Data Processing Agreement

Summary of our standard Data Processing Agreement

Overview

Last updated April 2026.

This page summarises our standard Data Processing Agreement. It covers two distinct deployments of our platform and you should read the section relevant to you:

  • School deployments (free): Skills Hub licensed at no cost to UK schools and FE colleges, with anonymised dataset contribution
  • Workforce deployments (paid): Employer Skills Audit and Skills Hub Workforce engagements with employers of any size

Institutions and organisations contracting with Enterprise Skills Ltd will receive a full DPA for co-signature as part of the onboarding process.

Scope

Enterprise Skills Ltd processes personal data solely for the purpose of delivering the Enterprise Skills platform and related services. For schools this means:

  • Providing interactive business simulation tools
  • Generating Human Skills Index scores and capability assessments
  • Providing educator dashboards for progress monitoring
  • Generating certificates and portfolio evidence
  • Contributing anonymised, aggregated data to the Human Skills Index in return for free platform access

For workforce deployments this means:

  • Delivering the Employer Skills Audit assessment
  • Generating individual, team, department and organisation-level HSI scores
  • Producing board-ready reports for audit committees, boards and executive teams
  • Providing quarterly re-audit, trend reporting and AI exposure assessment

Categories of Personal Data

The following categories of personal data are processed under this agreement:

  • First initial and surname (or full name for workforce deployments where required)
  • Email address (used for authentication; removable on request or licence expiry)
  • Student, employee or user ID number (optional, where provided by the institution or employer)
  • Job title, role, department and reporting line (workforce deployments only)
  • Simulation scores and Human Skills Index data (platform-generated)
  • Session and usage data (platform-generated)
  • Portfolio entries and reflections (user-created, educator or manager approved)

No special category data (Article 9 UK GDPR) is collected or processed. HSI scores are not used to make automated decisions about individuals, including for recruitment, promotion, performance management or termination.

Data Subjects

This agreement covers the following categories of data subject:

  • Students aged 14-18 enrolled at the institution (schools)
  • Adult learners enrolled at the institution (FE colleges)
  • Educators and administrators who access the educator portal
  • Employees, contractors and managers assessed under the Employer Skills Audit (workforce)
  • HR, L&D and executive users accessing the workforce dashboards

Processor Obligations

Enterprise Skills Ltd will:

  • Process personal data only on documented instructions from the institution
  • Ensure all authorised persons are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, and database-level institutional data isolation
  • Assist the institution in meeting its obligations under Articles 32 to 36 of the UK GDPR
  • Assist in responding to data subject rights requests
  • Not transfer personal data outside the United Kingdom without prior written consent

Data Breach Notification

Enterprise Skills Ltd will notify the institution without undue delay, and within 72 hours, after becoming aware of a personal data breach, providing full details of the nature, scope, consequences, and remediation measures.

Subprocessors

The following subprocessors are used solely for the purpose of operating the platform infrastructure. All personal data remains within the United Kingdom.

Subprocessor | Service | Data Processed | Location
Supabase (via AWS) | Database and authentication | All personal data and scores | UK (eu-west-2, London)
Netlify | Application hosting and CDN | No personal data stored; serves application code only | Global CDN
Cloudflare | DNS, SSL/TLS, DDoS protection, WAF | No personal data stored; traffic passes through in transit only | Global CDN

Audit Rights

The institution may audit our compliance with this agreement, subject to reasonable notice (not less than 30 days).

Data Return and Deletion

On termination of the licence, the institution may request return of all data in CSV format and/or deletion within 90 days.

In the absence of specific instructions, email addresses are removed within 30 days, with residual pseudonymised data (first initial, surname, institution name, and capability scores) retained for certificate verification only.

Governing Law

This agreement is governed by the laws of England and Wales.

Request a Full DPA

To request a full Data Processing Agreement for co-signature, please contact us directly. We will provide the full DPA document as part of the institution onboarding process.

Email: dpo@enterpriseskills.co.uk