🖨️ Click here to download in PDF format (141 KB)
Data Processing Addendum (DPA)
Last updated: March 2026
1. Introduction
This Data Processing Addendum (“DPA”) forms part of the agreement between ImmerseMe Limited (“ImmerseMe”, “we”, “us”, “our”) and the customer (“Institution”, “you”, “your”).
This DPA applies where ImmerseMe processes Personal Data on behalf of the Institution in connection with the use of the ImmerseMe platform (“Platform”).
This DPA reflects the parties’ agreement regarding the processing of Personal Data in accordance with applicable data protection laws, including GDPR, UK GDPR, and relevant education privacy laws such as FERPA.
2. Definitions
For the purposes of this DPA:
Personal Data means any information relating to an identified or identifiable individual
Processing means any operation performed on Personal Data
Data Controller means the entity determining the purposes and means of processing
Data Processor means the entity processing data on behalf of the Controller
Subprocessor means a third party engaged by the Processor
Applicable Laws means all relevant data protection and privacy laws
3. Roles of the Parties
The Institution is the Data Controller
ImmerseMe is the Data Processor
ImmerseMe will process Personal Data:
Only on documented instructions from the Institution
Only for the purpose of delivering the Platform
4. Scope and Purpose of Processing
Purpose
Processing is carried out to:
Provide language learning services
Deliver analytics and insights
Support educational outcomes
Maintain and improve the Platform
Categories of Data Subjects
Students
Teachers and educators
Administrators
Categories of Personal Data
Basic identifiers (e.g. name, email)
Educational data (e.g. class, progress)
User-generated content (e.g. speech recordings, text responses)
Technical and usage data
5. Processor Obligations
ImmerseMe shall:
Process Personal Data only on documented instructions
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organisational security measures
Assist the Institution with data subject rights requests
Assist with compliance obligations under applicable laws
Notify the Institution of any Personal Data Breach (see Section 10)
Delete or return Personal Data upon termination (see Section 11)
6. Student Data Protections
ImmerseMe commits that:
Student data is used only for educational purposes
Student data is never sold
Student data is not used for advertising, profiling, or marketing
Student data is processed in accordance with institutional instructions
7. AI Data Processing
Where AI features are used:
AI is used solely to support educational functionality
Personal Data is minimised before being processed by AI systems
Limited data may be transmitted to trusted AI service providers
Identifiable student data is not used to train general-purpose AI models
AI outputs are assistive and subject to human oversight
8. Subprocessors
ImmerseMe may engage Subprocessors to support the Platform.
ImmerseMe shall:
Maintain a current list of Subprocessors
Ensure Subprocessors are contractually bound to data protection obligations
Ensure Subprocessors implement appropriate safeguards
Remain fully responsible for Subprocessor performance
Subprocessor Changes
ImmerseMe will notify the Institution of material Subprocessor changes at least 14 days in advance, where required by applicable law.
9. International Data Transfers
Where Personal Data is transferred internationally, ImmerseMe will ensure appropriate safeguards, including:
Standard Contractual Clauses (SCCs)
Transfers to jurisdictions with adequacy decisions
Secure processing infrastructure
10. Data Breach Notification
In the event of a Personal Data Breach:
ImmerseMe will notify the Institution within 48 hours of becoming aware of the breach
Notification will include:
Description of the breach
Categories of data affected
Likely consequences
Mitigation steps taken
ImmerseMe will cooperate with the Institution to support compliance with regulatory obligations.
11. Data Retention and Deletion
Upon termination of services:
Personal Data will be deleted or anonymised within 30 days
Backup systems may retain data for up to 90 days before permanent deletion
Data may be retained where required by law.
12. Data Subject Rights
ImmerseMe will assist the Institution in responding to requests relating to:
Access
Rectification
Erasure
Restriction
Data portability
Objection
13. Security Measures
ImmerseMe implements appropriate technical and organisational measures, including:
Encryption in transit
Access controls and authentication safeguards
Secure cloud infrastructure
Monitoring and logging
Vendor due diligence
Security practices are regularly reviewed and improved.
14. Audits and Compliance
Upon reasonable request, ImmerseMe will provide information necessary to demonstrate compliance with this DPA.
This may include:
Documentation
Security summaries
Compliance responses
15. FERPA Alignment
Where applicable:
ImmerseMe acts as a school official with legitimate educational interest
Student data is used only for authorised educational purposes
Data is not redisclosed except as permitted by the Institution or required by law
16. Term and Termination
This DPA remains in effect for the duration of the agreement.
Upon termination:
Processing ceases
Data is handled in accordance with Section 11
17. Governing Law
This DPA is governed by the same law as the Terms of Use, unless otherwise agreed.
18. Contact
For questions regarding this DPA:
19. Final Statement
ImmerseMe is committed to protecting personal data and supporting institutions in meeting their privacy and compliance obligations globally.