Legal

Doc DPA-01 · Rev 2026-07-07 · Summary

Data Processing Addendum

Last updated: 7 July 2026 · summary

This page summarises how ARSHIA Learning processes personal data on behalf of a customer using Cohort. A full, signable DPA is available on request and forms part of your subscription agreement.

Roles

The customer is the data controller of its employees’ personal data. ARSHIA Learning is the processor, processing that data only on the customer’s documented instructions to provide Cohort.

What we process

On the customer’s behalf: learner names, work emails, usernames, role, module assignments, learning progress, quiz results and completion records.

Sub-processors

We maintain a current list of sub-processors and will give notice of material changes so a customer can object.

Security

Data is encrypted in transit (HTTPS/TLS). Access is role-based and tenant-isolated so one customer’s administrators cannot reach another customer’s data. Session cookies are HTTP-only and secure. Passwords are stored only as salted hashes.

Data breach notification

We will notify the affected customer without undue delay after becoming aware of a personal-data breach, and cooperate with obligations under the Australian Notifiable Data Breaches scheme.

International transfers & residency

Where infrastructure is located outside Australia, transfers are made under appropriate safeguards. Australian data residency can be arranged on request for customers who require it.

Deletion & return

On termination, we will make the customer’s data available for export and then delete it within a reasonable period, unless retention is required by law.

Request the signable DPA

Email hello@arshialearning.com.au and we’ll send the full document for signature.

← Back to Trust & security