SKILLSTORE DATA PROCESSING AGREEMENT

Effective Date: 2025-11-10
Last Updated: 2025-11-10

1. INTRODUCTION

This Data Processing Agreement ("DPA" or "Addendum") is entered into as and is supplemental to, and made pursuant to, the Terms of Service by and between SKILLSTORE LTD, a company registered in England and Wales (Company Number: 16495005) with its registered office at 4th Floor, 205 Regent Street, London, England, W1B 4HB ("Skillstore"), and you ("Creator", "Controller", or "you").

This Addendum applies to Skillstore's Processing of Personal Data under the Terms of Service between Skillstore and Creator for Skillstore's provision of Services (the "Agreement").

Creator enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term "Creator" shall include Creator and Affiliates.

This Addendum shall become legally binding upon Creator entering into the Agreement.

2. DEFINITIONS

Capitalized terms that are used but not defined in this Addendum have the meanings given in the Terms of Service available at https://skill.store/terms.

2.1 Core Terms

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity.

"Applicable Data Protection Laws" means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party's Processing of Personal Data, including but not limited to:

UK GDPR (General Data Protection Regulation as it forms part of UK law)
Data Protection Act 2018
EU GDPR (General Data Protection Regulation 2016/679)
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
Any other applicable privacy, data protection, or information security laws

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. In the context of this DPA, Creator is the Controller with respect to Follower Data and Learner Data.

"Data Subject" means the identified or identifiable natural person who is the subject of Personal Data. In the context of Skillstore, Data Subjects include:

Skill Builders (learners)
Creator followers
Other users whose data Creator collects through the Platform

"Follower Data" means Personal Data of Skill Builders who follow a Creator, unlock Creator content with their email, or otherwise engage with Creator content on the Platform, which Skillstore Processes on behalf of Creator.

"Learner Data" means Personal Data of Skill Builders who purchase content or services from Creator, including transaction data, contact information, and engagement data.

"Personal Data" means "personal data", "personal information", "personally identifiable information" or similar information as defined in and governed by Applicable Data Protection Laws. Personal Data includes any information relating to an identified or identifiable natural person.

"Platform Data" means the Personal Data that Skillstore Processes as a Controller, such as:

Account information (all users)
Payment information (for platform subscriptions)
Platform visitor information
Usage analytics and platform improvement data
Service-Generated Data as defined below

"Processing" or "Process" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. In the context of this DPA, Skillstore is the Processor with respect to Follower Data and Learner Data.

"Security Incident" means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by Skillstore. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

"Service-Generated Data" means usage data and metadata that is generated through the use of the Platform, including data generated through the use of customer support and other services. This Addendum applies to Service-Generated Data to the extent Service-Generated Data constitutes Personal Data.

"Services" or "Platform" means the collective products and services that may be provided by Skillstore as defined in the Terms of Service, including the website at https://skill.store, mobile applications, and all related features, content, and services.

"Subprocessor" means any third party authorized by Skillstore to Process any Personal Data on behalf of Creator.

2.2 Skillstore-Specific Data Categories

"Creator Content Data" means Personal Data that may be contained within Creator's uploaded content (videos, images, text), to the extent Creator chooses to include it.

"Email Unlock Data" means Personal Data collected when Skill Builders provide their email address to unlock Creator content, including name and email address, which is Processed by Skillstore on behalf of Creator.

"Purchase Data" means Personal Data related to transactions between Skill Builders and Creators, including purchaser name, email, transaction amount, and purchase date.

"Analytics Data" means aggregated and individual-level data about Skill Builder engagement with Creator content, including views, completion rates, engagement metrics, and demographic information.

3. GENERAL PROVISIONS

3.1 Relationship to Terms of Service

This Addendum forms part of the Terms of Service and except as expressly set forth in this Addendum, the Terms of Service remain unchanged and in full force and effect. If there is any conflict between this Addendum and the Terms of Service, this Addendum will govern with respect to data processing matters.

3.2 Limitations of Liability

Any liabilities arising under this Addendum are subject to the limitations of liability in the Terms of Service, except where such limitations would violate Applicable Data Protection Laws.

3.3 Governing Law

This Addendum will be governed by and construed in accordance with the laws of England and Wales, unless required otherwise by Applicable Data Protection Laws.

3.4 Term and Termination

This Addendum will remain in effect until, and automatically terminate upon, deletion of all Personal Data or expiration or termination of the Terms of Service. The obligations regarding data deletion, return, and security survive termination as specified in Section 12 (Return or Deletion of Personal Data).

4. RELATIONSHIP OF THE PARTIES

4.1 Skillstore as Processor

The parties acknowledge and agree that with regard to the Processing of Follower Data, Learner Data, Email Unlock Data, Purchase Data, and Analytics Data:

Creator acts as a Controller (or Processor if Creator is processing on behalf of another Controller)
Skillstore acts as a Processor

Skillstore will Process such Personal Data in accordance with Creator's instructions as outlined in Section 6 (Role and Scope of Processing).

4.2 Data Processing Relationships

A. Email Collection and Marketing Consent:

The parties acknowledge that email collection involves two distinct processes:

Email Address Collection (Always):

All Skill Builders who unlock Creator content provide email addresses
Creator receives email address regardless of marketing consent
Email collection is necessary for platform functionality
Skillstore processes this data as Processor on behalf of Creator

Marketing Consent (Optional):

Skill Builder may opt in to Creator marketing via explicit checkbox
Consent text: "Get updates from [Creator Name] including new skills, promotions, and exclusive content"
Consent applies only to marketing and promotional communications
Consent must be explicit, informed, freely given, and unbundled from content access
Creator as Controller, Skillstore as Processor for consented marketing activities

Consent Records: Skillstore stores the following for each consent action:

Timestamp (when consent was given or withdrawn)
IP address (at time of consent)
Consent text shown to Skill Builder
Source/location (checkout, settings, post-skill prompt, etc.)
Consent status (active, withdrawn, modified)
Available to Creator for compliance and audit purposes
Retained per data retention policy (Section 12)

B. Creator-Skillstore Relationship:

When a Skill Builder:

Follows a Creator
Unlocks Creator content with their email
Purchases content or services from a Creator
Engages with Creator content

...Creator is the Controller and Skillstore is the Processor for that Skill Builder's Personal Data in relation to the Creator.

C. Creator Responsibilities as Controller:

As Controller, Creator is responsible for:

Determining the purposes and means of Processing Follower Data and Learner Data
Ensuring lawful basis exists for marketing (valid consent obtained via checkbox)
Only sending marketing emails to Skill Builders who provided explicit consent
Respecting granular consent (each Creator requires separate consent)
Providing appropriate privacy notices to Data Subjects
Responding to Data Subject rights requests
Honoring unsubscribe requests immediately (within 24 hours)
Maintaining records of processing activities
Ensuring compliance with Applicable Data Protection Laws
Not using deceptive consent practices (pre-checked boxes, forced bundling, etc.)

Creator MUST NOT:

Send marketing emails to Skill Builders who did not check the consent box
Pre-check consent boxes or use deceptive consent mechanisms
Bundle marketing consent with content access in violation of GDPR Article 7(4)
Use email addresses for purposes beyond what Skill Builder explicitly consented to
Share or sell email lists without separate consent
Continue sending marketing after Skill Builder withdraws consent

D. Skillstore Responsibilities as Processor:

As Processor, Skillstore:

Processes Personal Data only on Creator's documented instructions
Captures and stores consent via compliant opt-in checkboxes
Provides Creator with consent status for each Skill Builder (consented vs not consented)
Filters email exports to clearly indicate consent status
Processes unsubscribe requests immediately and notifies Creator
Implements appropriate technical and organizational measures
Assists Creator with Data Subject rights requests
Notifies Creator of Security Incidents
Returns or deletes Personal Data upon termination
Maintains tamper-proof consent records for audit and compliance

4.3 Skillstore as Controller

Skillstore acts as a Controller (not Processor) for the following data:

Platform Data:

All user account information (Creators and Skill Builders)
Platform subscription and payment data
Platform usage analytics and improvement data
Website visitor information
Service-Generated Data that Skillstore uses for its own purposes

Processing Legal Basis:

Skillstore Processes Platform Data on the following legal bases:

Contract Performance: To provide the Platform and Services
Legitimate Interests: For platform improvement, security, fraud prevention, and business analytics
Legal Obligation: To comply with tax, accounting, and legal requirements
Consent: Where required for marketing communications or cookies

Privacy Notice:

Skillstore Processes Platform Data in accordance with its Privacy & Cookie Notice, available at https://skill.store/privacy.

5. COMPLIANCE WITH LAW

Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Personal Data.

Creator Compliance Obligations:

As Controller, Creator must:

Ensure lawful basis for all Processing
Provide Data Subjects with required privacy notices
Obtain necessary consents
Honor Data Subject rights requests
Maintain records of processing activities
Report data breaches to authorities as required
Conduct Data Protection Impact Assessments (DPIAs) where required

Skillstore Compliance Obligations:

As Processor, Skillstore must:

Process only on documented instructions
Ensure personnel are bound by confidentiality
Implement appropriate security measures
Use Subprocessors only as permitted
Assist Creator with compliance obligations
Delete or return data upon termination

6. ROLE AND SCOPE OF PROCESSING

6.1 Creator Responsibilities

A. Obtaining Necessary Consents:

Creator is solely responsible for obtaining and maintaining all necessary consents, permissions, and rights prior to collecting, storing, uploading, or Processing Personal Data through the Platform.

Creator warrants that it has:

Provided all required privacy notices to Data Subjects
Obtained all necessary consents, permissions, and rights under Applicable Data Protection Laws
Complied with all applicable laws in the collection and provision of Personal Data to Skillstore

B. Lawful Instructions:

Creator represents and warrants that its instructions to Skillstore are lawful and comply with Applicable Data Protection Laws. If Skillstore becomes aware or believes that Creator's instructions violate Applicable Data Protection Laws, Skillstore will notify Creator and may suspend Processing until the issue is resolved.

C. Data Subject Notices:

Creator must ensure Data Subjects understand the consent model. Skillstore provides the following consent mechanisms:

At Checkout/Content Unlock:

Skillstore displays: ☐ Get updates from [Creator Name] including new skills, promotions, and exclusive content

"By submitting, you agree to our Terms and Privacy Policy."

This notice:

Makes marketing consent optional (unchecked by default)
Clearly separates consent from content access
Specifies what Skill Builder is consenting to
Names the Creator as the data controller
Complies with GDPR Article 7 requirements

What Skill Builders Understand:

Email address is collected for all users (platform functionality)
Marketing consent is optional and separate
They can access content without providing marketing consent
They can withdraw consent anytime
Consent is specific to each Creator

A. Skillstore's Consent Capture:

Skillstore provides Creator with consent management tools:

Consent Collection:
- Opt-in checkbox at checkout/content unlock
- Checkbox text: "Get updates from [Creator Name] including new skills, promotions, and exclusive content"
- Unchecked by default (requires affirmative action)
- Separate from content access (not bundled)
- Post-content prompts for users who didn't initially consent
Consent Storage:
- Timestamp of consent
- IP address at time of consent
- Exact consent text shown
- Source/location of consent (checkout, settings, etc.)
- Consent status (active, withdrawn, modified)
Consent Tracking:
- Real-time consent status in Creator dashboard
- Email exports include consent status column
- Filter followers by consent status
- Consent withdrawal notifications to Creator
Consent Management Features:
- Skill Builder can view/manage consent in Settings → Email Preferences
- One-click unsubscribe in all marketing emails
- Immediate processing of consent changes
- Audit trail of all consent actions

B. Creator's Use of Consent Data:

Creator acknowledges and agrees:

Marketing Restrictions:
- May only send marketing emails to Skill Builders who provided explicit consent
- Must honor consent granularity (consent for Creator A ≠ consent for Creator B)
- Cannot use Skill Builder emails for purposes beyond stated consent
- Must stop marketing immediately upon consent withdrawal
Export Responsibilities:
- When exporting email lists, Creator must respect consent status
- Skillstore provides consent status in exports
- Creator must not market to non-consented users even after export
- External systems (if Creator exports data) are Creator's responsibility
Consent Records:
- Creator can access consent records for their Skill Builders
- Records available for compliance and audit purposes
- Creator must maintain own records if using external systems
- Creator responsible for demonstrating valid consent in their jurisdiction

C. Consent Withdrawal:

When Skill Builder withdraws marketing consent:

Skillstore's Actions (Immediate):
- Update consent status in database (within 1 hour)
- Prevent Creator from sending marketing via platform
- Notify Creator via dashboard notification
- Maintain withdrawal record for compliance
Creator's Obligations:
- Honor withdrawal immediately upon notification
- Remove from external marketing lists (if exported)
- Confirm to Skill Builder that consent withdrawn
- Update own systems within 10 business days (CAN-SPAM requirement)
- Not attempt to circumvent withdrawal

6.4 Skillstore's Instructions from Creator

A. Scope of Instructions:

By entering into the Terms of Service and this DPA, Creator instructs Skillstore to Process Follower Data, Learner Data, and related Personal Data to:

Provide Platform Services:
- Display Creator content to Skill Builders
- Enable follower relationships
- Process content purchases and transactions
- Deliver content to purchasers
- Enable communication between Creator and followers/learners
Provide Creator Tools:
- Analytics and engagement metrics
- Follower list access and CSV export (with consent status indicators)
- Audience demographic data
- Revenue and sales reporting
- Consent management dashboard
Facilitate Creator-Learner Relationships:
- Enable direct messaging (where offered)
- Deliver notifications about Creator content
- Process email unlock requests
- Manage subscription and access rights
- Capture and manage marketing consent
- Process unsubscribe/consent withdrawal requests
Operational Purposes:
- Store and backup data securely
- Prevent fraud and abuse
- Comply with legal obligations
- Perform contractual obligations under the Terms of Service
- Maintain consent records and audit trails

B. Additional Instructions:

Creator may provide additional written instructions to Skillstore regarding Processing, provided such instructions:

Are consistent with the Terms of Service
Are acknowledged in writing by Skillstore
Comply with Applicable Data Protection Laws
Do not require Skillstore to take actions outside the scope of the Platform's functionality

C. Instruction Limitations:

Skillstore may Process Personal Data beyond Creator's instructions only where:

Required by Applicable Data Protection Laws to which Skillstore is subject
Necessary to perform Skillstore's obligations under the Terms of Service
Required to comply with legal process (court orders, subpoenas, etc.)

In such cases, Skillstore will inform Creator of the legal requirement before Processing (unless prohibited by law).

6.3 What Creator Can Do with Follower and Learner Data

A. Permitted Uses:

Creator may use Follower Data and Learner Data for:

Communication and Marketing:
- Sending marketing emails and newsletters
- Promotional offers and updates
- Content announcements
- Community building and engagement
Service Delivery:
- Delivering purchased content and services
- Providing customer support
- Managing access and subscriptions
Analytics and Improvement:
- Understanding audience demographics
- Improving content based on engagement data
- Tailoring content to audience interests
External Use:
- Exporting follower lists to email marketing platforms (e.g., ConvertKit, Mailchimp, Beehiiv)
- Using audience data in Creator's own systems
- Building external relationships with followers

B. Prohibited Uses:

Creator may NOT:

Sell or Rent Data:
- Sell follower lists to third parties
- Rent email addresses
- Share data with third parties for their marketing purposes
Violate Privacy Laws:
- Process data without lawful basis
- Fail to honor unsubscribe requests
- Use data in ways not disclosed in privacy notices
Abuse Platform:
- Spam followers or learners
- Harvest data using automated means
- Use data to harm or harass individuals

C. Creator's Independent Data Use:

Once Creator exports Follower Data or Learner Data from the Platform:

Creator becomes independently responsible for that data
Creator must comply with all Applicable Data Protection Laws
Creator must maintain appropriate security measures
Creator must honor Data Subject rights requests
Skillstore is not responsible for Creator's external data processing

7. SUBPROCESSING

7.1 General Authorization

Creator specifically authorizes Skillstore to use its Affiliates as Subprocessors, and generally authorizes Skillstore to engage Subprocessors to Process Personal Data on Creator's behalf.

7.2 Subprocessor Requirements

When engaging Subprocessors, Skillstore will:

Contractual Protections:
- Enter into a written agreement with each Subprocessor
- Impose data protection obligations substantially similar to those in this DPA
- Ensure Subprocessor complies with Applicable Data Protection Laws
Remain Liable:
- Skillstore remains fully liable for compliance with this DPA
- Skillstore is responsible for any acts or omissions of Subprocessors that cause Skillstore to breach this DPA

7.3 Current Subprocessors

A list of Skillstore's current Subprocessors, including their functions and locations, is available at:

Subprocessor List: https://skill.store/subprocessors

The Subprocessor List includes:

Subprocessor name
Service provided
Data processed
Location/jurisdiction

Skillstore may update this list from time to time in accordance with Section 7.4 below.

7.4 Subprocessor Changes

A. Notice of Changes:

If Skillstore intends to add or replace Subprocessors, Skillstore will:

Update the Subprocessor List at https://skill.store/subprocessors
Notify Creator via email to the registered email address
Provide at least seven (7) calendar days advance notice

B. Creator's Right to Object:

Creator may object to the appointment of a new Subprocessor within seven (7) calendar days of notice by:

Sending written objection to [email protected]
Stating specific, reasonable grounds for objection related to data protection concerns

C. Resolution:

If Creator objects:

Skillstore will use reasonable efforts to make available a change in the Services or recommend a commercially reasonable change to Creator's configuration to avoid Processing by the objected-to Subprocessor
If Skillstore cannot provide a reasonable alternative:
- Creator may terminate the affected Services
- Termination must occur within 30 days of Skillstore's notice that no alternative is available
- No refunds will be provided for termination under this Section
- Creator remains liable for any committed fees under the Terms of Service

7.5 Emergency Subprocessors

In the event of an emergency (security incident, infrastructure failure, force majeure), Skillstore may engage Subprocessors without advance notice if necessary to maintain or restore Platform functionality. Skillstore will notify Creator as soon as reasonably practicable and will update the Subprocessor List.

8. SECURITY

8.1 Security Measures

Skillstore will implement and maintain technical and organizational security measures designed to:

Protect Personal Data from Security Incidents
Preserve the security and confidentiality of Personal Data
Ensure appropriate level of security relative to the risk

These measures are described in Schedule 2: Technical and Organizational Security Measures attached to this DPA.

8.2 Security Standards

Skillstore's security measures include, but are not limited to:

Technical Measures:

Encryption of data in transit (TLS/SSL)
Encryption of data at rest
Role-based access controls
Multi-factor authentication for administrative access
Network security (firewalls, intrusion detection)
Regular security patching and updates
24/7 monitoring for suspicious activity

Organizational Measures:

Information security policies and procedures
Employee confidentiality agreements
Security awareness training
Incident response procedures
Vendor security assessments
Regular security audits and reviews

8.3 Updates to Security Measures

Skillstore may update Security Measures from time to time to:

Reflect process improvements
Respond to changing threat landscape
Incorporate new technologies
Comply with updated security standards

Such updates will not materially decrease Skillstore's security obligations as of the Effective Date of this DPA. Skillstore will provide reasonable notice of material updates.

8.4 Creator Responsibilities

A. Shared Responsibility:

Creator acknowledges that security is a shared responsibility and Creator is responsible for:

Account Security:
- Securing account authentication credentials
- Implementing strong passwords
- Enabling multi-factor authentication (if available)
- Not sharing account access
Data Input Security:
- Ensuring data uploaded to Platform is appropriately secured before upload
- Not uploading malware, viruses, or malicious content
- Complying with Platform security requirements
External System Security:
- Securing systems and devices used to access the Platform
- Maintaining security of exported data
- Securing integration with external services (email marketing platforms, etc.)
Backups:
- Maintaining independent backups of critical data
- Not relying solely on Platform backups

B. Assessment:

Creator is responsible for:

Reviewing information made available by Skillstore about security measures
Making an independent determination whether the Platform meets Creator's security requirements
Determining whether the Platform meets Creator's obligations under Applicable Data Protection Laws

8.5 Security Incidents

A. Notification:

Upon becoming aware of a confirmed Security Incident affecting Personal Data Processed under this DPA, Skillstore will notify Creator without undue delay and in any event:

Within 72 hours of becoming aware (as required by GDPR)
Unless prohibited by applicable law or law enforcement

B. Notification Content:

Security Incident notifications will include, to the extent known and reasonably available:

Incident Details:
- Nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the Security Incident
Response Measures:
- Measures taken or proposed by Skillstore to address the Security Incident
- Measures to mitigate potential adverse effects
- Recommendations for Creator's actions (if any)
Contact Information:
- Point of contact for further information
- Process for Creator to request additional details

C. Investigation and Remediation:

Skillstore will:

Investigate the Security Incident promptly
Take reasonable steps to remediate the incident
Document the incident and response measures
Provide updates to Creator as investigation progresses

D. Creator's Obligations:

Creator acknowledges and agrees that:

Creator's Responsibility:
- Creator is solely responsible for complying with Security Incident notification laws applicable to Creator as Controller
- Creator is responsible for fulfilling any third-party notification obligations related to Security Incidents
- Creator is responsible for notifying supervisory authorities if required by law
Not an Admission:
- Skillstore's notification of or response to a Security Incident does NOT constitute an acknowledgment by Skillstore of any fault or liability
- Notification is provided to enable Creator to fulfill Creator's legal obligations
Exceptions:
- These obligations do NOT apply to Security Incidents caused by Creator's acts or omissions
- These obligations do NOT apply to Security Incidents occurring in Creator's systems or networks

E. Delayed Notification:

Skillstore may delay notification if:

Requested by law enforcement for investigation purposes
Necessary for Skillstore to investigate or remediate before providing notice

Such delay will not constitute undue delay for purposes of this Section.

9. AUDITS AND REVIEWS OF COMPLIANCE

9.1 Skillstore's Audit Program

Skillstore uses internal and external auditors to verify the adequacy of its security measures and compliance with data protection obligations.

Audit and Certification:

Skillstore maintains:

SOC 2 Type II certification (or equivalent)
Regular third-party security assessments
Annual security audits
Penetration testing
Vulnerability assessments

Audit reports and certifications are available upon request, subject to confidentiality restrictions.

9.2 Creator's Audit Rights

A. Standard Audit Materials:

Creator may request and Skillstore will provide:

Summary of most recent SOC 2 or equivalent audit report
Copies of applicable security certifications
Documentation of Security Measures (Schedule 2)
Subprocessor List

B. Additional Information Requests:

If Applicable Data Protection Laws require additional information or audit of Skillstore's data processing practices, Creator may request such information or audit by:

Sending written request to [email protected]
Specifying the information needed or scope of audit
Demonstrating the legal requirement necessitating the request

C. Audit Process:

For on-site or detailed audits:

Good Faith Cooperation:
- Skillstore will work with Creator in good faith to comply with audit requirements legally compelled or required under Applicable Data Protection Laws
- Audits must be conducted during normal business hours
- Reasonable advance notice required (at least 30 days)
Confidentiality:
- Creator and auditors must sign Skillstore's standard confidentiality agreement
- Audit findings may not be disclosed to third parties without Skillstore's consent (except as required by law)
Audit Costs:
- Creator bears all costs of audit
- Skillstore may charge reasonable fees if audit requires significant resources or disrupts operations
- Frequency limited to once per year (except in case of Security Incident or regulatory requirement)
Limitations:
- Audits must not interfere with Skillstore's operations
- Access to facilities and systems subject to Skillstore's security requirements
- Skillstore may redact information related to other customers or Skillstore's confidential information

9.3 Remedy for Non-Compliance

If audit reveals non-compliance with this DPA:

Skillstore Remediation:
- Skillstore will create a remediation plan
- Address issues within reasonable timeframe
- Provide updates to Creator on progress
Creator's Rights:
- If Skillstore is unable or unwilling to remediate material non-compliance within a reasonable timeframe
- Creator may terminate the affected Services by providing written notice
- Termination effective 30 days after notice
- No refunds provided
- Creator remains liable for any committed fees

10. IMPACT ASSESSMENTS AND CONSULTATIONS

10.1 Data Protection Impact Assessments (DPIAs)

If Creator is required under Applicable Data Protection Laws to conduct a Data Protection Impact Assessment (DPIA), Skillstore will provide reasonable cooperation and assistance.

Skillstore will provide:

Information about Processing activities
Description of Security Measures
Information about Subprocessors
Relevant audit reports and certifications
Other information reasonably necessary for DPIA

10.2 Prior Consultation with Authorities

If Creator is required to consult with supervisory authorities (e.g., under GDPR Article 36), Skillstore will provide reasonable cooperation to assist Creator.

10.3 Costs

Skillstore's cooperation under this Section 10 will be provided:

At no cost for reasonable, standard requests
At Creator's expense if cooperation requires Skillstore to assign significant resources
Skillstore will provide estimate of costs in advance of substantial work

11. DATA SUBJECT REQUESTS

11.1 Skillstore's Assistance

Skillstore will, upon Creator's request, provide reasonable assistance to help Creator comply with its obligations under Applicable Data Protection Laws to respond to requests from Data Subjects exercising their rights, including:

Data Subject Rights:

Right of access
Right to rectification
Right to erasure ("right to be forgotten")
Right to restriction of Processing
Right to data portability
Right to object to Processing
Rights related to automated decision-making

11.2 Self-Service Tools

Creator can fulfill many Data Subject requests independently using Platform functionality:

Creator Can:

View follower lists and Learner Data through dashboard
Export follower data (CSV download)
Delete specific follower records
Update follower information
Restrict Processing by removing content or disabling features

11.3 Assistance Beyond Self-Service

If Creator cannot reasonably fulfill a Data Subject request using self-service tools, Creator may request assistance from Skillstore by:

Submitting request to [email protected]
Providing details of the Data Subject request
Specifying the assistance needed

Skillstore will provide assistance:

Within reasonable timeframe (typically 10-15 business days)
To the extent technically feasible
At Creator's expense if assistance requires significant resources

11.4 Direct Data Subject Requests to Skillstore

If Skillstore receives a Data Subject request directly:

Creator Data:
- Skillstore will advise the Data Subject to submit their request to Creator
- Skillstore will notify Creator of the request
- Creator is responsible for responding to the request
Platform Data:
- If request relates to Platform Data (where Skillstore is Controller), Skillstore will respond directly

11.5 Creator's Obligation to Respond

Creator acknowledges that Creator (as Controller) is solely responsible for:

Receiving and responding to Data Subject requests
Verifying identity of requesting Data Subjects
Determining whether to grant or deny requests
Complying with timelines under Applicable Data Protection Laws (typically 30 days)
Communicating with Data Subjects

Special Handling for Consent Withdrawal:

When a Data Subject (Skill Builder) requests to withdraw marketing consent:

A. Skillstore's Immediate Actions:

Process unsubscribe request immediately (within 1 hour of receipt)
Update consent status in database to "withdrawn"
Prevent Creator from sending marketing emails via platform
Notify Creator via dashboard notification
Maintain record of withdrawal (timestamp, method, confirmation)
Confirm withdrawal to Data Subject (automated confirmation email)

B. Creator's Obligations Upon Notification:

Honor withdrawal immediately upon notification from Skillstore
Remove Data Subject from external marketing lists (if email was exported)
Cease all marketing communications within 24 hours
Update own systems and records within 10 business days (CAN-SPAM requirement)
Provide confirmation to Data Subject if directly requested
Not attempt to re-subscribe Data Subject without fresh consent

C. Methods of Withdrawal: Data Subjects can withdraw consent via:

One-click unsubscribe link in marketing emails (no login required)
Account Settings → Email Preferences → Uncheck Creator
Direct request to [email protected]
Direct request to Creator (Creator must notify Skillstore)

D. Effect of Withdrawal:

Marketing emails stop immediately
Data Subject retains access to all purchased/unlocked content
Data Subject remains platform member with full features
Email address remains in Creator dashboard (platform functionality)
Transactional emails continue (purchase confirmations, content access, etc.)
Data Subject can re-consent at any time

E. Consent Withdrawal Records: Skillstore maintains records of all consent withdrawals including:

Date and time of withdrawal
Method of withdrawal (unsubscribe link, settings, email, etc.)
Confirmation sent to Data Subject
Notification sent to Creator
Retained for 3 years (compliance requirement)

12. RETURN OR DELETION OF PERSONAL DATA

12.1 Upon Termination

Upon termination or expiration of the Terms of Service:

A. Standard Deletion:

Skillstore will initiate its data deletion process to delete or anonymize Personal Data Processed under this DPA within a commercially reasonable timeframe, typically:

90 days from termination for most data
Sooner if technically feasible
Longer if required by law

B. Creator's Deletion Request:

Creator may request deletion of specific data at any time by:

Using self-service deletion tools in the Platform
Contacting [email protected] with specific deletion request

Skillstore will process deletion requests within 30 days where technically feasible.

C. Data Export Request:

Creator may request export of Personal Data:

Within 60 days of termination for full data export
At any time during active relationship using Platform export tools

Export will be provided in:

Comma-separated values (CSV) format
JSON format (where applicable)
Other mutually agreed format

12.2 What Happens to Different Data Types

A. Follower Data:

Deleted within 90 days of account termination
Unless Creator exports before termination

B. Learner Data (Purchase History):

Deleted within 90 days of account termination
Exception: Transaction records retained for 6 years to comply with UK tax law
Transaction records anonymized (removed from association with Creator)

C. Content Data:

Creator-uploaded content deleted within 90 days
Exception: Content purchased by Skill Builders remains accessible to those purchasers (as specified in Terms of Service Section 5.4)
Skillstore retains limited license to deliver purchased content to existing customers

D. Analytics Data:

Individual-level data deleted within 90 days
Exception: Aggregated, anonymized analytics retained indefinitely for Platform improvement

E. Backup Data:

Personal Data in backups deleted according to backup retention schedule
Typically 30-90 days from primary deletion

12.3 Legal Retention Requirements

Notwithstanding deletion obligations, Skillstore may retain Personal Data if:

Required by Law:

Tax records (6 years - UK requirement)
Accounting records (as required by law)
Records subject to legal hold or litigation

Aggregate/Anonymized:

Data that has been aggregated or anonymized such that it no longer identifies individuals
Such data is no longer "Personal Data" and retention restrictions do not apply

Technical Limitations:

Data in backups during backup retention period
Data in archived systems awaiting full decommission
Residual copies in temporary caches (automatically overwritten)

Creator acknowledges that retained data:

Remains subject to security and confidentiality obligations of this DPA
Will be deleted when legal retention period expires
Cannot practically be deleted earlier due to technical or legal constraints

12.4 Certification of Deletion

Upon Creator's request, Skillstore will provide written certification that:

Personal Data has been deleted in accordance with this Section 12
Exceptions for legal retention have been applied appropriately
Reasonable steps taken to ensure deletion completeness

13. INTERNATIONAL PROVISIONS

13.1 Processing Locations

A. Primary Location:

Skillstore's primary Processing facilities are located in:

United Kingdom (primary hosting)
European Union (backup and CDN)
United States (certain Subprocessors)

B. Global Processing:

Creator acknowledges and agrees that:

Skillstore may transfer and Process Personal Data to and in jurisdictions where Skillstore and its Subprocessors maintain data processing operations
Such jurisdictions may include countries outside the UK and EEA
Skillstore will ensure transfers comply with Applicable Data Protection Laws

13.2 Data Transfer Mechanisms

A. Adequate Jurisdictions:

Where possible, Skillstore transfers Personal Data to countries with adequacy decisions:

Countries deemed "adequate" by UK government (UK GDPR Article 45)
Countries deemed "adequate" by European Commission (EU GDPR Article 45)

B. Standard Contractual Clauses:

For transfers to countries without adequacy decisions, Skillstore uses:

UK International Data Transfer Agreement (IDTA) for UK transfers
EU Standard Contractual Clauses (2021) for EEA transfers
As detailed in Schedule 3: Cross-Border Data Transfer Mechanisms

C. Supplementary Measures:

In addition to Standard Contractual Clauses, Skillstore implements:

Encryption of data in transit and at rest
Access controls and authentication
Regular security assessments
Contractual protections with Subprocessors
Monitoring of legal developments in destination countries

13.3 UK and EEA Data Subjects

For Personal Data of Data Subjects in the UK or EEA:

UK GDPR and/or EU GDPR apply
Schedule 3 (Cross-Border Data Transfer Mechanisms) applies
Schedule 4 (Jurisdiction-Specific Terms) applies
Standard Contractual Clauses incorporated by reference

13.4 US and California Data Subjects

For Personal Data of Data Subjects in California (and other US states with privacy laws):

CCPA, CPRA, and state privacy laws apply
Skillstore acts as "Service Provider" under CCPA
Schedule 4 (Jurisdiction-Specific Terms - California) applies
Additional restrictions on use of Personal Data apply

14. CONFIDENTIALITY

14.1 Personnel Confidentiality

Skillstore ensures that all personnel authorized to Process Personal Data:

Are bound by confidentiality obligations
Have received appropriate training on data protection
Understand their obligations under this DPA
Are subject to disciplinary action for violations

14.2 Subprocessor Confidentiality

All Subprocessors are contractually required to:

Maintain confidentiality of Personal Data
Bind their personnel to confidentiality obligations
Implement appropriate security measures

14.3 Survival

Confidentiality obligations survive termination of this DPA and the Terms of Service.

15. LIABILITY AND INDEMNIFICATION

15.1 Limitation of Liability

The limitations of liability in the Terms of Service apply to this DPA, except:

A. Exceptions Under Data Protection Laws:

Limitations of liability do NOT apply to:

Data Subject compensation claims under GDPR Article 82
Supervisory authority actions and fines
Liability that cannot be limited under Applicable Data Protection Laws

B. Mutual Liability:

Each party is liable to the other for:

Breaches of this DPA caused by that party
Acts or omissions of its Subprocessors (for Skillstore) or sub-Controllers (for Creator)
Failure to comply with Applicable Data Protection Laws

A. Controller vs. Processor Fines:

Under GDPR:

Controllers and Processors can both be fined directly by supervisory authorities
Each party is responsible for fines imposed on them
Neither party indemnifies the other for regulatory fines

B. No Cross-Indemnity for Fines:

Notwithstanding anything to the contrary in the Terms of Service or this DPA:

Skillstore is NOT responsible for:

GDPR fines imposed on Creator by supervisory authorities
Fines resulting from Creator's violations of Applicable Data Protection Laws
Fines related to Creator's Processing instructions or decisions

Creator is NOT responsible for:

GDPR fines imposed on Skillstore by supervisory authorities
Fines resulting from Skillstore's violations of Applicable Data Protection Laws
Fines related to Skillstore's Processing methods or security failures

C. Claims Between Parties:

This Section 15.2 does NOT limit:

One party's right to claim damages from the other party for breach of this DPA
Indemnification obligations in the Terms of Service (for matters other than regulatory fines)
Liability for losses caused by one party to the other

15.3 Data Subject Claims

A. Direct Claims:

Under GDPR:

Data Subjects have right to compensation from Controller or Processor
Data Subjects may sue either party directly
The party sued may invoke liability of the other party

B. Contribution and Recovery:

If one party is held liable for damages caused by the other party:

Liable party may recover contribution from responsible party
Recovery based on degree of responsibility
Each party responsible for damages it caused

16. NOTICE AND COMMUNICATION

16.1 Contact Information

For Skillstore:

General Data Protection Inquiries:
Email: [email protected]
Attention: Data Protection Team

Security Incidents:
Email: [email protected]
Attention: Security Team

Mailing Address:
SKILLSTORE LTD
Data Protection Team
4th Floor, 205 Regent Street
London, England, W1B 4HB
United Kingdom

For Creator:

Communications will be sent to:

Email address associated with Creator's account
Additional email addresses specified in account settings
Mailing address provided during account creation (if applicable)

16.2 Method of Notice

Notices under this DPA may be provided by:

Email (deemed received 24 hours after sending)
Platform notification (deemed received when posted)
Registered mail (deemed received 5 business days after mailing)

Creator is responsible for maintaining current contact information.

17. CHANGES TO THIS DPA

17.1 Right to Amend

Skillstore may update this DPA from time to time to:

Reflect changes in Applicable Data Protection Laws
Reflect changes in Processing activities
Improve clarity or address ambiguities
Reflect changes in Subprocessors or Security Measures

17.2 Notice of Changes

For material changes to this DPA, Skillstore will:

Provide at least 30 days' advance notice
Send notice via email to Creator's registered email address
Post notice on the Platform
Update the "Last Updated" date

17.3 Creator's Options

If Creator objects to material changes:

Creator may terminate the Services by providing written notice within 30 days
Termination effective at end of notice period
No refunds provided for early termination
Creator remains liable for committed fees

Continued use of the Platform after changes take effect constitutes acceptance.

SCHEDULE 1: SUBJECT MATTER & DETAILS OF PROCESSING

1. Nature and Purpose of Processing

A. Skillstore as Processor:

Skillstore Processes Personal Data as a Processor on behalf of Creator (as Controller) for the following purposes:

Platform Services:

Displaying Creator's content to Skill Builders
Managing follower relationships
Processing content purchases and transactions
Delivering content to purchasers
Storing Creator's content securely

Creator Tools:

Providing analytics and engagement metrics
Enabling follower list access and export
Generating audience demographic reports
Calculating and reporting revenue data
Facilitating Creator-learner communication

Operational Support:

Preventing fraud and abuse
Providing customer support
Maintaining platform security and stability
Complying with legal obligations

B. Skillstore as Controller:

Skillstore Processes Platform Data as a Controller for:

Operating and improving the Platform
Providing Services to all users
Marketing and promotional activities
Business analytics and reporting
Compliance with legal obligations

See Privacy & Cookie Notice at https://skill.store/privacy for full details.

2. Processing Activities

A. Follower Data and Learner Data (Skillstore as Processor):

Processing activities include:

Collection: When Skill Builders follow Creator, unlock content, or make purchases
Storage: Secure storage in Skillstore databases
Organization: Indexing and categorizing for Creator access
Retrieval: Providing Creator access through dashboard and exports
Analysis: Generating analytics and engagement metrics
Transmission: Delivering content to purchasers, sending notifications
Restriction: Implementing access controls and privacy settings
Erasure: Deleting data upon Creator request or account termination

B. Platform Data (Skillstore as Controller):

Processing activities include:

Account management and authentication
Payment processing (subscriptions)
Platform usage analytics
Service improvements and development
Marketing communications
Legal compliance and reporting

3. Duration of Processing

A. Follower Data and Learner Data:

Active Processing:

Continues while Creator's account is active
Continues while Skill Builders' access to purchased content continues

Post-Termination:

Most data deleted within 90 days of Creator account termination
Transaction records retained for 6 years (UK tax law)
Purchased content remains accessible to purchasers (license continuation)

B. Platform Data:

Retention periods as specified in Privacy & Cookie Notice:

Account data: While account is active + 30 days
Transaction records: 6 years
Analytics: Aggregated indefinitely, individual-level 2 years
Marketing data: Until opt-out + 30 days

4. Categories of Data Subjects

A. Follower Data and Learner Data:

Data Subjects whose Personal Data is Processed as part of Creator's audience:

Skill Builders: Individuals who follow Creator or engage with Creator content
Purchasers: Skill Builders who purchase Creator's content or services
Email Unlocks: Skill Builders who provide email to access Creator content
Prospective Learners: Individuals who view Creator content without following

B. Platform Data:

Data Subjects whose Personal Data is Processed for Platform operations:

All Users: Creators and Skill Builders with accounts
Website Visitors: Individuals who visit skill.store without accounts
Support Contacts: Individuals who contact Skillstore support

5. Categories of Personal Data

A. Follower Data and Learner Data (Processor):

Personal Data Creator can access about their audience:

Identification Data:

Full name
Email address
Username
Profile photo URL

Engagement Data:

Follow date
Content views and watch time
Completion rates
Likes, comments, shares
Last activity date

Purchase Data:

Transaction ID
Purchase date and time
Amount paid
Content purchased
Payment method type (not full details)

Demographic Data (where provided by Skill Builder):

Age range
Location (country/region)
Language preference
Interests and preferences

Communication Data:

Direct messages with Creator (where feature enabled)
Email opt-in status
Unsubscribe preferences

Marketing Consent Data:

Consent status (consented, not consented, withdrawn)
Consent timestamp (date and time of consent)
Consent IP address (at time of consent)
Consent source/location (checkout, settings, post-skill prompt, etc.)
Exact consent text shown to Skill Builder
Consent withdrawal date (if applicable)
Consent withdrawal method (if applicable)
Consent modification history

Analytics Data:

Aggregated statistics
Engagement trends
Audience demographics

B. Platform Data (Controller):

Personal Data Skillstore processes for Platform operations:

Account Data:

Full name
Email address
Password (encrypted)
Account creation date
Account type (Creator/Skill Builder)
Subscription status

Payment Data (for Platform subscriptions):

Payment method (tokenized)
Billing address
Transaction history with Skillstore
Tax information (where applicable)

Usage Data:

Login history
Platform features used
Device information
IP address
Browser information

Support Data:

Support ticket content
Communication with support team
Feedback and survey responses

6. Sensitive Data or Special Categories of Data

A. Prohibition on Sensitive Data:

Creators are strictly prohibited from:

Collecting special categories of data through the Platform
Uploading sensitive data to Creator content
Requesting sensitive data from Skill Builders

Special Categories of Data include:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data for unique identification
Health data
Sex life or sexual orientation

B. Children's Data:

Platform not intended for users under 18
Creators must not target content to minors
If Creator becomes aware of data from person under 18, must delete immediately

C. Financial Data:

Payment card details processed by Stripe/PayPal (not stored by Skillstore)
Only tokenized payment information stored

D. Exceptions:

Sensitive data may be contained in:

User-generated content (Creator videos) - Creator responsible
Support communications - handled in accordance with privacy laws
Legal compliance - where required by law

SCHEDULE 2: TECHNICAL & ORGANIZATIONAL SECURITY MEASURES

This Schedule describes Skillstore's security measures implementing Article 32 of GDPR and equivalent provisions in other Applicable Data Protection Laws.

1. Measures of Pseudonymization and Encryption

Encryption:

Data in Transit:

All data transmitted over internet encrypted using TLS 1.2 or higher
HTTPS enforced for all Platform connections
Secure WebSocket connections (WSS) for real-time features
VPN required for administrative access

Data at Rest:

All Personal Data encrypted at rest using AES-256 encryption
Database encryption enabled
File storage encrypted
Backup encryption
Encryption keys rotated regularly

Pseudonymization:

User IDs replaced with pseudonymous identifiers where feasible
Analytics data pseudonymized
IP addresses hashed or truncated
Payment information tokenized

2. Confidentiality, Integrity, Availability, and Resilience

Confidentiality:

Access Controls:

Role-based access control (RBAC)
Principle of least privilege
Multi-factor authentication required for admin access
Regular access reviews
Immediate revocation upon termination

Personnel Training:

All employees complete data protection training
Specialized training for teams handling Personal Data
Annual refresher training required
Confidentiality agreements signed

Integrity:

Data Validation:

Input validation on all user submissions
Data integrity checks
Version control for data modifications
Audit logs for data changes

System Integrity:

Code reviews and testing
Change management procedures
Separation of development and production environments
Automated testing before deployment

Availability:

Infrastructure Redundancy:

Multiple availability zones
Redundant servers and storage
Load balancing
Failover mechanisms

Business Continuity:

Disaster recovery plan
Backup and restore procedures
Incident response plan
Regular testing of recovery procedures

Resilience:

Monitoring:

24/7 system monitoring
Automated alerts for anomalies
Performance monitoring
Security information and event management (SIEM)

Updates:

Regular security patches
Vulnerability scanning
Penetration testing annually
Dependency updates

3. Ability to Restore Availability and Access

Backup Strategy:

Backup Frequency:

Continuous replication for critical data
Daily backups for all Personal Data
Weekly full backups
Monthly archived backups

Backup Security:

Backups encrypted
Stored in separate geographic location
Access controls on backup systems
Regular backup integrity tests

Recovery Capabilities:

Recovery Time Objectives (RTO):

Critical systems: 4 hours
Non-critical systems: 24 hours

Recovery Point Objectives (RPO):

Critical data: 1 hour or less
Non-critical data: 24 hours

Recovery Testing:

Quarterly disaster recovery drills
Annual full disaster recovery test
Documentation of recovery procedures
Regular review and update of recovery plans

4. Regular Testing and Evaluation

Security Assessments:

Internal Assessments:

Quarterly vulnerability scans
Bi-annual penetration testing
Ongoing security monitoring
Regular security policy reviews

External Assessments:

Annual third-party security audit
SOC 2 Type II examination
ISO 27001 assessment (planned)
Compliance audits as required

Effectiveness Evaluation:

Key performance indicators (KPIs) for security
Metrics on incidents and response times
Regular review of security controls
Continuous improvement process

5. User Identification and Authorization

Authentication:

User Authentication:

Unique username and password required
Strong password requirements enforced
Optional multi-factor authentication (MFA)
MFA required for high-privilege accounts

Employee Authentication:

Unique credentials for all personnel
MFA required for all system access
Single sign-on (SSO) for corporate systems
Immediate credential revocation upon termination

Authorization:

Access Provisioning:

Role-based access control
Least privilege principle
Approval required for elevated access
Regular access reviews (quarterly)
Just-in-time privileged access

Session Management:

Session timeouts
Secure session tokens
Logout on inactivity
Protection against session hijacking

6. Protection of Data During Transmission

Network Security:

Encryption:

TLS 1.2 or higher for all transmissions
Perfect forward secrecy enabled
Strong cipher suites only

Network Controls:

Firewalls at network perimeter
Network segmentation
Virtual private networks (VPNs) for remote access
Intrusion detection/prevention systems (IDS/IPS)

API Security:

API authentication required
Rate limiting
Input validation
Secure API design

7. Protection of Data During Storage

Storage Security:

Physical Security:

Data centers with 24/7 security
Multi-factor access to facilities
Video surveillance
Visitor logs and escort requirements

Logical Security:

Encrypted file systems
Access controls on storage systems
Regular security updates
Isolation between customer data

Database Security:

Encrypted databases
Parameterized queries (SQL injection prevention)
Database access logging
Regular database security audits

8. Physical Security of Locations

Data Center Security:

Skillstore uses certified data centers with:

Certifications: ISO 27001, SOC 2, PCI DSS Level 1 (where applicable)
Physical Controls:
- 24/7 security personnel
- Video surveillance
- Biometric access controls
- Visitor logs and escort requirements
- Secure disposal of physical media

Office Security:

Controlled access to office facilities
Visitor sign-in and escort
Clean desk policy
Secure disposal of documents
No Personal Data on portable devices without encryption

9. Event Logging

Logging Strategy:

What is Logged:

User authentication events
Administrative actions
Data access and modifications
System configuration changes
Network traffic
Security events
Application errors

Log Management:

Centralized log management system
Logs protected from tampering
Logs retained for minimum 1 year (or as required by law)
Regular log review
Automated alerting for security events

Monitoring:

Security team monitors logs 24/7
Automated correlation and analysis
Investigation of suspicious activity
Escalation procedures for security events

10. System Configuration

Secure Configuration:

Baseline Configuration:

Hardened operating systems
Removal of unnecessary services
Disabling unnecessary accounts
Default passwords changed
Security patches applied

Change Management:

Documented change procedures
Testing before production deployment
Peer review of changes
Rollback procedures
Configuration version control

Development Security:

Secure Coding:

Secure development lifecycle
OWASP Top 10 awareness
Code reviews
Static application security testing (SAST)
Dynamic application security testing (DAST)

Environment Segregation:

Separate development, testing, production environments
No production data in non-production environments
Different credentials for each environment

11. IT and IT Security Governance

Security Program:

Governance Structure:

Dedicated security team
Chief Information Security Officer (or equivalent)
Security policies and procedures
Regular management reviews
Board reporting on security

Risk Management:

Risk-based security approach
Regular risk assessments
Threat modeling
Vulnerability management
Incident response plan

Vendor Management:

Security reviews of vendors
Contractual security requirements
Regular vendor assessments
Subprocessor security standards

Compliance:

Regular compliance audits
Documentation of compliance activities
Privacy by design principles
Data protection impact assessments

12. Certifications and Assurance

Current Certifications:

SOC 2 Type II (completed/in progress)
PCI DSS Level 1 (through payment processors)

Planned Certifications:

ISO 27001
ISO 27701 (privacy extension)
Cyber Essentials (UK)

Audits:

Annual security audits
Penetration testing
Compliance audits
Internal audits quarterly

13. Data Minimization

Minimization Principles:

Collection:

Collect only data necessary for specified purposes
No excessive data collection
Purpose limitation enforced

Retention:

Data deleted when no longer needed
Retention periods defined
Automated deletion where possible
Regular data cleanup

Creator Control:

Creators determine what data to collect
Platform provides tools for minimal data collection
Guidance on data minimization best practices

14. Data Quality

Accuracy:

Creator Responsibility:

Creator responsible for accuracy of data they collect
Creator provides correct information to Skill Builders

Skillstore Support:

Tools for Creators to correct data
Validation of input data
Error checking and reporting
Data integrity monitoring

Reliability:

Data backups ensure reliability
Redundant storage
Regular integrity checks

15. Limited Data Retention

Retention Policies:

Default Retention:

Active accounts: Data retained while account active
Deleted accounts: 90 days maximum (most data)
Transaction records: 6 years (legal requirement)

Creator Control:

Creators can delete data at any time
Self-service deletion tools
Assistance provided if tools insufficient

Automated Deletion:

Scheduled deletion jobs
Verification of deletion success
Audit trail of deletions

16. Accountability

Accountability Measures:

Policies and Procedures:

Data protection policies
Security policies
Incident response procedures
Employee handbook

Documentation:

Records of processing activities
Data protection impact assessments
Security incident reports
Compliance documentation

Oversight:

Data Protection Officer (or equivalent function)
Regular audits and reviews
Management reporting
Board oversight

Training:

Mandatory data protection training
Role-specific training
Regular updates
Assessment of training effectiveness

17. Data Portability and Erasure

Data Subject Rights Support:

Creator Tools:

Dashboard access to follower and learner data
CSV export functionality
API access (where available)
Self-service deletion

Skillstore Assistance:

Help with complex requests
Technical support for exports
Verification of erasure
Documentation of actions taken

Data Formats:

CSV for structured data
JSON for complex data structures
PDF for reports and summaries
Other formats upon request

Erasure Verification:

Confirmation of deletion
Deletion from backups during next cycle
Certification upon request

18. Sub-processor Security

Sub-processor Requirements:

Contractual Obligations:

Data protection clauses substantially similar to this DPA
Security measures equivalent to Skillstore's
Audit rights
Notification of security incidents

Security Standards:

Sub-processors must implement technical and organizational measures
Regular security assessments
Compliance with Applicable Data Protection Laws

Specific Obligations:

Notify Skillstore of Security Incidents promptly
Delete data upon instruction
No additional sub-processing without authorization
No change in processing location without notice
Process only on Skillstore's instructions

Monitoring:

Regular review of sub-processor performance
Security questionnaires
Audit reports review
Incident tracking

Consent Capture Security:

Integrity of Consent Mechanism:

Checkboxes default to unchecked (no pre-ticking)
Consent cannot be bypassed programmatically
Consent text immutable once displayed
Timestamp automatically recorded (cannot be modified)
IP address captured and stored securely
Source/location tracking for audit trail

Consent Storage:

Tamper-proof consent records
Immutable audit logs of all consent actions
Consent data encrypted at rest (AES-256)
Consent data encrypted in transit (TLS 1.2+)
Timestamp verification to prevent backdating
Redundant storage for consent records

Consent Access Controls:

Only authorized personnel can view consent records
Creators can only see consent status for their own followers
Full consent details (IP, timestamp, text) restricted to compliance team
No ability to modify historical consent records (append-only logs)
All access to consent records logged for audit
Multi-factor authentication required for consent data access

Consent Export Security:

Encrypted export files (password-protected ZIP or encrypted CSV)
Consent status clearly flagged in exports with dedicated column
Separate fields for: email collected vs marketing consent
Export includes consent timestamp and source
Export logs maintained showing who exported what and when
Rate limiting on exports to prevent abuse

Consent Processing Integrity:

Real-time processing of consent changes (no delays)
Unsubscribe requests processed within 1 hour maximum
Dashboard updates reflect consent status immediately
Email filtering respects consent status (cannot send to non-consented)
Consent withdrawal triggers automated notifications to Creator
Cannot override or ignore consent status

Consent Audit Trail:

Complete history of all consent actions per user
Tracks: grant, modify, withdraw, re-subscribe
Includes: timestamp, IP, method, confirmation status
Audit trail retained for 3 years minimum
Audit trail immutable (append-only)
Available to regulators and auditors upon request

Unsubscribe Link Security:

One-click unsubscribe (no login required)
Unsubscribe tokens encrypted and time-limited
Cannot be reused or forged
Immediate confirmation to user
Logs maintained of all unsubscribe actions
No ability for Creator to re-subscribe without fresh consent

Consent Record Retention:

Active consents retained indefinitely
Withdrawn consents retained for 3 years (compliance)
Deleted account consents retained per legal requirements
Backup retention follows standard backup schedule
Deletion upon request (subject to legal retention)

SCHEDULE 3: CROSS-BORDER DATA TRANSFER MECHANISMS

1. Definitions

"Standard Contractual Clauses" or "SCCs" means:

2021 EU SCCs: Standard Contractual Clauses approved by European Commission in decision 2021/914
UK IDTA: UK International Data Transfer Agreement issued by the UK Information Commissioner's Office
Swiss SCC: Swiss Federal Data Protection and Information Commissioner's approved clauses

2. Application of Standard Contractual Clauses

For transfers of Personal Data from the UK, European Economic Area (EEA), or Switzerland to Skillstore or Skillstore's Subprocessors located outside those territories, the applicable Standard Contractual Clauses apply as follows:

3. EU Standard Contractual Clauses (2021)

For data transfers from the EEA subject to the 2021 Standard Contractual Clauses:

A. Module Selection:

The following modules apply based on the parties' roles:

✓ Module Two (Controller to Processor):

Applies where Creator is a Controller of Personal Data
Skillstore is a Processor of that Personal Data
This is the primary module for Follower Data and Learner Data

✓ Module Three (Processor to Processor):

Applies where Creator is a Processor acting on behalf of another Controller
Skillstore is a sub-Processor
This applies if Creator itself is processing on behalf of a third party

B. Module-Specific Terms:

For each applicable Module:

Clause 7 (Docking Clause):

The optional docking clause will not apply

Clause 9 (Use of Sub-processors):

Option 2 applies: General written authorization
Creator authorizes use of Sub-processors listed at https://skill.store/subprocessors
Notice period for Sub-processor changes: 7 calendar days (as specified in Section 7.4 of this DPA)
Objection process: As specified in Section 7.4 of this DPA

Clause 11 (Redress):

The optional language will not apply

Clause 17 (Governing Law):

Option 1 applies
Governing law: Laws of Ireland

Clause 18 (Choice of Forum and Jurisdiction):

Clause 18(b) applies
Disputes resolved before: Courts of Ireland

C. Annex I (Parties and Processing Details):

Part A: List of Parties

Data Exporter (Creator):

Name: Creator's legal name or individual name
Address: Address associated with Creator account
Contact: Email address registered with Creator account
Activities: Creating educational content, building audience, monetizing content
Role: Controller (or Processor if acting on behalf of third party)
Signature: By entering into Terms of Service, Creator is deemed to have signed these SCCs as of the Effective Date

Data Importer (Skillstore):

Name: SKILLSTORE LTD
Address: 4th Floor, 205 Regent Street, London, England, W1B 4HB
Contact: [email protected] / Skillstore Privacy Team
Activities: Operating educational content marketplace platform
Role: Processor (or sub-Processor if Creator is Processor)
Signature: By entering into Terms of Service, Skillstore is deemed to have signed these SCCs as of the Effective Date

Part B: Description of Transfer

Categories of Data Subjects:

As described in Schedule 1, Section 4 of this DPA

Categories of Personal Data:

As described in Schedule 1, Section 5 of this DPA

Sensitive Data (Special Categories):

As described in Schedule 1, Section 6 of this DPA
Prohibited except where legally required or inadvertently included in user content

Frequency of Transfer:

Continuous for the duration of the Terms of Service

Nature of Processing:

As described in Schedule 1, Section 1 of this DPA

Purpose of Processing:

As described in Schedule 1, Section 1 of this DPA

Period of Processing:

As described in Schedule 1, Section 3 of this DPA

Sub-processor Transfers:

Subject matter, nature, and duration: As listed at https://skill.store/subprocessors

Part C: Competent Supervisory Authority

For Module Two and Three:

Irish Data Protection Commission is the competent supervisory authority

D. Annex II (Technical and Organizational Measures):

Schedule 2 of this DPA serves as Annex II of the Standard Contractual Clauses.

E. Annex III (List of Sub-processors):

The list at https://skill.store/subprocessors serves as Annex III.

4. UK International Data Transfer Agreement (UK IDTA)

For data transfers from the UK subject to UK GDPR:

A. Incorporation:

The UK International Data Transfer Agreement (UK IDTA) is incorporated by reference and applies to transfers from the UK.

B. Parties:

Exporter (Creator):

Details: As specified in Section 3.C above
Role: Controller (or Processor)

Importer (Skillstore):

Details: As specified in Section 3.C above
Role: Processor (or sub-Processor)

C. Tables to the UK IDTA:

Table 1: Parties and Key Processing Details

Start date: Effective Date of Terms of Service
Parties' details: As specified in Section 3.C above
Parties' key contact: [email protected] (Skillstore); Creator's account email (Creator)

Table 2: Selected SCCs, Modules and Selected Clauses

SCCs: EU Standard Contractual Clauses (2021)
Modules: Module Two and/or Module Three (as applicable)
Selected clauses: As specified in Section 3.B above

Table 3: Appendix Information

Annex 1A (Parties): As specified in Section 3.C Part A above
Annex 1B (Description of Transfer): As specified in Section 3.C Part B above
Annex II (Technical and Organizational Measures): Schedule 2 of this DPA
Annex III (List of Sub-processors): https://skill.store/subprocessors

Table 4: Ending this Addendum when the Approved Addendum Changes

Option: Neither party can end this UK IDTA on written notice

D. Governing Law:

The UK IDTA is governed by the laws of England and Wales.

E. Jurisdiction:

Disputes under the UK IDTA will be resolved before the courts of England and Wales.

5. Swiss Standard Contractual Clauses

For data transfers from Switzerland:

A. Application:

The 2021 EU SCCs apply with the following modifications for Swiss law:

B. Modifications:

References to GDPR:

References to "GDPR" include the Swiss Federal Act on Data Protection (FADP)
References to "EU" or "EEA" include Switzerland where context requires

Supervisory Authority:

The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority for Swiss data subjects

Governing Law and Jurisdiction:

Option 1 in Clause 17: Governed by laws of Switzerland
Clause 18(b): Disputes resolved before courts of Switzerland (alternatively, courts agreed between parties)

C. Other Terms:

All other terms from Section 3 (EU Standard Contractual Clauses) apply with necessary modifications for Swiss law.

6. Supplementary Measures

In addition to the Standard Contractual Clauses, Skillstore implements supplementary measures to ensure adequate protection:

A. Encryption:

All Personal Data encrypted in transit (TLS 1.2+)
All Personal Data encrypted at rest (AES-256)

B. Access Controls:

Role-based access with least privilege
Multi-factor authentication for admin access
Regular access reviews

C. Contractual Protections:

All Subprocessors subject to equivalent protections
Contractual prohibitions on government access (where legally possible)
Transparency commitments

D. Monitoring:

Monitoring of legal developments in destination countries
Regular review of adequacy of protections
Updates to measures as needed

E. Transparency:

Notification of government requests (where legally permitted)
Transparency reports (where feasible)
Right to challenge unlawful requests

7. Conflict of Terms

To the extent there is any conflict between:

The Standard Contractual Clauses, and
Any other terms in this DPA or the Terms of Service

The Standard Contractual Clauses will prevail with respect to data transfers governed by those clauses.

8. Multiple Modules

Where more than one Module of the Standard Contractual Clauses applies:

Each Module applies independently
Creator can rely on the Module appropriate to Creator's role
If Creator's role changes, the applicable Module changes accordingly

9. Updates to Transfer Mechanisms

If new data transfer mechanisms become available (e.g., adequacy decisions, new approved clauses):

Skillstore may transition to new mechanisms
Skillstore will notify Creator of changes
No reduction in level of protection

SCHEDULE 4: JURISDICTION-SPECIFIC TERMS

1. UNITED KINGDOM

A. Applicable Laws:

The definition of "Applicable Data Protection Laws" includes:

UK GDPR (General Data Protection Regulation as retained in UK law)
Data Protection Act 2018
Privacy and Electronic Communications Regulations (PECR)

B. References:

References in this DPA to "GDPR" are deemed to include references to the UK GDPR and Data Protection Act 2018.

C. Supervisory Authority:

The Information Commissioner's Office (ICO) is the supervisory authority for UK data protection matters.

D. Sub-processor Requirements:

When Skillstore engages a Subprocessor under Section 7, Skillstore will require any appointed Subprocessor to:

Protect Personal Data to the standard required by UK data protection laws
Implement technical and organizational measures that meet UK GDPR requirements
Process data only in:
- A country with a UK adequacy decision, OR
- On terms equivalent to the UK IDTA or other approved transfer mechanism

E. Post-Brexit Considerations:

Transfers from UK to EEA may require transfer mechanism if EEA-UK adequacy decision lapses
Skillstore monitors adequacy decisions and will implement necessary mechanisms

2. EUROPEAN ECONOMIC AREA (EEA)

A. Applicable Laws:

The definition of "Applicable Data Protection Laws" includes:

General Data Protection Regulation (EU 2016/679) ("EU GDPR")
ePrivacy Directive (2002/58/EC)
National implementations of EU privacy laws

B. Sub-processor Requirements:

When Skillstore engages a Subprocessor under Section 7, Skillstore will:

Require any appointed Subprocessor to protect Personal Data to the standard required by EU GDPR, including:
- Data protection obligations referred to in Article 28(3) of GDPR
- Sufficient guarantees to implement appropriate technical and organizational measures
Require any appointed Subprocessor to agree in writing to process data only:
- In a country with an EU adequacy decision, OR
- On terms equivalent to the 2021 EU Standard Contractual Clauses

C. GDPR Penalties:

Notwithstanding anything to the contrary in this DPA or the Terms of Service:

No Cross-Indemnification for Fines:

Neither party will be responsible for GDPR fines issued under Article 83 of the GDPR against the other party by a supervisory authority.

Clarification:

If Creator is fined by a supervisory authority, Skillstore is not liable for that fine
If Skillstore is fined by a supervisory authority, Creator is not liable for that fine
This does NOT limit claims between parties for breach of DPA (damages other than regulatory fines)

D. Data Subject Rights:

Skillstore will assist Creator in responding to Data Subject rights requests under GDPR Articles 15-22, as described in Section 11 of this DPA.

3. SWITZERLAND

A. Applicable Laws:

The definition of "Applicable Data Protection Laws" includes:

Swiss Federal Act on Data Protection (FADP)
Swiss Ordinance on Data Protection

B. Supervisory Authority:

The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the supervisory authority for Swiss data protection matters.

C. Sub-processor Requirements:

When Skillstore engages a Subprocessor under Section 7, Skillstore will:

Require any appointed Subprocessor to protect Personal Data to the standard required by Swiss FADP
Ensure Subprocessors implement appropriate technical and organizational measures
Require Subprocessors to process data only in:
- A country with a Swiss adequacy decision, OR
- On terms equivalent to Swiss-approved Standard Contractual Clauses

D. Cross-Border Transfers:

Schedule 3 (Cross-Border Data Transfer Mechanisms) Section 5 applies to transfers from Switzerland.

4. CALIFORNIA (UNITED STATES)

A. Applicable Laws:

The definition of "Applicable Data Protection Laws" includes:

California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
California Civil Code Section 1798.100 et seq.

B. CCPA/CPRA Definitions:

For purposes of this Section, the following terms have the meanings given in the CCPA/CPRA:

"Business"
"Service Provider"
"Sell" or "Sale"
"Share" or "Sharing"
"Personal Information"
"Sensitive Personal Information"
"Consumer"
"Commercial Purpose"

C. Skillstore as Service Provider:

With respect to California Personal Information:

Skillstore's Role:

Skillstore is a "Service Provider" under the CCPA/CPRA
Creator is a "Business" under the CCPA/CPRA

Skillstore's Obligations:

Skillstore will NOT:

Sell Personal Information:
- Skillstore will not sell Personal Information received from Creator
- Skillstore will not sell Personal Information of Creator's customers/followers
Retain, Use, or Disclose for Unauthorized Purposes:
- Skillstore will not retain, use, or disclose Personal Information for any purpose other than providing the Services specified in the Terms of Service
- Skillstore will not retain, use, or disclose Personal Information for any commercial purpose other than providing the Services
- Skillstore will not retain, use, or disclose Personal Information outside the direct business relationship between Skillstore and Creator
Share Personal Information:
- Skillstore will not share Personal Information for cross-context behavioral advertising
- Skillstore will not share Personal Information with third parties except as Subprocessors authorized under Section 7

D. Specific Purpose and Direct Business Relationship:

The parties acknowledge and agree that:

Integral to Services:
- The Processing of Personal Data authorized by Creator's instructions in Section 6 is integral to and encompassed by Skillstore's provision of the Services
- Processing is part of the direct business relationship between Skillstore and Creator
Not Consideration:
- Skillstore's access to Personal Data does NOT constitute part of the consideration exchanged between the parties
- Creator is not paying for access to Personal Data; Creator is paying for Services

E. Service-Generated Data:

To the extent that Service-Generated Data or Platform Data constitutes Personal Information:

Skillstore is the "Business" with respect to such data
Skillstore Processes such data in accordance with its Privacy & Cookie Notice at https://skill.store/privacy
Such data is NOT subject to Service Provider restrictions

F. Consumer Rights:

Skillstore will assist Creator in responding to California Consumer rights requests, including:

Right to know
Right to delete
Right to correct
Right to opt-out of sale/sharing
Right to limit use of sensitive personal information

Assistance provided as described in Section 11 of this DPA.

G. Audits:

Creator has the right to take reasonable and appropriate steps to ensure Skillstore uses Personal Information in accordance with Creator's obligations under CCPA/CPRA, including through audits as described in Section 9 of this DPA.

H. Certification:

Upon Creator's request, Skillstore will provide written certification that:

Skillstore understands the restrictions in this Section 4
Skillstore will comply with them

5. OTHER US STATES WITH COMPREHENSIVE PRIVACY LAWS

A. Applicability:

To the extent other US states enact comprehensive privacy laws similar to CCPA/CPRA (e.g., Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA), the terms of Section 4 (California) above will apply mutatis mutandis (with necessary modifications) to Personal Information subject to those laws.

B. Skillstore Monitoring:

Skillstore monitors developments in US state privacy laws and will update this Schedule as necessary to ensure compliance.

6. ADDITIONAL JURISDICTIONS

A. Other Jurisdictions:

If Creator is located in or Processes Personal Data of Data Subjects in jurisdictions not specifically addressed above, and if Applicable Data Protection Laws in those jurisdictions impose requirements on the Processing relationship:

Creator must notify Skillstore in writing
Parties will work in good faith to amend this DPA to comply with such requirements
If amendment not possible, Section 9.3 (Remedy for Non-Compliance) may apply

B. Conflicting Requirements:

If requirements under one jurisdiction's laws conflict with requirements under another:

Parties will work in good faith to resolve conflict
Skillstore will comply with most stringent requirement where possible
If compliance impossible, Section 9.3 may apply

SIGNATURE

This Data Processing Agreement is incorporated into and forms part of the Terms of Service between Creator and Skillstore.

By accepting the Terms of Service, you (Creator) agree to be bound by this Data Processing Agreement.

SKILLSTORE LTD

Name: SKILLSTORE LTD
Company Number: 16495005
Address: 4th Floor, 205 Regent Street, London, England, W1B 4HB
Email: [email protected]

Effective Date: Date Creator accepts the Terms of Service

Last Updated: 2025-11-10
Version: 1.0

SKILLSTORE DATA PROCESSING AGREEMENT

1. INTRODUCTION

2. DEFINITIONS

2.1 Core Terms

2.2 Skillstore-Specific Data Categories

3. GENERAL PROVISIONS

3.1 Relationship to Terms of Service

3.2 Limitations of Liability

3.3 Governing Law

3.4 Term and Termination

4. RELATIONSHIP OF THE PARTIES

4.1 Skillstore as Processor

4.2 Data Processing Relationships

4.3 Skillstore as Controller

5. COMPLIANCE WITH LAW

6. ROLE AND SCOPE OF PROCESSING

6.1 Creator Responsibilities

6.3 Consent Management (Added)

6.4 Skillstore's Instructions from Creator

6.4 Skillstore's Instructions from Creator

6.3 What Creator Can Do with Follower and Learner Data

7. SUBPROCESSING

7.1 General Authorization

7.2 Subprocessor Requirements

7.3 Current Subprocessors

7.4 Subprocessor Changes

7.5 Emergency Subprocessors

8. SECURITY

8.1 Security Measures

8.2 Security Standards

8.3 Updates to Security Measures

8.4 Creator Responsibilities

8.5 Security Incidents

9. AUDITS AND REVIEWS OF COMPLIANCE

9.1 Skillstore's Audit Program

9.2 Creator's Audit Rights

9.3 Remedy for Non-Compliance

10. IMPACT ASSESSMENTS AND CONSULTATIONS

10.1 Data Protection Impact Assessments (DPIAs)

10.2 Prior Consultation with Authorities

10.3 Costs

11. DATA SUBJECT REQUESTS

11.1 Skillstore's Assistance

11.2 Self-Service Tools

11.3 Assistance Beyond Self-Service

11.4 Direct Data Subject Requests to Skillstore

11.5 Creator's Obligation to Respond

11.6 Right to Withdraw Marketing Consent

12. RETURN OR DELETION OF PERSONAL DATA

12.1 Upon Termination

12.2 What Happens to Different Data Types

12.3 Legal Retention Requirements

12.4 Certification of Deletion

13. INTERNATIONAL PROVISIONS

13.1 Processing Locations

13.2 Data Transfer Mechanisms

13.3 UK and EEA Data Subjects

13.4 US and California Data Subjects

14. CONFIDENTIALITY

14.1 Personnel Confidentiality

14.2 Subprocessor Confidentiality

14.3 Survival

15. LIABILITY AND INDEMNIFICATION

15.1 Limitation of Liability

15.2 GDPR Fines

15.3 Data Subject Claims

16. NOTICE AND COMMUNICATION

16.1 Contact Information

16.2 Method of Notice

17. CHANGES TO THIS DPA

17.1 Right to Amend

17.2 Notice of Changes

17.3 Creator's Options

SCHEDULE 1: SUBJECT MATTER & DETAILS OF PROCESSING

1. Nature and Purpose of Processing

2. Processing Activities

3. Duration of Processing

4. Categories of Data Subjects

5. Categories of Personal Data

6. Sensitive Data or Special Categories of Data