Legal
Doc DPA-01 · Rev 2026-07-07 · Summary
Data Processing Addendum
Last updated: 7 July 2026 · summary
This page summarises how ARSHIA Learning processes personal data on behalf of a customer using Cohort. A full, signable DPA is available on request and forms part of your subscription agreement.
The customer is the data controller of its employees’ personal data. ARSHIA Learning is the processor, processing that data only on the customer’s documented instructions to provide Cohort.
What we process
On the customer’s behalf: learner names, work emails, usernames, role, module assignments, learning progress, quiz results and completion records.
Sub-processors
- Railway — application hosting and database infrastructure.
We maintain a current list of sub-processors and will give notice of material changes so a customer can object.
Security
Data is encrypted in transit (HTTPS/TLS). Access is role-based and tenant-isolated so one customer’s administrators cannot reach another customer’s data. Session cookies are HTTP-only and secure. Passwords are stored only as salted hashes.
Data breach notification
We will notify the affected customer without undue delay after becoming aware of a personal-data breach, and cooperate with obligations under the Australian Notifiable Data Breaches scheme.
International transfers & residency
Where infrastructure is located outside Australia, transfers are made under appropriate safeguards. Australian data residency can be arranged on request for customers who require it.
Deletion & return
On termination, we will make the customer’s data available for export and then delete it within a reasonable period, unless retention is required by law.
Request the signable DPA
Email hello@arshialearning.com.au and we’ll send the full document for signature.