DATA PROCESSING AGREEMENT
This Data Processing Agreement (including any terms set forth in a schedule, appendix or addendum hereto, “DPA”)is by and between you (“Customer”), and ReadySet Solutions Co., a Delaware corporation (“Vendor”). Customer and Vendor may be referred to herein together as the “Parties”, and each may be referred to herein as a “Party”. To the extent that the Parties have entered into a prior agreement governing the processing of personal data (the “Prior Agreement”), the Parties understand and agree that this DPA shall supersede and replace such Prior Agreement. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Customer and Vendor hereby agree as follows:
Definitions.
1.1 “Applicable Laws” means, collectively, all now existing or hereinafter enacted or amended laws, rules, regulations (including, without limitation, self-regulatory obligations), and/or sanctions programs applicable to a Party’s performance hereunder and/or obligations with respect to data protection.
1.2 “CCPA” means the California Consumer Privacy Act of 2018 (Title 1.81.5 of the Civil Code of the State of California), together with all effective regulations adopted thereunder (in each case, as amended from time to time).
1.3 “Customer Data” means all information, data, content and other materials, in any form or medium, that is submitted, posted, collected, transmitted or otherwise provided by or on behalf of Customer through the Services.
1.4 “Customer Personal Data” means Customer Data that is Personal Data processed by Vendor on behalf of Customer in the provision of the Services under the Service Agreement(s).
1.5 “Controller” means (i) under and in the context of European Data Protection Law, the data “controller” (as defined by GDPR), (ii) under and in the context of CCPA, the “business” (or third party) (each, as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “controller”, “business”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.
1.6 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (and each successor regulation, directive or other text of the foregoing, in each case as amended from time to time).
1.7 “European Data Protection Law” means each of EU GDPR, UK GDPR, and the Federal Data Protection Act of 19 June 1992 (Switzerland) (as the same may be superseded by the Swiss Data Protection Act 2020 and as amended from time to time).
1.8 “GDPR” means, as applicable, (i) the EU GDPR and/or (ii) the UK GDPR.
1.9 “Personal Data” means any information that constitutes (a) “personal information” (as defined by, and in the context of, CCPA), (b) “personal data” (as defined by, and in the context of, European Data Protection Law), and/or (c) “personal data,” “personal information,” or other term denoting a substantially similar definition and obligations under, and in the context of, any other Applicable Laws, in each case that is (i) made available or otherwise provided by Customer to Vendor in connection with the Services and/or (ii) collected or accessed by Vendor under a Service Agreement(s) via a pixel, cookie, tag, or similar technology on any of Customer’s digital properties.
1.10 “Process” means any operation or set of computer operations performed on Personal Data, including, but not limited to, collection, recording, organization, structuring, storage, access, adaptation, alteration, retrieval, consultation, use, transfer, transmit, sale, rental, disclosure, dissemination, making available, alignment, combination, deletion, erasure, or destruction.
1.11 “Processor” means (i) under and in the context of European Data Protection Law, the data “processor” (as defined by GDPR), (ii) under and in the context of CCPA, a “service provider” (as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “processor”, “service provider”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.
1.12 “Security Incident” means (i) any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data or (ii) any other event that constitutes a “security breach”, “personal data breach”, or substantially similar term with respect to Personal Data under an Applicable Law(s).
1.13 “Service Agreements” or “Agreement” means, collectively, the agreements and/or terms of service (including, as applicable, each of the Statements of Work/SOWs/Orders/Order Forms and exhibits thereunder) between Customer and Vendor.
1.14 “Services” means, collectively, the products and/or services provided by Vendor to Customer under the Service Agreements.
1.15 “Sub-Processor” means a contractor, subcontractor, consultant, third-party service provider, or agent engaged by Vendor for further Processing of Personal Data.
1.16 “UK GDPR” has the meaning ascribed thereto in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018 (as amended from time to time).
Data Processing Obligations.
2.1 General.
a) Each Party shall comply with its obligations relating to Personal Data under this DPA and under Applicable Laws at its own cost. With respect to Personal Data, (i) Customer is a Controller and (ii) Vendor is a Processor that acts upon the instructions of Customer, including, without limitation, in accordance with the applicable Service Agreement, this DPA, and any other documented instructions provided by Customer.
b) With regard to Vendor employees engaged in Processing Personal Data, Vendor shall ensure that such employees are informed of the confidential nature of the Personal Data and are subject to appropriate confidentiality obligations sufficient to comply with the terms of the applicable Service Agreement(s) and this DPA, which confidentiality obligations shall survive following termination of this DPA for at least as long as the period(s) required by the applicable Service Agreement(s) and this DPA.
c) Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data, including, without limitation, obtaining appropriate consent to collect the Customer Personal Data and share such data with Vendor in accordance with Applicable Laws.
2.2 Standard Contractual Clauses. If Vendor Processes Personal Data relating to an EEA, United Kingdom, or Switzerland data subject (including, without limitation, the transfer of such Personal Data from the EEA, United Kingdom, or Switzerland to a third country not providing an adequate level of protection) outside of the EEA, United Kingdom, and Switzerland, the Processing will be further governed by Schedule I to this Agreement, with Customer as data exporter and Vendor as data importer (together with all Appendixes and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “Personal Data SCCs”), which is incorporated by reference into this DPA solely with respect to Personal Data relating to EEA, United Kingdom and/or Switzerland data subjects. If there is any conflict between (x) the terms and conditions of either this DPA or the applicable Service Agreement(s), on the one hand, and (y) the terms and conditions of the Personal Data SCCs, on the other hand, then, with respect to Personal Data relating to an EEA, United Kingdom and/or Switzerland data subject(s), the terms and conditions of the Personal Data SCCs will prevail and control. Vendor may only transfer Personal Data relating to an EEA, United Kingdom, or Switzerland data subject outside the EEA, United Kingdom, and Switzerland in compliance with Applicable Laws and the Personal Data SCCs.
2.3 CCPA. Without limiting any of the restrictions on or obligations of Vendor under this DPA, under any of the Service Agreements, or under Applicable Laws, with respect to Personal Data relating to a California “consumer” (as defined by CCPA) or household (“CCPA Personal Data”):
a) ### Customer shall be disclosing such CCPA Personal Data under the applicable Service Agreement(s) to Vendor for a “business purpose” (as defined by CCPA), and Vendor shall Process such CCPA Personal Data solely on behalf of Customer and only as necessary to perform such business purpose for Customer; and
b) ### Vendor shall not: (i) “sell” (as defined by CCPA) CCPA Personal Data; or (ii) retain, use, or disclose CCPA Personal Data (x) for any purpose (including a “commercial purpose” (as defined by CCPA)) other than for the specific purpose of performing for Customer the services specified in the particular Service Agreement(s) or (y) outside of the direct business relationship between Vendor and Customer; Vendor certifies that it understands the restrictions set forth in this Section 2.3(b) and shall comply with them; and
c) ### Notwithstanding anything to the contrary in this DPA (including, for purposes of clarification and without limitation, clauses (a) and (b) of this Section 2.3), in no event shall Vendor process any CCPA Personal Data in such a manner as would constitute (i) a sale (as defined by CCPA) of CCPA Personal Data by Customer to Vendor or (ii) on or after January 1, 2023, the sharing (as defined under CCPA (as amended by the California Privacy Rights Act of 2020)) of CCPA Personal Data by Customer with Vendor; and
d) ### If directed by Customer with regard to a particular California consumer or household, Vendor shall delete the CCPA Personal Data of such consumer or household.
2.4 Changes in Applicable Laws. If, due to any change in Applicable Laws, a Party reasonably believes that (a) Vendor ceases to be able to provide a Service(s) in whole or in part (e.g., with respect to a particular jurisdiction) and/or Customer ceases to be able to use a Service(s) in whole or in part under the then-current terms and conditions of the applicable Service Agreement(s) and this DPA, each Party may terminate the applicable Service Agreement(s) (in whole or, if reasonably practicable, in part).
Security.
3.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks. Such measures will include reasonable administrative, physical, and technical security controls (including those required by Applicable Laws) that prevent the collection, use, disclosure, or access to Personal Data and Customer confidential information that the Service Agreements do not expressly authorize, including maintaining a comprehensive information security program that safeguards Personal Data and Customer confidential information. These security measures include, but are not limited to: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
3.2 When assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
Supplementary Measures and Safeguards.
4.1 Assistance; Risk Assessment.
a) Vendor shall assist Customer to ensure compliance with Applicable Laws in connection with the Processing of Personal Data.
4.2 Orders. Vendor shall notify Customer in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and/or on behalf of Vendor. Customer may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with Customer in such defense.
Notifications.
5.1 Security Incidents. Vendor has and will maintain a security incident response plan that includes procedures to be followed in the event of a Security Incident. Vendor will provide Customer with written notice promptly after discovering a Security Incident (including those affecting Vendor or its Sub-Processors), including any information that Customer is required by law to provide to an applicable regulatory agency or to the individuals whose personal data was involved in the Security Incident.
5.2 Data Subject Requests. Vendor shall (i) promptly notify Customer about any request under Applicable Law(s) with respect to Personal Data received from or on behalf of the applicable data subject and (ii) reasonably cooperate with Customer’s reasonable requests in connection with data subject requests with respect to Personal Data. Vendor shall assist Customer, through appropriate technical and organizational measures, to fulfill its obligations with respect to requests of data subjects seeking to exercise rights under Applicable Law with respect to Personal Data.
Sub-Processors.
6.1 Vendor shall not have Personal Data Processed by a Sub-Processor unless such Sub-Processor is bound by a written agreement with Vendor that includes data protection obligations at least as protective as those contained in this DPA and the applicable Service Agreement(s) and that meet the requirements of Applicable Laws. Vendor is and shall remain fully liable to Customer for any failure by any Sub-Processor to fulfill Vendor’s data protection obligations under Applicable Laws.
6.2 Vendor provides a of lists all Sub-Processors who access Personal Data, available at: [___________] (the “Website”). Customer specifically authorizes and instructs Vendor to engage the Sub-Processors listed on the Website as of the Effective Date. Vendor will notify Customer of any changes to the Sub-Processors listed on the Website and grant Customer the opportunity to object to such change. Upon Customer’s request, Vendor will provide all information necessary to demonstrate that the Sub-Processors will meet all requirements pursuant to Section 6.1. In the case Customer objects to any Sub-Processor, Vendor can choose to either not engage the Sub-Processor or to terminate this DPA with thirty (30) days’ prior written notice.
6.3 Third-party providers that maintain IT systems whereby access to Personal Data is not needed but can technically also not be excluded do not qualify as Sub-Processors within the meaning of this Section 6. They can be engaged based on regular confidentiality undertakings and subject to Vendor’s reasonable monitoring.
Deletion. Vendor shall, at the choice of Customer: (i) delete or return all Customer Data to Customer after such Customer Data is no longer necessary for the provision of the Services, and (ii) delete existing copies of such Customer Data.
Documentation.
8.1 Vendor shall, upon Customer’s request, provide Customer (a) comprehensive documentation of Vendor’s technical and organizational security measures, (b) any and all third-party audits and certifications available with respect to such security measures, and (c) and all other information reasonably necessary to demonstrate compliance with the Vendor’s obligations under this DPA and/or under Applicable Laws.
Term; Termination. This DPA shall remain in effect until (a) all Service Agreements have terminated and (b) all obligations that Vendor has under the Service Agreements and under Applicable Laws with respect to Personal Data, and all rights that Customer has under the Service Agreements and under Applicable Laws with respect to Personal Data, have terminated. Notwithstanding termination of this DPA, any provisions hereof that by their nature are intended to survive, shall survive termination.
Miscellaneous.
10.1 Any notice made pursuant to this DPA will be in writing and will be deemed delivered on (a) the date of delivery if delivered personally, (b) five (5) calendar days (or upon written confirmed receipt) after mailing if duly deposited in registered or certified mail or express commercial carrier, or (c) one (1) calendar day (or upon written confirmed receipt) after being sent by email, addressed to the address or email address designated by Customer, or to such other address or email address as may be hereafter designated by either Party.
10.2 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Service Agreements, unless required otherwise by Applicable Laws.
10.3 Neither Party may assign or transfer any part of this DPA without the written consent of the other Party; provided, however, that this DPA, collectively with all Service Agreements, may be assigned without the other Party’s written consent by either Party to a person or entity who acquires, by sale, merger or otherwise, all or substantially all of such assigning Party’s assets, stock or business. Subject to the foregoing, this DPA shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns. Any attempted assignment in violation of this Section 12.3 shall be void and of no effect.
10.4 This DPA is the Parties’ entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject; provided, however, that, notwithstanding the foregoing but subject to the last sentence of this Section 10.4, nothing in this DPA shall be deemed to supersede any of the Service Agreements. All amendments hereto must be executed by both of the Parties and expressly state that they are amending this DPA. Failure to enforce any provision of this DPA shall not constitute a waiver. If any provision of this DPA is found unenforceable, it and any related provisions shall be interpreted to best accomplish the unenforceable provision’s essential purpose. The headings contained in this DPA are for reference purposes only and shall not affect in any way the meaning or interpretation of this DPA. In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of any Service Agreement, the terms and conditions of this DPA shall govern.
10.5 The Parties may execute this DPA in counterparts (including, without limitation, DocuSign and/or other electronic signature, PDF, and other electronic copies), which taken together shall constitute one instrument.
SCHEDULE I
EU SCCs
Definitions
a) “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec\_impl/2021/914/oj and completed as described in this Schedule I.
b) “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the DPA Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in this Schedule I.
With respect to Personal Data transferred from the European Economic Area, the EU SCCs will apply and form part of this Schedule I, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:
a) Because Customer is a Controller and Vendor is a Processor of the Personal Data, Module 2 applies.
b) Clause 7 (the optional docking clause) is not included.
c) Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable.
d) Under Clause 17 (Governing law), the Parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.
e) Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.
f) Annexes I, II and III of the EU SCCs are set forth in Exhibit A to this Schedule I.
g) By entering into this DPA, the Parties are deemed to be signing the EU SCCs.
With respect to Personal Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this Schedule I and take precedence over the rest of this Schedule I as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:
a) Table 1 of the UK SCCs:
i. The Parties’ details are the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Exhibit A.
ii. The Key Contacts are the contacts set forth in **Exhibit A**.b) Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 are the EU SCCs as executed by the Parties pursuant to this Schedule I.
c) Table 3 of the UK SCCs: Annex 1A, 1B, II and III are set forth in Exhibit A.
d) Table 4 of the UK SCCs: Either party may terminate the Service Agreements as set forth in Section 19 of the UK SCCs.
e) By entering into the DPA, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information.
With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection (“FADP”):
a) References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
b) The term “member state” in the EU SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
c) References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
d) Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.
EXHIBIT A
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: Entity identified as “Customer” in the DPA and “Client” in the Agreement.
Address: See the Agreement.
Contact person’s name, position and contact details: See the Agreement.
Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA).
Signature and date: See the Agreement.
Role (controller/processor): Controller.
Data importer(s):
Name: ReadySet Solutions Co. (“Vendor”)
Address:
Contact person’s name, position and contact details: Vendor Head of Product – contact@thereadyset.co.
Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA).
Role (controller/processor): Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Current and prospective employees of Customer (collectively, “Users”).
Categories of personal data transferred
First name, last name, email address, IP address, and any other personal data that may be included in Client Data (as defined in the Service Agreement).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
If the Services include Vendor’s consulting Services, the Client Data may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Vendor will only use this personal data as necessary to provide the consulting Services to Customer.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For the duration of the Services pursuant to the Agreement.
Nature of the processing
To provide the Services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing
To provide the Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As long as necessary to provide the Services pursuant to the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
To provide the Services pursuant to the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The Supervisory Authority where the Data Exporter is located.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
1. General Security Measures
Vendor will comply with industry-standard security measures (including with respect to personnel, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, and incident response measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of personal data), as well as with all applicable data privacy and security laws, regulations and standards.
2. Third-Party Risk Assessments
Vendor conducts security due diligence on third-party service providers to assess and monitor risk. This assessment includes a review of scope of confidential information and personal data transferred to or processed by the service provider and the purpose of the work. Vendor will also conduct a risk assessment which may include the service provider’s organization and technical security measures, the sensitivity of any information processed by the service provider, storage limitations, and data deletion procedures and timelines.
3. LearnWorlds
Vendor’s learning platform is hosted and distributed through LearnWorlds, a white label learning platform.
LearnWorlds' platform's physical infrastructure is hosted and managed within Google Cloud's secure data centers and leverages Google Cloud Platform (GCP) technologies. Google continually manage risk and ensure compliance with industry standards.
Additional information about LearnWorlds' security practices can be found on their Security Overview page: https://www.learnworlds.com/data-security/
4. Contact Information
Vendor’s security team can be reached at contact@thereadyset.co for any security questions.
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Please see:https://thereadyset.co/subprocessors/