Data Processing Agreement

This Data Processing Agreement (“DPA”) amends and forms part of the written agreement between Educative Inc, (“Educative”) and you (“Customer”) titled Technology Services Agreement or Terms of Use, each as applicable (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement. 

  1. Definitions
    1. In this DPA:
      1. “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in Data Protection Law;
      2. “Customer Personal Data” means Personal Data Processed by Educative as a Processor on behalf of Customer or a Third-Party Controller;
      3. “Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, the UK Data Protection Act 2018, the GDPR as amended by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and 2020 (“UK GDPR”) and all other data protection laws of the EEA and Switzerland, each as applicable, and as may be amended or replaced from time to time;
      4. “Data Subject Rights” means Data Subjects' rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;
      5. “International Data Transfer” means any disclosure of Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
      6. “Services” means the services provided by Educative to Customer under the Agreement;
      7. “Subprocessor” means a Processor engaged by Educative to Process Customer Personal Data; 
      8. “Standard Contractual Clauses” or “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), C/2021/3972, OJ L 199, 7.6.2021, p. 31-61, as amended or replaced from time to time;
      9. “Third-Party Controller” means a Controller for which Customer is a Processor; and
      10. “UK Addendum” means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022), available here.
    2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
  2. Scope
    1. This DPA only applies if the Processing of Customer Personal Data by Educative is subject to Data Protection Law to provide the Services. By agreeing to the Agreement, the Customer also agrees to this DPA to the extent applicable.
    2. The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I.
    3. Customer is a Controller and appoints Educative as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
    4. If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Educative; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller.
    5. Customer acknowledges that Educative may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Educative is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
  3. Instructions
    1. Educative will Process Customer Personal Data to provide the Services and in accordance with Customer's documented instructions.
    2. The Controller's instructions are documented in this DPA, the Agreement, and any applicable statement of work. 
    3. Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Educative may charge a reasonable fee to comply with any additional instructions.
    4. Unless prohibited by applicable law, Educative will inform Customer if Educative is subject to a legal obligation that requires Educative to Process Customer Personal Data in contravention of Customer's documented instructions.
  4. Personnel
    1. Educative will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
  5. Security and Personal Data Breaches
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Educative will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
    2. Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer's intended Processing and will notify Educative prior to any intended Processing for which Educative's security measures may not be appropriate.
    3. Educative will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Educative's notification is delayed, it will be accompanied by reasons for the delay.
  6. Subprocessing
    1. Customer hereby authorizes Educative to engage the following Subprocessors: See Annex III.
    2. Educative will enter into a written agreement with Subprocessors which imposes materially the same obligations as required by Data Protection Law.
    3. Educative will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Educative's notification of the intended change. Customer and Educative will work together in good faith to address Customer's objection. If Educative chooses to retain the Subprocessor, Educative will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.
  7. Assistance
    1. Taking into account the nature of the Processing, and the information available to Educative, Educative will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer's own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct Data Protection Impact Assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
    2. Educative may charge a reasonable fee for assistance under this Section 7. If Educative is at fault, Educative and Customer shall each bear their own costs related to assistance.
  8. Audit
    1. Upon reasonable request at least sixty (60) days in advance and no more than once per calendar year, Educative must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, at reasonable intervals or if there are indications of non-compliance, and performed by an independent auditor as agreed upon by Customer and Educative. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal business disruption.
    2. Educative will inform Customer if Educative believes that Customer's instruction under Section 8.1 infringes Data Protection Law. Educative may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
    3. Customer shall bear all costs related to an audit.
  9. International Data Transfers
    1. Customer hereby authorizes Educative to perform International Data Transfers to any country deemed adequate by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses and the UK Addendum referred to in Sections 9.2 and 9.3.
    2. By signing this DPA, Educative and Customer conclude Module 2 (Controller-to-Processor) of the Standard Contractual Clauses and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the Standard Contractual Clauses, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Educative; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Dublin, Ireland; Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For International Data Transfers from Switzerland: (i) Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland and (ii) the SCCs cover Personal Data pertaining to legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 2020. For the sake of clarity, if and to the extent that the Standard Contractual Clauses apply, signatures of assent of Customer and Educative to the Agreement will be deemed signatures to the Standard Contractual Clauses.
    3. By signing this DPA, Educative and Customer conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Educative, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B), and II to the “Approved EU SCCs” are Annex I and II to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum. For the sake of clarity, if and to the extent that the UK Addendum applies, signatures of assent of Customer and Educative to the Agreement will be deemed signatures to the UK Addendum.
    4. If Educative's compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Educative's control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Educative will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Educative reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.
  10. Notifications
    1. Customer will send all notifications, requests and instructions under this DPA to Educative via email to privacy@educative.io.
  11. Liability
    1. Educative's entire liability arising out of or relating to this DPA (including the Standard Contractual Clauses), whether in contract, tort, or under any other theory of liability, is subject to the applicable exclusions and limitations of liability clauses set forth in the Agreement. For the avoidance of doubt, Educative's total liability for all claims from Customer and all of its users arising out of or related to the Agreement or this DPA will apply in aggregate for all claims under both the Agreement and this DPA. Nothing in this DPA will limit Educative's liability with respect to any liability or loss which may not be limited under Data Protection Law.
    2. Where Educative has paid compensation, damages or fines, Educative is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer's part of responsibility for the compensation, damages or fines.
  12. Termination and return or deletion
    1. This DPA is terminated upon the termination of the Agreement.
    2. Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Educative will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
  13. Applicable law and jurisdiction
    1. This DPA is governed by the laws of the United States of America. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the courts of the United States of America, Bellevue, Washington. 
  14. Modification of this DPA
    1. This DPA may only be modified by a written amendment signed by both Educative and Customer.
  15. Invalidity and severability
    1. If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

ANNEX I

DESCRIPTION OF THE TRANSFER

  1. LIST OF PARTIES

    Data exporter:

    • Name: Customer (as defined above)
    • Address: Set out in the applicable order form, in the Customer's account, or other relevant documentation.
    • Contact person's name, position and contact details: Set out in the applicable order form, in the Customer's account, or other relevant documentation.
    • Activities relevant to the data transferred under these Clauses: Customer receives Educative's services as described in the Agreement and Educative Processes Personal Data on behalf of Customer in that context.
    • Signature and date: Set out in the applicable order form, in the Customer's account, or other relevant documentation.
    • Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller.

    Data importer:

    • Name: Educative (as defined above)
    • Address: 12280 NE District Way, Bellevue WA 98005
    • Contact person's name, position and contact details: Junaid Haroon (privacy@educative.io), Vice President of Engineering.
    • Activities relevant to the data transferred under these Clauses: Educative provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
    • Signature and date: May 15, 2023.
    • Role (controller/processor): Processor on behalf of Educative, or Subprocessor on behalf of Third-Party Controller.
  2. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
    • Categories of Data Subjects whose Personal Data is transferred:
      1. Data exporter's Primary Administrator and Billing Contact (if different from Administrator)
      2. Data exporter's Authorized Users who access Processor's Services
      3. Viewers of data exporter's uploaded Customer Content
      4. Data Subjects depicted, referenced, or recorded by data exporter within data exporter's uploaded Customer Content
      5. Other Data Subjects as defined by data exporter in its sole discretion
    • Categories of Personal Data transferred:
      1. Data Exporter Personal Data:
        1. Name
        2. Email address
        3. Mailing and billing address, phone and fax number
        4. Billing and accounting information, including payment details
      2. Authorized User Personal Data:
        1. Name
        2. Email address
        3. Organization, Employer, or Relation to data exporter
      3. Viewer (licensed, or non-licensed) Personal Data may include:
        1. IP address
        2. Access, usage, and event details
        3. Location, date, and time stamps
        4. Actions taken
        5. Operating system, browser, and device type
        6. Performance metrics of platform
        7. Referring and exit pages
      4. Error reports and usage analytics may include:
        1. IP address
        2. Access, usage, and event details
        3. Location, date, and time stamps
        4. Actions taken
        5. Operating system, browser, and device type
        6. Performance metrics of platform
      5. Customer Content:
        1. Personal Data and Sensitive Personal Data, as determined by the data exporter in its sole discretion, which may include photographic, video, and audio recordings, physical characteristics or descriptions, and likenesses of, or references to, Data Subjects.
        2. Other Personal Data or Sensitive Personal Data, as defined by the data exporter in its sole discretion.
    • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
      Category of Sensitive Data: Sensitive data may be transferred by the data exporter in its sole discretion.
      Applied restrictions or safeguards: n/a
    • The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis.
    • Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement and applicable Order Form(s) and generally includes recording, screen casting, video streaming, and video content management.
    • Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement and the applicable Order Form(s).
    • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law. When determining the retention period, we take into account various criteria, such as the type of products and services requested, the nature and length of our relationship with the data subject, the impact on the services we provide to the data subject if we delete some information from or about them, mandatory retention periods provided by law and the statute of limitations.
    • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
  3. COMPETENT SUPERVISORY AUTHORITY
    • The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
    • The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Educative will, at a minimum, implement the following types of security measures:

Educative maintains administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as set forth below. Educative will not materially decrease the overall security of the Services during a subscription term.

  1. Physical access control

    Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:

    • Establishing security areas, restriction of access paths; 
    • Establishing access authorizations for employees and third parties;
    • Access control system (ID reader, magnetic card, chip card); 
    • Key management, card-keys procedures;
    • Door locking (electric door openers etc.);
    • Security staff;
    • Surveillance facilities, video/CCTV monitor, alarm system; and
    • Securing decentralized data processing equipment and personal computers.
  2. Virtual access control

    Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

    • User identification and authentication procedures;
    • Strong ID/password security procedures (special characters, minimum length and complexity requirements, change of password);
    • Automatic blocking (e.g. password or timeout);
    • Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; and
    • Creation of one master record per user, user-master data procedures per data processing environment.
  3. Data access control

    Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:

    • Internal policies and procedures;
    • Control authorization schemes;
    • Differentiated access rights (profiles, roles, transactions and objects); 
    • Monitoring and logging of accesses;
    • Disciplinary action against employees who access Customer Personal Data without authorization;
    • Reports of access;
    • Access procedure;
    • Change procedure;
    • Deletion procedure; and
    • Encryption.
  4. Disclosure control

    Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:

    • Encryption/tunneling;
    • Logging; and
    • Transport security.
  5. Entry control

    Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

    • Logging and reporting systems; and
    • Audit trails and documentation.
  6. Control of instructions

    Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:

    • Unambiguous wording of the contract;
    • Formal commissioning (request form); and
    • Criteria for selecting the Processor.
  7. Availability control

    Technical and organizational measures to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:

    • Backup procedures;
    • Mirroring of hard disks (e.g. RAID technology);
    • Uninterruptible power supply (UPS);
    • Remote storage;
    • Anti-virus/firewall systems; and
    • Disaster recovery plan.
  8. Separation control

    Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:

    • Separation of databases;
    • “Internal client” concept / limitation of use;
    • Segregation of functions (production/testing); and
    • Procedures for storage, amendment, deletion, transmission of data for different purposes.
  9. Testing controls

    Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:

    • Periodical review and test of disaster recovery plan;
    • Testing and evaluation of software updates before they are installed;
    • Authenticated (with elevated rights) vulnerability scanning; and
    • Test bed for specific penetration tests and Red Team attacks.
  10. IT governance

    Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:

    • Certification/assurance of processes and products;
    • Processes for data minimization;
    • Processes for data quality;
    • Processes for limited data retention;
    • Processes for ensuring accountability; and
    • Data subject rights policies.

    Educative will contractually require its Subprocessors to implement the same or at least equivalent technical and organizational measures to be able to provide assistance to Customer.

ANNEX III

LIST OF SUBPROCESSORS

Customer authorizes Educative to engage the following Subprocessors:

  1. Braintree
    • Nature of Processing Activities: Payment processor
    • Location of Processing: United States based data center facility owned and managed by Cyxtera; Amazon Web Services (AWS) located in US, Germany and Australia
  2. DropboxSign (HelloSign)
    • Nature of Processing Activities: Electronic signatures
    • Location of Processing: United States: HelloSign Data Residency
  3. Gong
    • Nature of Processing Activities: Business operations
    • Location of Processing: United States, Europe, Israel and other locations
  4. Google Analytics
    • Nature of Processing Activities: Business operations
    • Location of Processing: Any country in which Google maintains facilities, as set forth at: Google Data Center Locations
  5. Google Cloud
    • Nature of Processing Activities: Web hosting services
    • Location of Processing: Any country in which Google maintains facilities, as set forth at: Google Data Center Locations
  6. HelpScout
    • Nature of Processing Activities: Customer support
    • Location of Processing: United States: HelpScout Security Policy
  7. Hotjar
    • Nature of Processing Activities: User experience analytics
    • Location of Processing: Ireland and European Union (EU) on the Amazon Web Services infrastructure, eu-west-1 data centers
  8. Hubspot
    • Nature of Processing Activities: Business operations
    • Location of Processing: United States
  9. Microsoft Clarity
    • Nature of Processing Activities: User experience analytics
    • Location of Processing: Any country in which Microsoft maintains facilities, as set forth at: Azure geographies
  10. PayPal
    • Nature of Processing Activities: Payment processor
    • Location of Processing: United States based data center facility owned and managed by Cyxtera; Amazon Web Services (AWS) located in US, Germany and Australia
  11. Profitwell
    • Nature of Processing Activities: Payment processor
    • Location of Processing: United States
  12. Sendgrid
    • Nature of Processing Activities: Business operations
    • Location of Processing: United States
  13. Stripe
    • Nature of Processing Activities: Payment processor
    • Location of Processing: United States based data center facility owned and managed by Cyxtera; Amazon Web Services (AWS) located in US
  14. Userback
    • Nature of Processing Activities: User feedback tool
    • Location of Processing: United States