Data Processing Addendum

Secure Schools’ Service Level Agreement

Updated July 2024

This Data Processing Addendum (“DPA”) is between Customer (“Customer”) and Secure Schools Inc (“Secure Schools”) and supplements the Platform License Agreement made by and between Customer and Secure Schools (“Agreement”). The parties are each referred to herein as “Party” and collectively as the “Parties”. The terms used in this DPA will have the meanings set forth herein. Capitalized terms not otherwise defined herein will have the meanings set forth in the Agreement. Except as modified below, the terms of the Agreement will remain in full force and effect. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail.

1. SECURE SCHOOLS PROCESSING OF PERSONAL INFORMATION AS A PROCESSOR

The following provisions apply when Secure Schools provides Services to Customers that involve the Processing of Customer Personal Information by Secure Schools as a Processor.

  1. Restrictions on Use of Customer Personal Information.  
    1. The Parties agree that Customer Personal Information is disclosed, used and retained only for the provision of the Services and the Business Purposes and Processing activities set out in Schedule 1. The Parties further agree that the categories of Customer Personal Information processed by Secure Schools under the Agreement are set out in Schedule 1. 
    2. Secure Schools shall Process Customer Personal Information to provide the Services and perform Customer’s obligations under and in accordance with the Agreement only. Secure Schools will not: (i) Sell or Share any Customer Personal Information; (ii) use, retain or disclose Customer Personal Information outside of the direct business relationship between Secure Schools and Customer unless expressly permitted by Applicable Laws, or for any commercial purposes other than the Business Purposes specified in Schedule 1; or (iii) combine Customer Personal Information with Personal Information that Secure Schools received from or on behalf of another person or client, or collects from its own interaction with a person.
    3. The Parties agree that Secure Schools may use Customer Personal Information to: (i) build or improve the quality of its services; (ii) comply, as required, with federal, state and local laws; (iii) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by governmental authorities; (iv) exercise or defend legal claims; and (v) prevent, detect or investigate security incidents, fraud or illegal activity.
  2. Protection of Customer Personal Information. Secure Schools shall implement and maintain reasonable physical, technical and administrative security procedures and processes for all Customer Personal Information that it Processes, consistent with the industry standards and Applicable Laws.  Secure Schools is not responsible for security measures implemented by Customer for Personal Information within the possession or control of Customer, on Customer’s Network or within the control of Customer’s third party provider networks and systems.  
  3. Subprocessor. All persons appointed by Secure Schools to process Customer Personal Information (“Subprocessors”) will be subject to contract terms that are the same or substantially similar to those in this DPA, including duties of confidentiality. Secure Schools may continue to use Subprocessors already engaged by it as of the date of this DPA. Details of the current Subprocessors are available at https://www.secureschools.com/security/subprocessors/ (the “Subprocessor URL”). Secure Schools agrees that it is liable to Customer for the breach of the terms of this DPA by a Subprocessor. Any additional Subprocessor shall be provided to Customer for approval upon 7 days’ prior notice and if approved shall be added to the Subprocessor URL.
  4. Data Subject Requests.  In the event Customer notifies Secure Schools of any Data Subject Request, Secure Schools shall honor such request in accordance with Customer’s instruction and Applicable Laws. If Secure Schools receives a request directly from a person, Secure Schools will forward the request to Customer for handling and implement such request in accordance with Customer’s instruction and Applicable Laws.
  5. Return or Disposal.  Unless retention of Customer Personal Information is required by applicable law, Secure Schools shall delete or return (and delete existing copies of) such Customer Personal Information within a reasonable period of time following the earlier of: (i) a request by Customer, or (ii) following the expiration or termination of the Agreement and the termination or completion of Services.  If Secure Schools is unable to delete the Customer Personal Information for reasons permitted by applicable law, Secure Schools shall (i) ensure the privacy, confidentiality and security of such Customer Personal Information, and (ii) delete the Customer Personal Information promptly after the legal reason(s) for the refusal to delete has expired.
  6. Compliance with Laws.  Secure Schools shall: (i) permit Customer to take reasonable and appropriate steps to confirm that Secure Schools uses Customer Personal Information in a manner consistent with Customer’s obligations under Applicable Laws; (ii) permit Customer to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information; (iii) subject its employees and each Subprocessor Processing Customer Personal Information to a duty of confidentiality with respect to Customer Personal Information; and (iv) notify Customer if Secure Schools determines that it can no longer meet its obligations under this DPA.
  7. Data Breach. In the event Secure Schools becomes aware of an actual or reasonably suspected Data Breach, Secure Schools shall: (i) promptly communicate the nature and a description of the Data Breach to Customer; and (ii) take commercially reasonable steps to assist Customer with mitigating and remediating the Data Breach.
  8. Audit. Secure Schools shall allow for and contribute to audits on an annual basis (unless there has been a Data Breach or an audit is required by Applicable Laws or a governmental authority), including inspections during normal working hours, by the Customer (or an auditor nominated by the Customer) in relation to the processing of Customer Personal Information by Secure Schools or its Subprocessors, provided Secure Schools is given reasonable notice of such audits and inspections.
  9. Deidentified Data. Secure Schools may publish data regarding trends and performance observed by Secure Schools from its customers and their respective Authorised Users; provided that such data is Deidentified Data. Secure Schools shall (a) take reasonable measures to ensure that such Deidentified Data cannot be associated with a Consumer, household, or device, (b) publicly commit to maintain and use the Deidentified Data in de-identified form and not to attempt to re-identify the Deidentified Data except as permitted by Applicable Laws, and (c) contractually obligate any recipients of the Deidentified Data to comply with all provisions of this paragraph.
  10. Customer Obligations. Customer represents and warrants that it has in place all necessary notices and consents legally required to permit the Processing of Customer Personal Information by Secure Schools in connection with the Services.   
2. BUSINESS CONTACT DATA

Each Party acknowledges that it is an independent Controller with respect to Business Contact Data. “Business Contact Data” is Personal Information used in relation to the business relationship between the Parties for the purpose of facilitating the Services. Each Party represents and warrants that it shall limit the use of Business Contact Data to: (i) perform its obligations under the Agreement in connection with the Party’s provision or receipt of the Services and other business or administrative purposes; (ii) comply with applicable legal and regulatory requirements, requests and communications, including from supervisory authorities, courts or tribunals; and (iii) protect its rights and the rights of others in accordance with applicable law.

3. INDEMNIFICATION; LIMITATION OF LIABILITY

Each party acknowledges and agrees that this DPA is subject to the indemnification and limitation of liability provisions in the Agreement.

4. DEFINITIONS

For the purposes of this DPA, the following terms will have the meaning ascribed below:

  1. “Applicable Law(s)” shall mean all privacy, security, and data protection laws, rules, regulations, ordinances and regulatory guidance applicable to Secure Schools’ Processing of Customer Personal Information under this DPA, including all related amendments and implementing regulations, all as may be amended, restated or replaced from time to time.
  2. “Business Contact Data” shall mean Personal Information used in relation to the business relationship for the purpose of facilitating the Services.  
  3. “Data Breach” shall mean a “security breach,” “data breach,” and comparable terms as defined under Applicable Law.
  4. “Data Subject Request” shall mean a verified request by an individual to exercise the rights provided to such individual under Applicable Laws with respect to Secure Schools’ Processing of Customer Personal Information.
  5. “Customer Personal Information” shall mean all Personal Information, including Sensitive Personal Information, that is Processed by or on behalf of, or made available to, Secure Schools in the course of providing the Services under the Agreement.
  6. “Personnel” means any employees, agents, contractors or affiliates, that a party uses to perform its obligations or exercise its rights under the Agreement.
  7. “Services” means the services supplied by Secure Schools to Customer under the Agreement.
  8. “Subprocessor” means subcontractors, which process Customer Personal Information on behalf of Secure Schools under this DPA.
  9. The terms “Business Purpose”, “Consumer”, “Controller”, “Personal Information”, “Processor”, “Processing”, “Sale”, “Sensitive Personal Information”, “Share”, and similar terms as otherwise defined under Applicable Laws, shall have the same meaning ascribed to them under Applicable Laws.

 

Schedule 1: Description of Customer Personal Information Processing

1. Subject Matter of Processing

The subject matter of the Processing of Customer Personal Information is set out in the Agreement and this DPA. 

2. Duration of Processing

The duration of the processing activities shall be for the term set forth in the Agreement and the duration of the Services. 

3. Categories of Personal Information

Customer may transfer and Secure Schools may process the following Customer Personal Information in order for Secure Schools to perform Services: all Personal Information stored by Customer on Customer’s Network (including identity, address, financial and educational attainment records and special category data).

4. Business Purposes and Services

The purpose of the processing of Customer Personal Information by Secure Schools is the performance of the Services on behalf of Customer, including the following business purposes:

  • Debugging to identify and repair errors that impair existing intended functionality.
  • Helping to ensure security and integrity to the extent the use of the Customer Personal Information is reasonably necessary and proportionate for these purposes.
  • Undertaking internal research for technological development and demonstration.
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
5. Data Subjects 

Consumers whose Personal Information is subject to processing may include: staff, students, parents and contacts of Customer.