Data Processing Agreement
DATED: May 10, 2022
1. Scope, Order of Precedence and Term
1.1 This data processing agreement (the “Data Processing Agreement”) applies to EduBrite’s Processing of Personal Data as part of EduBrite LMS Subscription (“LMS Subscription”). The LMS Subscription are described in (i) the applicable order form or statement of work (SOW) for LMS Subscription, and (ii) the applicable agreement or other applicable master agreement by and between You and EduBrite in which this Data Processing Agreement is referenced, and (iii) terms of use (i, ii and iii collectively the “LMS Services Agreement”).
1.2 Unless otherwise expressly stated in the order, this version of the Data Processing Agreement is incorporated into and subject to the terms of the LMS Services Agreement, and shall be effective and remain in force for the Subscription Period of the LMS Subscription.
1.3 Except as expressly stated otherwise in this Data Processing Agreement or the order, in the event of any conflict between the terms of the LMS Services Agreement, including any policies or schedules referenced therein, and the terms of this Data Processing Agreement, the relevant terms of this Data Processing Agreement shall take precedence.
2. Definitions
2.1 “Applicable Data Protection Law” means (i) Directive 95/46/EC of October 24, 1995, as amended, on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (‘Directive’) until such time that it is replaced by Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, applicable as of May 25, 2018; and (ii) any other data privacy or data protection law or regulation that applies to the Processing of Personal Data under this Data Processing Agreement;
2.2 “You” means the customer entity that has executed the order;
2.3 “Data Subject”, “Data Protection Impact Assessments”, “Data Protection Officer”, “Process/Processing”, “Supervisory Authority”, “Controller”, “Processor” and “Binding Corporate Rules” (or any of the equivalent terms) have the meaning set forth under Applicable Data Protection Law;
2.4“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
2.5 “EduBrite” means the EduBrite Systems Inc. that has executed the order and that that may assist in the performance of the LMS Subscription as set forth in Section 3.3;
2.6 “Personal Data” means any information relating to a Data Subject that EduBrite may Process on Your behalf as part of the LMS Subscription;
2.7 “Third Party Subprocessor” means a third party subcontractor, other than an EduBrite Affiliate, engaged by EduBrite and which may Process Personal Data as set forth in Section 3.3.
Other capitalized terms have the definitions provided for them in the LMS Services Agreement or as otherwise specified below.
3. Controller and Processor of Personal Data and Purpose of Processing
3.1 You are and will at all times remain the Controller of the Personal Data Processed by EduBrite under the LMS Services Agreement. You are responsible for compliance with Your obligations as a Controller under Applicable Data Protection Law, in particular for justification of any transmission of Personal Data to EduBrite (including providing any required notices and obtaining any required consents and/or authorizations, or otherwise securing an appropriate legal basis under Applicable Data Protection Law), and for Your decisions and actions concerning the Processing of such Personal Data.
3.2 EduBrite is and will at all times remain a Processor with regard to the Personal Data provided by You to EduBrite under the LMS Services Agreement. EduBrite is responsible for compliance with its obligations under this Data Processing Agreement and for compliance with its obligations as a Processor under Applicable Data Protections Law.
3.3 EduBrite and any persons acting under the authority of EduBrite, including Third Party Subprocessors as set forth in Section 8, will Process Personal Data solely for the purpose of (i) providing the LMS Subscription in accordance with the LMS Services Agreement and this Data Processing Agreement (ii) complying with Your documented written instructions in accordance with Section 5, or (iii) complying with EduBrite’s regulatory obligations in accordance with Section 13.
4. Categories of Personal Data and Data Subjects
4.1 In order to perform the LMS Subscription and depending on the LMS Subscription You have ordered, EduBrite may Process some or all of the following categories of Personal Data: personal contact information such as name, email address, and passwords; professional details including job title and function, and business contact details; unique IDs collected from mobile devices, network carriers or data providers, IP addresses, and online behavior and interest data.
4.2 Categories of Data Subjects whose Personal Data may be Processed in order to perform the LMS Subscription may include, among others, Your representatives and end users, such as Your employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.
4.3 Additional categories of Personal Data and/or Data Subjects may be described in the LMS Services Agreement. Unless otherwise specified in Your order, Your Content may not include any sensitive or special personal data that imposes specific data security or data protection obligations on EduBrite in addition to or different from those specified in this Data Processing Agreement.
5. Your Instructions
5.1 EduBrite will Process Personal Data on Your written instructions as specified in the LMS Services Agreement and this Data Processing Agreement, including instructions regarding data transfers as set forth in Section 7.
5.2 You may provide additional instructions in writing to EduBrite with regard to Processing of Personal Data in accordance with Applicable Data Protection Law. EduBrite will comply with all such instructions to the extent necessary for EduBrite to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist You to comply with Your Controller obligations under Applicable Data Protection Law relevant to Your use of the LMS Subscription, including assistance with notifying Personal Data breaches as set forth in Section 11, Data Subject requests as set forth in Section 6, and Data Protection Impact Assessments (DPIAs).
5.3 To the extent required by Applicable Data Protection Law, EduBrite will immediately inform You if, in its opinion, Your instruction infringes Applicable Data Protection Law. You acknowledge and agree that EduBrite is not responsible for performing legal research and/or for providing legal advice to You.
5.4 Without prejudice to EduBrite’s obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by EduBrite to comply with instructions with regard to the Processing of Personal Data that require the use of resources different from or in addition to those required for the provision of the LMS Subscription.
6. Rights of Data Subjects
6.1 EduBrite will grant You electronic access to Your LMS Subscription environment that holds Personal Data to enable You to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including requests to access, delete or erase, restrict, rectify, receive and transmit, block access to or object to Processing of specific Personal Data or sets of Personal Data.
6.2 To the extent such electronic access is not available to You, You can open a “topic” via EduBrite Support Center, or other applicable primary support tool provided for the Services), and provide detailed written instructions to EduBrite (including the Personal Data necessary to identify the Data Subject) on how to assist with such Data Subject requests in relation to Personal Data held in Your LMS Subscription environment. EduBrite will promptly follow such instructions. If applicable, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by EduBrite to comply with instructions that require the use of resources different from or in addition to those required for the provision of the LMS Subscription.
6.3 If EduBrite directly receives any Data Subject requests regarding Personal Data, it will promptly pass on such requests to You without responding to the Data Subject if the Data Subject identifies You as the Data Controller. If the Data Subject does not identify You, EduBrite will instruct the Data Subject to contact the entity responsible for collecting their Personal Data.
7. Personal Data Transfers
7.1Personal Data in Your LMS Subscription environment may be transferred to, and stored and processed in any country in which EduBrite or its Subprocessors maintain facilities. EduBrite will not migrate Your LMS Subscription environment to a different data center region without Your prior written authorization.
7.2 EduBrite Systems Inc. and its U.S. Subsidiaries (Collectively, “EduBrite”) have certified compliance under the EU-U.S. and Swiss-U.S. Privacy Shield Principles. For Personal Data transferred from the European Economic Area to EduBrite, EduBrite will provide at least the same level of privacy protection as is required by the EU-U.S. and Swiss-U.S. Privacy Shield Principles. EduBrite will notify You if EduBrite determines it can no longer meet its obligations under this Section 7.2. EduBrite will take reasonable and appropriate steps to stop and remediate, and will cooperate with Your reasonable requests regarding any unauthorized processing of such Personal Data by EduBrite. EduBrite may provide a summary or a representative copy of the relevant privacy provisions of this DPA to the U.S. Department of Commerce upon request.
7.3 Without prejudice to Section 7.1, EduBrite may access and Process Personal Data as necessary to perform the LMS Subscription, including for IT security purposes, maintenance and performance of the LMS Subscription and related infrastructure, LMS Subscription technical support.
7.4 To the extent such global access involves a transfer of Personal Data originating from the European Economic Area (“EEA”) or Switzerland to Third Party Subprocessors located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, such transfers are subject to (i) the terms of the Standard Contractual Clauses incorporated into this Data Processing Agreement by reference; or (ii) other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Applicable Data Protection Law, such as approved Binding Corporate Rules for Processors. For the purposes of the Standard Contractual Clauses, You and EduBrite agree that (i) You will act as the data exporter on Your own behalf and on behalf of any of Your entities, (ii) EduBrite will act on its own behalf as the data importers, (iii) any Third Party Subprocessors will act as ‘subcontractors’ pursuant to Clause 11 of the Standard Contractual Clauses.
7.5 Transfers of Personal Data originating from other locations globally to Third Party Subprocessors requires all transfers of Personal Data to be made in compliance with all applicable EduBrite privacy policies and standards; and for Third Party Subprocessors, the terms of the relevant EduBrite Third Party Subprocessor agreement incorporating data privacy requirements consistent with the relevant requirements of this Data Processing Agreement.
8. Third Party Subprocessors
8.1 Subject to the terms and restrictions specified in Sections 3.3, 7 and 8, You agree that EduBrite may engage Third Party Subprocessors to assist in the performance of the LMS Subscription.
8.2 EduBrite maintains lists of Third Party Subprocessors that may Process Personal Data. These lists are available to You in Appendix A.
8.3 Within sixty (60) calendar days of EduBrite providing such notice to You, You may object to the intended involvement of a Third Party Subprocessor in the performance of the LMS Subscription, providing objective justifiable grounds related to the ability of such Third Party Subprocessor to adequately protect Personal Data in accordance with this Data Processing Agreement or Applicable Data Protection Law in writing by submitting a “topic” via EduBrite Support Center, or other applicable primary support tool provided for the Services. In the event Your objection is justified, You and EduBrite will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Third Party Subprocessors’ compliance with this Data Processing Agreement or Applicable Data Protection Law, or delivering the LMS Subscription without the involvement of such Third Party Subprocessor. To the extent You and EduBrite do not reach a mutually acceptable resolution within a reasonable timeframe, You shall have the right to terminate the relevant LMS Subscription (i) upon serving prior notice in accordance with the terms of the LMS Services Agreement; (ii) without liability to You and EduBrite and (iii) without relieving You from Your payment obligations under the LMS Services Agreement up to the date of termination. If the termination in accordance with this Section 8.3 only pertains to a portion of LMS Subscription under an order, You will enter into an amendment or replacement order to reflect such partial termination.
8.4 Third Party Subprocessors are required to abide by the same level of data protection and security as EduBrite under this Data Processing Agreement as applicable to their Processing of Personal Data. You may request that EduBrite audit a Third Party Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the Third Party Subprocessor’s operations) to verify compliance with such obligations. You will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of EduBrite’s agreement with any Third Party Subprocessors may Process Personal Data.
8.5 EduBrite remains responsible at all times for the performance of Third Party Subprocessors’ obligations in compliance with the terms of this Data Processing Agreement and Applicable Data Protection Law.
9. Technical and Organizational Measures, and Confidentiality of Processing
9.1 EduBrite has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data. These measures take into account the nature, scope and purposes of Processing as specified in this Data Processing Agreement, and are intended to protect Personal Data against the risks inherent to the Processing of Personal Data in the performance of the LMS Subscription, in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
9.2 In particular, EduBrite has implemented the policies as mentioned in the LMS Services Agreement. You are advised to carefully review the applicable sections in the LMS Services Agreement to understand which specific security measures and practices apply to the particular LMS subscription ordered by You, and to ensure that these measures and practices are appropriate for the Processing of Personal Data pursuant to this Data Processing Agreement.
9.3 All EduBrite staff, as well as any Third Party Subprocessors that may have access to Personal Data are subjected to appropriate confidentiality arrangements.
10. Audit Rights and Cooperation with You and Your Supervisory Authorities
10.1 You may audit EduBrite’s compliance with its obligations under this Data Processing Agreement up to once per year. In addition, to the extent required by Applicable Data Protection Law, including where mandated by Your Supervisory Authority, You or Your Supervisory Authority may perform more frequent audits. EduBrite will contribute to such audits by providing You or Your Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the LMS Subscription ordered by You.
10.2 If a third party is to conduct the audit, the third party must be mutually agreed to by You and EduBrite (except if such Third Party is a competent Supervisory Authority). EduBrite will not unreasonably withhold its consent to a third party auditor requested by You. The third party must execute a written confidentiality agreement acceptable to EduBrite or otherwise be bound by a statutory confidentiality obligation before conducting the audit.
10.3 To request an audit, You must submit a detailed proposed audit plan to EduBrite at least two (2) weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. EduBrite will review the proposed audit plan and provide You with any concerns or questions (for example, any request for information that could compromise EduBrite security, privacy, employment or other relevant policies). EduBrite will work cooperatively with You to agree on a final audit plan.
10.4 If the requested audit scope is addressed in a similar audit report issued by a qualified third party auditor within the prior twelve months and EduBrite provides such report to You confirming there are no known material changes in the controls audited, You agree to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.
10.5 The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and EduBrite’s health and safety or other relevant policies, and may not unreasonably interfere with EduBrite business activities.
10.6 You will provide EduBrite any audit reports generated in connection with any audit under this Section 10, unless prohibited by Applicable Data Protection Law or otherwise instructed by a Supervisory Authority. You may use the audit reports only for the purposes of meeting Your regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement. The audit reports are Confidential information of the parties under the terms of the LMS Services Agreement.
10.7 Any audits are at Your expense. The parties will negotiate in good faith with respect to any charges or fees that may be incurred by EduBrite to provide assistance with an audit that requires the use of resources different from or in addition to those required for the provision of the LMS Subscription.
11. Incident Management and Personal Data Breach Notification
11.1 EduBrite promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or Processing of Personal Data (“Incident”). All EduBrite staff that have access to or Process Personal Data are instructed on responding to Incidents, including prompt internal reporting, escalation procedures, and chain of custody practices to secure relevant evidence. EduBrite’s agreements with Third Party Subprocessors contain similar Incident reporting obligations.
11.2 In order to address an Incident, EduBrite defines escalation paths and response teams involving internal functions such as Information Security and Legal. The goal of EduBrite’s Incident response will be to restore the confidentiality, integrity, and availability of the LMS Subscription environment and the Personal Data that may be contained therein, and to establish root causes and remediation steps. Depending on the nature and scope of the Incident, EduBrite may also involve and work with You and outside law enforcement to respond to the Incident.
11.3 To the extent EduBrite becomes aware and determines that an Incident qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on the LMS Subscription environment that compromises the security, confidentiality or integrity of such Personal Data (“Personal Data Breach”), EduBrite will inform You of such Personal Data Breach without undue delay but at the latest within 24 hours.
11.4 EduBrite will take reasonable measures designed to identify the root cause(s) of the Personal Data Breach, mitigate any possible adverse effects and prevent a recurrence. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to EduBrite and to the extent permitted by law, EduBrite will provide You with (i) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; (iii) where possible, the categories of Personal Data and Data Subjects including an approximate number of Personal Data records and Data Subjects that were the subject of the Personal Data Breach; and (iv) other information concerning the Personal Data Breach reasonably known or available to EduBrite that You may be required to disclose to a Supervisory Authority or affected Data Subject(s).
11.5 Unless otherwise required under Applicable Data Protection Law, the parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant Supervisory Authorities.
12. Return and Deletion of Personal Data upon Termination of LMS Subscription
12.1 Following termination of the LMS Subscription, EduBrite will make available for retrieval Your Personal Data then available in Your LMS Subscription environment, unless otherwise expressly stated in the LMS Services Agreement. For any uploaded content You are advised to keep the original content files as a backup because the system may not retain the uploaded content in its original format. The content may get repurposed as per the LMS Subscription requirements.
12.2 Upon termination of the LMS Subscription or upon expiry of the retrieval period following termination of the LMS Subscription (if available), EduBrite will promptly delete all copies of Personal Data from the LMS Subscription environment by rendering such Personal Data unrecoverable, except as may be required by law. EduBrite’s data deletion practices are described in more detail in the LMS Services Agreement.
13. Legally Required Disclosure Requests
If EduBrite receives any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority which relates to the Processing of Personal Data (“Disclosure Request”), it will promptly pass on such Disclosure Request to You without responding to it, unless otherwise required by applicable law (including to provide an acknowledgement of receipt to the authority that made the Disclosure Request).
At Your request, EduBrite will provide You with reasonable information in its possession that may be responsive to the Disclosure Request and any assistance reasonably required for You to respond to the Disclosure Request in a timely manner.
14. Governing Law
14.1 This Data Processing Agreement shall be governed by the law of the Member State in which the Your registered office is established.
14.2 Impact of local laws. As of the Effective Date, EduBrite has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data as set forth in the Infrastructure and Sub-processors Documentation, including any requirements to disclose Personal Data or measures authorising access by a Public Authority, prevent EduBrite from fulfilling its obligations under this DPA. If EduBrite reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Customer. In such a case, EduBrite shall use reasonable efforts to make available to the affected Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening Customer. If EduBrite is unable to make available such change promptly, Customer may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by EduBrite in accordance with the Local Laws by providing written notice in accordance with the “Notices” section of the Agreement. Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services
15. Obligations of the data importer in case of access by public authorities
15.1 Notification. EduBrite agrees to notify You promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph 14.2, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph 14.2.
15.2 Review of legality and data minimisation. (a) EduBrite agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. EduBrite shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the EduBrite shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of EduBrite under Clause 15.1.
(b) EduBrite agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to You It shall also make it available to the competent supervisory authority on request.
(c) EduBrite agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
Appendix A
This Appendix forms part of the Clauses in DPA. The list of subprocessors approved by the data imported as of the effective date of the DPA is as set forth below:
| Subprocessor Name | Description of Processing |
| iWeb Technologies, Inc. | Hosting & Infrastructure |
| Amazon Web Services, Inc. | Hosting & Infrastructure |
| Trinus Corporation | Services & Support |
| Cloudflare, Inc. | Web Infrastructure/security, CDN |
| Mydbops IT Solutions | Services & Support |
