Data Processors

Data Processors, Sub-Processors and Suppliers

We have listed the third party processors, suppliers and sub-processors we currently work with. We ensure we have a written contract in place with any third party processor we use to ensure that the processor only acts on our written instruction, that we are confident in the security of the data we have shared, and that we can perform audits and inspections to ensure that the data we share with them is secure and they are compliant with relevant data protection laws. These third party service providers are required not to use your Personal Data other than to provide the services requested by us.

These suppliers and sub-processors include:

  • Freshdesk (Freshworks Inc.), a customer support software used to communicate with users and track queries to ensure they are resolved, a company located in the United States that participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
  • Amazon Web Services, Inc. (AWS), a subsidiary of Amazon.com, Inc which provides our cloud computing services. AWS complies with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
  • Customer.io, a service that allows us to send emails and SMS messages to you based on customer segments, for managing your Multiverse application and marketing purposes. Customer.io is located in the United States and is compliant with the U.S.-EU Privacy Shield & U.S.-Swiss Privacy Shield Framework as set forth by the U.S. Department of Commerce. In addition, Customer.io is compliant with the EU General Data Protection Regulation (GDPR) .
  • G Suite and Google Cloud Platform (Google Group), which provides cloud computing, productivity and collaboration tools, software and products to us. Google complies with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
  • Typeform (Typeform S.L), an online form service we use to collect information from our users, suppliers and employers, which is located in Spain and which will be required to be compliant with European and Spanish data protection legislation, including the EU GDPR.
  • Facebook Inc, a social network and advertising platform that allows us to communicate with you and advertise to prospective candidates, who are located in the United States, that participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
  • Cognassist (e-Quality Learning Limited), a service developed to enable us to identify and support apprentices with additional learning needs, who are located within the United Kingdom, and registered with the Information Commissioner’s Office under the UK Data Protection Act (no. ZA148727). Reason for processing: Legitimate interest of Cognassist to perform assessment and then ongoing support to apprentices on behalf of the Training Provider. Name needed to identify outcome of the report with the individual. Date of birth needed to inform assessment outcome based on age. Email and mobile phone number is collected to enable Cognassist to contact individuals to provide further support following assessment. Postcode is collected because Cognassist are trying to build up national profiles for their research into learning needs.
  • iPEGS Limited (MiPEGS service), a service that allows us to collect information and data from you through digital forms that you complete electronically, who are located within the United Kingdom, and registered with the Information Commissioner’s Office under the UK Data Protection Act (no. ZA166460). Reasons for processing: Legal obligation with the Education and Skills Funding Agency.
    The Education and Skills Funding Agency, the executive government agency of the UK Department for Education, with which we share learner data in accordance with the terms and conditions of funding imposed on providers of learning and our legal obligation as a training provider, who are located within the United Kingdom, and registered with the Information Commissioner’s Office under the UK Data Protection Act (no. Z1001723).
  • Pellcomp Software Ltd, the provider of the PICS learner management system that we use to manage learner data once an apprentice starts an apprenticeship, and for financial management services. Pellcomp Software are located within the United Kingdom, and registered with the Information Commissioner’s Office under the UK Data Protection Act (no. Z7316870).
    Tableau Software UK Limited, a data visualisation and analytics platform. Tableau is fully compliant with EU, UK and US data privacy regulations and is registered with the Information Commissioner’s Office under the UK Data Protection Act (no. Z2760739). All data processed using Tableau software is stored within the UK on Multiverse-owned servers.
  • OVH Limited, a cloud infrastructure provider, which allows us to host data servers. OVH is fully compliant with EU and UK data privacy regulations and is registered with the Information Commissioner’s Office under the UK Data Protection Act (no. Z1153433). All of our OVH servers are located within the UK and are owned by Multiverse.
    Aircury Limited, a UK company that provides us with products and services for transferring and transforming data between our data systems. Aircury is fully compliant with EU and UK data privacy regulations and is registered in England under company number 10641335.
  • Hotjar, a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
  • Hivebrite, a cloud community management and engagement provider, which allows us to host and manage the Multiverse Community Hub. Hivebrite is fully compliant with EU data privacy regulations. Our Hivebrite instance is located within the EU and all data is owned by Multiverse.
    Iterable, a service that allows us to send emails and SMS messages to you based on customer segments, for managing your Multiverse application and marketing purposes.
  • Iterable is located in the United States and is compliant with the U.S.-EU Privacy Shield & U.S.-Swiss Privacy Shield Framework as set forth by the U.S. Department of Commerce. In addition, Iterable is compliant with the EU General Data Protection Regulation (GDPR).
  • Webanywhere - Host our learner management system Applied, which is located on London based AWS servers.Webanywhere Ltd is fully compliant with EU and UK data privacy regulations and is registered in England under company number
  • Zapier, it provides software to integrate web applications via automation. Zapier is based in the USA and fully supports the privacy rights of our customers and our users and is fully GDPR-compliant.