Data processing agreement
Coursebricks, "us", "we", or "our" refers to Coursebricks Ltd.
This Data Processing Agreement forms part of the Software as a Service Agreement ("Principal Agreement") between the client entity that is a party to the Principal Agreement ("Client", "you", "Data Controller" or "Controller") and Coursebricks ("Data Processor" or "Processor"), together as the "Parties". The Data Controller and the Data Processor are individually referred to as a "Party" and collectively referred to as the "Parties".
Whereas:
- The Data Processor provides Services to the Data Controller as part of their contractual relationship regulated by one or more separate agreements, written or verbal, ("Principal Agreement") which currently governs their relationship including that related to the protection and management of data.
- In providing the Services, the Data Processor may collect or otherwise process Personal Data sourced from the Data Controller within the meaning of Data Protection Laws.
- The Parties are aware that Regulation (EU) 2016/679 … (GDPR), is the new global bar for privacy rights, security and compliance.
- The Parties agree to enter into this Data Processing Agreement ("DPA"), which regulates the data protection obligations of the Parties when processing the Personal Data.
- The conditions contained within this DPA supplement any Principal Agreement in respect of the aspects related to the processing of data and supersede any provisions of the Principal Agreement in the event of a conflict.
- Any terms not defined in this DPA shall have the meaning set forth in the Principal Agreement.
1. Definitions
- The following definitions and rules of interpretation apply within this agreement:
  - Affiliate: an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Party.
  - Anonymous Data: Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.
  - Authorised Employees: employees or contractors who need to access Personal Data to perform obligations under this DPA.
  - Data Protection Laws: includes the GDPR, the Data Protection Act (UK), and all applicable privacy legislation.
  - Data Controller, Data Subject, Personal Data Breach, Data Processor, Consent, Third Party: have the meaning given in the GDPR.
  - Data Protection Officer: the person responsible for data protection within the Data Processor.
  - EEA: European Economic Area and Switzerland.
  - Effective Date: the date on which this DPA is accepted by both Parties.
  - Instruction: a written or electronic direction issued by the Data Controller to the Data Processor regarding Personal Data.
  - Legitimate Business Interest: processing necessary for performing a contract or agreed service.
  - Personal Data: any information relating to a Data Subject processed on behalf of the Data Controller.
  - Processing: any operation performed on Personal Data (collection, storage, alteration, deletion, etc.).
  - Services: any product or service provided by the Data Processor.
  - Special Categories of Personal Data include:
    - Racial or ethnic origin
    - Political opinions
    - Religious or philosophical beliefs
    - Trade union membership
    - Genetic data
    - Biometric data
    - Data concerning health
    - Data concerning sex life
    - Data concerning sexual orientation
  - Standard Contractual Clauses: as defined by EU Commission Implementing Decision (EU) 2021/914.
  - Sub-processor: any third party engaged by the Data Processor to assist in fulfilling its obligations.
  - Supervisory Authority: the authority responsible for privacy matters in the relevant jurisdiction.
  - Technical and Organisational Measures: measures aimed at protecting Personal Data from loss, misuse, or unauthorised access.
  - Third Party: any person or entity other than the Parties.
- This DPA covers all Affiliates of the respective Party.
- "Clause", "schedule" and "paragraph" refer to sections of this DPA.
- Headings do not affect interpretation.
- "Person" includes individuals and corporate entities.
- References to "company" include corporations and other legal entities.
- The singular includes the plural and vice versa.
- Gender references include all genders.
- "Include" means "include without limitation".
- References to statutes include amendments, re-enactments, and related legislation.
- "Writing" includes letter or email.
- English is the governing language of this Agreement.
2. Term
- This DPA commences on the Effective Date and continues for the duration of any valid agreement covering the provision of Services.
- Except as changed by this DPA, the Principal Agreement remains unchanged. In the event of a conflict, this DPA prevails.
3. Type and purpose of use of data
- The Data Processor agrees to process Personal Data only on documented instructions of the Data Controller, unless required to do so by EU or UK law.
- The Data Processor shall inform the Data Controller if instructions appear to infringe applicable laws.
- The Data Processor may process the following Personal Data for the following purposes:
Categories of Data
| Category of Data | Data Subjects | Purpose |
|---|---|---|
| Contact data (names, addresses, phone numbers, emails, credit card/billing details) | Data Controller’s employees, advisors, contractors | To administer the relationship with the Data Controller, including billing, communication, marketing, training, events, and fulfillment of Legitimate Business Interests. |
| Name, email address, mobile phone number, device identifying data | Data Controller’s event registrants / instructors ("Users") | To facilitate registration, identification, and communication with Users. |
| Personal Data, including Sensitive Personal Data as instructed by Controller | Data Controller’s event registrants / instructors ("Users") | To process User data for Legitimate Business Interests (e.g., identification documents, date of birth, imagery, etc.). |
- Authorised Employees of the Data Processor may be granted access to Personal Data as required for Services.
- Personal Data shall only be processed for the purposes listed in this DPA.
4. Processing of Personal Data
- The Data Controller is solely responsible for:
  - the accuracy, quality, and legality of the Personal Data provided,
  - the means by which the Personal Data was acquired, and
  - the Instructions it issues to the Data Processor.
- The Data Controller shall not provide Personal Data in violation of the DPA and shall indemnify the Processor for related claims or losses.
5. Data retention
- Personal Data will be retained in accordance with the Data Processor’s Data Retention Policy, available at https://coursebricks.io/privacy-policy/.
- Data will be retained only as long as necessary for the Services, subject to:
  - Data Subject rights under applicable law
  - Legal retention requirements
  - Government/regulatory requests
- Retention periods:
Retention Table
| Category of Data | Retention Policy |
|---|---|
| Personal Data of employees/advisors/contractors | Retained for the lifetime of the relationship (where there is an ongoing Legitimate Business Interest). |
| Personal Data of Users | Retained until: (1) User requests deletion, or (2) Controller requests deletion. Deleted from backups within 7 days after deletion. |
6. Data Controller’s obligations & rights
- The Data Controller shall be responsible for assessing whether Personal Data can be processed lawfully and for safeguarding the rights of the Data Subjects. The Data Controller shall ensure, in its area of responsibility, that the necessary legal requirements are met so that the Processor can provide the agreed services in a way that does not violate any legal regulations.
- In case the Data Controller intends to conduct (or mandate a third party to conduct) an audit at the Processor’s working premises, the Data Controller shall give reasonable notice of at least two (2) working days to the Processor. The time and duration of the audit shall be agreed by both Parties. The results of the audit shall be recorded by both Parties in writing.
7. Data Processor’s obligations
- In fulfilling its obligations, the Data Processor shall:
  - Ensure that persons authorised to Process the Personal Data (including Authorised Employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  - Not engage any Sub-Processors except those listed at https://coursebricks.io/sub-processors without informing the Controller of intended changes and giving the Controller the opportunity to object and terminate their Service.
  - Ensure any Sub-Processor is bound by the same data protection obligations set out in this DPA.
  - Remain fully liable to the Data Controller for any Sub-Processor’s failure to meet its obligations and notify the Controller of any such failure.
  - Assist the Data Controller, through appropriate Technical and Organisational Measures, in fulfilling Data Subject rights obligations under the GDPR.
  - Inform the Data Controller of any Personal Data Breach (including suspected breaches), regardless of cause.
  - At the Controller’s choice, delete or return all Personal Data after the end of the Services, unless EU or UK law requires retention.
  - Make available all information necessary to demonstrate compliance with this DPA.
  - Carry out regular tests and self-audits to ensure processing conforms with this DPA.
  - Allow for and contribute to reasonable audits or inspections mandated by the Controller for verifying compliance.
  - Inform the Controller in text form of any requests from Data Subjects, Supervisory Authorities, or other third parties relating to the Personal Data, and refer Data Subjects directly to the Controller.
8. Sub-Processors
- The Data Controller acknowledges, agrees and provides general written authorisation allowing the Processor to engage Sub-Processors to access and Process Personal Data in connection with the Services in line with Article 28 GDPR.
- A list of current Sub-Processors is available at: https://coursebricks.io/sub-processors
- At least ten (10) days before instructing any new Sub-Processor (other than those already listed), the Data Processor will notify the Data Controller.
  - If the Controller objects, the Processor must allow termination of the Services without loss if exercised within ten (10) days.
  - Termination does not relieve the Controller of fees previously owed.
  - If the Controller does not object within ten (10) days, the new Sub-Processor is deemed approved.
- Any objection must be based on reasonable grounds relating to data protection.
- The Data Processor shall ensure every Sub-Processor is contractually bound by obligations no less protective than those in this DPA.
- Upon request, the Data Processor shall provide a copy of the Sub-Processor agreement (redacted where necessary to protect confidential information).
- The Data Processor shall include a third-party beneficiary clause allowing the Controller to terminate the Sub-Processor contract and instruct erasure/return of Personal Data if the Data Processor ceases to exist, becomes insolvent, or otherwise cannot fulfil its obligations.
9. Rights of Data Subjects
- The Parties recognise and acknowledge the rights of Data Subjects under Data Protection Law, including rights of access, rectification, restriction, erasure, data portability, cessation of Processing, withdrawal of consent, and/or objection ("Data Subject Request(s)").
- The Data Processor shall, to the extent permitted by law, promptly notify the Controller upon receipt of any Data Subject Request.
- At the Controller’s request, and taking into account the nature of the Processing, the Data Processor shall assist in responding to Data Subject Requests, subject to charges based on current rate cards, provided that:
  - The Controller is unable to respond without the Processor’s assistance; and
  - The Processor is able to assist in accordance with applicable laws and regulations.
10. Transferring data outside the EEA
- The Data Processor is located within the EEA and shall endeavour to process Personal Data within the EEA. The Data Controller authorises storage of Personal Data outside the EEA as set out in Schedule A.
- Transfers to third countries or international organisations shall occur only on the basis of documented instructions of the Controller or under legal requirements applicable to the Data Processor.
- Where Sub-Processors engaged under Clause 8 transfer Personal Data outside the EEA, those transfers must comply with the GDPR, using Standard Contractual Clauses where applicable.
- Any such transfer must ensure that Personal Data will be stored and processed in conformity with Data Protection Laws and that appropriate Technical and Organisational Measures are applied.
- Through this DPA, the Data Controller consents to the storage of Personal Data in all the locations defined in Schedule A.
11. Third party requests for disclosure of Personal Data
- Unless prohibited by applicable law, the Data Processor shall promptly notify the Data Controller of:
  - Any request for the transfer of Personal Data covered by the DPA by any governmental, regulatory, or Supervisory Authority.
  - Any request for access received directly from a Third Party.
  - Any requirement by law, court order, warrant, subpoena or other legal or judicial process to disclose Personal Data to any person or entity other than the Controller.
- The Data Processor shall provide all reasonable assistance to the Data Controller, subject to a charge based on its current rates, to enable the Data Controller to respond to, object to or challenge any such demands, inquiries, communications, requests or complaints, and to meet applicable statutory or regulatory deadlines.
12. Security
- Taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of Processing, as well as the risks to the rights and freedoms of natural persons, the Data Processor shall implement appropriate Technical and Organisational Measures to protect Personal Data. These Measures are listed in Schedule B.
- The Data Controller is responsible for reviewing the information made available by the Data Processor regarding data security and determining whether these Measures meet the Data Controller’s legal obligations. The Data Controller acknowledges that the Measures may evolve over time, provided such updates do not degrade the overall security of the Services.
- The Data Processor shall keep the Data Controller’s Personal Data logically separate from data processed on behalf of any other Third Party and from its own data.
13. Reliability of personnel
- The Parties shall take all reasonable steps to ensure the reliability of any Authorised Employees and staff of Sub-Processors who may have access to Personal Data, ensuring that access is strictly limited to individuals who need it to fulfil obligations under the Principal Agreement.
- The Data Processor shall ensure that all Authorised Employees and Sub-Processors are aware of the confidential nature of the Personal Data and have executed confidentiality agreements preventing them from disclosing or otherwise Processing any Personal Data except in accordance with contractual obligations and relevant laws.
14. Personal Data breach and notification
- In the event of a Personal Data Breach, the Data Processor shall cooperate with and assist the Data Controller in complying with its obligations under the GDPR.
- In the event of a Personal Data Breach concerning Personal Data processed by the Data Controller, the Data Controller shall inform the Data Processor in writing within 72 hours of becoming aware of it. The Data Processor shall assist the Data Controller in notifying the relevant Supervisory Authority.
- In the event of a Personal Data Breach concerning Personal Data processed by the Data Processor, the Data Processor shall inform the Controller in writing without undue delay upon becoming aware of it.
- The notification referenced in Clause 14.3 shall include:
  - A detailed description of the Personal Data Breach.
  - The type of data affected.
  - The identity of each affected person (or approximate counts if not possible).
  - The name and contact details of the Data Protection Officer or other contact point.
  - A description of the likely consequences of the Breach.
  - A description of the measures taken or proposed to be taken to address the Breach.
- The Data Processor agrees to provide the Controller with all information reasonably necessary for the Controller to comply with its GDPR obligations.
- The Data Processor agrees to cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation and remediation of any Personal Data Breach.
- The Parties shall not release or publish any notice, press release, communication or report concerning any Personal Data Breach without written approval from the other Party.
15. Modifications & notices
- Notices relating to this DPA must be in writing and sent to the official place of business or registered office of the relevant Party, or via email to the principal contact of record for the Controller.
- Each Party undertakes to keep the other informed of any change in the contact details for notices.
16. Non-compliance & termination
- If the Data Processor breaches its obligations under this DPA, the Data Controller may instruct the Data Processor to suspend processing of Personal Data until compliance is restored or until the DPA is terminated. The Data Processor shall promptly inform the Controller if it is unable to comply.
- The Data Controller may terminate the DPA with respect to Personal Data if:
  - Processing has been suspended under Clause 16.1 and compliance is not restored within a reasonable time (and in any case within one month).
  - The Data Processor is in substantial or persistent breach of these Clauses or its obligations under the GDPR.
  - The Data Processor fails to comply with a binding decision of a competent court or Supervisory Authority.
- The Data Processor may terminate the DPA if, after informing the Controller that its instructions infringe legal requirements (per Clause 3.2), the Controller insists on compliance with those instructions.
- Upon termination:
  - Upon the Controller’s request, the Data Processor shall furnish all Personal Data in an agreed format, subject to applicable charges.
  - Subject to the applicable data retention policy, the Data Processor shall securely delete any Personal Data in its possession.
Schedule A
Type of processing
The table below defines a list of types of processing related to Personal Data, and the storage location for that processing.
Processing Table
| Type of processing | Location of storage and processing |
|---|---|
| Application hosting and data storage | Europe (Frankfurt) |
| Email sending | Ireland (Dublin) |
| Image processing | Europe (rendering); various edge nodes (caching) |
| Application monitoring | Europe (Frankfurt) |
| Support infrastructure | United States, Europe |
Schedule B
Technical & organisational measures
The Data Processor has implemented measures to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Technical and organisational security measures
Security Measures Table
| Technical and organisational security measure | Appropriate key security controls undertaken by the Data Processor |
|---|---|
| Measures of pseudonymisation and encryption of personal data | The Data Processor utilises robust encryption and secure industry-standard algorithms (AES-256). |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | The Data Processor ensures the ability to restore services through proactive measures including: • regular full daily and delta backups stored in geographically diverse locations • disaster recovery plans with global infrastructure availability zones • on-call personnel for incident response • established procedures for breach notifications |
| Measures for user identification and authorisation | Security controls include: • RBAC (role-based access controls) • regular access reviews • encryption and secure authentication protocols |
| Measures for the protection of data during transmission | Data is encrypted using TLS 1.3. |
| Measures for the protection of data during storage | Data is encrypted at rest using AES-256. Data is logically separated at the application level. Strict access controls enforced. Regular audits and vulnerability assessments. |
| Measures for ensuring physical security of locations at which personal data are processed | Physical security measures are the responsibility of Cloud Service Providers under a shared-responsibility model. |
| Measures for ensuring events logging | Critical system activities are logged and protected against tampering. Systems include: • logging of access attempts, configuration changes, transactions • secure log storage • near real-time alerting and monitoring • incident-response engineers |
| Measures for ensuring system configuration, including default configuration | Approved internal change-management policies exist for configuration and setup. All changes are tracked, monitored and reviewed to mitigate service-impacting risks. |
| Measures for internal IT and IT security governance and management | Formal information security policies and procedures are in place. All personnel receive mandatory security training. Regular reviews and improvement initiatives ensure compliance with best practices and regulations. |