This DPA is part of the Jiffy Compliance Terms of Service. It applies automatically when you register for a Jiffy Compliance account or purchase eLearning courses for a team. It sets out how we handle personal data that you upload or input into the platform on behalf of your workers.
The Customer
The business that registers for a Jiffy Compliance platform account or purchases eLearning courses for a team — and who decides what personal data is uploaded and why.
Loxbrook Associates Limited
Trading as Jiffy Compliance and Marble Training
Company No. 04924146
182 Worcester Road, Bromsgrove, B61 7AZ
Capitalised terms not defined here have the same meaning as in the Jiffy Compliance Terms of Service.
This DPA applies wherever we process Customer Personal Data on your behalf. That includes:
It does not apply to individual standalone learner accounts, where the person purchasing the course is also the learner and there is no third-party workforce relationship. In that case, we act as data controller directly under our Privacy Policy.
You are the data controller and we are the data processor. We'll only process Customer Personal Data on your documented instructions, unless the law requires otherwise.
This DPA supplements the Jiffy Compliance Terms of Service. If there's ever a conflict between the two on data processing matters, this DPA takes precedence.
We agree to:
You agree to:
You give us general authorisation to use the sub-processors listed in Annex 2. We'll:
If you have reasonable data protection grounds to object to a new sub-processor, let us know in writing within 14 days of our notice. If we can't resolve the issue together, you may terminate the agreement on written notice.
We won't transfer Customer Personal Data outside the UK or EEA without appropriate safeguards in place. Permitted mechanisms include:
Platform data is hosted in the EU region by default through Lovable. Where data is transferred to the USA (for example for analytics purposes, with your consent), the UK-US Data Privacy Framework and/or appropriate contractual safeguards apply.
We maintain appropriate technical and organisational security measures proportionate to the risk, including:
Our platform infrastructure partner (Lovable) maintains a 24/7 incident response team. Details of their security measures are at lovable.dev/security. We require all sub-processors to maintain equivalent standards.
If we become aware of a Security Incident affecting Customer Personal Data, we'll:
Notifying you of an incident doesn't mean we're accepting liability for it.
You're responsible for notifying the ICO (within 72 hours where required) and any affected individuals, based on the information we provide you.
If we receive a request directly from one of your workers exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability or objection), we'll:
Where you need to carry out a Data Protection Impact Assessment (DPIA) under Article 35 UK GDPR, we'll give you reasonable assistance — including cooperating with any required consultation with the ICO. It's your responsibility to decide whether a DPIA is needed.
We'll make available all information reasonably needed to demonstrate compliance with this DPA. On reasonable prior written notice of at least 30 days, and no more than once per year, you may request an audit of our data processing activities. We'll agree the scope, timing and cost with you in advance. You cover the cost of any audit unless it reveals material non-compliance on our part.
We may satisfy audit obligations by providing third-party audit reports or certifications where these are reasonably sufficient.
When your account closes or this DPA ends — or when you request it in writing — we'll:
For light business eLearning accounts, learner data will be deleted within 3 months of account closure or the end of the 12-month course access period, whichever comes later.
Sub-processors are required to delete data in line with their own retention terms. Lovable retains customer data for up to 90 days after account termination before permanent deletion.
Each party's liability under this DPA is subject to the limitations set out in the Jiffy Compliance Terms of Service. Nothing here limits either party's liability for: (a) breaches of Applicable Data Protection Law that can't be limited by contract; or (b) death or personal injury caused by negligence.
As between us, you bear primary responsibility for ensuring that your instructions to us are lawful.
This DPA runs for as long as the Jiffy Compliance Terms of Service are in force between us and ends automatically when those Terms end — subject to the survival of our data deletion obligations (Section 12) and our confidentiality obligations.
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any disputes arising from it.

| Item | Detail |
|---|---|
| Subject matter | Operation of the Jiffy Compliance workforce compliance platform and eLearning services on behalf of the Controller |
| Duration | For the term of the Jiffy Compliance Terms of Service, plus up to 3 months post-termination deletion period (or the end of the eLearning course access period for light business accounts) |
| Nature of processing | Storage, retrieval, structuring, display, export, deletion and security protection of Customer Personal Data |
| Purpose of processing | Full platform accounts: workforce compliance features including employee and contractor onboarding, document management, certification tracking, H&S module (RAMS, COSHH, incidents, investigations), training and eLearning, workforce announcements, and employee and contractor portals. Light business eLearning accounts: enrolment of team members onto purchased courses, tracking of course progress and completion, issuance and storage of completion certificates, and management reporting for the account holder. |
| Data subjects | Employees, workers, contractors and self-employed individuals engaged by the Controller. For light business eLearning accounts: team members enrolled by the Controller onto purchased courses. |
| Types of personal data | Full platform: names, contact details (email, phone), job role/position, certifications and qualification records, training completion records, H&S documentation (including risk assessment details), incident and accident records, employment status, PPE assignment records. Light business eLearning: names, email addresses, course enrolment and progress data, completion dates and scores, certificate details. |
| Special category data | Potentially: occupational health information within accident/incident records uploaded by the Controller on the full platform. The Controller is responsible for ensuring a lawful basis under Article 9 UK GDPR for any such processing. Special category data is not expected to arise in light business eLearning accounts. |

| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Lovable Technologies Inc. | Platform infrastructure, application hosting, database services (via Supabase) and platform development tooling. Acts as sub-processor to us. | EU region (Customer data hosted in EU by default) | UK Addendum to EU SCCs · DPA at lovable.dev/data-processing-agreement |

We'll notify you of any changes to this list with at least 14 days' prior written notice. A current list of Lovable's own sub-processors (including Supabase) is at trust.lovable.dev.
Note on Stripe: Stripe, Inc. processes payment card data on our behalf for purchases and subscriptions. Stripe does not process Customer Personal Data (workforce data or learner records) — only payment transaction data relating to the account holder. Stripe is therefore listed in our Privacy Policy rather than this DPA. Stripe's DPA is available at stripe.com/gb/legal/dpa.