DATA PROCESSING AGREEMENT
Last Revised: May 5, 2022
This data processing agreement (DPA
or Agreement) forms part of the
and Blindside Networks Inc.
This Agreement may be updated from time to time, with any such amended Agreement being dated and available on our website at https://blindsidenetworks.com/dpa-moodle-free-tier/. It is Your obligation to ensure that You have downloaded and signed the most up to date version of this Agreement for your records.
You or Your organisation, as a Data Controller under the GDPR (hereinafter referred to as Controller); and
Blindside Networks Inc., as a Data Processor under the GDPR (hereinafter referred to as Processor);
individually referred to as a Party and together as Parties.
<![if !supportLists]>A. <![endif]>You Process the Personal Data as Controller;
<![if !supportLists]>C. <![endif]>The Parties have reached an agreement on the rights and obligations of Controller and Processor and now wish to record such rights and obligations in this DPA.
NOW THEREFORE THE PARTIES AGREE AS FOLLOWS:
<![if !supportLists]>1. <![endif]>Definitions & Interpretation
<![if !supportLists]>1.1 <![endif]>In this DPA, unless otherwise defined, all capitalised words and expressions shall have the following meaning:
<![if !supportLists]>(a) <![endif]>Data Protection Law means data protection legislation or any statutory equivalent in force applicable to the Processing of Your Personal Data, including the GDPR, the UK GDPR and Data Protection Act(s) and the Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) (“CCPA”).
<![if !supportLists]>(b) <![endif]>EEA means the European Economic Area.
<![if !supportLists]>(c) <![endif]>GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The terms Controller, Processor, Data Subject, Personal Data, Processing, Supervisory Authority shall have the meanings given to them in the GDPR.
<![if !supportLists]>(d) <![endif]>Personal Data Breach means a Security Incident that has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Your Personal Data transmitted, stored or otherwise processed by the Processor.
<![if !supportLists]>(e) <![endif]>Standard Contractual Clauses or SCCs means the Commission Decision 2010/87 of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in non-adequate countries, as defined under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU) and as updated on the 4th June 2021 by Decision 2021/814, a link to which is provided at Schedule 3.
<![if !supportLists]>(f) <![endif]>Security Incident means any breach of security measures used by Processor to secure Your Personal Data.
<![if !supportLists]>(g) <![endif]>Subprocessor means a person or entity subcontracted by Data Processor to Process Your Personal Data.
<![if !supportLists]>(h) <![endif]>Your Personal Data means any Personal Data Processed by Processor on behalf of You pursuant to or in connection with any Master Agreement and/or this DPA.
(a) To the extent of any conflict or inconsistencies between the Master Agreement and this DPA, this DPA shall take precedence, unless otherwise specified herein.
(b) Unless the context indicates a contrary intention, another grammatical form of a defined word or expression has a corresponding meaning.
<![if !supportLists]>2. <![endif]>Processing Your Personal Data
<![if !supportLists]>2.1 <![endif]>For the purpose of this DPA, Blindside Networks Inc. is the Processor of Your Personal Data and You are the Controller.
<![if !supportLists]>2.2 <![endif]>Schedule 1 contains details of the processing activities You have engaged Processor to perform including the categories of Data Subjects, the types of Personal Data and the purpose and nature of the Processing.
<![if !supportLists]>2.3 <![endif]>The Processor will (and will procure that Subprocessors will):
<![if !supportLists]>(a) <![endif]>have no independent rights in relation to Your Personal Data and only Process Your Personal Data on behalf of and for, Your benefit, in accordance with the terms of the Master Agreement and this DPA together with Your instructions, unless required to do so by applicable law to which the Processor is subject, in which case the Processor shall inform You of that legal requirement before the Processing of Your Personal Data;
<![if !supportLists]>(b) <![endif]>not assume any responsibility for determining the purposes for which and the manner in which Your Personal Data is Processed and will only Process Your Personal Data for purposes determined by You; and
<![if !supportLists]>(c) <![endif]>notify You promptly in the event that it is unable to comply with this DPA or its obligations under any Data Protection Law or if it has reason to believe that the legislation applicable to it is likely to have a substantial adverse effect on the obligations provided under this DPA or otherwise prevents it from fulfilling any instructions received from You. If this provision is invoked, Processor will not be liable to You for any failure to perform the applicable services until such time as You issue new instructions regarding the Processing with which the Processor is able to comply.
2.4 For clarity, within the scope of the Master Agreement and this DPA and in relation to Your use of the services: (i) You shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Your Personal Data to Processor; (ii) You agree that Your instructions for the Processing of Personal Data shall comply with Data Protection Law; and (iii) You agree to inform Processor without undue delay about any errors or irregularities related to the Processor’s Processing of Your Personal Data.
<![if !supportLists]>3. <![endif]>Rights and obligations of Processor
<![if !supportLists]>(a) <![endif]>take reasonable and appropriate technical and organizational measures that are designed to adequately protect the security, integrity and confidentiality of Your Personal Data and guard against unauthorised or unlawful disclosure, access or Processing, or accidental loss, alteration, damage or destruction, as described in Schedule 2. Such measures shall include (as appropriate) the measures required pursuant to Article 32 of the GDPR;
<![if !supportLists]>(b) <![endif]>only grant access to Your Personal Data to persons under the Processor’s authority who have committed themselves to confidentiality or who are under an appropriate statutory obligation of confidentiality. The classes of persons to whom access has been granted shall be subject to periodic review. Specifically, Subprocessors referred to in Schedule 1 are deemed approved by You;
<![if !supportLists]>(c) <![endif]>assist You by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of Your obligations to respond to requests by a Data Subject in relation to the exercise of their rights pursuant to Data Protection Law (including access, rectification, restriction, deletion or portability of Personal Data, as applicable) and will (i) inform You without undue delay; and in any event, no later than one (1) month after receipt of a request from a Data Subject in respect of their Personal Data; and (ii) unless otherwise instructed by You, advise the Data Subject to submit their request to You. Such assistance will be provided subject to agreement to any reasonable and duly evidenced cost being charged by the Processor for these services;
<![if !supportLists]>(d) <![endif]>maintain electronic records of complaints or requests from Data Subjects seeking to exercise their rights under Data Protection Law until such time as the records have been securely transferred to You. The Processor shall not respond and shall ensure that Subprocessors do not respond directly to requests from Data Subjects except upon Your written instructions or as required by Data Protection Law;
<![if !supportLists]>(e) <![endif]>assist You in data protection impact assessments (subject to agreement to any reasonable and duly evidenced cost being charged by the Processor for this assistance);
<![if !supportLists]>(f) <![endif]>assist You, at Your cost, in the event of an investigation or audit by a Supervisory Authority, to the extent that such investigation or audit relates to Processor’s Processing of Your Personal Data and inform You as soon as possible if a Supervisory Authority requests an investigation or audit of Processor relating to Processor’s Processing of Your Personal Data; and
<![if !supportLists]>(g) <![endif]>maintain records of all Processing operations under its responsibility that contain at least the minimum information required by Data Protection Law.
<![if !supportLists]>4. <![endif]>Security Incidents
<![if !supportLists]>4.1 <![endif]>The Processor will (and shall procure that all its Subprocessors will) maintain updated electronic records of all discovered Security Incidents. The register shall contain at least a description of the Security Incident, including the date and time the Security Incident was discovered. If a Security Incident is a Personal Data Breach, the register shall also contain an overview of the affected Personal Data and the categories and number of affected Data Subjects.
<![if !supportLists]>4.2 <![endif]>The Processor will (and shall procure that all its Subprocessors will) promptly, but in any event within 48 (forty-eight) hours of becoming aware of an actual or suspected Personal Data Breach, inform You in writing of such Personal Data Breach. The Processor will take prompt steps to remedy any Personal Data Breach and promptly provide You with all relevant information and assistance regarding any such actual or suspected Personal Data Breach. The Processor’s notification of a Personal Data Breach to You will include information sufficient to allow You to meet Your obligations pursuant to Data Protection Law, and at a minimum:
<![if !supportLists]>(a) <![endif]>a description of the Personal Data Breach, including the date and time the Personal Data Breach was discovered;
<![if !supportLists]>(b) <![endif]>an overview of the affected Personal Data and the categories and number of affected Data Subjects;
<![if !supportLists]>(c) <![endif]>information on the (expected) consequences of the Personal Data Breach; and
<![if !supportLists]>(d) <![endif]>a description of the measures taken by the Processor to limit the consequences of the Personal Data Breach.
If the Processor is unable to communicate all required information relating to the Personal Data Breach simultaneously, the Processor shall provide the information as the information becomes available.
The Processor will not provide any statement, communication, press release or other public announcement relating to a Personal Data Breach without Your prior written consent unless otherwise required by Data Protection Law.
<![if !supportLists]>5. <![endif]>Subprocessors
<![if !supportLists]>5.1 <![endif]>You, as the Controller, grant the Processor general written authorisation for the engagement of Subprocessors and any intended changes concerning the addition or replacement of Subprocessors, subject to the proviso that the Processor shall remain fully liable to You for fulfilment of the obligations of the Subprocessor and that the Processor and the Subprocessor have entered into an agreement that imposes obligations on the Subprocessor that are no less restrictive than those imposed on the Processor under this DPA, and provides for sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of Data Protection Law and this DPA.
<![if !supportLists]>5.2 <![endif]>The Subprocessors referred to in Schedule 1 are hereby approved by You. If the Processor intends to instruct a Subprocessor other than the companies listed in Schedule 1, the Processor will notify You thereof in writing (email to the email address(es) on record in Processor’s account information for You is sufficient) and will give You the opportunity to object to the engagement of the new Subprocessor within 30 days after being notified. Your objection, if any, must be based on reasonable grounds (e.g. use of the Subprocessor presents a significant risk for the protection of Your Personal Data). If the Parties are unable to resolve such objection within 30 days of Processor’s receipt thereof, either Party may terminate the Agreement by providing written notice to the other Party.
<![if !supportLists]>5.3 <![endif]>If a Subprocessor is engaged, before the Subprocessor first Processes Your Personal Data, the Processor shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Your Personal Data required by this DPA. In support of such due diligence, You are granted the right to monitor and inspect the Subprocessor’s activities in accordance with this DPA and Data Protection Law, including obtaining information from the Processor on the substance of its contract with the Subprocessor and the Subprocessor’s implementation of its data protection obligations.
<![if !supportLists]>6. <![endif]>Audit Rights
<![if !supportLists]>6.1 <![endif]>Upon Your written request and provided that the Parties have a NDA in place, the Processor will provide You with the results of the most recent data security compliance reports or any audit performed by or on behalf of the Processor that assesses the effectiveness of the Processor’s information security program, system(s), internal controls, and procedures relating to the Processing of Your Personal Data.
<![if !supportLists]>6.2 <![endif]>Upon reasonable advance written notice to the Processor, You may during normal business hours, attend on the Processor’s facilities for the purpose of auditing the Processing and maintenance of Your Personal Data, and the Processor’s compliance with its obligations under this DPA. You will be responsible for the costs and expenses of such audit (or the fees and costs of the third party performing the audit). If the Processor declines to address and correct all deficiencies identified in any such audit, You are entitled to terminate the Master Agreement and this DPA in accordance with its terms.
<![if !supportLists]>7. <![endif]>Data transfers
<![if !supportLists]>7.1 <![endif]>The Processor will comply with Data Protection Law regarding the transfer of Your Personal Data from the EEA to countries outside the EEA. Unless otherwise provided for in Annex 1, the Processor will not transfer or process Your Personal Data outside of the territory of the EEA or outside the territories defined in Annex 1 otherwise than set out in this Agreement. The Processor shall ensure that any such transfer/access is implemented in accordance with this Agreement.
<![if !supportLists]>7.2 <![endif]>To the extent that the Processor is based in a third country that does not provide an adequate level of protection, and the transfer of Your Personal Data is not covered by one or more safeguards provided for in Articles 45, 46 and 47 of the GDPR, the Parties hereby agree to enter into the SCCs, as provided for in Schedule 3.
<![if !supportLists]>7.3 <![endif]>If the Processor intends to transfer Personal Data to an engaged Subprocessor located outside of the EEA and the Processor opts to have such transfer covered by the SCCs, the Processor is hereby authorised to enter into such SCCs in Your name and on Your behalf.
<![if !supportLists]>7.4 <![endif]>At Your request and provided that the Parties have a NDA in place, the Processor shall provide a copy of any document evidencing the implementation of any of the above-mentioned measures to cover the transfer/access of Your Personal Data.
<![if !supportLists]>8. <![endif]>Termination and erasure and return of data
<![if !supportLists]>8.1 <![endif]>On termination of the Master Agreement, or earlier as requested by You, the Processor will destroy, or upon Your written instructions, deliver to You, or enable You to delete by means of the functionality provided by the services, all Your Personal Data in the Processor’s possession, custody and control, except for such information as must be retained under applicable law and insofar as is technically possible.
<![if !supportLists]>8.2 <![endif]>To the extent that the Processor retains any of Your Personal Data beyond termination or expiration of the Master Agreement or as earlier requested by You because such retention is required under applicable law, this DPA will remain in full effect and the Processor will promptly destroy all such Personal Data once such retention is no longer required under applicable laws insofar as is technically possible. At Your request, the Processor will provide You with written confirmation of such destruction.
<![if !supportLists]>8.3 <![endif]>This DPA will expire automatically upon Your Personal Data either being fully returned or destroyed except in so far as required for statutory or contractual purposes.
<![if !supportLists]>9. <![endif]>Liability
<![if !supportLists]>9.1 <![endif]>Notwithstanding provisions of the Master Agreement limiting Processor’s liability (if any), the Processor will be liable only for any direct damages arising out of or in connection with the Processor’s breach of (i) this DPA; (ii) Data Protection Law; or (iiI) Your instructions under this DPA.
<![if !supportLists]>9.2 <![endif]>The Processor’s aggregate liability pursuant to this DPA shall not exceed an amount equal to the total amount of the subscription fees or royalties fees paid or payable by You under the Master Agreement during the immediately preceding twelve (12) month period.
<![if !supportLists]>10. <![endif]>Jurisdiction and venue
<![if !supportLists]>10.1 <![endif]>This DPA and any dispute or claim arising out of it or in connection with it, its subject matter or formation shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, and the Parties irrevocably submit to the non-exclusive jurisdiction of the courts of Ontario.
[WHERE SIGNATURES ARE APPROPRIATE]
Signed on behalf of You (the Data Controller)
By Your Authorised Representative:
Full Name / Title:
Agreed and accepted by Blindside Networks Inc. (the Data Processor)
By Blindside’s Authorised Representative:
Full Name / Title:
This Schedule 1 includes certain details of the Processing of Your Personal Data, as required by Article 28(3) of the GDPR.