Legal

Data Processing Agreement

How we process and protect your data. This DPA supplements our Terms of Service and applies to all personal data processed through the SkillDrill platform.

Last updated: April 2026

1

Definitions

"Controller"
means the Customer (your organisation) who determines the purposes and means of processing personal data.
"Processor"
means Fully Coded Solutions Limited (trading as SkillDrill), registered in England and Wales.
"Data Subject"
means any identified or identifiable natural person whose personal data is processed through the platform.
"Sub-processor"
means any third party engaged by the Processor to process personal data on behalf of the Controller.
2

Scope and Purpose

This DPA applies to all personal data processed by SkillDrill on behalf of the Customer, including:

  • Employee/staff names, email addresses, and contact details
  • Skills, qualifications, and professional experience data
  • Onboarding conversation transcripts
  • Welfare and safeguarding flags
  • Custom profile fields defined by the Customer

Data is processed for the sole purpose of providing the SkillDrill skills mapping and workforce intelligence service as described in the Terms of Service.

3

Data Protection Standards

SkillDrill processes data in accordance with:

UK GDPR

UK General Data Protection Regulation

EU GDPR

Regulation (EU) 2016/679

CCPA / CPRA

California Consumer Privacy Act (US)

DPA 2018

UK Data Protection Act 2018

4

Security Measures

The Processor implements the following technical and organisational measures:

Encryption at rest

AES-256-GCM with per-tenant derived encryption keys using HKDF

Encryption in transit

TLS 1.2/1.3 enforced on all connections

Tenant isolation

Multi-tenant architecture with tenant-scoped database queries on every operation

Access control

Role-based access control with per-route permission enforcement

Authentication

Password hashing (bcrypt), optional two-factor authentication (TOTP/email), brute force protection

Infrastructure

UK-based data centres with enterprise-grade DDoS protection and web application firewall

Monitoring

Audit logging of administrative actions, welfare data access tracking

5

Data Residency

By default, all data is stored in data centres located in the United Kingdom. Customers may request data storage in alternative regions (subject to availability):

🇬🇧

United Kingdom

Default

🇺🇸

United States

On request

🇪🇺

European Union

On request

Data does not leave the selected region. The region is set at account creation and displayed in account settings.

6

Sub-processors

The following sub-processors are engaged to provide the service:

Sub-processorPurposeLocation
Amazon Web ServicesInfrastructure hosting and database storageUK / US / EU (per tenant region)
Anthropic (via AWS Bedrock)AI language model for skills conversationsUK / EU (data not retained)
CloudflareEdge network, WAF and DDoS protectionGlobal edge (UK/EU PoPs for UK/EU tenants)
StripePayment processingUS / EU
Amazon Web Services (SES)Transactional email (account, notification and password emails)UK / EU (eu-west-2 by default)
Google Analytics 4Aggregated website analytics (marketing site only; IP anonymisation enabled)US (transfers under SCCs)

The Controller will be notified of any changes to sub-processors with reasonable advance notice.

7

AI Data Processing

Conversation data is sent to the AI provider (currently Anthropic, accessed via AWS Bedrock in the UK/EU region) for real-time processing during onboarding sessions. The AI provider:

Does not retain conversation data after processing
Does not use conversation data for model training
Processes data in accordance with their own DPA

All conversation transcripts are encrypted (AES-256-GCM) before storage in the SkillDrill database.

8

Data Subject Rights

The platform supports the following data subject rights:

Right of access

Staff can view their full profile, skills, and conversation history

Right to data portability

Staff can export their data in machine-readable format

Right to erasure

Staff can delete their profile and all associated data (where enabled by the Controller)

Right to withdraw consent

Staff can withdraw consent for data processing

9

Data Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
10

Data Retention and Deletion

Data is retained for the duration of the Customer's subscription. Upon termination:

1

The Customer may export all data before account closure

2

All personal data is deleted within 30 days of account termination

3

Encrypted backups are purged within 90 days

11

International Data Transfers

Where data is transferred outside the UK/EEA (for example, to the AI provider), appropriate safeguards are in place including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • International Data Transfer Agreement (IDTA) as approved by the UK ICO
  • Transfer Impact Assessments where required
12

Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising from this agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13

Contact

For questions about this DPA or to exercise data protection rights:

Fully Coded Solutions Limited

Barn Owl Cottage, Chapel Hill
Ponsanooth, TR3 7ET
United Kingdom

Email: [email protected]