Data Processing Agreement
Last updated: 1 July 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Servicebetween CoursePay Ltd ("Processor") and the Customer ("Controller"). It governs the processing of personal data about the Controller's students, staff and other individuals that the Controller uploads to or generates within the CoursePay platform ("Customer Personal Data").
1. Roles
The Controller determines the purposes and means of processing Customer Personal Data. The Processor processes Customer Personal Data on the Controller's documented instructions.
2. Subject-matter and duration
The subject-matter is the provision of the CoursePay service. Processing continues for the term of the Terms of Service and for up to 30 days after termination to allow data export.
3. Nature and purpose of processing
Storing, organising, retrieving, transmitting and displaying Customer Personal Data so that the Controller can operate its business (invoicing, payment plans, communications, reporting, student self-service).
4. Categories of data subjects
- Students and their parents / payers.
- Controller staff and administrators.
- Controller's customers where invoiced through the platform.
5. Categories of personal data
- Identifiers: name, email, phone.
- Financial: invoice amounts, payment status, last-four of card, bank reference.
- Communications: messages, notifications, support tickets.
- Usage / audit: timestamps, IP, browser.
Special-category data is not required and should not be uploaded.
6. Processor obligations
- Process only on documented instructions from the Controller (including as set out in the Terms).
- Ensure personnel authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Annex A).
- Assist the Controller with data-subject requests, DPIAs and breach notifications.
- Notify the Controller without undue delay after becoming aware of a personal data breach.
- Delete or return Customer Personal Data at the end of the service, subject to legal retention.
7. Subprocessors
The Controller gives general authorisation for the Processor to engage the subprocessors listed on the Subprocessors page. The Processor will give 30 days' notice by updating that page before adding or replacing a subprocessor. If the Controller reasonably objects, they may terminate the affected service.
8. International transfers
Where subprocessors are outside the UK/EEA, transfers rely on the UK IDTA or EU SCCs.
9. Audit
On reasonable written notice, and no more than once per year, the Controller may request a summary of the Processor's security controls and copies of relevant third-party audit reports (e.g. SOC 2, ISO 27001) once available.
Annex A — Security measures
- TLS 1.2+ for all data in transit; AES-256 at rest.
- Role-based access with least privilege; MFA on production systems.
- Row-Level Security in the database with per-tenant isolation.
- Signed webhook verification, rate limiting on public endpoints, and input validation.
- Audit logging of privileged and data-changing actions.
- Automated daily backups with quarterly restore drills.
- Vulnerability scanning; security-incident response runbook.
To execute a countersigned copy of this DPA, email privacy@coursepay.co.
