BLINDSIDE NETWORKS DATA PROCESSING AGREEMENT
Last Revised: May 5, 2022.
This data processing agreement (DPA
or Agreement) forms part of the
terms of use, service terms or other agreement between You as Data Controller
and Blindside Networks Inc. as Data Processor
(Master Agreement). For clarity, any
reference to Master Agreement in this DPA shall be construed as reference to
the existing contractual arrangement(s) that applies between the Parties
pursuant to which the Processor has agreed to process Personal Data on behalf
of You. In the absence of any Master Agreement, this DPA shall act as a
standalone data processing agreement.
This Agreement may be updated from time to time, with any such amended
Agreement being dated and available on our website at https://blindsidenetworks.com/dpa-moodle-free-tier/. It is Your obligation to ensure that You have downloaded and signed the
most up to date version of this Agreement for your records.
BETWEEN:
You or Your
organisation, as a Data Controller under the GDPR (hereinafter referred to as Controller); and
Blindside Networks Inc., as a Data Processor under the GDPR (hereinafter
referred to as Processor);
individually referred to as a Party
and together as Parties.
WHEREAS:
A. You Process the
Personal Data as Controller;
B. You have
appointed Blindside Networks Inc. as Processor to provide services as referred
to in the Master Agreement or other terms of use, whereby Processor will
Process the Personal Data on behalf of You, the Controller;
C. The Parties have
reached an agreement on the rights and obligations of Controller and Processor
and now wish to record such rights and obligations in this DPA.
NOW THEREFORE THE PARTIES AGREE AS FOLLOWS:
1. Definitions & Interpretation
1.1 In this DPA,
unless otherwise defined, all capitalised words and expressions shall have the
following meaning:
(a) Data Protection Law means data
protection legislation or any statutory equivalent in force applicable to the
Processing of Your Personal Data, including the GDPR, the UK GDPR and Data
Protection Act(s) and the Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 –
1798.199) (“CCPA”).
(b) EEA means the European Economic Area.
(c) GDPR means Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC. The terms Controller, Processor, Data Subject,
Personal Data, Processing, Supervisory Authority shall have the meanings
given to them in the GDPR.
(d) Personal Data Breach means a Security
Incident that has led to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to Your Personal Data
transmitted, stored or otherwise processed by the Processor.
(e) Standard Contractual Clauses or SCCs means the Commission Decision 2010/87 of 5 February 2010 on standard
contractual clauses for the transfer of personal data to processors established
in non-adequate countries, as defined under Directive 95/46/EC of the European
Parliament and of the Council (2010/87/EU) and as updated on the 4th June 2021
by Decision 2021/814, a link to which is provided at Schedule 3.
(f) Security Incident means any breach
of security measures used by Processor to secure Your Personal Data.
(g) Subprocessor means a person or entity subcontracted by Data Processor to Process Your
Personal Data.
(h) Your Personal Data means any
Personal Data Processed by Processor on behalf of You pursuant to or in
connection with any Master Agreement and/or this DPA.
1.2 Interpretation
(a) To
the extent of any conflict or inconsistencies between the Master Agreement and
this DPA, this DPA shall take precedence, unless otherwise specified herein.
(b) Unless
the context indicates a contrary intention, another grammatical form of a
defined word or expression has a corresponding meaning.
2. Processing Your Personal Data
2.1 For the purpose of this
DPA, Blindside Networks Inc. is the Processor of Your Personal Data and You are
the Controller.
2.2 Schedule 1
contains details of the processing activities You have engaged Processor to
perform including the categories of Data Subjects, the types of Personal Data and
the purpose and nature of the Processing.
2.3 The Processor will (and will procure that Subprocessors will):
(a) have no
independent rights in relation to Your Personal Data and only Process Your
Personal Data on behalf of and for, Your benefit, in accordance with the terms
of the Master Agreement and this DPA together with Your instructions, unless
required to do so by applicable law to which the Processor is subject, in which
case the Processor shall inform You of that legal requirement before the
Processing of Your Personal Data;
(b) not assume any
responsibility for determining the purposes for which and the manner in which
Your Personal Data is Processed and will only Process Your Personal Data for
purposes determined by You; and
(c) notify You
promptly in the event that it is unable to comply with this DPA or its
obligations under any Data Protection Law or if it has reason to believe that
the legislation applicable to it is likely to have a substantial adverse effect on the obligations
provided under this DPA or otherwise prevents it from fulfilling any
instructions received from You. If this provision is invoked, Processor will
not be liable to You for any failure to perform the applicable services until such
time as You issue new instructions regarding the Processing with which the
Processor is able to comply.
2.4 For
clarity, within the scope of the Master Agreement and this DPA and in relation
to Your use of the services: (i) You shall be solely responsible
for complying with the statutory requirements relating to data protection and
privacy, in particular regarding the disclosure and transfer of Your Personal
Data to Processor; (ii) You agree that Your instructions for the Processing of
Personal Data shall comply with Data Protection Law; and (iii) You agree to
inform Processor without undue delay about any errors or irregularities related
to the Processor’s Processing of Your Personal Data.
3. Rights and obligations of Processor
3.1 The Processor will:
(a) take reasonable
and appropriate technical and organizational measures that are designed to adequately
protect the security, integrity and confidentiality of Your Personal Data and
guard against unauthorised or unlawful disclosure, access or Processing, or accidental
loss, alteration, damage or destruction, as described in Schedule 2. Such measures shall include (as appropriate)
the measures required pursuant to Article 32 of the GDPR;
(b) only grant access
to Your Personal Data to persons under the Processor’s authority who have
committed themselves to confidentiality or who are under an appropriate
statutory obligation of confidentiality. The classes of persons to whom access
has been granted shall be subject to periodic review. Specifically, Subprocessors referred to in Schedule 1 are deemed approved
by You;
(c) assist You by
appropriate technical and organisational measures, insofar as this is possible,
in the fulfilment of Your obligations to respond to requests by a Data Subject
in relation to the exercise of their rights pursuant to Data Protection Law (including
access, rectification, restriction, deletion or portability of Personal Data,
as applicable) and will (i) inform You without undue
delay; and in any event, no later than one (1) month after receipt of a request
from a Data Subject in respect of their Personal Data; and (ii) unless
otherwise instructed by You, advise the Data Subject to submit their request to
You. Such assistance will be provided subject to agreement to any reasonable
and duly evidenced cost being charged by the Processor for these services;
(d) maintain
electronic records of complaints or requests from Data Subjects seeking to
exercise their rights under Data Protection Law until such time as the records
have been securely transferred to You. The Processor shall not respond and
shall ensure that Subprocessors do not respond
directly to requests from Data Subjects except upon Your written instructions
or as required by Data Protection Law;
(e) assist You in
data protection impact assessments (subject to agreement to any reasonable and
duly evidenced cost being charged by the Processor for this assistance);
(f) assist You, at
Your cost, in the event of an investigation or audit by a Supervisory
Authority, to the extent that such investigation or audit relates to
Processor’s Processing of Your Personal Data and inform You as soon as possible
if a Supervisory Authority requests an investigation or audit of Processor
relating to Processor’s Processing of Your Personal Data; and
(g) maintain records
of all Processing operations under its responsibility that contain at least the
minimum information required by Data Protection Law.
4. Security Incidents
4.1 The Processor will
(and shall procure that all its Subprocessors will)
maintain updated electronic records of all discovered Security Incidents. The register shall contain at least a
description of the Security Incident, including the date and time the Security
Incident was discovered. If a Security Incident is a Personal Data Breach, the register
shall also contain an overview of the affected Personal Data and the categories
and number of affected Data Subjects.
4.2 The Processor
will (and shall procure that all its Subprocessors
will) promptly, but in any event within 48 (forty-eight) hours of becoming
aware of an actual or suspected Personal Data Breach, inform You in writing of such
Personal Data Breach. The Processor will
take prompt steps to remedy any Personal Data Breach and promptly provide You
with all relevant information and assistance regarding any such actual or
suspected Personal Data Breach. The Processor’s
notification of a Personal Data Breach to You will include information
sufficient to allow You to meet Your obligations pursuant to Data Protection
Law, and at a minimum:
(a) a description of
the Personal Data Breach, including the date and time the Personal Data Breach
was discovered;
(b) an overview of
the affected Personal Data and the categories and number of affected Data
Subjects;
(c) information on
the (expected) consequences of the Personal Data Breach; and
(d) a description of
the measures taken by the Processor to limit the consequences of the Personal
Data Breach.
If
the Processor is unable to communicate all required information relating to the
Personal Data Breach simultaneously, the Processor shall provide the
information as the information becomes available.
The Processor will not provide any
statement, communication, press release or other public announcement relating
to a Personal Data Breach without Your prior written consent unless otherwise
required by Data Protection Law.
5. Subprocessors
5.1 You, as the
Controller, grant the Processor general written authorisation for the
engagement of Subprocessors and any intended changes
concerning the addition or replacement of Subprocessors,
subject to the proviso that the Processor shall remain fully liable to You for
fulfilment of the obligations of the Subprocessor and
that the Processor and the Subprocessor have entered
into an agreement that imposes obligations on the Subprocessor
that are no less restrictive than those imposed on the Processor under this
DPA, and provides for sufficient guarantees to implement appropriate technical
and organisational measures in such a manner that the Processing will meet the
requirements of Data Protection Law and this DPA.
5.2 The Subprocessors referred to in Schedule 1 are hereby approved
by You. If the Processor intends to
instruct a Subprocessor other than the companies
listed in Schedule 1, the Processor will notify You thereof in writing (email
to the email address(es) on record in Processor’s account information for You is
sufficient) and will give You the opportunity to object to the engagement of
the new Subprocessor within 30 days after being
notified. Your objection, if any, must be based on reasonable grounds (e.g. use
of the Subprocessor presents a significant risk for
the protection of Your Personal Data). If
the Parties are unable to resolve such objection within 30 days of Processor’s
receipt thereof, either Party may terminate the Agreement by providing written
notice to the other Party.
5.3 If a Subprocessor is engaged, before the Subprocessor
first Processes Your Personal Data, the Processor shall carry out adequate due
diligence to ensure that the Subprocessor is capable
of providing the level of protection for Your Personal Data required by this
DPA. In support of such due diligence,
You are granted the right to monitor and inspect the Subprocessor’s
activities in accordance with this DPA and Data Protection Law, including
obtaining information from the Processor on the substance of its contract with
the Subprocessor and the Subprocessor’s
implementation of its data protection obligations.
6. Audit Rights
6.1 Upon Your written
request and provided that the Parties have an NDA in place, the Processor will
provide You with the results of the most recent data security compliance
reports or any audit performed by or on behalf of the Processor that assesses
the effectiveness of the Processor’s information security program, system(s),
internal controls, and procedures relating to the Processing of Your Personal
Data.
6.2 Upon reasonable
advance written notice to the Processor, You may during normal business hours,
attend on the Processor’s facilities for the purpose of auditing the Processing
and maintenance of Your Personal Data, and the Processor’s compliance with its
obligations under this DPA. You will be responsible for the costs and expenses
of such audit (or the fees and costs of the third party performing the audit). If the Processor declines to address and
correct all deficiencies identified in any such audit, You are entitled to
terminate the Master Agreement and this DPA in accordance with its terms.
7. Data transfers
7.1 The Processor will
comply with Data Protection Law regarding the transfer of Your Personal Data
from the EEA to countries outside the EEA. Unless otherwise provided for in
Annex 1, the Processor will not transfer or process Your Personal Data outside
of the territory of the EEA or outside the territories defined in Annex 1
otherwise than set out in this Agreement. The Processor shall ensure that any
such transfer/access is implemented in accordance with this Agreement.
7.2 To the extent
that the Processor is based in a third country that does not provide an
adequate level of protection, and the transfer of Your Personal Data is not
covered by one or more safeguards provided for in Articles 45, 46 and 47 of the
GDPR, the Parties hereby agree to enter into the SCCs, as provided for in
Schedule 3.
7.3 If the Processor
intends to transfer Personal Data to an engaged Subprocessor
located outside of the EEA and the Processor opts to have such transfer covered
by the SCCs, the Processor is hereby authorised to enter into such SCCs in Your
name and on Your behalf.
7.4 At Your request
and provided that the Parties have an NDA in place, the Processor shall provide
a copy of any document evidencing the implementation of any of the
above-mentioned measures to cover the transfer/access of Your Personal Data.
8. Termination and erasure and return of data
8.1 On termination of
the Master Agreement, or earlier as requested by You, the Processor will
destroy, or upon Your written instructions, deliver to You, or enable You to
delete by means of the functionality provided by the services, all Your
Personal Data in the Processor’s possession, custody and control, except for
such information as must be retained under applicable law and insofar as is
technically possible.
8.2 To the extent
that the Processor retains any of Your Personal Data beyond termination or
expiration of the Master Agreement or as earlier requested by You because such
retention is required under applicable law, this DPA will remain in full effect
and the Processor will promptly destroy all such Personal Data once such
retention is no longer required under applicable laws insofar as is technically
possible. At Your request, the Processor will provide You with written
confirmation of such destruction.
8.3 This DPA will
expire automatically upon Your Personal Data either being fully returned or
destroyed except in so far as required for statutory or contractual purposes.
9. Liability
9.1 Notwithstanding
provisions of the Master Agreement limiting Processor’s liability (if any), the
Processor will be liable only for any direct damages arising out of or in
connection with the Processor’s breach of (i) this
DPA; (ii) Data Protection Law; or (iii) Your
instructions under this DPA.
9.2 The Processor’s
aggregate liability pursuant to this DPA shall not exceed an amount equal to
the total amount of the subscription fees or royalties fees paid or payable by
You under the Master Agreement during the immediately preceding twelve (12)
month period.
10. Jurisdiction and venue
10.1 This DPA and any dispute or claim arising out of it or in connection
with it, its subject matter or formation shall be governed by and construed in
accordance with the laws of the Province of Ontario and the federal laws of
Canada applicable therein, and the Parties irrevocably submit to the
non-exclusive jurisdiction of the courts of Ontario.
[WHERE SIGNATURES ARE APPROPRIATE]
Signed on behalf of You (the
By Your
________________________________
Full Name /
_______________________________
Date: _________________________
Agreed and accepted by Blindside
By Blindside’s Authorised Representative:
______________________________
Full Name /
_______________________________
Date: _________________________
Schedule 1
Details of Processing Activities
This Schedule 1 includes certain details of the
Processing of Your Personal Data, as required by Article 28(3) of the GDPR.
For Moodle Customers | Subject matter and duration of The subject matter and duration of the Processing Description of all Personal Data BigBlueButton
When You and/or Your end
Description of all Personal Data collected during
In addition to the
In relation to the
Description of Processing activities (Nature
Depending on Your |
Subprocessors | Digital Ocean
Amazon Web Services – Cloud
Elastic Cloud
Schedule 2
Security Measures
1. The
Data Processor will ensure that in determining the appropriate security
measures for all Personal Data processed on Your behalf the following matters
are taken into consideration:
A. the
nature of the Personal Data;
B. the
nature, scope, context and purposes of the Processing activity; and
C. the
harm that might result from unlawful or unauthorised Processing or accidental
loss, damage or destruction of the Personal Data.
2. In
assessing the appropriate level of security, the Data Processor shall:
A. undertake a risk assessment of all new Processing
activities to allocate responsibility for implementing a relevant policy to
specific individuals or team members;
B. ensure appropriate security safeguards and
virus protection are in place to protect hardware and software used in Processing
Personal Data in accordance with best industry practice;
C. ensure storage of Personal Data is maintained
at secure and (where applicable) local locations to avoid unnecessary cross
border data transfers in conformity with best industry practice and access by
personnel to such Personal Data is password restricted and monitored;
D. have secure methods in place for the transfer
of Personal Data whether in physical form (for instance, by using couriers
rather than standard post) or electronic form (for instance, by using
encryption);
E. take reasonable steps to ensure the
reliability of all employees or other individuals who have access to Your
Personal Data and to ensure such employees and individuals are informed of the
confidential nature of the Personal Data and their compliance obligations in
this Agreement; and
F. have strong and concise systems and processes
implemented for detecting and dealing with security breaches.
Schedule 3
Where
Personal Data is required to be transferred to a Data Processor located outside
the EEA, the SCCs as outlined on the official website of the European Union https://eur-lex.europa.eu/homepage.html at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915 are hereby incorporated and shall apply by
reference thereto.
Where
Personal Data is not transferred outside the EEA (or other safeguards have been
implemented for the specific transfer in question) this Schedule 3 shall not
apply.