Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Terms & Conditions and governs the processing of personal data by Opus Marketplace LLC (dba TIC Training Center) ("Processor," "We," "Us") on behalf of any organization or business entity purchasing bulk seats or training access ("Controller," "You," "Client").

Nature of Processing: We process the personal data of your Authorized Users (e.g., your employees, contractors, or students) exclusively to deliver our e-learning services, issue credentials, and maintain platform security.

The Deterministic Boundary: We do not subject your data to "High-Risk AI," predictive behavioral profiling, or "Affective Computing" (emotion inference). All course progression and grading logic relies on fixed, deterministic formulas.

Service Provider Status (CCPA): For the core delivery of our e-learning services, training access, and credentialing, we act strictly as your "Service Provider." We do not sell or share the educational records of your Authorized Users. However, our overarching platform utilizes standard third-party analytics and marketing cookies (including Google and Meta) which may constitute "sharing" for cross-context behavioral advertising under certain state laws. It is the Controller's responsibility to inform Authorized Users that they may opt-out of these specific marketing cookies using the platform's Notification & Privacy dashboard.

Security, Confidentiality, & Breach Notification: We implement robust technical and organizational measures to protect your data. All personnel authorized to process your data are bound by strict confidentiality agreements. In the event of a confirmed personal data breach affecting your Authorized Users, we will notify you without undue delay (and in no event later than 72 hours) after becoming aware of it. Furthermore, unless prohibited by law, we will notify you of any legally binding government requests for your data so that you may seek a protective order.

Approved Infrastructure: To deliver our services at scale, we use specialized third-party infrastructure. By agreeing to this DPA, you authorize our use of the following categories of sub-processors:

• Learning Management: LearnWorlds (EU-based)
• Financial Processing: Stripe (US-based)
• Automation & Logging: Make.com (US-based)
• Communications & Analytics: Drip, Google Workspace, Meta, Cloudflare, Vimeo.

Sub-Processor Liability: We remain responsible for our sub-processors' compliance with the obligations of this DPA. We will provide 30 days' notice (via our Privacy Policy or direct email) before adding a new sub-processor, giving you the right to object.

Standard Contractual Clauses (SCCs): For data transferred out of the European Economic Area (EEA), the standard contractual clauses adopted by the European Commission (Module Two: Controller to Processor) are incorporated into this DPA by reference.  For the purposes of these SCCs: (a) the governing law shall be the Republic of Ireland; (b) Section 1 of this DPA (Roles and Scope) serves as Annex I ; and (c) Section 2 (Sub-Processors and Data Security) serves as Annex II.

EU-Brazil Adequacy (Feb 2026): Data transfers between our EU-hosted platform (LearnWorlds) and users in Brazil are protected under the February 2026 mutual adequacy decision, without the need for additional SCCs.

UK DUAA Compliance: For data subject to the UK Data (Use and Access) Act 2025 (DUAA) and the UK GDPR, we incorporate the UK International Data Transfer Addendum to the EU SCCs by reference. To the extent we act as an independent Controller for platform security and fraud prevention, we process such data under the formalized legitimate interests provisions of the DUAA.

Audits: We maintain detailed records of our data processing activities. Upon written request (not more than once annually), we will provide you with the necessary documentation to demonstrate our compliance with this DPA. If documentation is insufficient, we will allow for a reasonable technical audit by a mutually agreed-upon third party, at your expense.

Data Subject Rights: If an Authorized User sends a data request (e.g., a deletion request) directly to us, we will promptly forward it to you. We will assist you technically (via our platform tools) to fulfill the request.

Standard Retention & Deletion: Because your team may have ongoing access to their purchased training without a fixed expiration date, we do not arbitrarily delete data based on a "contract end date." Instead, in accordance with our Record of Processing Activities (ROPA), we automatically delete or anonymize your Authorized Users' personal data after two (2) years of continuous inactivity.

Controller Deletion Requests: As the Data Controller, you retain the right to have your team's data deleted sooner. Upon your formal written request, we will safely remove the requested data from our active systems within 90 days, unless retention is strictly required by North Carolina state law or IRS financial compliance.

General Support & Accessibility Feedback
For general questions, course support, or to request a reasonable accommodation, please reach out to our support team:

• Email: info@traumainformedcaretraining.com

Formal Legal & Privacy Inquiries
For formal legal notices, privacy inquiries, or Data Subject Access Requests (DSARs), you may contact us at: 

• Opus Marketplace LLC (dba TIC Training Center) 
  42 Albemarle Rd #2Asheville, NC 28801, USA
• Email: info@traumainformedcaretraining.com