Learn the Music Industry
Start free

Security · Subprocessors · Data processing

Data Processing Agreement

Summary · last reviewed 3 June 2026

This page summarises, in plain English, how Learn the Music Industry handles personal data when a firm uses us to onboard its staff. It is a summary for reference. The binding document is the signed Data Processing Agreement (DPA), which we make available to customers on request.

Summary only, not the signed agreement. This page describes our standard terms; it does not itself create a contract. Where a firm requires a signed DPA, we provide one for execution before processing begins.

1. Roles

For the public, free learning experience there is no sign-in and we store no personal data, so no DPA is needed. When a firm buys seats and onboards staff, the firm is the data controller and Learn the Music Industry acts as the firm’s data processor: we process the limited personal data of the firm’s members only to provide the service, on the firm’s documented instructions.

2. What we process, and why

We process the minimum needed to run seat-based learning: a member’s e-mail address (to invite and authenticate them), their role within the firm, and their learning progress and competency results. We do not sell personal data and we do not use it to train models.

3. Sub-processors

We use a small, named set of sub-processors to deliver the service (hosting, authentication, database, and transactional e-mail). They are listed, with their purpose and region, on our subprocessors page. We require each to offer protections consistent with this agreement, and we give customers advance notice of material changes to the list.

4. Security

We apply technical and organisational measures appropriate to the data, including row-level security, least-privilege access, and encryption in transit. These are described on our security overview.

5. International transfers

Where personal data is processed outside the UK/EEA by a sub-processor, the transfer is covered by an appropriate safeguard (such as the UK International Data Transfer Addendum or Standard Contractual Clauses), as recorded in the signed DPA.

6. Data-subject rights and assistance

We assist the controller in responding to data-subject requests (access, correction, deletion) and in meeting its obligations around security and breach notification. We notify the controller without undue delay if we become aware of a personal-data breach affecting their data.

7. Retention and deletion

On termination, and on the controller’s instruction, we delete or return the firm’s personal data within a reasonable period, save where retention is required by law.

8. Request the signed DPA

Need a signed DPA for procurement? Ask through our contact formand we’ll send our standard DPA for review and signature before any processing begins.