DATA PROCESSING AGREEMENT
In accordance with worldwide Regulation on personal data privacy and security, this Data Processing Agreement ("Agreement") enters into force if and when the Services entail processing of the Tutor’s Personal Data and will form part of the Tutor Terms & Conditions for Access and Use of ClassTrack Services. The terms used in this Agreement shall have the meanings set forth in this Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms & Conditions. Except as modified below, the terms of the Terms & Conditions shall remain in full force and effect.
1.1 In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 "Applicable Laws" means any national and international applicable law on privacy and security with respect to all the Personal Data, in respect of which the Controller is subject to any other Data Protection Laws;
1.1.2 "Controller" means either ClassTrack or the Tutor, on a case-by-case basis, which determines the purpose and means of processing the Personal Data;
1.1.3 "Processor" means ClassTrack or the Tutor (or a subprocessor), on a case-by-case basis, which processes Personal Data on behalf of the Controller;
1.1.4 "Personal Data" means any Personal Data Processed by a Processor on behalf of the Controller pursuant to or in connection with the Terms & Conditions;
1.1.5 "Services" means the ClassTrack Services that will be supplied pursuant to the specifications in the Tutor Terms & Conditions and any subsequent specific Agreements;
1.1.6 "subprocessor" means any third-party service provider, appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the Terms & Conditions.
2.2. ClassTrack will collect data from the Tutor’s Students and the Tutor’s services through the Tutor’s use of the ClassTrack Services. All data (including all text, sound, video, or image files) that the Tutor provides to ClassTrack through use of the ClassTrack Service and all data ClassTrack collects from the Tutor’s Students through the Tutor’s use of the ClassTrack Services is considered “Platform Data.” ClassTrack may use the Tutor’s Platform Data for the purpose of providing, improving and adding new features to the ClassTrack Services.
2.3. The Tutor agrees that they will comply with all laws, rules, regulations, decrees, statutes, or other enactments, orders, mandates or resolutions relating to data security, data protection and/or privacy, and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance (“Data Protection Laws”), including providing legally adequate privacy notices to Students. The Tutor will ensure that Students consent to transfer and use of data and information to ClassTrack in connection with Tutor’s services and ClassTrack Services, including but not limited to Tutor names, passwords, other information relating to an identified or identifiable natural person, and any other data or information that constitutes personal data or personal information under any applicable Data Protection Law (“Personal Data”). The Tutor must make the Students aware that Platform Data will be available for use by ClassTrack.
2.4. Platform Data may be transferred to, and stored and processed in Canada, in the United States, in the European Union, in India or any other country in which ClassTrack, its Affiliates or its subcontractors operate. The Tutor appoints ClassTrack to perform any such transfer of Platform Data to any such country and to store and process personal data in order to provide the ClassTrack Services.
2.5. California Consumer Privacy Act (the “CCPA” USA). ClassTrack will control and process Platform Data including Personal Data within the scope of the CCPA on the Tutor’s behalf and will not retain, use, or disclose that data for any purpose other than for the purposes set out in these Terms and as permitted under the CCPA, including under any “sale” exemption. In no event will ClassTrack sell any such Platform Data. These CCPA terms do not limit or reduce any data protection commitments ClassTrack makes to the Tutor in these Terms or any other agreement between the Tutor and ClassTrack.
3. The Background and Object of the Agreement
3.1. The Tutor accepted the Terms & Conditions when the Tutor first accessed and/or first used the ClassTrack Services. This Agreement comes into force if and when the Tutor chooses to initiate the use of the ClassTrack Services. The Agreement is an appendix to the Terms & Conditions, and does not imply any changes to the commercial terms between the parties.
3.2. The object of this Agreement is to set out the rights and obligations pursuant to the Applicable Laws on the Processing of Personal Data. This Agreement shall ensure that the Personal Data regarding the data subjects and the Data Principals, as the case may be, is not used in a non-compliant manner or compromised to unauthorized parties.
3.3. This Agreement governs the Processor’s handling of Personal Data on behalf of the Controller, and shall ensure that the Personal Data only is processed in compliance with Applicable Laws and according to the Controller’s documented instructions.
3.4. In the case that the Controller processes special categories of Personal Data, this must specifically be agreed upon with the Processor in advance of such Processing.
4. The Purpose of the Agreement
4.1. The Processor may process any Personal Data as a part of the collaboration, as set out in the Terms & Conditions.
4.2. In accordance with the Terms & Conditions, the ClassTrack Services are provided as Software as a Service, and the Controller may choose to enter and store Personal Data in the Services. The Controller has defined the purposes and has ensured that the processing of the Personal Data is lawful before the Personal Data is entered and stored in the Services.
4.3. The Personal Data that will be processed by the Processor, will be the information that the Controller enters and stores on the systems that the Processor operates.
4.4. ClassTrack will not typically access the Personal Data, but the Tutor specifically gives ClassTrack the right to access the Tutor account and operate on its data, strictly whenever necessary, and for maintenance purposes. The Personal Data is only to be stored in the Processor's operating environment and then it goes through the automatic processes in the Services that are specified in the Terms & Conditions and other potential subsequent Agreements. Where Personal Data is stored in the operating environment that is part of the Processor’s Services, the Processor shall only monitor and provide support on the Services and not process the Personal Data in any way other than what is stipulated in the Terms & Conditions. If the Controller wants the Processor to carry out any other form of processing of the Personal Data, the Controller must make the request by a written change order to the Processor. Further/other processing of the Personal Data as a result of such a change order may lead to increased costs for the Processor and must thus be covered by the Controller.
4.5. Where the Controller stores the Personal Data in their own operating environment, the Processor will typically not be able to access the Personal Data unless the Controller provides such access. The Processor shall only monitor and provide support on the Services and not process the Personal Data in any way other than what is stipulated in the Terms & Conditions. If the Controller wants the Processor to carry out any other form of processing of the Personal Data, the Controller must make the request by a written change order to the Processor and then provide access to the Personal Data. Further/other processing of the Personal Data as a result of such a change order may lead to increased costs for the Processor and must thus be covered by the Controller.
5. Specific Terms
5.1. The terms of this Section (the “Specific Terms”) apply to the extent the Tutor account includes information related to an identified or identifiable natural person that is subject to the European Union General Data Protection Regulation (the “GDPR”), the US California Consumer Privacy Act (the “CCPA”), or to the Indian Personal Data Protection Bill (the “PDPB”). Lower case terms used but not defined in these Terms such as “personal data,” “personal data breach,” “processing,” “controller,” “processor,” “subprocessor” and “data subject” will have the same meaning as set forth in the Applicable Laws. These Specific Terms do not apply where ClassTrack is a controller of the personal data of its customers.
5.2. Compliance with the Applicable Laws and Processing of Personal Data. The Tutor and ClassTrack agree to comply with all applicable provisions of the Applicable Laws. The Tutor agrees that the Tutor is the controller of personal data and ClassTrack is the processor of such personal data, except when the Tutor acts as a controller or processor of personal data, in which case ClassTrack is a processor or subprocessor. ClassTrack will process personal data only on the Tutor’s documented instructions. The Tutor agrees that these Terms, any other written Service Agreement with ClassTrack, and the Tutor’s use and configuration of features in the ClassTrack Services are the Tutor’s complete and final documented instructions to ClassTrack for the processing of personal data. In any instance where the data protection laws apply and the Tutor is a processor, the Tutor warrants to ClassTrack that the Tutor’s instructions, including appointment of ClassTrack as a processor or subprocessor, have been authorized by the relevant controller.
5.3. Processing Details. The Tutor and ClassTrack acknowledge and agree that:
a) the nature and purpose of the processing is to provide the ClassTrack Services pursuant to these documented instructions;
b) the subject matter of the processing is limited to personal data within the scope of the GDPR, CCPA and PDPB;
c) the duration of the processing shall be for the duration of the Tutor’s right to use the ClassTrack Services and until all personal data is deleted, or returned in accordance with the Tutor’s instructions;
d) the types of personal data processed by the ClassTrack Services include those expressly identified in GDPR, CCPA and PDPB;
e) the categories of data subjects (data principals) are Students, employees, collaborators, and contractors;
f) ClassTrack will process and transfer the personal data only on these documented instructions, unless required to do so by the Applicable Laws to which ClassTrack is subject; in such a case, ClassTrack shall inform the Tutor of that legal requirement before processing (unless that law prohibits such information on important grounds of public interest); and
g) ClassTrack will ensure that its personnel engaged in the processing of personal data (i) will comply with subsection (f) herein and (ii) have committed to maintain the confidentiality of any personal data even after their engagement ends.
5.3. Data Subject Rights; Assistance with Requests. ClassTrack will make the personal data of data subjects and data principals, as the case may be, available to the Tutor and provide the Tutor the ability to fulfill data subject requests under the Applicable Laws, both in a manner consistent with the functionality of the ClassTrack Services and ClassTrack’s role as a processor. ClassTrack shall comply with the Tutor’s reasonable requests to assist with the Tutor’s response to such a data subject request. If ClassTrack receives a request from the Tutor’s data subject or data principal to exercise one or more of its rights under the Applicable Laws in connection with the services for which ClassTrack is a data processor or subprocessor, ClassTrack will redirect the data subject or data principal to make its request directly to the Tutor. The Tutor will be responsible for responding to any such request, including, where necessary, by using the functionality of the ClassTrack Services.
5.4. Records of Processing Activities and Reasonable Assistance. ClassTrack shall maintain all records required by the Applicable Laws and, to the extent applicable to the processing of personal data on the Tutor’s behalf, make them available to the Tutor upon request. ClassTrack will provide the Tutor reasonable assistance in compliance with the obligations instituted by the Applicable Laws, taking into account the nature of the processing and the information available to ClassTrack.
5.5. Data Security. The Tutor and ClassTrack will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia, as appropriate:
a) the pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5.6. Notice and Controls on use of subprocessors. ClassTrack may hire third parties to provide certain limited or ancillary services on its behalf. ClassTrack will provide the Tutor a list of subprocessors upon request. The Tutor consents to the engagement of these third parties and ClassTrack Affiliates as subprocessors of personal data if such consent is required under law. ClassTrack will inform the Tutor of new subprocessors it engages. The Tutor may object to new subprocessors by providing written notice to ClassTrack that includes an explanation of the grounds for objection.
ClassTrack is responsible for its subprocessor’s compliance with ClassTrack’s obligations under the Applicable Laws. When engaging any subprocessor, ClassTrack will ensure via a written contract that the subprocessor may access and use personal data only to deliver the services ClassTrack has retained them to provide and is prohibited from using personal data for any other purpose. ClassTrack will ensure that subprocessors are bound by written agreements that require them to provide at least the level of data protection required of ClassTrack by this Data Processing Agreement.
5.7. Personal Data Breach. ClassTrack shall notify the Tutor without undue delay after becoming aware of a personal data breach. Such notification will include that information a processor must provide to a controller under any applicable law to the extent such information is reasonably available to ClassTrack.
ClassTrack shall make reasonable efforts to assist the Tutor in fulfilling the Tutor’s obligation to notify the relevant supervisory authority and data subjects or data principals of a personal data breach.
5.8. Audit. ClassTrack will conduct in its sole discretion audits of its compliance with the applicable data protection laws. Each audit will be performed by qualified, independent, third party and/or internal security auditors at ClassTrack’s selection and expense. Each audit will result in the generation of an audit report (“ClassTrack Audit Report”), which ClassTrack will make available to the Tutor upon request. The ClassTrack Audit Report will be ClassTrack’s Proprietary Information and will clearly disclose any material findings by the auditor. ClassTrack will promptly remediate issues raised in any ClassTrack Audit Report to the satisfaction of the auditor.
5.9. Transfer of personal data. All transfers of personal data to a third country or an international organization will be subject to appropriate safeguards as described in the Applicable Laws and such transfers and safeguards will be documented. ClassTrack agrees to notify the Tutor in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as required.
5.10. Supplementation and Term. ClassTrack may modify or supplement this document, (a) if required to do so by a supervisory authority or other government or regulatory entity, (b) if necessary, to comply with applicable law, or (c) to adhere to an approved code of conduct or certification mechanism approved or certified. Without prejudice to the Applicable Laws, ClassTrack may from time to time provide additional information and detail about how it will execute these Terms in its service-specific technical, privacy, or policy documentation. These Terms become effective upon the later of (a) the start of enforcement of the or (b) The Tutor’s use of the ClassTrack Services.
6. Controller’s Obligations
6.1. The Controller shall provide the Processor with written instructions on the processing of the Personal Data on behalf of the Controller, hereunder transferring the Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Terms & Conditions and in accordance with Applicable Laws.
6.2. The Controller shall ensure that the processing of the Personal Data is lawful.
6.3. The Controller shall authorize the Processor to provide each subprocessor with the same written instructions that the Processor has been provided with.
6.4. The Controller has provided the data subjects or the data principals with the necessary information according to Applicable Laws; and it is the responsibility of the Controller to collect any consents from the data subjects for the processing of Personal Data taking place in accordance with the Terms & Conditions.
7. The Processor’s obligations
7.1. The Processor shall only process the Personal Data on behalf of the Controller and on written instructions from the Controller, and for the sole purpose and to the extent necessary to provide the Services, in accordance with the terms in this Agreement and Applicable Laws.
7.2. The Processor shall not process the Personal Data other than on the Controller’s documented instructions unless Processing is required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data.
7.3. The Processor does not have the right of use of the Personal Data, and may therefore not process them for their own purposes under any circumstances.
7.4. The Processor has carried out the technical and organizational security measures in order to protect the Personal Data from loss, misuse or unauthorized alteration or dissemination, or against other illegal processing. These measures represent a level of security appropriate to the risks represented by the processing, taking into account the costs of the implementation.
7.5. The Controller has, unless otherwise agreed or pursuant to Applicable Laws, the right to access the Personal Data being processed and the systems used for this purpose. The Processor shall provide necessary assistance for such access to be given.
7.6. The Processor is subject to confidentiality regarding the documentation and the Personal Data to which it gains access under this Agreement. This provision also applies after the termination of this Agreement.
7.7. The Processor may freely choose where it geographically stores the Personal Data. The Controller may at any time require information on where the Personal Data is stored.
8. Processor’s Personnel
8.1. The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who is given access to the Personal Data.
8.2. The Processor shall ensure in each case that access is strictly limited to those individuals who need to know/have access to the relevant Personal Data, as strictly necessary for the purposes of the Terms & Conditions, and to comply with Applicable Laws in the context of that individual's duties to the Processor.
8.3. The Processor shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. The obligations of confidentiality will survive the termination of the personnel engagement.
9.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
9.2. In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
9.3. The Controller confirms that the Processor has provided sufficient guarantees that they will implement appropriate technical and organizational measures that ensure that the processing meets the requirements of Applicable Laws, hereunder the protection of the data subjects’ rights.
9.4. The Controller confirms to have assessed any security measures specifically stated in the Terms & Conditions and thus accepted by the Controller, and the Controller is responsible (as between the parties and to data subjects and supervisory authorities) if those measures in themselves do not meet the Applicable Laws.
10.1. The Controller authorizes the Processor to appoint subprocessors in accordance with this section and any restrictions in the Terms & Conditions.
10.2. The Processor may continue to use those subprocessors already engaged by the Processor as of the date this Agreement enters into force, subject to the Processor in each case as soon as practicable meeting the obligations set out in section 10.4.
10.3. The Processor shall give the Controller prior written notice of the appointment of any new subprocessor, including full details of the Processing to be undertaken by the subprocessor. If, within 2 weeks of receipt of that notice, the Controller notifies the Processor in writing of any objections (on reasonable grounds) to the proposed appointment, the Processor shall not appoint (or disclose any Personal Data to) that proposed subprocessor until reasonable steps have been taken to address the objections raised by the Controller, and the Controller has been provided with a reasonable written explanation of the steps taken.
10.4. The Processor is responsible for the subprocessor’s performance with regard to the processing of Personal Data.
10.5. With respect to each subprocessor, the Processor shall:
• before the subprocessor’s first processing of the Personal Data (or, where relevant, in accordance with section 5.2), ensure that the subprocessor does not process Personal Data covered by this Agreement in any way that is not necessary for the performance of the Services, and that the Personal Data is not given to anyone else without this being specified in this Agreement or permitted by the Controller in a prior written notice;
• ensure that the arrangement between the Processor and the subprocessor, is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this Agreement and meet the requirements of Applicable Laws; and
• provide to the Controller for review such copies of the Processor's agreements with subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement) as the Controller may request from time to time.
11. Deletion or return of the Personal Data
11.1. Subject to sections 11.2. and 11.3. the Processor shall as soon as possible and within 4 weeks of the date of cessation of any Services involving the Processing of the Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Personal Data.
11.2. Subject to section 8.3., the Controller may in its absolute discretion by written notice to the Processor within 1 week of the Cessation Date require the Processor to (a) return a complete copy of all of the Personal Data to the Controller; and (b) delete and procure the deletion of all other copies of the Personal Data Processed by the Processor. The Processor shall comply with any such written request within 5 weeks of the Cessation Date.
11.3. The Processor may retain and store the Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws. Such cases always entail the provision that the Processor ensures the confidentiality of all such Personal Data and ensures that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
12. Transfers to Third Countries
12.1. If the Controller by form of written instruction to the Processor prior to any such processing, instructs the Processor to transfer Personal Data to a Third Country, the Controller (as "Data Exporter") and processor/subprocessor (as "Data Importer") must enter into an agreement that includes the Standard Contractual Clauses.
12.2. The Standard Contractual Clauses shall come into effect under section 9.1 on the later of:
• the data exporter becoming a party to them;
• the data importer becoming a party to them; and
• commencement of the relevant Restricted Transfer.
13. Governing law and jurisdiction
13.1. This Agreement shall be subject to and interpreted in accordance with the laws of Canada and any applicable international laws. The parties to this Agreement hereby submit to the jurisdiction of the Courts of Canada.
14. Order of precedence
14.1. Nothing in this Agreement reduces the Processor’s obligations under the Terms & Conditions in relation to the protection of Personal Data or permits the Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Terms & Conditions.
14.2. In the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including the Terms & Conditions (except where explicitly agreed otherwise in writing) the provisions of this Agreement shall prevail.
15. Changes in Data Protection Laws, etc.
15.1. The parties shall revise this Data Processing Agreement in the event of relevant changes to the Applicable Laws.
16.1. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
17. Liability and liability limitations
17.1. Each party is responsible for that party’s processing of Personal Data being in accordance with the Applicable Laws.