Data Processing Addendum
Effective Date: January 1, 2021
This Data Processing Addendum (“DPA”) is entered into as of the Effective Date (defined below) by and between StudentBridge, Inc. and the entity executing this DPA (“Customer”).
StudentBridge provides to Customer services to develop, manage, and provide digital marketing solutions to support student recruitment and retention (“Services”), pursuant to the Agreement between Customer and StudentBridge. This DPA shall continue to be in full force and effect for the duration of the Agreement and shall cease automatically thereafter.
A. DEFINITIONS.
The definitions set forth below will apply to this DPA.
(a) “Agreement” means collectively the written agreements between Customer and StudentBridge related to the Services (whether entered into prior to, on or after the Effective Date of this DPA), including, but not limited to, the Customer Agreement, as well as any Exhibits, Orders, Additional Terms, and amendments thereto.
(b) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity; “control” meaning direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(c) “CCPA” means the California Consumer Privacy Act of 2018.
(d) “Consumer” shall have the meaning given under the CCPA.
(e) “Customer Personal Data” means any Personal Data relating to an identified or identifiable natural person that is Processed by StudentBridge or a Subprocessor in performing the Services.
(f) “Customer Personal Information” means any Personal Information relating to an identified or identifiable natural person that is Processed by StudentBridge or a Service Provider in performing the Services.
(g) “Customer PI/PD/PII” means PI/PD/PII relating to an identified or identifiable natural person that is Processed by StudentBridge in performing the Services.
(h) “Controller” shall have the meaning given under applicable EU Data Protection Law.
(i) “Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transmitted, stored or otherwise Processed; it does not include unsuccessful access attempts or similar activities that do not compromise the security of Customer Personal Data.
(j) “EU Data Protection Laws” means the applicable local, national or international laws, rules and regulations of the European Union governing privacy, data protection or the Processing of Personal Data, including to the extent applicable the EU General Data Protection Regulation 2016/679 and the local implementing law of each Member State as amended, replaced or superseded from time to time.
(k) “Data Subject” means the individual to whom Personal Data relates.
(l) “Effective Date” means the last date on which both Parties have executed this DPA.
(m) “GDPR” means EU General Data Protection Regulation 2016/679.
(n) “Sell” and “Selling” shall have the meaning given under the CCPA.
(o) “StudentBridge” means StudentBridge, Inc.
(p) “Personal Data” means information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, as well as other information defined as personal data under applicable EU Data Protection Laws.
(q) “PI/PD/PII” means information that is identified as personal information, personal data, or personally identifiable information under applicable data protection laws, rules and regulations, and includes Personal Information and Personal Data.
(r) “Personal Information” shall have the meaning given under the CCPA.
(s) “Process,” “Processing” or “Processed” shall have the meaning given under EU Data Protection Laws, the CCPA, or other data protection laws, rules or regulations, as applicable.
(t) “Processor” shall have the meaning given under the EU Data Protection Laws.
(u) “Service Provider” shall have the meaning given under the CCPA.
(v) “Subprocessor” means any person or third party engaged by StudentBridge to Process Customer Personal Data.
(w) “Supervisory Authority” means a data protection or other regulatory body or public agency with the jurisdiction to enforce the applicable EU Data Protection Laws.
Capitalized terms used but not defined herein have the meaning given in the Agreement.
B. GENERAL TERMS FOR PI/PD/PII.
1. This DPA will control in the event of a conflict with the terms of the Agreement. Except as modified in this DPA, the terms of the Agreement shall remain in full force and effect.
2. Between StudentBridge and Customer, Customer owns the Customer PI/PD/PII. The parties agree that Customer shall be the sole party that will determine the purposes and means of the processing of Customer PI/PD/PII. StudentBridge shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this DPA, in particular Customer’s written instructions. The instructions of Customer are in principle conclusively stipulated and documented in the provisions of this DPA. Individual instructions which deviate from the stipulations of this DPA or which impose additional requirements shall require StudentBridge’s consent.
5. StudentBridge reserves the right to anonymize or deidentify the Customer PI/PD/PII, or to aggregate data in a way that does not permit the identification of a natural person, as well as the right to use, reproduce and disclose the data in this form for purposes of designing, further developing, optimizing, and providing its Services to Customer as well as to other users of the Services and for other lawful purposes. The parties agree that Customer PI/PD/PII rendered anonymous, deidentified or aggregated as above-mentioned is no longer classified as Customer PI/PD/PII in terms of this DPA and will be owned by StudentBridge.
6. It is Customer’s sole responsibility to back-up Customer PI/PD/PII during the Term, and Customer acknowledges that it will not have access to Customer PI/PD/PII through StudentBridge or the Services following the expiration or termination of this Agreement.
7. If agreed to by StudentBridge in the Agreement, StudentBridge will provide Customer PI/PD/PII to the Customer CRM provider set forth in the Agreement (“Customer’s CRM”). As between Customer and StudentBridge, Customer shall be solely responsible for (a) the relationship with Customer’s CRM, including without limitation, the agreement with Customer’s CRM, and (b) all processing of and security of Customer PI/PD/PII in connection with Customer’s CRM.
8. Customer will not and will not assist or knowingly permit any third party to use the Services provided to collect or store PI/PD/PII or pass PI/PD/PII to third parties in violation of applicable laws, rules or regulations, or to misappropriate any part of the Services, or knowingly breach any security measure of StudentBridge, its Subprocessors, or other third parties.
9. Each party agrees to comply with all applicable laws, rules, and regulations in the course of its performance under the Agreement and this DPA.
C. DATA PROCESSING UNDER EU DATA PROTECTION LAWS. To the extent that StudentBridge will be processing Personal Data subject to EU Data Protection Laws on behalf of Customer in the course of the performance of the Agreement with the Customer, the terms of this Section C shall apply.
1.1 Customer appoints StudentBridge as a Processor to Process the Customer Personal Data as set forth in Annex 1, which contains an overview of the categories of Customer Personal Data, the categories of Data Subjects, and the nature and purposes for which the Customer Personal Data are being processed.
1.2 The Parties agree that StudentBridge is a Processor and Customer may be a Controller or a Processor, to the extent applicable under the EU Data Protection Laws. Each party will comply with the obligations applicable to it under the EU Data Protection Laws with respect to the Processing of Customer Personal Data.
1.3 If Customer is a Processor or Service Provider, Customer warrants to StudentBridge that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of StudentBridge as another Processor (i.e., a Subprocessor of Customer), have been authorized by the relevant Controller. Customer warrants that one or more lawful bases set forth in EU Data Protection Laws support the lawfulness of the Processing.
1.4 Customer instructs StudentBridge and authorizes StudentBridge to instruct each approved Subprocessor to (A) Process (including disclose) the Customer Personal Data in order to provide the Services, including: (i) to perform StudentBridge’s obligations under the Agreement, to carry out related requests by Customer (including regarding Customer’s account settings and actions requested or initiated via the Services), in response to customer service and support requests, to perform any related technical support and as otherwise set forth in the Agreement, this DPA or other documented instructions of Customer, (ii) to transfer Customer Personal Data to any country or territory provided Customer has obtained the consent of the data subject to such transfer, and (iii) to engage Subprocessors provided such engagement complies with Section C.5 of this DPA; and (B) as otherwise required by applicable laws to which StudentBridge is subject.
1.5 StudentBridge will Process Customer Personal Data only on Customer’s documented instructions as set forth in Section C.1.4. StudentBridge will not use or disclose Customer Personal Data, except as set forth in Section C.1.4, or retain Customer Personal Data upon the expiration or termination of the Agreement, except as set forth in Section C.7.
2. Confidentiality and Security
2.1 StudentBridge will take appropriate steps to ensure the reliability of any employee, agent, contractor, or any other person who may have access to Customer Personal Data, ensuring that such individuals are subject to confidentiality obligations or professional or statutory obligations of confidentiality.
2.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, StudentBridge will implement and maintain appropriate technical and organizational measures that are designed to provide a level of security appropriate to the risks presented by the Processing of Customer Personal Data, in particular from a Data Breach, and meet the requirements set forth in this DPA and by EU Data Protection Laws applicable to StudentBridge. These measures shall include, at a minimum, the security measures agreed upon by the Parties in Annex 2. StudentBridge shall have the right to modify technical and organizational measures during the term of the Agreement, as long as they continue to comply with the statutory requirements.
2.3 StudentBridge will notify Customer without undue delay after becoming aware of a Data Breach of Customer Personal Data, and such notice will at a minimum include, as available, information so that Customer can meet its obligations to report a Data Breach under the applicable EU Data Protection Laws. StudentBridge will promptly investigate and take commercially reasonable steps to remediate the effects of the Data Breach, to the extent caused by StudentBridge or its Subprocessors.
3. Assistance to Customer
Customer will be responsible for responding to any request from a Data Subject or other third party under applicable EU Data Protection Laws. StudentBridge will promptly notify Customer if it receives a request from a Data Subject or other third party regarding the Customer Personal Data. StudentBridge will, upon the request of Customer and taking into account the nature of the Processing and information available to StudentBridge, provide Customer with reasonable assistance as necessary to Customer’s fulfilment of its obligations to respond to Data Subject requests, complete any privacy impact assessments or engage in any prior consultation with or notification of Supervisory Authorities, to the extent required by applicable EU Data Protection Laws.
4. Audit Rights
Upon Customer’s request and to the extent required by applicable EU Data Protection Laws, StudentBridge will make available to Customer all information necessary to demonstrate StudentBridge’s compliance with this DPA and allow for and contribute to audits, including inspections conducted by a qualified, independent third-party auditor. Customer will give StudentBridge reasonable notice of any audit or inspection to be conducted under this Section C.4. Except as otherwise required by applicable law or a relevant Supervisory Authority, any audit or inspection will be conducted within normal business hours, no more than once in any calendar year. Any audit of StudentBridge’s Subprocessors under this Section C.4 will only be conducted by a qualified, independent third-party auditor approved by StudentBridge, at the cost of Customer.
5. Subprocessors
Customer generally consents to StudentBridge’s engagement of Subprocessors for the Data Processing activities described in this DPA. StudentBridge may continue to use those other Subprocessors currently in use as of the date of this DPA as listed on Annex 3, and may engage other third parties and Subprocessors where Customer has requested Services that require the engagement of such third party (or its services) or Subprocessor. StudentBridge will not appoint any additional Subprocessor(s) without providing Customer with prior notice and the opportunity to object; if within 10 days of receipt of that notice, Customer has not notified StudentBridge in writing of its objection, Customer will be deemed to have agreed to the appointment of the new Subprocessor. An objection may only be raised by Customer for important reasons which have to be proven to StudentBridge. If Customer objects, StudentBridge is entitled to terminate the Agreement on reasonable notice. Prior to any Processing by a Subprocessor of Customer Personal Data, StudentBridge will exercise appropriate care in appointing and overseeing authorized Subprocessors and will enter into contractual terms with authorized Subprocessors that are no less protective than the terms set out in this DPA. The parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this DPA and if the obligations laid down in applicable data protection laws are imposed on the Subprocessor. StudentBridge will remain liable to Customer for the performance of the Subprocessors’ obligations.
In general, no authorization is required for contractual relationships with service providers that are not actively Processing Customer Personal Data but are only concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Customer Personal Data cannot be excluded, as long as StudentBridge takes reasonable steps to protect the confidentiality of Customer Personal Data.
6. Cross-border Transfers
Customer consents to the Processing and transfer of Customer Personal Data outside the jurisdiction in which it was collected. Customer acknowledges that Customer Personal Data may be Processed in the United States and other jurisdictions where Subprocessors are located. The basis of the cross-border transfer will be the explicit consent of the data subject, and Customer will be responsible for obtaining the explicit consent of data subjects to such transfers.
7. Deletion or Return of Customer Personal Data
StudentBridge will delete or fully anonymize the Customer Personal Data within 180 days of the termination of the Agreement, unless continued Processing is subject to a new or amended agreement; if Customer notifies StudentBridge within 60 days of the termination of the Agreement not to delete the Customer Personal Data, StudentBridge will, at the choice of Customer, return a copy of the Customer Personal Data to Customer.
8. Indemnification
Subject to the applicable limitations of liability set forth in the Agreement, each party (the “Indemnifying Party”) shall indemnify and defend the other (the “Indemnified Party”) from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage (“Damage”) suffered or incurred by the Indemnified Party as a result of the Indemnifying Party’s breach of this DPA. The Indemnified Party must give the Indemnifying Party timely written notice of the claim for which indemnity is sought and control of the disposition thereof; provided, that failure to give timely notice will not relieve the Indemnifying Party of its obligations except to the extent that such untimely notice materially impairs the ability of the Indemnifying Party to defend such claim. The Indemnified Party must take reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party’s breach. The Indemnified Party must cooperate with the Indemnifying Party’s reasonable requests (at the Indemnifying Party’s expense) in connection with the defense and settlement of such claim. Neither party will settle any claim for which indemnity is sought unless: (i) such settlement includes an unconditional release of the other party from all liability on the claim, or (ii) the other party gives its prior written consent, which will not be unreasonably withheld. The indemnification obligations will not apply to the extent any Third Party Claim arises out of or relates to an Indemnified Party’s breach of this DPA or the Agreement.
D. DATA PROCESSING UNDER THE CCPA. The parties agree to the following terms in this Section D with regard to the processing of Personal Information of Consumers in California:
1. CCPA Criteria. The parties acknowledge that the CCPA applies only to a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects Consumers’ Personal Information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the Processing of Consumers’ Personal Information, that does business in the State of California, and that satisfies one or more of the following thresholds: (A) has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of CCPA Section 1798.185; (B) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the Personal Information of 50,000 or more Consumers, Households, or Devices, or (C) derives 50 percent or more of its annual revenues from Selling Consumers’ Personal Information (the “CCPA Criteria”).
(a) StudentBridge represents that it does not meet the CCPA Criteria.
(b) Customer represents that it is not organized or operated for the profit or financial benefit of its shareholders or other owners.
2. StudentBridge’s Obligations. Although it has no legal obligations under the CCPA, StudentBridge agrees to the following:
(a) StudentBridge will not retain, use, or disclose the Customer Personal Information of a California Consumer for any purpose other than for the specific purpose of performing the Services for Customer or as otherwise permitted by the CCPA.
(b) StudentBridge will not Sell the Customer Personal Information of a California Consumer.
3. Customer’s Obligations: Customer will be responsible for responding to any request from a Consumer or other third party under the CCPA, and if StudentBridge receives such a request, it will refer the Consumer or other third party to Customer.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 describes details of the Processing of Customer Personal Data. To the extent that StudentBridge will be processing Personal Data subject to EU Data Protection Laws on behalf of Customer in the course of the performance of the Agreement with the Customer, the terms of this Annex 1 shall apply.
The subject matter and duration of the Processing are set forth in the Agreement and any order forms and statements of work thereto (each an “Order Form”).
1. The processing operations, and nature and purpose of the Processing are set forth in the Agreement, and may include, to the extent subject to the Agreement or an Order Form thereto:
- Collection and Processing of Customer Personal Data for Customer’s student recruitment and retention
- Metrics, analytics, monitoring and reporting for content and pages on Customer’s online properties hosted by StudentBridge
- Technology platform delivery services related to the above
2. The types of Customer Personal Data to be Processed by StudentBridge depend on the services and features that Customer decides to implement, and may include Data Subjects’ full names, social media names, email addresses, password, phone number, general profile information, and academic information (such as high school, potential college major and minor areas of study, areas of interest, target date of entry into college, and other information related to academic history); information posted by Data Subjects in the form of messages, conversations, or contributions to discussions; documents, images or other files that may be transmitted or published by Data Subjects via the Services; information StudentBridge may receive relating to communications sent by Data Subjects, such as queries or comments concerning the StudentBridge Services; information relating to the real-time location of a relevant computer or mobile device, but only where such computer or mobile device has been enabled to send StudentBridge location information; and certain information from the computer or mobile device of Data Subjects, including the activities performed on the Customer’s web or mobile properties, the type of hardware and software being used (for example, the operating system or browser), IP address, browser and device type, access times, the web page from which the user came, the regions from which the user navigated the web page or mobile application, and the web page(s) or mobile application pages the Data Subject accessed (as applicable).
3. The types of Special Categories of Data to be Processed include: None
4. The categories of Data Subjects to whom Customer Personal Data relates include:
- Visitors to and users of content and pages on Customer’s online properties hosted by StudentBridge
5. The obligations and rights of the Customer are set out in the Agreement and the DPA.
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES
To the extent that StudentBridge will be processing Personal Data subject to EU Data Protection Laws on behalf of Customer in the course of the performance of the Agreement with the Customer, the terms of this Annex 2 shall apply.
1. StudentBridge has implemented commercially reasonable technical and organizational measures for protecting Customer Personal Data, including with respect to its relevant information processing systems, and reasonable and appropriate technical, physical and administrative measures will be maintained to protect Customer Personal Data under StudentBridge’s possession or control against unauthorized or unlawful Processing or accidental loss, destruction or damage, including:
(a) employees and other personnel that regularly handle Personal Data receive privacy and security training appropriate to their responsibilities;
(b) documented policies, procedures, and processes for managing the security risks related to Processing of Customer Personal Data;
(c) devices, systems, facilities, and assets that Process Customer Personal Data (“assets”), and that are material to the provision of the Services to the Customer are identified and managed;
(d) security risks are identified, and are assessed regularly;
(e) access to assets is limited to authorized users;
(f) access logs are collected and reviewed as appropriate;
(g) remote access to assets is restricted and securely managed;
(h) Customer Personal Data is physically and logically separate from the Personal Data of other Customers;
(i) electronic and paper records containing Customer Personal Data are securely destroyed in accordance with secure destruction policies and procedures;
(j) appropriate technical security solutions are implemented and managed to protect the confidentiality, integrity, and availability of Customer Personal Data;
(k) maintenance and repair of information system components is performed in a controlled and secure manner;
(l) incident response processes and procedures are maintained to provide for timely identification of, response to, and mitigation of detected Events; and
(m) backups and disaster recovery processes are in place.
2. Reasonable steps will be taken in an effort to ensure the reliability of personnel having access to Customer Personal Data.
3. Appropriate due diligence will be conducted on Subprocessors to ensure that each is capable of providing an appropriate level of protection for Personal Data.
ANNEX 3: SUBPROCESSORS
To the extent that StudentBridge will be processing Personal Data subject to EU Data Protection Laws on behalf of Customer in the course of the performance of the Agreement with the Customer, the terms of this Annex 3 shall apply.
StudentBridge has engaged the following Subprocessors as of the date of this DPA, all of which operate in countries outside the European Economic Area without an adequate level of protection, for which the Customer has granted its authorization:
Subprocessor Name Country