Data Processing Addendum

How Packt Publishing Limited processes personal data on behalf of ExpertEdge customers, including sub-processors, security measures and international transfers.

ExpertEdge data processing addendum

This Data Processing Addendum (DPA) forms part of the ExpertEdge Subscription Agreement between Packt Publishing Limited (Packt) and the customer named in that agreement (Customer). It applies where Packt processes personal data on the Customer's behalf in connection with the ExpertEdge learning platform. Packt is registered in England and Wales under company number 04759694, with its registered office at Grosvenor House, 11 St Paul's Square, Birmingham B3 1RB, United Kingdom.

1. Definitions
  • 1.1: Terms not defined in this DPA have the meanings given in the applicable data-protection law. The following terms apply throughout.
  • 1.2: Controller means the party that determines the purposes and means of the processing of personal data.
  • 1.3: Processor means the party that processes personal data on behalf of the Controller.
  • 1.4: Sub-processor means any third party engaged by Packt to process Customer Personal Data.
  • 1.5: Personal Data means any information relating to an identified or identifiable natural person.
  • 1.6: Processing means any operation performed on personal data, whether or not by automated means.
  • 1.7: Data Subject means the identified or identifiable natural person to whom Personal Data relates.
  • 1.8: UK GDPR means the United Kingdom General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland.
  • 1.9: EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • 1.10: Standard Contractual Clauses (SCCs) means the standard data-protection clauses adopted by the European Commission for the transfer of personal data to processors established outside the EEA.
  • 1.11: UK IDTA means the International Data Transfer Agreement issued by the Information Commissioner under the UK GDPR, together with the UK Addendum to the EU SCCs.
  • 1.12: Customer Personal Data means the Personal Data that Packt processes on the Customer's documented instructions under the Subscription Agreement, being the Platform Learning Data described in Annex A.
2. Roles and scope
  • 2.1: The Customer is the Controller of Customer Personal Data. Where the Customer is itself a processor acting on behalf of a third-party controller, Packt acts as a sub-processor, and the Customer warrants that it has the authority of that controller to engage Packt on these terms.
  • 2.2: Packt is the Processor of Customer Personal Data.
  • 2.3: The subject-matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subject are set out in Annex A.
3. Packt's processing obligations
  • 3.1: Packt will process Customer Personal Data only on the Customer's documented instructions, including the instructions set out in the Subscription Agreement and this DPA, unless required to do otherwise by law. Where Packt is required to process by law, it will inform the Customer of that requirement before processing, unless the law prohibits such notice on important grounds of public interest.
  • 3.2: Packt will ensure that personnel authorised to process Customer Personal Data are bound by appropriate duties of confidentiality.
  • 3.3: Packt will use commercially reasonable efforts to assist the Customer, taking into account the nature of the processing and the information available to Packt, in responding to requests from Data Subjects exercising their rights under the applicable data-protection law.
  • 3.4: Packt will use commercially reasonable efforts to assist the Customer with security, personal data breach notification, and data protection impact assessments (DPIAs), taking into account the nature of the processing and the information available to Packt.
4. Security
  • 4.1: Packt will implement and maintain appropriate technical and organisational measures appropriate to the risk presented by the processing, as described in general terms in Annex B.
  • 4.2: Packt may update those measures from time to time, provided that the level of protection is not materially reduced.
5. Sub-processors
  • 5.1: The Customer gives Packt general authorisation to engage the Sub-processors listed in the sub-processor list.
  • 5.2: Packt keeps the published Sub-processor list current and posts any changes there. The Customer may object to a new Sub-processor on reasonable data-protection grounds by contacting privacy@expertedge.org.
  • 5.3: Where the Customer objects on reasonable grounds and the parties cannot agree a resolution, the Customer may terminate the affected services in accordance with the Subscription Agreement.
  • 5.4: Packt will impose on each Sub-processor data-protection obligations that are equivalent to those set out in this DPA, and Packt remains responsible to the Customer for the performance of each Sub-processor's obligations.
6. Personal data breach
  • 6.1: Packt will use reasonable efforts to notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
  • 6.2: The notification will describe, to the extent known and as it becomes available, the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
7. Data-subject requests
  • 7.1: Packt will use commercially reasonable efforts to assist the Customer in responding to requests from Data Subjects, taking into account the nature of the processing and the information available to Packt.
  • 7.2: Where a Data Subject contacts Packt directly in relation to Customer Personal Data, Packt will refer the Data Subject to the Customer and will not respond to the substance of the request without the Customer's authorisation, save as required by law.
8. Deletion and return
  • 8.1: On termination or expiry of the Subscription Agreement, or on the Customer's instruction, Packt will delete or return Customer Personal Data within a reasonable period, save where retention is required by law.
  • 8.2: Where Packt retains Customer Personal Data because retention is legally required, Packt will protect that data in accordance with this DPA and will process it only to the extent and for the period required by that law.
9. Audit
  • 9.1: Packt will make available, on reasonable request, the information reasonably necessary to demonstrate compliance with this DPA.
  • 9.2: Audits are documentation-based. Packt will respond to reasonable requests for relevant documentation, including summaries of audit reports and certifications held by Packt or its Sub-processors. Packt does not offer on-site audits.
  • 9.3: Packt undergoes independent remote cybersecurity assessments and can provide a summary of the results on request.
10. International transfers
  • 10.1: Where Customer Personal Data is transferred outside the United Kingdom or the EEA to a country not subject to an adequacy decision, the parties will put in place appropriate safeguards, such as the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses) and the EU Standard Contractual Clauses, for the relevant transfer.
  • 10.2: Where a recipient in the United States is certified under the EU-US Data Privacy Framework and the UK Extension to that framework, the parties may rely on the Data Privacy Framework (DPF) for the relevant transfer.
  • 10.3: In the event of any conflict between this clause and any other provision of the Subscription Agreement or this DPA in relation to international transfers, this clause prevails.
11. Conflict
  • 11.1: In the event of any conflict between this DPA and the Subscription Agreement, this DPA prevails on data-protection matters.
12. Annex A: description of processing
  • 12.1: Subject-matter. The provision of the ExpertEdge learning platform to the Customer.
  • 12.2: Duration. The duration of the subscription term, together with the deletion or return period set out in clause 8.
  • 12.3: Nature and purpose. Hosting and delivering learning content to the Customer's learners and recording learning activity, so that the Customer can administer and report on its learning programmes.
  • 12.4: Data subjects. The Customer's learners and administrators.
  • 12.5: Categories of personal data. Identity data and learning-activity data, as follows:
    • Identity data: email address, name, profile image, organisation id and role.
    • Learning-activity data: content launches, completions, progress, assessment scores, session times, and bookmarks.
13. Annex B: technical and organisational measures
  • 13.1: Packt will implement appropriate technical and organisational measures appropriate to the risk, taking into account the state of the art and the costs of implementation. These may include measures such as encryption in transit and at rest, access controls based on least privilege, logical separation of customer data, and logging and monitoring of security-relevant events.
  • 13.2: Packt's key sub-processors maintain their own security certifications, and Packt undergoes independent remote cybersecurity assessments.
14. Annex C: sub-processors
  • 14.1: The current Sub-processors engaged by Packt, the purposes they serve, the categories of Personal Data they process, and their locations are set out in the maintained sub-processor list.

Last updated: 24 June 2026