This Data Processing Addendum (the “Addendum”) forms part of the Agreement between Company and Customer. In consideration the mutual covenants and promises set forth herein, and for other good and valuable consideration, the receipt of which the Parties hereby acknowledge, the Parties hereby agree as follows:
1. Definitions. In addition to the defined terms specified in the first paragraph, recitals and substantive provisions of this Addendum, the following terms have the meanings set forth below. Capitalized terms used but not otherwise defined herein will have the same meanings given to such terms in the Agreement:
1.1 “Applicable Privacy and Security Law” means all data protection and privacy laws to which the respective party in its role in the Processing or other treatment of information or data applicable to the type of data and information shared under the Agreement, and any treatises, regulations, guidance, or statutory codes of practice issued by any relevant government authorities applicable to the type of data and information shared under the Agreement. For the avoidance of doubt, Applicable Privacy and Security Law may include, but is not necessarily limited to: (a) the Family Educational Rights and Privacy Act of 1974; (b) the Children’s Online Privacy Protection Act of 1998; (c) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act and any binding regulations promulgated thereunder (“CCPA”), (d) any other comprehensive United States state privacy law, and (e) the Personal Information Protection and Electronic Documents Act and substantially similar provincial legislation, as well as any applicable federal or provincial privacy or data protection legislation applicable to institutions and organizations in Canada; in each case, as updated, amended or replaced from time to time.
1.2 “Personal Data” means any information relating to an identified or identifiable natural person as defined by the Applicable Privacy and Security Law, and to which Company has access from time to time in connection with its performance of the Processing Services on behalf of Customer.
1.3 “Privacy and Security Authority” means the relevant supervisory authority with responsibility for privacy or data protection matters as applicable to Customer.
1.4 “Process”, “Processing”, or “Processed” means any operation or set of operations which is performed upon Personal Data whether by automatic means, including, but not limited to, collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing, and destroying Personal Data.
1.5 “Processing Services” means the services provided by Company and Subprocessors in relation to the Processing of Personal Data as described in the Agreement.
1.6 “Subprocessor” means any subcontractor (including any third party and/or Company Affiliate) engaged by Company to Process Personal Data on behalf of Company.
2. Processing Requirements.
2.1 Company agrees and warrants that, with respect to all Personal Data that it Processes on behalf of Customer, it will, during the entire term of this Addendum:
(a) Process Personal Data only as required and necessary for the purposes of providing the Processing Services and as otherwise agreed between the Parties in writing (and only if consistent with the terms of the Agreement) and for no other purpose, and, in so doing, will act solely on the instructions of Customer;
(b) not use, retain, or disclose Personal Data outside of the direct business relationship between Customer and Company;
(c) not combine the Personal Data with any other personal information, except as specifically instructed by Customer in writing;
(d) not retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Processing Services under the Agreement, including retaining, using, or disclosing Personal Data for a commercial purpose (as defined in CCPA) other than providing the Processing Services under the Agreement; and
(e) not sell, or share (as that term is defined in the CCPA) rent, transfer, purport to transfer to a third-party Personal Data with for any purpose, except as specifically instructed by Customer in writing.
2.2 Company agrees that Personal Data subject to the terms and conditions of this Addendum is not being provided to or accessible to Company directly in exchange for monetary or other valuable consideration and is provided only to enable the provision of Services under the Agreement.
2.3 Company has implemented certain features in the Services that allows Customer to respond to data subject requests, such as an individual’s right to update, correct, or delete Personal Data. To the extent Customer is not able to directly address a data subject request, at Customer’s cost, Company will reasonably assist Customer in responding to data subject requests.Customer shall be responsible for any decisions it makes with regard to data subject requests.
2.4 Company will provide to Customer such co-operation, assistance, and information as Customer may reasonably request to enable it to comply with its obligations under any Applicable Privacy and Security Law and co-operate and comply with the directions or decisions of a relevant Privacy and Security Authority, in each case within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy and Security Authority.
2.5 Company will permit Customer to reasonably monitor its compliance with this Section 2, as required by Applicable Privacy and Security Law. Company will also make available to Customer all information in Company’s possession necessary to demonstrate that Company is in compliance with the obligation of this Section 2 and Applicable Privacy and Security Law. Section 9 shall control with regard to the monitoring and demonstration of compliance required by this Section 2.5.
2.6 Company shall notify Customer in the event Company makes a determination that it can no longer meet its obligations under Applicable Privacy and Security Law.
2.7 To the extent permitted by applicable law, Company may aggregate, deidentify, or anonymize Personal Data so it no longer meets the definition of Personal Data and may use such aggregated, deidentified, or anonymized data for its own research and development purposes. Company represents and warrants to not reidentify, attempt to reidentify, or direct any other party to reidentify any data that has been deidentified, unless such services are contemplated under the Agreement.
3. Customer Obligations. Customer is solely responsible for its use of the Processing Services, including (a) obtaining any needed consents or authorizations for Company to Process Personal Data; (b) without limitation of Processor’s obligations under Section 5 (Security of Personal Data), making appropriate use of the Processing Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (c) securing the account authentication credentials, systems and devices Customer uses to access the Processing Services; (d) securing Customer’s systems and devices that Company uses to provide the Services; and (e) backing up Personal Data.
4. Confidentiality. Without prejudice to any existing contractual arrangements between the Parties, Company will treat all Personal Data as confidential and it will inform all its employees, agents and any approved Subprocessors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Company will ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
5. Security of Personal Data.
5.1 Company will implement and maintain appropriate technical, physical, and organizational security measures designed to protect Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure, or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing. These measures will include, at a minimum, the security measures agreed upon by the Parties in Schedule B.
6. Use of Subprocessors.
6.1 Customer hereby agrees and provides a general authorization that Company may engage Company’s Affiliates or third parties as Subprocessors to engage in the Processing Services. Company will ensure that Subprocessors have entered into a written agreement that is no less protective than this Addendum. Company will be fully liable for the acts and omissions of any Subprocessors to the same extent as if the acts or omissions were performed by Company.
6.2 Company will make available to Customer a list of all Subprocessors and provide Customer with a mechanism to obtain notice of any updates to that list. Company shall provide Customer with thirty (30) days prior notice of any additional or replacement Subprocessors. After being notified, Customer must notify Company withing five (5) days of any reasonable objection it has to such Subprocessors. In the event Customer provides a reasonable objection, Company will use commercially reasonable efforts to make a change in processing under the Agreement to avoid Processing of Personal Data by such Subprocessors. If Company is unable to make available such change within a reasonable period of time, Customer may terminate the Services provided under the Agreement in respect only to those services which cannot be provided by Company without the use of the objected-to Subprocessors, by providing written notice to Company.
7. Data Breach and Notification Requirements.
7.1 Company will notify Customer promptly after becoming aware of any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (“Security Breach”). Such notification will include (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach, and (c) the identity of each affected person (or, where not possible, the approximate number of data subjects and Personal Data concerned). Company will communicate to Customer: (i) the name and contact details of Company’s data protection officer or other point of contact where more information can be obtained; (ii) a description of the likely consequences of the Security Breach, as then understood; (iii) a description of the measures taken or proposed to be taken by Company to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and additionally in such notification or thereafter (iv) as soon as such information can be collected or otherwise becomes available, any other information Customer may reasonably request relating to the Security Breach.
7.2 Company will investigate the Security Breach and identify, prevent, and mitigate the effects of any such Security Breach in accordance with its obligations hereunder and carry out any recovery or other action necessary to remedy the Security Breach.
8. Privacy Impact Assessment. Where requested to do so by Customer, Company will promptly make available to Customer all information necessary to demonstrate Customer’s compliance with Applicable Privacy and Security Law in carrying out a privacy impact assessment of the Processing Services and cooperate with Customer to implement agreed mitigation actions to address privacy risks identified in any such privacy impact assessment.
9. Audit Rights. Customer may remotely audit Company’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by Applicable Data Privacy Laws, including where mandated by Customer’s Privacy and Security Authority. Company will contribute to such audits by providing Customer or Customer’s Privacy and Security Authority with the information and assistance that Company considers appropriate in the circumstances and reasonably necessary to conduct the audit. To request an audit, Customer must submit a proposed audit plan to Company at least two (2) weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Company will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Company security, privacy, employment or other relevant policies). Company will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 9 shall require Company to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Company has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Company’s safety, security or other relevant policies, and may not unreasonably interfere with Company business activities. Any audits are at Customer’s sole expense. Customer shall reimburse Company for any time expended by Company and any third parties in connection with any audits or inspections under this Section 9 at Company’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
10. Deletion of Data. Unless applicable law requires Company to maintain Customer’s Personal Data, the return or destruction of Personal Data shall be controlled by the applicable provisions in the Agreement.
11. Notices. The Parties will provide notices related to this Addendum per the notice procedures outlined the Agreement.
12. Limitation of Liability. Any claims brought under, or in connection with, this Addendum, shall be subject to the exclusions and limitations of liability set forth in the Agreement.
13. Term. This Addendum will commence on the Effective Date of the Agreement and will continue in full force and effect until the later of (a) the termination or expiration of the Agreement, or (b) completion of the last of the Processing Services to be performed pursuant to the Agreement, or (c) Company and its Subprocessors are no longer in possession of any Personal Data.
14. Construction. This Addendum is intended to supplement the Agreement and any other confidentiality or data security obligations of the Parties. In the event of conflict between this Addendum, the Agreement, and any other confidentiality or data security obligations of the Parties, (a) the higher protections with respect to Personal Data will control, and (b) if conflict still exist, the terms and conditions of this Addendum will control.
15. Counterparts. This Addendum may be executed in any number of counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
Schedule A to Data Processing Addendum
Summary & Scope of Processing
1. Subject Matter: The context for the Processing of Customer Personal Data is Company’s provision of the Services under the Agreement.
2. Duration of Processing: Company will Process Customer Personal Data until expiration or termination of the Agreement.
3. Nature and Purpose of Processing: Company will Process Personal Data for the purpose of providing services in accordance with the Agreement.
4. Categories of Data Subjects: Company will Process Personal Data that relates to any data subjects about whom Customer transfers Personal Data to Company to provide services under the Agreement.
5. Types of Personal Data Processed:
• Contact information of students and teachers (name, email address, phone number, address, username, and password)
• Commercial information (purchases, information about subscriptions, products and services, and other commercial information)
• Preference data (profile/account settings and interests in specific topics)
• Employment-related data of teachers (role and job title in school institution/district)
• Communication information (contents of your communication with Company)
• Usage Information (information on your interaction with our digital offerings)
• Only applicable to One95
o Additional student information (Enrolled class, grade, assessment scores and administrations, intervention group participation and service dates, optional pictures, optional voice recordings)
Schedule B to Data Processing Addendum
Security Measures
Company has implemented and maintains comprehensive technical and organizational safeguards, which contain those safeguards described below:
• Organizational management and individuals responsible for the development, implementation and maintenance of the Company’s information security program.
• Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Company’s organization, monitoring and maintaining compliance with the Company’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
• Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable media (i.e. laptop computers).
• Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
• Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Company’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the Company’s computer systems; (iii) must have defined complexity; and (iv) newly issued passwords must be changed after first use.
• System audit or event logging and related monitoring procedures to proactively record user access and system activity.
• Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Company’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
• Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Company’s possession.
• Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Company’s technology and information assets.
• Incident management procedures design to allow Company to investigate, respond to, mitigate and notify of events related to the Company’s technology and information assets.
• Network security controls designed to protect systems from intrusion and limit the scope of any successful attack.
• Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
• Disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article