection of Customer Personal Data.

4. Sub-processors

The Controller gives general written authorisation for the Processor to use the providers listed on the Sub-processors page. The Processor will bind each sub-processor that handles Customer Personal Data to written data-protection terms offering substantially the same protection required by this DPA and remains responsible for the sub-processor’s performance of those duties.

The Processor will give institutional customers at least 30 days’ written notice before adding or replacing a sub-processor that will handle Customer Personal Data. The Controller may object during that period on reasonable data-protection grounds. The parties will work in good faith on a reasonable alternative; if none is available, the Controller may stop using the affected feature or terminate the affected Service.

5. International transfers

The Processor will not make a restricted transfer of Customer Personal Data except on documented instructions and with a lawful transfer mechanism. Where required, the parties will rely on UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate transfer-risk assessment and supplementary measures. Current verified and unverified processing-region information is published on the Sub-processors page.

6. Data-subject requests and compliance assistance

Taking account of the nature of processing, the Processor will provide reasonable assistance through product controls or support so the Controller can respond to data subjects exercising their rights. If the Processor receives a request concerning Customer Personal Data, it will direct the requester to the Controller unless legally required to respond itself.

Taking account of the information available, the Processor will reasonably assist the Controller with security obligations, breach notification, data protection impact assessments and prior consultation with the ICO. The Controller remains responsible for deciding whether a notification, DPIA or consultation is required.

7. Personal-data breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data. As information becomes available, the notice will describe the nature of the breach, likely consequences, affected data and people, and measures taken or proposed. A notice is not an admission of fault or liability. The Processor will take reasonable steps to contain, investigate and mitigate the breach and will cooperate with the Controller’s response.

8. Return, deletion and retention

During the Agreement, the Controller can retrieve generated packages and available session exports through the Service and may request reasonable assistance with return of other Customer Personal Data. At the end of the Agreement, the Processor will, at the Controller’s choice, delete or return Customer Personal Data and delete remaining copies, unless UK law requires retention. Self-service account deletion removes live user-owned application and storage data as described in the Privacy Policy.

Data in encrypted backups may remain beyond live deletion for the processor-operated backup cycle. It will be put beyond ordinary use, protected under this DPA and deleted through the applicable expiry cycle unless restoration is required for disaster recovery or law.

9. Information, audits and records

The Processor will provide information reasonably necessary to demonstrate compliance with Article 28. The Controller may audit that compliance once in any 12-month period, and additionally following a material breach or regulator request, on reasonable prior notice. Audits must occur during normal business hours, minimise disruption, protect other customers’ data and confidential security information, and use existing reports or remote evidence first where they provide sufficient assurance. Each party bears its own costs unless the audit identifies a material breach by the Processor.

10. Liability, term and priority

This DPA starts when the Agreement takes effect and continues while the Processor holds Customer Personal Data. Liability under this DPA is subject to the Agreement except where Data Protection Law does not permit a limitation. If this DPA conflicts with the Agreement on protection of Customer Personal Data, this DPA prevails. A signed order or negotiated data-protection agreement expressly overriding this DPA prevails for that customer.

Annex 1 — Details of processing

  • Subject matter: AI-assisted authoring, editing, storage, hosted-session delivery, participant tracking, SCORM packaging, team administration and support.
  • Duration: the Agreement plus the deletion and backup-expiry periods described above.
  • Nature and purpose: collect, transmit, organise, store, retrieve, generate, display, export, support and delete data solely to provide and secure the Service on the Controller’s instructions.
  • Data subjects: the Controller’s staff, authors, administrators, invitees, learners, trainees, session participants and other people whose data the Controller submits. Under-16 participants are permitted only in an authorised institutional or guardian context.
  • Personal-data types: names, email addresses, role/team data, source-file and prompt content, generated content, optional participant identity, responses, scores, progress, timestamps, session records and necessary device/request metadata.
  • Sensitive data: the Service is not designed for special-category or criminal-offence personal data. The Controller must not submit it unless an order or written instruction expressly authorises the use case and the parties have documented suitable safeguards.

Annex 2 — Technical and organisational measures

  • encrypted HTTPS transport and provider-managed encryption at rest;
  • Supabase authentication, row-level security and tenant-aware access controls;
  • least-privilege service access, secret separation and administrator controls;
  • rate limits, input validation, upload restrictions and abuse controls;
  • unguessable hosted-session identifiers, optional session passwords and HMAC-signed participant cookies;
  • server-enforced participant data-minimisation settings and redacted error monitoring;
  • dependency, type, lint, automated test and security-review checks in the development workflow;
  • live-data deletion controls, plan retention rules and processor backup-expiry cycles; and
  • incident investigation, containment and notification procedures.

This list describes current controls and is not a claim of ISO, SOC 2, Cyber Essentials or other certification. See the Trust Centre for current evidence.

Annex 3 — Sub-processors and contact

The live provider inventory, purposes, data categories, known regions and contract links are maintained on the Sub-processors page, which is incorporated into this DPA. Data-protection instructions and notices should be sent to admin@intle.co.uk.

Processor: EDTECHLAB LTD, company 17103855, registered in England and Wales. Registered office: 167-169 Great Portland Street, London, England, W1W 5PF.