Data Processing Addendum

Data Processing Addendum (DPA) — UK GDPR

Effective Date: 1 March 2026

Parties:

  • Controller/Client: The Vogue Boost customer identified in the applicable Order/SOW (“Client” or “Controller”), and
  • Processor: Vogue Boost Ltd, registered in England & Wales, 71-75, Shelton Street, London, WC2H 9JQ, company no. 16446529 (“Vogue Boost,” “Processor,” “we/us”).

This DPA forms part of the Agreement (Terms & Conditions, Order/SOW, and incorporated policies). If there is a conflict between this DPA and the Agreement regarding personal data processing, this DPA prevails.

1) Definitions

  • Data Protection Laws: UK GDPR, Data Protection Act 2018, PECR, and, where applicable, EU GDPR.
  • Personal Data, Data Subject, Controller, Processor, Processing: As defined by UK GDPR.
  • Sub-processor: A processor engaged by Vogue Boost to process Client Personal Data.
  • Client Personal Data: Personal data processed by Vogue Boost strictly on behalf of Client under the Agreement. This expressly excludes User-Generated Content (UGC) voluntarily submitted by Data Subjects to public or community areas of the Services (e.g., forums, Signal Rooms), which Vogue Boost processes as an independent Controller in accordance with the Privacy Policy.

2) Roles & Processing Instructions

2.1 Roles. For Client Personal Data, Client is Controller and Vogue Boost is Processor.

2.2 Instructions. Vogue Boost will process Client Personal Data only: (i) on documented instructions from Client (the Agreement and this DPA), (ii) as necessary to deliver the Services described in the Order/SOW, and (iii) to comply with law (we will inform Client unless legally prohibited).

2.3 Prohibited Purposes. We will not sell or use Client Personal Data for advertising or unrelated profiling.

3) Confidentiality & Personnel

3.1 Confidentiality. Vogue Boost ensures that persons authorised to process Client Personal Data are bound by confidentiality obligations and receive appropriate data protection training.

3.2 Access Controls. Access is restricted by role and least-privilege principles.

4) Security of Processing

4.1 Measures. Vogue Boost implements technical and organisational measures appropriate to risk, as described in Annex II (TOMs), considering the state of the art, costs, nature, scope, context, and purposes of processing.

4.2 Updates. We may update TOMs from time to time, provided the overall security level is not materially diminished.

5) Sub-processing

5.1 General Authorisation. Client provides general authorisation for Vogue Boost to engage Sub-processors listed in Annex III or on our published Sub-processor page.

5.2 Notice & Objection. We will provide advance notice (e.g., email or webpage) for new Sub-processors. Client may object on reasonable grounds related to data protection within 10 business days; if unresolved, Client may suspend the affected portion of Services or terminate that portion for convenience (pro-rata refund of prepaid, undelivered Services).

5.3 Flow-down. We will enter into a written contract with each Sub-processor imposing data protection obligations no less protective than those in this DPA. Vogue Boost remains responsible for Sub-processor performance.

6) International Transfers

6.1 Transfers. If Client Personal Data is transferred outside the UK/EEA, Vogue Boost will ensure appropriate transfer safeguards apply, e.g., UK International Data Transfer Agreement (IDTA) or EU SCCs (2021) with UK Addendum, and supplementary measures where appropriate.

6.2 Cooperation. Upon request, Vogue Boost will provide details of applicable transfer mechanisms (commercially reasonable redactions may apply).

7) Assistance to Controller

7.1 Data Subject Requests. Taking into account the nature of processing, we will assist Client with reasonable technical and organisational measures to respond to DSRs (access, rectification, erasure, restriction, portability, objection) to the extent legally required.

7.2 DPIAs & Consultation. We will provide reasonable assistance for DPIAs and prior consultations with supervisory authorities in relation to processing under this DPA.

8) Personal Data Breach Notification

8.1 Notice. Vogue Boost will notify Client without undue delay after becoming aware of a Personal Data Breach affecting Client Personal Data.

8.2 Content. Notification will include known details such as: nature of breach, categories/approximate number of data subjects and records, likely consequences, and measures taken/proposed to address it. We will provide updates as information becomes available.

8.3 Client Duties. Client remains responsible for any legally required notifications to supervisory authorities or data subjects unless otherwise agreed in writing.

9) Records, Audits & Compliance

9.1 Records. Vogue Boost maintains records of processing as required by law.

9.2 Third-Party Reports. Upon reasonable request, Vogue Boost will make available security summaries, policies, and independent attestations (if available) to demonstrate compliance.

9.3 Audits. No more than once per 12 months, on 30 days’ prior written notice, during business hours, and subject to confidentiality, Client may conduct an audit or appoint an independent auditor (not a competitor). Audits shall: (i) minimise disruption; (ii) be limited to facilities, systems, and records relevant to Client Personal Data; and (iii) be of reasonable duration. Client bears audit costs; Vogue Boost may charge reasonable time/expenses for support.

10) Return & Deletion

10.1 Deletion. Upon termination or expiry of the Services (or upon Client’s written request), Vogue Boost will delete or return Client Personal Data and delete existing copies within 90 days, unless retention is required by law, internal backup cycles, or to establish, exercise, or defend legal claims.

10.2 Certification. Upon Client request, Vogue Boost will certify deletion/return.

11) Liability & Order of Precedence

11.1 Liability. Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except to the extent prohibited by Data Protection Laws.

11.2 Precedence. If there is a conflict, this DPA controls with respect to processing of Client Personal Data.

12) Term & Termination

This DPA becomes effective on the Effective Date of the Agreement or the first processing of Client Personal Data (whichever is earlier) and remains in force for so long as Vogue Boost processes Client Personal Data for Client.

13) Governing Law & Jurisdiction

This DPA is governed by the laws of England and Wales, with the exclusive jurisdiction of the courts of England and Wales, except to the extent required otherwise by applicable Data Protection Laws or mandatory SCC/IDTA terms.

Annex I — Description of Processing

A. Subject Matter & Duration

  • Subject Matter: Delivery of FinTech upskilling digital products, subscriptions (content libraries, Signal Rooms, communities), and productised/professional services (SOW).
  • Duration: For the subscription/SOW term and data retention periods as specified in the Privacy Policy and this DPA, or until deletion/return per Section 10.

B. Nature & Purpose of Processing

  • Account creation & seat management; access control and content delivery (streaming/download).
  • Learner engagement, progress tracking (if enabled), attendance, assessments (optional).
  • Support, incident response, billing operations, and service improvement (aggregated/limited analytics).
  • Security monitoring, fraud/licence-abuse detection (including the use of automated AI-based content scanning and trace identification to ensure strict licence and copyright compliance).

C. Categories of Data Subjects

  • Client’s personnel and authorised users (learners, admins).
  • Client’s business contacts relevant to SOW delivery.

D. Categories of Personal Data

  • Identity: name, business email, role/title, company, country.
  • Account: username, seat assignment, access logs, SSO identifiers (if enabled).
  • Learning context: attendance, completion states, assessment inputs (optional).
  • Communications: support tickets, feedback.
  • Billing contacts and transaction metadata (no full card numbers).

E. Special Categories of Data

  • None expected. Client will not provide special category data. If necessary, it must be expressly agreed in the SOW with appropriate safeguards.

F. Processing Operations

  • Collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission (to Sub‑processors for hosting/LMS/email/support), restriction, erasure, destruction, and automated scanning/monitoring for security and intellectual property protection.

Annex II — Technical & Organisational Measures (TOMs)

Governance & Access

  • Role‑based access controls (RBAC); least privilege; joiner‑mover‑leaver procedures.
  • MFA for admin accounts; password hashing; SSO support where applicable.
  • Security training; confidentiality agreements for staff and contractors.

Data Security

  • TLS 1.2+ encryption in transit; encryption at rest for primary data stores.
  • Network segmentation; firewalls; reputable hosting/CDN providers.
  • Secure software development lifecycle (secure coding, code review, dependency scanning).

Monitoring & Response

  • Audit logging of administrative and security-relevant events.
  • Vulnerability management; regular patching; endpoint protection for corporate devices.
  • Incident response plan; breach notification processes aligned to Section 8.

Availability & Resilience

  • Backups and tested restoration procedures; redundancy for critical components.
  • Change management; capacity planning; DDoS protections (e.g., CDN/WAF).

Data Minimisation & Retention

  • Collect only necessary data; define retention schedules; anonymise or aggregate analytics where feasible.

Sub-processor Management

  • Vendor due diligence; contractual security obligations; continuous oversight.

Annex III — Authorised Sub‑processors (Illustrative Categories)

(A current list will be maintained on our website or provided upon request.)

  • Cloud hosting & CDN (e.g., UK/EU data centres where feasible)
  • Learning platform / video streaming
  • Email (transactional & marketing)
  • Payment processing
  • CRM & support ticketing
  • Analytics (privacy‑centric configuration)

Annex IV — Data Transfer Mechanisms

  • UK IDTA or EU SCCs (2021) (Module 2: Controller → Processor) with the UK Addendum, as applicable.
  • Supplementary measures (technical, organisational, and contractual) assessed per transfer risk.

Execution. This DPA is incorporated into and automatically effective with the Agreement upon (i) execution of an Order/SOW, or (ii) continued use of the Services where the Agreement permits electronic acceptance.