Data processing agreement
Last updated: 27 June 2026
This summary describes the data processing agreement (DPA) that forms part of every customer contract under Article 28 UK GDPR. A countersignable copy is available on request. Where this summary and the signed DPA differ, the signed DPA prevails.
Roles
For apprentice, employer and staff records, your training provider is the controller and Journey is the processor, acting only on your documented instructions. For account and billing data, Journey is the controller.
Scope & instructions
We process personal data only to provide and support the platform, as set out in the agreement, and for no other purpose. We will tell you if an instruction appears to breach data-protection law.
Security
We maintain appropriate technical and organisational measures aligned with our ISO 27001 information-security management system and Cyber Essentials certification — including encryption in transit and at rest, hard tenant isolation, role-based access control and an append-only audit log. See our Trust & security page.
Confidentiality & staff
Personnel with access to personal data are bound by confidentiality, and access is limited to those who need it to deliver the service.
Sub-processors
We use a short list of vetted sub-processors, published on our sub-processors page. We give notice of changes so you can object, and we remain responsible for their performance.
International transfers
Personal data is hosted in the UK / EU. Where any transfer outside the UK is necessary, it is protected by an appropriate safeguard such as the UK International Data Transfer Agreement or addendum.
Assistance & data subject rights
We help you respond to data-subject requests and to meet your security, breach-notification and data-protection-impact-assessment obligations. Per-apprentice data can be exported as a structured bundle.
Breach notification
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you need to meet your own reporting duties.
Return & deletion
On termination we return or delete personal data at your choice, subject to retention required by funding rules or law.
Audit
We make available the information needed to demonstrate compliance and will support audits in line with the agreement, including our certifications and security documentation.
Contact
To request a signed DPA, email privacy@journeyapp.co.uk.