Data Processing Agreement
Last updated: July 30, 2025
This Data Processing Agreement ("Agreement") forms part of the contractual relationship between Pelvora ("Company", "we", "us", or "our") and the individual or entity ("Customer", "you") accessing or using our services available at pelvora.online. This Agreement sets out the terms under which the Company processes personal data on behalf of the Customer in connection with the provision of its online education and masterclass services.
By using our services, you acknowledge that you have read, understood, and agree to be bound by this Agreement.
1. Definitions
For the purposes of this Agreement, the following terms shall have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person that is submitted to, collected by, or processed through the Services.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, or erasure.
- "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Company to process Personal Data in connection with the Services.
- "Services" means the online masterclasses, educational content, platform features, and related offerings provided by Pelvora at pelvora.online.
- "Applicable Data Protection Law" means all data protection and privacy legislation applicable to the processing of Personal Data under this Agreement.
2. Roles and Responsibilities
2.1 Data Controller and Processor Relationship
The parties acknowledge that with respect to Personal Data submitted by the Customer or collected from end users of the Customer's account, the Customer acts as the Data Controller and the Company acts as the Data Processor. The Company shall process such Personal Data solely on the documented instructions of the Customer.
2.2 Company as Data Controller
With respect to Personal Data the Company collects directly for its own business purposes (such as account management, billing, platform analytics, and communications), the Company acts as an independent Data Controller and processes such data in accordance with its Privacy Policy.
2.3 Customer Obligations
The Customer represents and warrants that:
- It has the legal authority and all necessary rights, consents, and authorisations to provide Personal Data to the Company for processing under this Agreement.
- It complies with all Applicable Data Protection Law in connection with its use of the Services.
- Its instructions to the Company for processing Personal Data comply with Applicable Data Protection Law.
- It has informed Data Subjects of the relevant processing activities as required by Applicable Data Protection Law.
3. Nature and Purpose of Processing
3.1 Subject Matter
The Company processes Personal Data for the purpose of providing the Services, which include facilitating access to online masterclasses, managing user accounts, processing course enrolments, delivering educational content, and supporting customer service functions.
3.2 Duration
The Company shall process Personal Data for the duration of the Customer's use of the Services, or until earlier termination of this Agreement, unless Applicable Data Protection Law requires longer retention.
3.3 Types of Personal Data
The categories of Personal Data processed under this Agreement may include:
- Identity data: name, username, and similar identifiers
- Contact data: email address, telephone number, and postal address
- Account credentials and authentication data
- Payment and transaction data (processed via authorised payment processors)
- Course participation and learning progress data
- Communications and support correspondence
- Technical and usage data: IP addresses, browser type, device identifiers, and log files
3.4 Categories of Data Subjects
Data Subjects may include the Customer's employees, contractors, students, end users, or any other individuals whose Personal Data is submitted to the Services by or on behalf of the Customer.
4. Processing Instructions
4.1 Compliance with Instructions
The Company shall process Personal Data only in accordance with the Customer's documented instructions, which are set out in this Agreement and in any applicable service agreement, unless required to do so by applicable law, in which case the Company shall inform the Customer of that legal requirement before processing, unless such law prohibits disclosure on grounds of public interest.
4.2 Unauthorised Instructions
If the Company determines that an instruction from the Customer infringes Applicable Data Protection Law, the Company shall notify the Customer without undue delay. In such circumstances, the Company shall be entitled to suspend performance of the relevant processing until the Customer provides lawful and documented instructions.
5. Confidentiality
The Company shall ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations, whether by contract or by operation of professional or statutory duties. The Company shall limit access to Personal Data to those personnel who require access for the purpose of delivering the Services.
6. Security Measures
6.1 Technical and Organisational Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
6.2 Such measures shall include, as appropriate:
- Pseudonymisation and encryption of Personal Data where technically feasible
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Measures to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational security measures
- Access controls and authentication requirements for personnel
- Secure data transmission protocols
6.3 Security Updates
The Company may update or modify its security measures from time to time, provided that such modifications do not materially reduce the level of protection afforded to Personal Data.
7. Sub-processors
7.1 Authorisation
The Customer hereby grants the Company general authorisation to engage Sub-processors to assist in providing the Services. The Company shall maintain an up-to-date list of Sub-processors and shall make this available to the Customer upon request.
7.2 Sub-processor Obligations
Where the Company engages a Sub-processor, it shall:
- Carry out appropriate due diligence to ensure the Sub-processor provides sufficient guarantees regarding its data protection practices.
- Enter into a written agreement with the Sub-processor that imposes data protection obligations no less protective than those set out in this Agreement.
- Remain fully liable to the Customer for the acts or omissions of any Sub-processor to the extent the Company would be liable if it had performed the processing directly.
7.3 New Sub-processors
The Company shall provide reasonable prior notice to the Customer of any intended changes to Sub-processors. If the Customer reasonably objects to the appointment of a new Sub-processor on legitimate data protection grounds, the parties shall seek to resolve the matter in good faith. If no resolution is reached, the Customer may terminate the relevant Services on written notice.
8. Data Subject Rights
8.1 Assistance
Taking into account the nature of the processing, the Company shall assist the Customer, by appropriate technical and organisational measures insofar as this is possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
8.2 Forwarding Requests
If the Company receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Customer, the Company shall, where reasonably practicable, promptly forward such request to the Customer and shall not respond to the Data Subject directly unless authorised to do so by the Customer or required to do so by law.
9. Personal Data Breach
9.1 Notification
The Company shall notify the Customer without undue delay, and where feasible, within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this Agreement. Such notification shall include, to the extent available at the time:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of the Company's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
9.2 Cooperation
The Company shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of a Personal Data Breach. Where the Company's notification is provided in phases, subsequent updates shall be provided as further information becomes available.
10. Data Protection Impact Assessments and Prior Consultation
Upon the Customer's reasonable request, the Company shall provide reasonable assistance to the Customer in connection with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Applicable Data Protection Law, taking into account the nature of processing and the information available to the Company.
11. International Data Transfers
11.1 Transfer Restrictions
The Company shall not transfer Personal Data to a third country or international organisation except as necessary to provide the Services, and shall ensure that any such transfer is carried out in compliance with Applicable Data Protection Law, including by implementing appropriate safeguards such as standard contractual clauses, adequacy decisions, or other recognised transfer mechanisms.
11.2 Safeguards
Where transfers are made to countries or organisations that are not recognised as providing an adequate level of protection, the Company shall implement appropriate safeguards to ensure that Personal Data receives a level of protection essentially equivalent to that guaranteed within applicable frameworks.
12. Return and Deletion of Personal Data
12.1 Upon Termination
Upon termination or expiry of the Agreement, or upon the Customer's written request, the Company shall, at the Customer's election, return or securely delete all Personal Data processed on behalf of the Customer, unless Applicable Data Protection Law requires continued retention.
12.2 Retention by Law
To the extent the Company is required by Applicable Data Protection Law to retain any Personal Data beyond the termination of this Agreement, it shall notify the Customer accordingly and shall continue to protect such data in accordance with this Agreement until it is deleted.
13. Records of Processing Activities
The Company shall maintain records of all categories of processing activities carried out on behalf of the Customer as required under Applicable Data Protection Law. Such records shall contain all information required by applicable law and shall be made available to competent supervisory authorities upon request.
14. Audit Rights
14.1 Audit and Inspection
The Company shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this Agreement, and shall allow for and contribute to audits and inspections conducted by the Customer or a mandated third-party auditor.
14.2 Conditions
Any audit shall be conducted with reasonable prior written notice, no more frequently than once per calendar year unless a material breach is suspected, during normal business hours, and in a manner that minimises disruption to the Company's operations. The Customer shall bear all costs associated with the audit unless the audit reveals a material non-compliance by the Company.
15. Limitation of Liability
Each party's liability arising out of or in connection with this Agreement shall be subject to the limitations and exclusions set out in the main service agreement between the parties. Nothing in this Agreement shall limit or exclude liability for gross negligence, wilful misconduct, fraud, or any liability that cannot be excluded or limited by applicable law.
16. Term and Termination
This Agreement shall remain in force for the duration of the main service agreement between the parties. Termination of the main service agreement shall automatically terminate this Agreement, subject to any provisions that by their nature survive termination, including obligations relating to data deletion and confidentiality.
17. Order of Precedence
In the event of any conflict or inconsistency between this Agreement and the main service agreement between the parties, the provisions of this Agreement shall prevail with respect to the subject matter of data processing. All other terms of the main service agreement shall remain unaffected.
18. Amendments
The Company reserves the right to update or modify this Agreement from time to time to reflect changes in Applicable Data Protection Law, operational practices, or the nature of the Services. The Customer will be notified of material changes, and continued use of the Services following notice of any amendment constitutes acceptance of the updated Agreement.
19. Severability
If any provision of this Agreement is found to be invalid, unlawful, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, lawful, and enforceable. If such modification is not possible, the relevant provision shall be deemed deleted. Any modification or deletion shall not affect the validity and enforceability of the remaining provisions of this Agreement.
20. Contact Information
If you have any questions, concerns, or requests relating to this Data Processing Agreement or the processing of your Personal Data, please contact us using the details below:
Pelvora
Unity Business Centre
26 Roundhay Rd
Leeds LS7 1AB
United Kingdom
Email: contact@pelvora.online
Phone: +44 7925 237834