As provided in our data privacy addendum, our customers, which are primarily academic institutions, remain the “data controllers” or “businesses” (as such terms are defined in applicable data protection laws) of personal data processed by Raftr in connection with providing our services.  Raftr serves as a “data processor” or “service provider” to its customers under such laws.  This approach is consistent with applicable data privacy laws globally, including in the United States, European Union, and the United Kingdom.

In its role as a data processor/service provider, Raftr agrees to, among other things: (1) process personal data only on behalf of its customers in providing its services; (2) use appropriate technical and organizational measures to protect personal data; (3) assist its customers in fulfilling applicable data subject rights (e.g., access, deletion, correction), performing data protection impact assessments, and responding to regulatory inquiries that involve Raftr’s processing activities; (4) allow for and contribute to audits regarding its data processing activities; and (5) ensure appropriate transfer mechanisms are in place in the event Raftr transfers data across borders from jurisdictions that require such measures.

Given that Raftr’s customers are academic institutions and that information processed by Raftr may also be covered by specific federal and state student privacy laws in the US (e.g., FERPA), Raftr further commits to only processing such student data in accordance with applicable laws, including by fulfilling requests by students and parents under such laws to exercise rights to access or deletion of student data.

Raftr uses certain vendors to assist it in performing its services.  These vendors are considered “subprocessors” or “subcontractors” under applicable data protection and student privacy laws.  Raftr enters into agreements with these vendors requiring them to adhere to protections at least as stringent as those Raftr commits to in its data processing addendum with customers.