The terms of this Data Processing Addendum ("DPA") are incorporated by reference to the General Terms and Conditions of the SaaS Agreement (the "Agreement") between you and Vedamo EAD ("we," "us," and "our").

Data Processing Clauses

The following provisions shall apply whenever Customer Data are processed on your behalf.

1. Introduction

This DPA reflects the Parties’ agreement with respect to the terms governing the processing and security of data and information provided by you or your Authorized End Users ("Customer Data") under the applicable Agreement.

2. Duration of Data Processing Amendment

This DPA will take effect on the Amendment Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Data by Vedamo as described in this Data Processing Amendment.

3. Scope of Data Protection Legislation

  1. Application of European Legislation: The Parties acknowledge and agree that the European Data Protection Legislation will apply to the processing of personal data contained within the Customer Data ("Customer Personal Data") if, for example:
    1. the processing is carried out in the context of the activities of an establishment of the Customer in the territory of the European Economic Area (“EEA”); and/or
    2. the Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering of services to them in the EEA or the monitoring of their behavior in the EEA.
  2. Application of Data Processing Amendment: Except to the extent that this Data Processing Amendment states otherwise, the terms of this Data Processing Amendment will apply irrespective of whether the European Data Protection Legislation applies to the processing of Customer Personal Data.

4. VEDAMO’s Obligations

  1. We shall process Customer Data within the scope of the Agreement, for the purpose of service provision during the term of the Agreement, and pursuant to your documented instructions (unless required to process Customer Data other than instructed by applicable law, in which case we will, before processing Customer Personal Data in accordance with that law, inform you unless that law prohibits us from doing so). You warrant that the collection and sharing of your Customer Data with us and our processing of Customer Data solely in accordance with the Agreement shall comply with applicable law. We shall not compile copies or duplicates without your approval, except for copies made for backup or disaster recovery purposes.
  2. Annex A of this DPA contains a list of the categories of Customer Data, the data subjects concerned, and the nature and purpose of processing.

5. Authority to Issue Instructions

  1. We agree, without limitation, to strictly follow any instructions given by you under the Agreement, as well as those issued on an individual basis with regard to the collection, processing, and/or usage of Customer Data. This includes but is not limited to instructions on the blocking, correction, or deletion of Customer Data. Our obligations under Section 5.1 shall be subject to Section 5.3.
  2. Instructions may only be issued by your management board, data protection officers, or the manager of your legal department, if applicable (hereinafter "persons authorized to issue instructions"). The persons authorized to issue instructions shall have the right, at all times, to make written appointments of additional persons authorized to issue instructions.
  3. You warrant that you shall give only lawful instructions. If we hold the view that any instruction of yours contravenes statutory regulations and/or the Agreement, we will notify you, and we are entitled to suspend execution of the instruction concerned until you confirm such instruction in writing. We have the right to deny the execution of an instruction – even if issued in writing – in cases when we conclude that we would be liable under applicable law if we execute the instructions that you provided.
  4. We shall, by way of regular self-audits, ensure that the processing of Customer Data on your behalf conforms to this DPA.

6. Data Secrecy

  1. We undertake to maintain data secrecy, pursuant to applicable Data Protection Laws, and keep Customer Data confidential. In particular, we will ensure that such persons with access to Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  2. We confirm that we are aware of the applicable Data Protection Laws. We agree to make our applicable employees familiar with the relevant provisions of data protection regulations. We shall supervise compliance of such employees with applicable Data Protection Laws.

7. Sub-Processing

  1. In accordance with the provisions of this DPA and the Agreement, you acknowledge and agree that Vedamo or the following third-party providers are engaged to provide the Services listed here:
    ActiveCampaign https://www.activecampaign.com/
    Google Analytics https://analytics.google.com/
    Zendesk https://www.zendesk.com/
    (which are hereby designated as sub-processors for the purpose of processing Customer Data) may store or process Customer Data in various data centers around the world and that Customer Data might not be hosted within the country in which you are located provided that (a) notwithstanding any notice requirement in the Agreement, we shall publish notification of any changes to the sub-processors processing Customer Data at the link provided above thirty (30) days prior to any changes to the sub-processors processing Customer Data and give you an opportunity to review such changes and raise reasonable objection to such changes; and (b) the sub-processors processing Customer Data are subject to the same data protection obligations or the same level of protection as are contained in the DPA. The Customer agrees to raise any reasonable objections in writing within ten (10) calendar days of such notification. You confirm that Section 7.1 constitutes general written authorization for the purposes of the GDPR. We shall remain liable for any processing of Customer Data carried out by sub-processors engaged under the Agreement. Upon your request, we will tell you where your Customer Data is located. Notwithstanding anything to the contrary in this Section, if we and you have agreed that Customer Data will be stored in any particular location, we will store such Customer Data in the agreed upon location.
  2. You acknowledge and agree that Vedamo may transfer Customer Data to any country outside the EEA or to any country that has not been the subject of a European Commission adequacy decision provided such a transfer is made pursuant to an appropriate legal transfer mechanism. To the extent that the legal transfer mechanism relied on is declared invalid (by, for example, a competent court or authority), Vedamo shall cooperate with Customer in good faith to find an alternative legal transfer mechanism.

8. Audit

  1. Upon request, we will provide you with an overview of our data processing operations, which includes the following information:
    1. owners, managing boards, managing directors, or other lawfully or constitutionally appointed managers and the persons placed in charge of Customer Data processing;
    2. our address;
    3. purposes for collecting, processing, or using the Customer Data;
    4. a description of the groups of data subjects and the Customer Data or categories of Customer Data;
    5. recipients or categories of recipients to whom the Customer Data may be transferred;
    6. standard periods for the retention of Customer Data;
    7. any planned data transfer to third countries;
    8. a general description enabling a preliminary assessment as to whether the technical and organizational measures to guarantee the safety of processing are adequate.
    The Parties agree and acknowledge that for the purposes of this Section (Section 8.1), it shall be sufficient that we present all documentation, including a certified statement on the compliance with this Agreement, in such format as reasonably required by you or any independent auditor appointed by you at your expense. We shall make available to you any other information you request when necessary to demonstrate compliance with your obligations under Article 28 of the GDPR unless in our opinion such a request infringes Data Protection Laws or European Union or Member State law, in which case we shall inform you of our opinion.
  2. You have the right to audit our compliance with the statutory regulations on data protection and the stipulations entered into between the Parties (including the technical and organizational measures) by requesting information about and inspecting the storage of the Customer Data, as well as implemented policies and security incident reports, subject to reasonable prior notice of at least 14 days and, to the extent reasonably possible, without interfering with our regular business operations.
  3. The Customer agrees that, taking into account the nature of the processing of Customer Data under the Agreement, by providing the assistance and information contained in this Agreement, we have assisted you in ensuring compliance with your obligations in respect to data protection impact assessments and prior consultation under Articles 35 and 36 of the GDPR.

9. Data Security Measures

  1. We use the following appropriate technical and organizational measures to protect Customer Data ("Security Measures"), which have to meet, at a minimum, the level required by applicable law:
    1. Admission control:
      • We employ appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Customer Data is collected, processed, and used. Such premises may only be entered by us and/or our agents.
      • We use appropriate measures to secure buildings.
      • We use appropriate measures to ensure that hard copy Customer Data is kept secure, e.g., in locked rooms or in locked filing cabinets. Generally, steps are taken to ensure that access to hard copy Customer Data is limited in the same way it would be on an electronic IT system, i.e., access is limited to those individuals for whom it is necessary in order for them to perform their job.
    2. Entry control:
      • We shall endeavour to prevent unauthorized parties from accessing or using our data processing systems.
      • We shall require authentication and authorization to gain access to IT systems (i.e., require users to enter a user id and password before they are permitted access to IT systems).
      • We have procedures in place to permit only authorized persons to access Customer Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by you.
    3. Access control:
      • We employ appropriate measures to prevent individuals from accessing Customer Data unless they hold a specific access authorization.
      • We employ appropriate measures to only permit User access to Customer Data that the User needs in order to carry out the duties of their job or the purposes for which they are given access to our IT systems (i.e., we implement measures to ensure least privilege access to IT systems).
      • We shall have appropriate procedures in place for controlling the allocation and revocation of Customer Data access rights. For example, appropriate procedures are in place to revoke employee access to IT systems when they leave their job or change duties.
      • Our systems that are used to collect, process, and use Customer Data are protected by User identifiers, passwords, and graded access rights. Special access rights are produced for the purposes of technical maintenance that do not allow access to Customer Data.
      • We take appropriate administrative safeguards to protect our services against external attacks, including, for example, deploying firewalls.
    4. Transmission control:
      • We shall employ appropriate measures to protect the confidentiality, integrity, and availability of Customer Data during electronic transmission.
      • We shall encrypt the Customer Data items listed in Annex A while in transit over the internet.
    5. Input control:
      • We shall maintain logging and auditing systems to monitor activity related to the input of Customer Data.
    6. Order control:
      • We shall ensure that all requests from you with respect to Customer Data shall be processed in strict compliance with your instructions through the use of clear and unambiguous contract terms, comprehensive Statements of Work, and/or monitoring of contract performance.
    7. Availability control:
      • We shall protect Customer Data in our possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls, monitoring, and back-up procedures.
      • Example measures that may also be taken include: mirroring of storage media, uninterruptible power supply (UPS), remote storage, firewall systems, and disaster recovery plans.
  2. The technical and organizational measures described in Section 9.1 are subject to technological advancements and further development. We are permitted to implement suitable alternative measures as long as the alternative measures do not reduce the level of security applied to the Customer Data.
  3. We shall regularly audit and assess our compliance with the technical and organizational security measures.

10. Notification Duties

  1. Notification of infringements of data protection regulations:
    1. We shall notify you to the extent the technical and organizational measures taken by us are not in accordance with this DPA or your instructions. The same applies to malfunctions or indications of an infringement of data protection regulations, or in cases of improper processing of Customer Data, including, but not limited to, data security breaches and data losses. We and you shall mutually agree on any further collection, processing, and usage of Customer Data, and we shall initiate all reasonable necessary measures to exclude risks to the integrity and confidentiality of Customer Data.
    2. In the event that we have a reasonable, good faith belief that an unauthorized third party has gained access to or disclosed your Customer Data, we will notify you promptly or, if required by law, within such other time frame as that law requires. We will provide you with reasonable cooperation and assistance in relation to your investigation of the incident. If this incident triggers any third-party notice requirements under laws, you agree that unless otherwise required by law, as the owner of the Customer Data, you will be responsible for the timing, content, cost, and method of any such notice and compliance with such laws.
  2. You agree that, given the nature of the processing, Section 10.1 satisfies our obligation to assist you with your obligations under Articles 33 and 34 of the GDPR.
  3. We shall notify you about:
    1. any legally binding request for disclosure of the Customer Data by a law enforcement authority or other organization or body, unless prohibited by law;
    2. any request received directly by us from a data subject.
  4. We agree to provide you with reasonable cooperation and assistance in relation to any request under Section 10.3.

11. Deletion of Data

  1. Upon expiration or earlier termination of the processing services, or at an earlier time at your request, we agree to:
    1. return to you or your designee; or
    2. securely destroy or render unreadable or indecipherable, the relevant Customer Data in our possession, custody, or control.
  2. We shall ensure, from an organizational perspective, that Customer Data can be deleted within a reasonable time frame consistent with your request or the deletion requirements established in the Agreement, except that we shall not be obliged to delete Customer Data from archival and backup files other than in line with our company data deletion schedule (as permitted under Data Protection Legislation). If you request the deletion of Customer Data in archival and backup files, you shall bear the costs, including costs for business interruptions associated with such a request.

12. Data Subject Rights, Data Export

  1. Access; Rectification; Restricted Processing; Portability. During the applicable term, Vedamo will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify, and restrict processing of Customer Data, including via the deletion functionality provided by Vedamo, and to export Customer Data.
  2. Data Subject Requests:
    1. Customer’s Responsibility for Requests. During the applicable Term, if Vedamo receives any request from a data subject in relation to Customer Personal Data, Vedamo will advise the data subject to submit their request to Customer, and Customer will be responsible for responding to any such request including, when necessary, by using the functionality of the Services.
    2. Vedamo’s Data Subject Request Assistance. Customer agrees that (taking into account the nature of the processing of Customer Personal Data) Vedamo will assist Customer in fulfilling any obligation to respond to requests by data subjects, including, if applicable, Customer’s obligation to respond to requests for exercising the data subject’s rights specified in Chapter III of the GDPR.

13. Final Provisions

  1. Unless specifically stipulated to the contrary by the Parties, the duration of the commissioned data processing specified by this DPA shall be coterminous with the term of the Agreement.
  2. Notwithstanding any notice requirements in the Agreement, we may update this DPA from time to time to better reflect changes in the law, new regulatory requirements, or improvements to the Service. The updated Terms shall be posted on vedamo.com. If any update to the DPA materially affects your use of the Service or your rights herein, we will provide 30 days’ prior notice at the link above or via an in-product notification. Your continued use of the Service shall constitute acceptance to be bound by the updated DPA.
  3. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will prevail; provided that you and we have agreed in an Order to any terms that are different from this DPA, the terms in such Order will prevail.

 

Annex A – Details of the Data Processing

Categories of Data

 
Name or unique identifiers, personal contact information, date of birth, gender, nationality, parent/student relationships, grade level, teachers, classes/sections/courses, grades, assignments, tests, message books, attendance, homework, degree type, schedules, achievements, feedback, financial details, usernames, passwords, service or browsing history, location data, information provided by social networks, User or Customer correspondence, disciplinary and conduct records. Any information contained in a submitted paper assignment, or other User-generated content.

Categories of Data Subject

 
Customer and Customer’s Users authorized by Customer to use Vedamo’s Services (Students, Parents, Teachers, Administrators, Observers, Guests)

Nature of Processing

 
We shall process data and information provided by you or your Authorized End Users within the scope of the Agreement, for the purpose of service provision during the term of the Agreement, and pursuant to your documented instructions (unless required to process Customer Data other than instructed by applicable law, in which case we will, before processing Customer Personal Data in accordance with that law, inform you unless that law prohibits us from doing so).