Data Processing Addendum

This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between the Customer and imagi Education, Inc. (“Vendor”) (collectively, “the parties”) for the provision of services to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

1. Definitions

  1. In this DPA: 

    1. Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including (a) the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations, 34 C.F.R. Part 99 ("FERPA"); (b) applicable state education privacy laws; and (c) the laws and regulations of the United States and its states, as amended from time to time, in each case to the extent such laws and regulations apply to the relevant party.

    2. Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Vendor may Process on Customer’s behalf in performing the services under the Agreement. Personal Data includes “education records” regulated by the Family Educational Rights and Privacy Act. 

    3. Processing” (including its cognate "Process”) means any operation or set of operations which is performed on Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    4. Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.

    5. Services” means the services that the Vendor provides to Customer under the Agreement. 

  1. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2. Data Protection

  1. When Vendor Processes Personal Data, it will:

    1. Process the Personal Data to provide the Services in accordance with the Agreement and this DPA;

    2. assist Customer, taking into account the nature of the Processing and the information available to Vendor, in complying with Customer's obligations to respond to requests concerning Personal Data from individuals under applicable Data Protection Law;

    3. implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law; 

    4. only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements; and

    5. upon termination of the Agreement, as instructed by Customer, delete or return the Personal Data, except where continued retention of Personal Data is in accordance with applicable law or Vendor’s policies, in which case Vendor shall retain such Personal Data in accordance with this DPA.

  2. Vendor will not (a) “sell” or “share” (as defined in Data Protection Law) the Personal Data; (b) retain, use, combine, or disclose the Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Customer in accordance with the Agreement.

 

3. Customer Responsibilities

  1. Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for Vendor to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Vendor; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).

4. Subprocessing

  1. Customer agrees that Vendor may use the third-party suppliers to Process Personal Data on its behalf for the provision of the services under the Agreement (each a “Subprocessor”). 

  2. Vendor will ensure that any Subprocessors to which it transfers Personal Data enter into written agreements with Vendor requiring that the Subprocessor abide by terms substantially similar to those contained in this DPA. 

  3. Vendor will remain liable for any breaches of this DPA caused by its Subprocessors.

5. Assistance and Notifications

  1. Unless prohibited by Data Protection Law, Vendor must inform Customer if Vendor: 

    1. receives a request, complaint or other inquiry regarding the Processing of Personal Data; 

    2. receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body; 

    3. is subject to a legal obligation that requires Vendor to Process Personal Data in contravention of Customer’s instructions; or

    4. is otherwise unable to comply with Data Protection Law or this DPA. 

  2. Upon becoming aware of a Security Incident, Vendor will inform Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfil its data breach reporting obligations under applicable Data Protection Law. 

 

6. Audit

  1. Vendor will make available to Customer at Customer’s request reasonable information which is necessary to demonstrate compliance with this DPA as requested by Customer. 

  2. To the extent Vendor makes available to Customer confidential summary reports ("Audit Report") prepared by third-party security professionals, upon request from Customer, Vendor may provide such Audit Report in satisfaction of any audit rights accorded to Customer pursuant to Data Protection Law. 

  3. If Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Vendor to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Vendor customers or suppliers, Vendor's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Vendor’s normal business activities.

 

7. General

  1. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.

  2. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

  3. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.

  4. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.