1.1 You (a) are the sole Controller of Applicable Personal Data or (b) You have been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Applicable Personal Data by Achieve3000 as set out in this DPA. You appoint Achieve3000 as Processor to Process Applicable Personal Data. If there are other Controllers of Applicable Personal Data, You will identify them to Achieve3000 prior to providing their associated Applicable Personal Data to Achieve3000 for Processing.
1.2 A list of categories of Data Subjects, types of Applicable Personal Data, Special Categories of Personal Data and the processing activities is set out in Appendix A to this DPA. The duration of the Processing of Applicable Personal Data corresponds to the duration of the Services We provide, unless You otherwise direct Achieve3000 in writing. The nature, purpose and subject matter of the Processing is the provision of the Services.
1.3 Achieve3000 will Process Applicable Personal Data according to your written instructions. The scope of your instructions for the Processing of Applicable Personal Data is defined by the Agreement, including this DPA, and, if applicable, your and your Authorized Users’ use and configuration of the features of the Service.
1.4 You may provide further Processing instructions that are legally required (“Additional Instructions”). If Achieve3000 believes an Additional Instruction violates the GDPR or other applicable data protection law, Achieve3000 will inform You without undue delay and may suspend the performance of Processing covered by the Additional Instruction until You have modified or confirmed the lawfulness of the Additional Instruction in writing. If Achieve3000 notifies You that an Additional Instruction is not feasible, You may terminate the affected Service or affected portion thereof by providing Achieve3000 with a written notice within one month after Achieve3000’s notification of the infeasibility of the Additional Instruction. In such case, Achieve3000 will refund a prorated portion of any prepaid charges for the Services period after such termination date.
1.5 You will serve as a single point of contact for Achieve3000. Consistent with Section 1.1, You will undertake to exercise all Controller rights in or over Applicable Personal Data on behalf of any other Controller(s) and to obtain all necessary permissions from such other Controllers. Achieve3000 shall be discharged of its obligation to inform or notify another Controller when Achieve3000 has provided such information or notice to You. Similarly, Achieve3000 will serve as a single point of contact for You with respect to its obligations as a Processor under this DPA.
1.6 Achieve3000 will comply with all EEA data protection laws and regulations (“Data Protection Laws”) in respect of the Services applicable to Processors. Achieve3000 is not responsible for determining the requirements of laws applicable to You as a Controller. As between the parties, You are responsible for determining the lawfulness of the Processing of the Applicable Personal Data. You will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.
2. Technical and Organizational Measures
2.1 Achieve3000 will implement and maintain technical and organizational measures (“TOMs”) to ensure a level of security appropriate to the risk within Achieve3000’s scope of responsibility. The TOMs adopted by Achieve3000 have been documented by Achieve3000, and You may obtain additional information about the TOMs applicable to the Services by following this link or by contacting Achieve3000.
2.2 TOMs are subject to technical progress and further development. Accordingly, Achieve3000 reserves the right to modify the TOMs provided that the functionality and security of the Services are not degraded.
3. Data Subject Rights and Requests
3.1 To the extent permitted by law, Achieve3000 will inform You of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Achieve3000 regarding Applicable Personal Data. You shall be responsible for responding to such requests of Data Subjects. Achieve3000 will reasonably assist You in responding to such Data Subject requests in accordance with Section 10.2.
3.2 If a Data Subject brings a claim directly against Achieve3000 for a violation of their Data Subject rights, You will indemnify Achieve3000 for any cost, charge, damages, expenses or loss arising from such a claim, provided that Achieve3000 has notified You about the claim and given You the opportunity to cooperate with Achieve3000 in the defense and settlement of the claim.
4. Third Party Requests and Confidentiality
4.1 Achieve3000 will not disclose Applicable Personal Data to any third party, unless authorized by You or required by law. If a government or Supervisory Authority demands access to Applicable Personal Data, Achieve3000 will notify You prior to disclosure, unless prohibited by law.
4.2 Achieve3000 requires its personnel authorized to Process Applicable Personal Data to commit themselves to confidentiality and not Process such Applicable Personal Data for any other purposes, except on instructions from You or unless required by applicable law.
5.1 Achieve3000 shall allow for and contribute to audits, including inspections, regarding the Processing of Applicable Personal Data that are conducted by You or another auditor mandated by You, in accordance with the following procedures:
a. Upon Your written request, Achieve3000 will provide You or your mandated auditor with the most recent certifications and/or summary audit report(s), if and as applicable, that Achieve3000 has procured to test, assess, or evaluate the effectiveness of the TOMs.
b. Achieve3000 will reasonably cooperate with You by providing available additional information concerning the TOMs, to help You better understand such TOMs or respond to the inquiry of a governmental authority.
c. If further information is needed by You to comply with your own legal obligations or a competent Supervisory Authority’s request, You will so inform Achieve3000 in writing to enable Achieve3000 to provide such information or to grant You access to it.
d. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, only legally mandated entities (such as a governmental regulatory agency having oversight of Your operations), You, or your mandated auditor may conduct an onsite visit of the facilities used to provide the Services. Such visit will take place during normal business hours of the applicable facility and will be conducted in a manner that causes minimal disruption to Achieve3000’s business, subject to coordination of the timing of such visit so as to reduce any risk to Achieve3000’s other customers.
5.2 Each party will bear its own costs in respect of paragraphs a. and b. of Section 5.1. Any further assistance by Achieve3000 will be provided in accordance with Section 10.2.
6. Return or Deletion of Applicable Personal Data
Upon termination or expiration of the Agreement, Achieve3000 will either delete or return Applicable Personal Data in its possession as set out in the respective DPA Exhibit, unless otherwise required by applicable law.
You authorize Achieve3000 to engage subcontractors to Process Applicable Personal Data (“Subprocessors”). A list of the current Subprocessors is set out in Appendix A. Achieve3000 shall impose substantially similar data protection obligations as set out in this DPA on any Subprocessor prior to the Subprocessor Processing any Applicable Personal Data.
8. Transborder Data Processing
Achieve3000 is a participant in the Privacy Shield framework established by agreement between the European Union and the United States and administered by the International Trade Administration of the US Department of Commerce. As such, export of the Applicable Personal Data to Achieve3000 in the United States is deemed by the European Commission to constitute a transfer to a data importer in a jurisdiction with adequate safeguards.
9. Personal Data Breach
Achieve3000 will notify You without undue delay after becoming aware of a Personal Data Breach with respect to the Services. Achieve3000 will promptly investigate the Personal Data Breach if it occurred on Achieve3000 infrastructure or in another area Achieve3000 is responsible for, and Achieve3000 will assist you as set out in Section 10.
10.1 Achieve3000 will assist You by implementing and maintaining the TOMs, insofar as possible, for the fulfillment of Your obligation to comply with the rights of Data Subjects and in ensuring compliance with Your obligations relating to the security of Processing, the notification of a Personal Data Breach, and the Data Protection Impact Assessment, taking into account the information available to Achieve3000.
10.2 You will make requests for any Achieve3000 assistance referred to in this DPA in writing. Achieve3000 will charge You no more than a reasonable charge to perform such assistance or Additional Instructions, such charges to be set forth in a quote by Achieve3000 and agreed in writing by You and Achieve3000, or as set forth in an applicable change control provision of the Agreement.
APPENDIX A TO THE DATA PROCESSING ADDENDUM
This Appendix A is an integral part of the Data Processing Addendum and provides additional details about the Processing of Applicable Personal Data attendant to Achieve3000’s provision of the Services.
1. Categories of Data Subjects
The types of Data Subjects whose Applicable Personal Data will be Processed are as follows:
(a) Student users of Achieve3000 Services;
(b) Teachers and other employees of schools and school districts that are customers of Achieve3000 Services and who interact with the Achieve3000 Services.
2. Types of Personal Data Processed
(a) Student’s name;
(b) Student’s school name and location;
(c) Student’s grade level;
(d) Student’s class or curriculum identifier;
(e) As requested by school, student’s ethnicity, gender, socio-economic, or familial background;
(f) Data regarding student’s completion and performance with respect to Services and Service modules;
(g) Names of teachers and school administrators;
(h) Contact information for teachers and school administrators administering Services.
3. Types of Processing Activities Anticipated
Achieve3000 will Process Applicable Personal Data solely to provide the Services, including providing reports regarding student completion of and performance on Service modules. Types of Processing activities associated with Services delivery and reporting include receiving, storing, combining, parsing, transmitting, associating Personal Data with Service access, reporting and performance data, updating, correcting, transforming, reading, assessing and analyzing, and deleting.
4. Subprocessors
The following entities may serve as Subprocessors of Applicable Personal Data in connection with Achieve3000’s provision of the Services:
(a) RLS Education
(b) Rackspace, Inc.
(c) Amazon Web Services