Data Processing Addendum
Last Revised 24-April-2023
This Data Processing Addendum (“DPA”), and applicable Schedules, apply to the extent that SchoolStatus, LLC and its Affiliates (“Company”) processes Personal Data on behalf of the entity (“Client”) identified in the agreement to which this DPA is attached (the “Agreement”) in order to provide the services as provided therein (the “Services”). Capitalized terms not specifically defined herein shall have the meaning set out in the Agreement. In the event of a conflict between the terms of the Agreement as they relate to the processing of Data and this DPA, the DPA shall prevail.
- “Affiliates” means a company or other legal entity which is under common ownership or control with SchoolStatus LLC, or which is a subsidiary or parent company of SchoolStatus LLC.
- “Data Subject” has the meaning assigned to the term “data subject” or “consumer” under applicable Privacy Laws and shall include identified or identifiable natural persons to whom the Personal Data relates.
- “Personal Data” means any data relating to a Data Subject provided by (or on behalf of) Client to Company in connection with the Services.
- “Privacy Laws” means laws regarding the Processing of Personal Data.
- “Process” or “Processing” means any operation or set of operations that are performed on Personal Data or sets of Personal Data, whether or not by automated means, including, collection, recording, organization, structuring, storage, analysis, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Incident” means any situation in which Company confirms that Personal Data under Company’s management has been accessed, disclosed, altered, lost, destroyed, or used by unauthorized persons in an unauthorized manner having a material impact on Client or Data Subjects’ rights.
- “Sell”, “selling”, “sale”, or “sold” means the provision of Personal Data in exchange for monetary or other valuable consideration, and includes the meaning given in subdivision (ad)(1) of Cal. Civ. Code §1798.140.
- “Share”, “sharing”, or “shared” means the provision of Personal Data to support targeted advertising based on online behavioral profiling, and includes the meaning given in subdivision (ah)(1) of Cal. Civ. Code §1798.140.
- “Subprocessor” means any third-party service provider engaged by Company and which receives Personal Data for Processing activities to be carried out on behalf of Client. Subprocessors do not include third parties with whom Client, or Client’s employees or beneficiaries accessing the Services, directs Company to share Personal Data (such as, e.g., common carriers or payment processors).
RELATIONSHIP OF PARTIES
- Appointment as Data Processor. Client appoints Company to Process Personal Data. Client acknowledges and agrees that, as part of providing the Services, Company has the right to use Personal Data relating to or obtained in connection with the operation, support, or use of the Services for its legitimate internal business purposes, such as to enhance its services, to comply with all applicable laws (including law enforcement requests), to ensure the internal security of the Services, to prevent fraud or mitigate risk, or any other purposes permitted by applicable law, the Agreement, or this DPA (each of the foregoing, along with the provision of Services, a “Permitted Service Purpose” collectively the “Permitted Service Purposes”). Aggregate data about the usage of Company’s systems which does not identify any individual is not Personal Data under this DPA.
- Client Obligations. Client represents, warrants and covenants that: (i) it shall comply with its obligations under law; and (ii) it has provided all notices, and obtained all consents and rights, necessary under law for Company to Process Data and provide the Services. Without limiting any payment obligations under the Agreement, Client shall immediately notify Company and cease use of the Services in the event and to the extent any required authorization or legal basis for Processing is revoked or terminated.
OBLIGATIONS OF DATA PROCESSOR
- Customer Instructions. Client agrees that the Agreement, combined with this DPA, including the Permitted Service Purposes, constitute the entirety of Client’s documented instructions regarding the Services and the Processing of Data (“Documented Instructions”). Company may Process Personal Data in accordance with Documented Instructions or pursuant to the Permitted Purposes. To the extent required by law, Company shall notify Client promptly prior to any such Processing outside of instructions. Company may, but is not required to, rely on additional Processing instructions from Client outside the scope of the Documented Instructions, unless otherwise subsequently agreed to in writing by both Company and Client. Client is solely responsible for determining the lawfulness of the Documented Instructions it provides to Company and shall only provide Company with instructions that are lawful.
- Requirements of Processing. As required by applicable Privacy Laws, Company shall notify Client if Company determines that it can no longer meet its obligations under such laws or this DPA.
- No Sale of Personal Data. To the extent required to ensure compliance with applicable Privacy Laws, Company certifies that it shall not (i) Sell or Share the Personal Data; (ii) retain, use or disclose the Personal Data for any purpose other than the provision of Services, including to retain, use, or disclose the Personal Data for a commercial purpose other than a Permitted Service Purpose; and (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between Company and Client except at Client’s direction, including the Documented Instructions.
- Combination of Personal Data. As required for compliance with applicable Privacy Laws, Company shall not combine Personal Data received in connection with performing Services under the Agreement and this DPA with Personal Data it receives from another source except where permitted by the Permitted Service Purposes.
- Information Security Program. Company’s information security procedures are documented at [link] and may be updated from time to time. Client agrees that it has been afforded an adequate opportunity to review Company’s technical and security controls with regard to the Services.
- Pre-Authorized Subprocessors. Client agrees that Company can share Personal Data with Subprocessors for the Permitted Service Purposes. As required by Privacy Laws, Company shall impose contractual obligations on Subprocessors designed to support Company’s data protection obligations hereunder.
- Information Obligations. Company shall notify Client of any Security Incident in compliance with any applicable Privacy Laws. Company will not provide any public notice of a Security Incident that mentions Client without first consulting Client. Notice to law enforcement and/or Company’s advisors shall not be deemed a public notice hereunder. Company’s obligation to report or respond to a Security Incident under this section is not and will not be construed as an acknowledgement by Company of any fault or liability of Company with respect to such Security Incident.
COOPERATION AND ASSISTANCE
- Data Subject Rights. As required to comply with applicable Privacy Laws, Company shall inform Client following Company’s receipt of any inquiry or request from a Data Subject regarding the Processing of their Personal Data that Company identifies as relating to Client. At Client’s sole expense, Company will provide assistance upon written notice from Client requiring Company to access, amend, or delete any Personal Data, or to stop, mitigate or remedy any unauthorized Processing in accordance with any data subject’s right required by applicable Privacy Laws. Company shall have no liability for its failure to provide Services or perform its obligations if caused by its compliance with the previous sentence.
- Regulatory Assistance. If a governmental or regulatory authority sends Company a written inquiry, notice, or demand related to Personal Data, Company will attempt to redirect the authority to request such information from Client. If compelled to disclose Personal Data to a government or regulatory authority, Company will give Client reasonable notice of the demand to allow Client to seek a protective order or similar remedy if Company is legally permitted to do so. As required by law, and at Client’s sole expense, Company shall reasonably assist Client with a response to a governmental or regulatory authority’s investigation or inquiry as it relates to Client’s Personal Data. However, in no case will Company be required to undertake any action or make any representation or statement against the advice of its counsel.
- Compliance Assistance. Company shall reasonably assist Client with any other compliance action or procedure required by applicable Privacy Laws, at Client’s sole expense. However, in no case will Company be required to undertake any action or make any representation or statement against the advice of its counsel.
ACKNOWLEDGEMENTS, REPRESENTATIONS, AND WARRANTIES
- Student Information. Client understands that the Services may inherently involve the collection, Processing, receipt, and storage of Personal Data and educational records covered by Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g and other laws. Client further understands that this Personal Data may include (without limitation) a student’s first and last name, email address, ID number, school affiliation, age and grade, parents’ names and identities, contact information, and other relevant information depending upon the specific Services. Client further understands that all Personal Data collected and used by the Services may be transmitted over the public internet and stored using commercially-available, third-party cloud storage. Subject to Company’s obligation to adhere to all the terms of this DPA, Client, not Company, bears sole responsibility to ensure that the provision of data to and processing of data by Company complies with law and any requirements applicable to Client.
- Consents and Notices. Client represents, warrants and covenants that it has collected or will provide all legally required notices and collect all legally required consents necessary to permit Company’s Processing of Personal Data for the Permitted Service Purposes.
- Lawful Use. Client agrees that it will use the Services only in compliance with law and that it will ensure that all its users use the Services in compliance with law, the Agreement, and Company’s Terms & Conditions, available at www.schoolstatus.com/terms-and-conditions or as communicated by Company to Client.
- Minor Students. Client represents, warrants, and covenants that: (1) Client has full legal authority to consent to Company’s collection of Personal Data through the Services from all Data Subjects, including where relevant, students under the age of eighteen (18); and (2) Client’s use of the Services for the collection, use, Processing, and Sharing (if any) of Personal Data is and will only be in an educational context for the use and benefit of Client as an educational institution, and not for any other commercial purpose, and (3) Client will use the Services only in compliance with law, including relevant Privacy Laws.
- Disclaimer of Warranties. All disclaimers of warranty and limitations of liability in favor of Company shall apply as described in the Agreement.
- Indemnification. Client agrees to indemnify, defend, and hold Company, its affiliates, and each of their respective directors, officers, managers, employees, members, shareholders and agents and all of their respective successors and permitted assigns (collectively, the “Indemnified Parties”) harmless from and against any and all judgments, expenses, fines, penalties, or other losses (including reasonable attorney’s fees) which may be suffered by, imposed on, or incurred by any of the Indemnified Parties as a result of any third party claims arising from: (i) any breach of this DPA by Client, its agents, vendors, or employees; (ii) Client’s violation of any Privacy Laws; and/or (iii) Company’s reliance on any instructions provided by Client.
- Any costs and expenses incurred by Company for which Client is responsible under this DPA shall not be subject to any limitation of liability clause otherwise agreed between the parties, including within the Agreement.
DATA RETENTION AND DESTRUCTION
- Data Destruction. Within thirty (30) days after the effective date of termination or expiration of the Agreement, or within thirty (30) days of receipt of a written request by Client, Company will delete Personal Data in its possession, except that Company may always retain such Personal Data (1) to the extent Company is required to do so under an applicable law, including, but not limited to, any applicable Privacy Law; (2) as reasonably necessary for the establishment of, exercise of, or defense against legal claims; or (3) in archival business records. Company may retain and use a copy of Personal Data following the termination of the Agreement which has been cleansed in a commercially reasonable manner of all attributes capable of identifying a Data Subject. This includes, but is not limited to, aggregated data derived from Personal Data.