Raftr Data Privacy Addendum for Customers
This Data Privacy Addendum (“Addendum”) between Raftr (“Raftr”, “we”, “us”, or “our”) and the entity named on the signature page of the Agreement (“Customer”, “you”, or “your”), amends the current version of the agreement or terms and conditions between you and us (the “Agreement”). Raftr and Customer are together referred to herein as the “Parties.” If any terms of this Addendum conflict with any terms of the Agreement, the terms of this Addendum govern.
- Scope. In connection with the services we provide you under the Agreement (“Services”), you may provide to us personal information of your employees, students, and other individuals. This Addendum governs how we Process such Personal Information and our security requirements with respect to such Personal Information.
- Definitions.
- “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, including without limitation, to the extent applicable, the EU General Data Protection Directive as well as the equivalent implementations in EU member states, the UK, and Switzerland (“GDPR”); the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 along with any associated regulations (“CCPA”); and similar privacy laws in effect in any other U.S. states. Data Privacy Laws also includes any state student privacy laws that are directly applicable to Customer and to Customer’s provision of Personal Information to Raftr (“Student Privacy Laws”). If our Processing activities involving Personal Information are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum. For example, if a Data Privacy Law applies to only residents of a certain state, our obligations under this Addendum that relate to such Data Privacy Law will only apply to Data Subjects who are residents of that state.
- “Data Subject” means an identified or identifiable natural person about whom Personal Information relates.
- “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.
- “De-Identified Information” or “DII” means information for which Raftr removes or obscures any Personal Information such that the identity of the individual can no longer be reasonably ascertained.
- “Personal Information” includes “personal information,” “personal data,” and “personally identifiable information” that you provide to us about Data Subjects pursuant to the Agreement and such terms will have the same meaning as defined by applicable Data Privacy Laws.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information of one or more Data Subjects.
- “Student Data” includes any Personal Information obtained from a student for use for a school purpose that is governed by applicable U.S. state Student Privacy Laws.
- “Subprocessor” means a party other than Customer or Raftr, who assists Raftr in providing the Services.
- “Third Party” means an entity that is not Raftr or Customer.
- “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
- Scope and Purposes of Processing. We will Process any Data Subject’s Personal Information and/or Student Data: (a) to fulfill our obligations to you under the Agreement, including this Addendum; (b) on your behalf and per any written instructions you provide us; and (c) in compliance with applicable Data Privacy Laws.
- Personal Information Processing. Raftr will:
- Ensure that the persons we authorize to Process Personal Information and/or Student Data are bound to confidentiality obligations and comply with all applicable provisions of Data Privacy Laws;
- Upon your written request, provide you reasonable assistance in fulfilling your obligation to respond to bona fide requests from Data Subjects to exercise their rights under Data Privacy Laws (e.g., access or deletion requests);
- Promptly notify you of any bona fide requests for access to or information about our Processing of any Data Subject’s Personal Information and/or Student Data on your behalf, unless prohibited by Data Privacy Laws;
- Provide you reasonable assistance in connection with fulfilling your obligations required by applicable Data Privacy Laws to the extent they involve our Processing of Personal Information;
- Not “sell” or “share” for purposes of “cross-context behavioral advertising” or “targeted advertising” (as defined by applicable Data Privacy Laws) any Personal Information;
- Not retain, use, or disclose Personal Information and/or Student Data outside of the direct business relationship between you and us;
- Not attempt to (i) re-identify any pseudonymized, anonymized, or aggregate Personal Information and/or Student Data, or DII, or (ii) link or otherwise create a relationship between Personal Information and non-Personal Information or any other information, without your express written permission;
- Comply with any applicable restrictions under applicable Data Privacy Laws on combining Personal Information with personal information that we receive from, or on behalf of, another person or persons, or that we collect from any interaction between us and any individual; and
- Promptly notify you if we determine that (i) we can no longer meet our obligations under this Addendum or applicable Data Privacy Laws; or (ii) in our opinion, an instruction from you infringes applicable Data Privacy Laws.
- Student Data
- Data Ownership And Authorized Access
- All Student Data transmitted to Raftr pursuant to this Addendum is and will continue to be the property of and under your control, or the party who provided such data (such as the student or parent). Raftr acknowledges and agrees that all copies of such Student Data transmitted to Raftr are also subject to the provisions of this Addendum in the same manner as the original Student Data. The Parties agree that as between them, all rights, including all intellectual property rights in and to Student Data contemplated per this Addendum shall remain your exclusive property.
- You shall establish reasonable procedures by which a parent, legal guardian, or eligible student may review Student Data, correct erroneous Student Data, and transfer Student Data to a personal account, if applicable, and consistent with the functionality of Services. Raftr shall cooperate and respond within ten (10) days to your request to view or correct Student Data as necessary in compliance with applicable Data Privacy Laws. In the event that a parent or other individual contacts Raftr to review any of the Student Data accessed pursuant to the Services, Raftr shall refer the parent or individual to you, and you will follow the necessary and proper procedures regarding the requested Student Data.
- To the extent technically feasible, Raftr shall, at your request, transfer Student Data to a separate student account upon termination of the Services; provided, however, such transfer shall only apply to Student Data that is severable from the Services.
- Should a Third Party, including, but not limited to law enforcement or government entities, contact Raftr with a request for Student Data held by Raftr pursuant to the Agreement, Raftr shall redirect the Third Party to request the data directly from you and shall cooperate with you to collect the required Student Data. Raftr shall notify you in advance of a compelled disclosure to a Third Party, unless legally prohibited.
- Raftr shall enter into written agreements with all Subprocessors performing functions pursuant to this Addendum, whereby the Subprocessors agree to protect Student Data in a manner consistent with the terms of this Addendum.
- Duties of Customer
- You shall provide Student Data for the purposes of the Addendum in compliance with Data Privacy Laws.
- You shall notify Raftr promptly of any known or suspected unauthorized access to the Services. You will assist Raftr in any efforts by Raftr to investigate and respond to any unauthorized access.
- Duties of Raftr
- Raftr acknowledges and agrees that, except as provided herein, it shall not make any re-disclosure of any Student Data or any portion thereof, without the express written consent of the Customer, unless the Student Data has been de-identified to become DII, or there is a court order or lawfully issued subpoena for the Student Data. Pursuant to Section 8, Raftr may also disclose Student Data to Subprocessors.
- DII may be used by Raftr for any purposes, including development, research, and improvement of other educational sites, services, or applications, as any other member of the public or party would be able to use DII in accordance with Data Privacy Laws. Raftr agrees not to attempt to re-identify DII and not to transfer DII to any party unless that party agrees not to attempt re-identification.
- Raftr shall de-identify, dispose of, or delete all Student Data obtained under the Addendum pursuant to your written request, and enable you to export such data within a reasonable time of the date of termination and according to a schedule and procedure as the parties may reasonably agree. At your request, Raftr shall provide written notification to you when the Student Data has been de-identified, deleted, or disposed of by Raftr at your request. The duty to dispose of Student Data shall not extend to data that has been de-identified or placed in a separate student account, pursuant to this Addendum.
- Data Security. We will implement appropriate administrative, technical, physical, and organizational measures to protect any Data Subject’s Personal Information and/or Student Data consistent with industry standards. For example: (a) reasonable technical and organizational measures to protect against unauthorized or unlawful processing of such Personal Information and accidental loss of or damage to such Personal Information; (b) physical access controls; (c) data access and data transfer controls; (d) internal and external vulnerability scans; and (e) incident response procedures. You have the right to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Information and/or Student Data.
- Security Breach. We will notify you promptly following our confirmation of any Security Breach. We will comply with the Security Breach-related obligations directly applicable to us under Data Privacy Laws and will assist you in your compliance with your Security Breach-related obligations, including (a) taking reasonable steps to mitigate the adverse effects of the Security Breach, and (b) providing you information, to the extent known, about the nature of the Security Breach, the likely consequences of the Security Breach, and the measures we have taken to address the Security Breach.
- Subprocessors. You acknowledge and agree that we may use affiliates and Subprocessors to Process Personal Information and/or Student Data in accordance with the provisions within this Addendum and Data Privacy Laws, provided we are responsible for their compliance with the relevant obligations of this Agreement (including this Addendum). If we engage any Subprocessors to Process Personal Information and/or Student Data, we will:
- Take reasonable steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures.
- Enter into a written contract requiring each Subprocessor to comply with obligations that are no less restrictive than those imposed on us under this Addendum; and
- Maintain an up-to-date list of Subprocessors available upon request. Where required by applicable Data Privacy Laws, we will provide you with reasonable notice of any new Subprocessors added to the list prior to transferring or making available Personal Information and/or Student Data to such new Subprocessors. In the event you object to a new Subprocessor, we will cooperate in good faith to resolve the objection.
- Audits. We will make available to you all information necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, and that is not reasonably objected to by us; provided that such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent our personnel are required to cooperate therewith, only during our normal business hours.
- Data Transfers.
- We will not engage in any cross-border Processing of Personal Information, or transmit, directly or indirectly, any Personal Information to any country outside of the country from which such Personal Information was collected, without complying with applicable Data Privacy Laws. Where we engage in an onward transfer of Personal Information, we will ensure that a lawful data transfer mechanism is in place prior to transferring Personal Information from one country to another.
- To the extent legally required, by signing this Addendum, the Parties are deemed to have signed the EU SCCs, which form part of this Addendum and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
- Module 2 of the EU SCCs applies to transfers of Personal Information from you (as a controller) to us (as a processor);
- Clause 7 (the optional docking clause) is included;
- Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization);
- Under Clause 11 (Redress), the optional language regarding an independent dispute resolution body shall not be deemed to be included;
- Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
- Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
- Annex I(A) and I(B) (List of Parties) is as provided in the Agreement.
- Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission; and
- Annex II (Technical and organizational measures) is as provided in Section 6 above.
- With respect to Personal Information transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this Addendum and take precedence over the rest of this Addendum as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: (i) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer; (ii) the Key Contacts shall be the contacts provided in the Agreement; (iii) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (iv) Annex 1A, 1B, II, and III shall be as set forth in the Agreement and this Addendum; (v) either Party may end this Addendum as set out in Section 19 of the UK SCCs; and (vi) by entering into this Addendum, the Parties are deemed to be signing the UK SCCs and agree that the Addendum will be governed by the laws of England and Wales and enforced by the courts and relevant supervisory authorities in England and Wales.
- For transfers of Personal Information that are subject to the FADP, the EU SCCs form part of this Addendum as set forth in Section 7(b) of this Addendum, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
- Term; Survival; Return or Destruction of Personal Information and/or Student Data. The effective date of this Addendum is the date of the Agreement. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as we or our Subprocessors Process any Data Subject’s Personal Information and/or Student Data. Upon your written request at termination of the Agreement, we will (a) return and/or securely destroy all Personal Information and/or Student Data in our possession, except to the extent required otherwise by Data Privacy Laws, and (b) certify our compliance with this Section.