Data processing agreement

Last updated: 27 June 2026

This summary describes the data processing agreement (DPA) that forms part of every customer contract under Article 28 UK GDPR. A countersignable copy is available on request. Where this summary and the signed DPA differ, the signed DPA prevails.

Roles

For apprentice, employer and staff records, your training provider is the controller and Journey is the processor, acting only on your documented instructions. For account and billing data, Journey is the controller.

Scope & instructions

We process personal data only to provide and support the platform, as set out in the agreement, and for no other purpose. We will tell you if an instruction appears to breach data-protection law.

Security

We maintain appropriate technical and organisational measures aligned with our ISO 27001 information-security management system and Cyber Essentials certification — including encryption in transit and at rest, hard tenant isolation, role-based access control and an append-only audit log. See our Trust & security page.

Confidentiality & staff

Personnel with access to personal data are bound by confidentiality, and access is limited to those who need it to deliver the service.

Sub-processors

We use a short list of vetted sub-processors, published on our sub-processors page. We give notice of changes so you can object, and we remain responsible for their performance.

International transfers

Personal data is hosted in the UK / EU. Where any transfer outside the UK is necessary, it is protected by an appropriate safeguard such as the UK International Data Transfer Agreement or addendum.

Assistance & data subject rights

We help you respond to data-subject requests and to meet your security, breach-notification and data-protection-impact-assessment obligations. Per-apprentice data can be exported as a structured bundle.

Breach notification

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you need to meet your own reporting duties.

Return & deletion

On termination we return or delete personal data at your choice, subject to retention required by funding rules or law.

Audit

We make available the information needed to demonstrate compliance and will support audits in line with the agreement, including our certifications and security documentation.

Contact

To request a signed DPA, email privacy@journeyapp.co.uk.