Inversity Limited (trading as ‘PAIR’) 

Company Number: 14434231 

Address: 86–90 Paul Street, London, EC2A 4NE, United Kingdom 

This Data Processing Addendum (“DPA”) is entered into between: 

1. Inversity LTD, a company incorporated in England and Wales (company no. 14434231), trading as “PAIR”, with registered office at 86–90 Paul Street, London, EC2A 4NE (“PAIR”, “Processor”, “we”, “us”); and 

2. The customer identified in the Agreement (“Customer”, “Controller”, “you”). 

This DPA forms part of the master subscription agreement, order form, or other written agreement governing Customer’s use of PAIR’s services (the “Agreement”). 

1. Definitions and Interpretation 

1.1 Capitalised terms not defined in this DPA have the meanings in the Agreement. 

1.2 “Data Protection Laws” means all laws relating to data protection and privacy applicable to the Parties, including the UK GDPR and the Data Protection Act 2018, and, where applicable, the EU GDPR and similar laws in other jurisdictions. 

1.3 “Customer Personal Data” means Personal Data Processed by PAIR on behalf of Customer under the Agreement. 

1.4 “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, “Supervisory Authority” have the meanings in the Data Protection Laws. 

1.5 “International Transfer” means a transfer of Customer Personal Data to a country or organisation outside the UK/EU where such transfer is restricted by the Data Protection Laws. 

1.6 “Security Measures” means the technical and organisational measures set out in Schedule 2, as updated in accordance with this DPA. 

1.7 “Sub‑processor” means any third party engaged by PAIR to Process Customer Personal Data on behalf of Customer. 

1.8 Order of precedence. If this DPA conflicts with the Agreement, this DPA prevails in relation to Processing of Customer Personal Data. 

2. Scope and Roles 

2.1 Processor role. For Processing of Customer Personal Data under the Agreement, Customer is the Controller and PAIR is the Processor. 

2.2 Controller activities outside scope. PAIR may process Personal Data as an independent Controller for its own purposes where permitted by applicable law, including billing, account management, service security, fraud or abuse prevention, and compliance with legal obligations. PAIR may also process Aggregated Data as defined in the Agreement, including for analytics, benchmarking, product improvement and related business purposes. Such processing is governed by the Agreement and PAIR’s Privacy Notice and falls outside the scope of this DPA to the extent that the data processed does not constitute Personal Data under applicable Data Protection Legislation. 

2.3 Services. The Processing under this DPA relates to PAIR’s provision of the PAIR platform and related services as described in the Agreement and Schedule 1. 

3. Customer Instructions 

3.1 Documented instructions. PAIR will Process Customer Personal Data only on Customer’s documented instructions as set out in the Agreement, this DPA, and Schedule 1, or as required by law (in which case PAIR will inform Customer unless legally prohibited). 

3.2 Additional instructions. Customer may issue additional reasonable written instructions; if PAIR believes an instruction violates Data Protection Laws, PAIR will promptly notify Customer. 

3.3 Customer responsibilities. Customer is responsible for the lawfulness of Personal Data and Processing instructions, and for providing any required notices and obtaining any required consents. 

4. PAIR’s Processing Obligations 

4.1 Compliance. PAIR will comply with Data Protection Laws applicable to it as a Processor. 

4.2 Confidentiality. PAIR will ensure that persons authorised to Process Customer Personal Data are subject to confidentiality obligations. 

4.3 Security. PAIR will implement and maintain the Security Measures in Schedule 2 appropriate to the risks of the Processing. These measures reflect PAIR’s documented security programme (including SDLC, RBAC/SSO/MFA, environment segregation, encryption at rest/in transit, continuous monitoring, vulnerability management, incident response, and annual third‑party testing). 

4.4 Data protection by design and default. PAIR will take steps to ensure only the Personal Data necessary for each Processing purpose are Processed. 

4.5 Records. PAIR will maintain records of Processing activities as required by Data Protection Laws. 

5. Sub‑processors 

5.1 Authorisation. Customer generally authorises PAIR to engage Sub‑processors to provide the Services. A current list is set out in Schedule 3 and may be updated from time to time. 

5.2 Notice of changes. PAIR will notify Customer of intended changes to Sub‑processors (e.g., email or an online page) and give Customer a reasonable opportunity to object on reasonable, data‑protection grounds. 

5.3 Objections. If Customer reasonably objects, the Parties will discuss in good faith to find a feasible alternative; if none is available, Customer may terminate the affected Services (only) without penalty as its exclusive remedy. 

5.4 Flow‑down. PAIR will impose data protection obligations on Sub‑processors no less protective than those in this DPA and remains responsible for their performance. PAIR does not permit Sub‑processors to use Customer Personal Data for their own purposes (including model training) unless expressly authorised by Customer in writing. 

6. Assistance to Customer 

6.1 Data Subject requests. Taking into account the nature of Processing, PAIR will assist Customer, via appropriate technical and organisational measures, to respond to Data Subject requests to exercise rights under Data Protection Laws. 

6.2 Security/DPIA assistance. PAIR will provide reasonable assistance to Customer in relation to security, Personal Data Breach notifications, data protection impact assessments, and consultations with Supervisory Authorities, in each case as relates to PAIR’s Processing and information available to PAIR. 

6.3 Costs. Where assistance requires significant time or resources, the Parties may agree reasonable fees. 

7. Personal Data Breach 

7.1 Notification. Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, PAIR will notify Customer without undue delay and provide information reasonably required for Customer to meet its obligations (including timelines consistent with applicable law). 

7.2 Mitigation. PAIR will take appropriate steps to contain, investigate, and mitigate the effects of the Personal Data Breach. 

8. International Transfers

8.1 Transfers. PAIR and its Sub‑processors may carry out International Transfers where necessary to provide the Services, subject to this Clause 8. 

8.2 Safeguards. Where required, PAIR will ensure transfers are subject to appropriate safeguards, including: (a) an adequacy decision; (b) EU Commission Standard Contractual Clauses (SCCs); (c) the UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs; or (d) other lawful mechanisms. 

8.3 Incorporation. To the extent applicable, the relevant transfer tool (SCCs and/or UK IDTA/UK Addendum) is deemed incorporated by reference or may be attached as Schedule 4, with Customer as data exporter and PAIR (or Sub‑processor) as data importer. 

8.4 Supplementary measures. Where appropriate, PAIR will implement supplementary measures designed to protect Customer Personal Data in connection with International Transfers. 

9. Audits and Information 

9.1 Information. Upon reasonable written request, PAIR will make available to Customer information necessary to demonstrate compliance with this DPA, including security documentation, policies, and summaries of independent audit reports. 

9.2 Remote audits. Where Customer has agreed separate written terms with PAIR expressly granting audit rights, and if the information provided under Section 9.1 is insufficient in Customer’s reasonable opinion, Customer (or its independent auditor) may conduct a remote audit of PAIR’s relevant systems and processes, subject to (a) at least 30 days’ written notice, (b) agreement on scope and methodology, and (c) appropriate confidentiality obligations. 

9.3 On-site audits. Where Customer has agreed separate written terms with PAIR expressly granting audit rights, any on-site component of an audit shall occur only if remote review is insufficient and shall be limited to PAIR’s offices where relevant personnel work, excluding any cloud data centres, and shall not require PAIR to disclose information or access relating to other customers. 

10. Retention, Deletion and Return 

10.1 Duration. PAIR will Process Customer Personal Data for the term of the Agreement unless otherwise required by law. 

10.2 Return or deletion. Upon termination/expiry of the Agreement, or upon Customer’s written request, PAIR will either (a) delete Customer Personal Data, or (b) return it to Customer and then delete remaining copies, within a reasonable period (taking account of back‑up/archival cycles), unless retention is required by law. 

10.3 Back‑ups. Deletion from back‑ups will occur within PAIR’s standard back‑up and data‑retention schedules. 

11. Use of Special Categories and Restricted Data 

11.1 The Services are not designed to Process special categories of Personal Data or data relating to criminal convictions and offences. Customer will not intentionally submit such data without PAIR’s prior written agreement and any additional terms or safeguards required by law. 

12. Liability, Governing Law and Miscellaneous 

12.1 Liability. The Agreement’s limitations and exclusions of liability apply to this DPA; nothing limits liability where not permitted by law. 

12.2 Governing law. This DPA is governed by the law stated in the Agreement. Where the Agreement is silent, this DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction (subject to mandatory provisions of applicable transfer tools). 

12.3 Amendments. PAIR may update this DPA to reflect changes in law or industry practice. Material changes will be notified to Customer; if Customer reasonably objects to a change that materially reduces protections, the Parties will work in good faith to agree an alternative. 

SCHEDULE 1 – DESCRIPTION OF PROCESSING 

A. Subject matter: Provision of the PAIR SaaS platform and related services, including hosting, storage, support, configuration, and AI-powered workflow features. 

B. Duration: For the term of the Agreement until return/deletion in accordance with this DPA. 

C. Nature and purposes: Processing necessary to provide and support the Services (user administration, content delivery, personalisation and marking per Customer configuration, security, troubleshooting, analytics to operate the service), and to comply with law. 

D. Categories of Data Subjects: Customer’s authorised users (e.g., administrators, instructors, learners) and individuals whose Personal Data Customer inputs into the Services. 

E. Categories of Personal Data (as determined by Customer): Identification and profile data (e.g., name, email, role), employment information, user-uploaded documents/videos, course and assignment feedback, support requests (including screenshots), authentication/SSO data (e.g., via Auth0), and technical/telemetry data (e.g., IP address, device/browser, logs). These categories reflect Customer’s use of the platform and PAIR’s infrastructure as described in PAIR’s data residency and security documentation. 

F. Special categories: Not intended to be processed unless agreed in writing with additional safeguards. 

G. Processing operations: Collection, storage, organisation, transmission, retrieval, use, disclosure to Sub‑processors, logging/monitoring, back‑up, deletion/return. 

SCHEDULE 2 – SECURITY MEASURES 

Security Programme 

PAIR maintains an information security programme designed to protect Customer Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. The programme includes administrative, technical, and organisational measures appropriate to the nature of the data and risks associated with the Processing. 

A. Technical and Organisational Measures 

PAIR will implement and maintain the following high-level security controls for the duration of the Agreement: 

1. Governance and Policies. A documented security and data protection framework, including policies on information security, access control, change management, incident response, risk management, business continuity and disaster recovery. 

2. Personnel Security. All PAIR members of staff and contractors who will have access to customer PII at scale undergo BPSS screening, which verifies their identity, right to work in the UK, criminal record (specifically unspent convictions), and employment history for the past three years. 

3. Access Control. Measures to ensure only authorised personnel have access to Customer Personal Data, based on the principles of least privilege and role-based access. Multi-factor authentication is available to all users and is required for privileged administrative access by members of PAIR staff. 

4. Encryption. Customer Personal Data is encrypted in transit using industry-standard TLS, and at rest using strong encryption appropriate to the hosting environment. 

5. Logical Separation. Mechanisms ensuring logical isolation between Customer environments to prevent unintended data access. 

6. Secure Development and Change Management. Processes to ensure changes to PAIR’s systems (including code, infrastructure, and configurations) are tested, reviewed, and deployed using secure engineering practices. 

7. Monitoring and Logging. Monitoring of relevant systems and services to detect anomalous activity, potential security events, and operational issues. 

8. Vulnerability and Patch Management. Regular vulnerability scanning of relevant systems and timely application of patches in accordance with risk and industry norms. 

9. Incident Response. A documented and maintained incident response process, including identification, escalation, containment, and remediation of security incidents. 

10. Business Continuity and Back-ups. Continuity and recovery measures appropriate to PAIR’s cloud environment, including regular back‑ups and the capability to restore data from those back‑ups. 

11. Third-party Assurance. Annual independent security testing (such as penetration testing), and maintenance of relevant security accreditations, including the UK National Cyber Security Centre’s Cyber Essentials Plus certification. 

B. Non-Contractual Security Documentation 

PAIR maintains a Security Whitepaper, available to Customer on request, which describes PAIR’s security controls in more detail. The Whitepaper is provided for transparency only and does not form part of this Agreement. PAIR may update the Whitepaper from time to time to reflect improvements, provided such updates do not materially reduce the overall level of protection for Customer Personal Data. 

C. Customer Responsibilities 

Customer is responsible for maintaining the security and confidentiality of its own access credentials, user accounts, and devices, and for configuring the Services in accordance with security options provided by PAIR. 

SCHEDULE 3 – AUTHORISED SUB‑PROCESSORS (as of the Effective Date) 

The following third parties are engaged by PAIR to support delivery of the Services. Hosting regions and purposes reflect PAIR’s current data residency statement (last updated 10 March 2026).