DRAFT — pending solicitor review. Not for execution.
Data Processing Addendum
This Addendum applies where Literate Ltd processes personal data on behalf of the Customer in connection with the Service.
1. Roles
The Customer is the data controller. Literate is the data processor. For SSO-mode tenants, Literate stores only pseudonyms and never holds staff PII.
2. Categories of data
Staff identifiers (name, email, or pseudonym), training records, scores, certificates, audit timestamps.
3. Sub-processors
Listed at literate.eu/security with locations and SCCs where applicable.
4. Security
Per the Information Security Policy at literate.eu/legal/security.
5. Audit
The Customer may request a SOC 2 or ISO 27001 report (when available) once per year. A penetration test summary is furnished on request under NDA.
6. International transfers
EU-only processing. Where any transfer is necessary, EU SCCs or UK IDTA apply.
7. Term
Coterminous with the Service agreement. On termination, data is deleted within 90 days (training records are retained for the 6-year statutory period).
DRAFT — replace before launch.