Schedule 1

Data Processing Addendum

1. Definitions

“Data Controller” shall mean the entity which alone or jointly with others determines the purposes and means of the Processing of Personal Data. In the Agreement, the Institution is the Data Controller.

“Data Discloser” means the entity or individual that discloses or shares Personal Data with another party.

“Data Processor” shall mean the entity that Processes Personal Data on behalf and under the instruction of the Data Controller. In the Agreement, the Company is the Data Processor.

“Data Receiver” means the entity or individual that receives Personal Data from the Data Discloser.

“Data Subject” means the individual who is the subject of Personal Data.

“Education Records” means records that are directly related to a student and maintained by an educational institution or agency.

“Personal Data” means information that Institution provides or for which Institution provides access to the Company, or information which the Company creates or obtains on behalf of Institution, in accordance with this Agreement that: (i) directly or indirectly identifies an individual including, for example, names, signatures, addresses, telephone numbers, email addresses, and other unique identifiers; or (ii) can be used to authenticate an individual including, without limitation, passwords or PINs, user identification and account access credentials or passwords, answers to security questions, and other personal identifiers. The Institution’s business contact information is not by itself Personal Data.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Privacy Laws” means any applicable law, regulation, or other legal requirement governing the relationship between the Institution and the Company and the services provided under the Agreement including but not limited to, the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and the Family Educational and Privacy Rights Act (“FERPA”).

“Processing” or “Process” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Shared” means any data that is transferred by any means between Company and the Institution.

“Supervisory Authority” shall have the meaning given to it in the Privacy Laws.

2. Background.

2.1  The Institution shall be the Data Controller and the Company shall be the Data Processor.

2.2  Both the Institution and the Company shall comply with their obligations under the Privacy Laws in relation to any Personal Data made available by the Institution, which the Company Processes under or for the purposes of this Agreement.


3. Purpose of Processing.

The Company shall Process the Personal Data on the Institution’s behalf to provide the following services as part of the Platform:

  1. enable direct communications between the Institution’s End Users;
  2. provide the Administrative Dashboard and Ambassador Panel for the Platform to the Institution, to include analytics and monitoring of activity on the Platform;
  3. enable the collection of supplementary information and Feedback on the use of the Platform by End Users;
  4. the Platform and communications may be available via a web API, the Company website, a mobile app, and other online communications mechanisms, and may include email and SMS notifications; and
  5. Personal Data, including supplementary data and conversational data will be collected via web-based sign-up forms, and via Chat, embedded within the Platform on the web API and the mobile app.


4. Data Subjects and Data Controlled.

4.1  Personal Data will be collected from and Processed for the following categories of Data Subjects: End Users, including Prospective Students, Ambassadors, and Institution Staff.

4.2  Personal Data collected from the Data Subjects identified above will include:

  1. Prospective Students: essential data – first name, last name, email address, encrypted password, country; additional data – the degree subject/level of interest (undergraduate/postgraduate), phone number, whether they have already applied to the Institution, and chat conversations and interactions with Ambassadors;
  2. Ambassadors: first name, last name, photo, phone number, email address, encrypted password, country/city/location, languages spoken, academic history (and previous high school; degree/university degree; degree level (undergraduate/postgraduate)); university year (1st, 2nd etc.), an ‘about me’ free text selection and chat conversations and interactions with Prospective Students; and
  3. Institution Staff: first name, last name, email address, encrypted password.

4.3  Personal Data collected about the Data Subjects in respect of all End Users includes:

  1. device-specific information, such as their hardware model, operating system version, unique device identifiers, and mobile network information;
  2. technical information about their computer or mobile device, including where available, their IP address, operating system and browser type, for system administration and analytical purposes; and
  3. details of their visits to the Company website, including the full Uniform Resource Locator (URL) clickstream to, through and from the Company website (including date and time), length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and details of whether they are using the Company website or the TruLeague widget.

Special categories of Personal Data (as such term is defined in the Privacy Laws) will not be Processed under this Agreement.

4.4  Personal Data will be processed or controlled only for the time necessary to enable the service to be provided and in accordance with the Privacy Policies of the Company and the Institution. Institution Staff and Ambassador data will be deleted or irreversibly anonymized within 30 days of an instruction by the Institution. Data Subjects may request unenrollment or deletion as per the terms of use by sending an email to support@truleague.com.

4.5  The default setting for the retention of Personal Data will be two years after the last interaction by the Data Subject. Variation of this setting will require a written instruction from the Institution and may be subject to the technical limitations of the Platform at the time of request.

4.6  The Platform is under continual development, and new features may include additional Data Subjects (such as Institution’s alumni) and additional Personal Data collected (such as further details about Institution Staff using the Platform). The Institution will be asked for written consent to add such additional features, and any such additional Processing will be accompanied by a revised Schedule 2 detailing the types and uses of the Personal Data.

4.7  When the Company directly receives requests from Data Subjects, or anyone acting on their behalf, to exercise their rights under Privacy Laws (“Data Subject Request”), and provided Company can reasonably identify from the information provided that such request relates to the Institution and/or Institution Personal Data, then unless prohibited by applicable law, Company will (a) promptly notify Institution of such request; and (b) not respond to any such request unless required by applicable law to which Company is subject, in which case Company will, to the extent permitted by applicable law, inform Institution of that legal requirement before responding to such request.

5. Data Processor and Data Controller Obligations.

5.1  In its capacity as a Data Processor, the Company shall, and shall require that any sub-contractors who Process Personal Data on its behalf shall:

  1. not Process Personal Data except as necessary to provide the services;
  2. only Process such Personal Data in accordance with this Agreement and only on the Institution’s written instructions;
  3. implement appropriate technical and organizational measures (as such term is defined in the Privacy Laws) to protect Personal Data against unauthorized or unlawful Processing and accidental loss, disclosure, access or damage, and comply with its Privacy Policy;
  4. assist the Institution in meeting its obligations as Data Controller to enable Data Subjects to exercise their rights, such as subject access requests, requests for rectification or erasure, or making objections to Processing;
  5. assist the Institution in its obligation to carry out data protection impact assessments (“DPIAs”) and in consulting with the relevant authority if the DPIA indicates an unmitigated high risk to Processing;
  6. notify the Institution immediately if it believes it has been given an instruction that does not comply with Privacy Laws;
  7. delete or return to the Institution all Personal Data upon request or on termination or expiry of this Agreement, unless otherwise required under applicable Privacy Laws;
  8. ensure that persons authorized to access Personal Data are subject to confidentiality obligations, whether by contract or statute;
  9. as soon as reasonably practicable, within the next 24 hours and no later than 72 hours, notify the Institution in writing of any actual or potential Personal Data Breach. The notice will specify (i) the categories and number of Data Subjects concerned, (ii) the categories and number of records involved, (iii) the likely consequences of the Personal Data Breach and (iv) any steps taken to mitigate and address the Personal Data Breach;
  10. transfer Personal Data in compliance with applicable Privacy Laws; and
  11. not subcontract any Processing of Personal Data under less protective terms and security standards than those secured under this Agreement. The Institution hereby grants Company a general authorization to engage sub-processors to Process Personal Data in order to provide the services contemplated by this Agreement without obtaining any further written, specific authorization from the Institution. The Institution hereby further authorizes the Company to use cloud service providers and hosting services, including but not limited to those detailed in the Company’s Privacy Policy.

The Institution shall ensure that it has all necessary consents and notices in place to enable the lawful transfer of the Personal Data to the Company and the Processing of the Personal Data by the Company in the manner described in this Agreement.

The Institution shall be solely responsible for any automated decision making it makes through use of the Platform and Services and shall ensure it implements suitable measures to safeguard the Data Subjects’ rights and freedoms.

The Institution must promptly notify the Company in the event of any withdrawal of any relevant consent by any Data Subject whose Personal Data is Processed pursuant to this Agreement, giving sufficient details of the withdrawal to enable the Company to comply with its obligations under the Privacy Laws.

Each party must immediately notify the other if it becomes aware of a complaint or allegation of breach of the Privacy Laws by any person or an investigation or enforcement action by a regulatory authority, in connection with this Agreement.

5.2  Subject to reasonable notice, the Company shall permit the Institution to monitor, inspect, interview, and audit the staff, facilities, data, documentation, systems, records, internal policies and controls and materials of the Company for the purpose of reviewing the Company’s compliance and ability to comply with the Privacy Laws and promptly give all access, copies of records, information and explanations to the Institution to undertake any such monitoring, inspection, interviews or audits.


6. The California Consumer Privacy Act 2018 (“CCPA”) and FERPA.

6.1  In the event that the CCPA should be deemed an applicable Privacy Law, this section addresses CCPA requirements, but should not be construed as a concession that the CCPA is an applicable Privacy Law to this Agreement. For the purposes of the CCPA, the Company does not sell Personal Data. For purposes of this section, the terms “sell” and “share” shall have the meaning given to them in the CCPA.

For the purposes of FERPA, the Company only processes minimal Education Records such as current degrees for current Ambassadors and study areas of interest for Prospective Students.

7. Personal Data Breaches and Reporting Procedures.

7.1  Each party shall comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) the affected Data Subjects under Article 33 of the GDPR and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify any Supervisory Authority or Data Subject(s).

7.2  The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.


8. Data Security.

Company will implement appropriate technical and organizational measures designed to safeguard Personal Data and to ensure the adequate protection of Personal Data, which measures shall address the requirements of the Privacy Laws.

Availability; Support Services

Availability.

Subject to the terms and conditions of these Terms, Company will use commercially reasonable efforts to make the Platform available with minimal downtime 24 hours a day, 7 days a week; provided, however, that the following are excepted from availability commitments: (a) planned downtime (with regard to which Company will use commercially reasonable efforts to provide at least 72 hours advance notice) and weekly maintenance times, or (b) any unavailability caused by circumstances enumerated under Section 16.10. Certain enhancements to the Platform made generally available at no cost to all customers during the applicable Term will be made available to Institution at no additional charge. However, the availability of some new enhancements to the Platform may require the payment of additional Fees, and Company will determine at its sole discretion whether access to any other such new enhancements will require an additional Fee. These Terms will apply to, and the Platform includes, any enhancements, updates, upgrades and new modules to the Platform provided in connection therewith and subsequently provided by Company to Institution hereunder.

Support

Company will provide Technical Support to Institution via both telephone and electronic mail on weekdays during the hours of 9:00 a.m. to 5:00 p.m. Eastern Standard Time, with the exclusion of Federal Holidays (“Support Hours”).

Institution may initiate a helpdesk ticket during Support Hours by calling 617-816-3973 or any time by emailing support@truleague.com.

Company will use commercially reasonable efforts to respond to all Helpdesk tickets within one (1) business day.

Unless agreed in an Order Form, technical support does not include any onsite support.


9. Mechanism of Data Transfers.

9.1  Any Data Transfer for the purpose of Processing by the Company (Data Processor) in a country outside the European Economic Area (the “EEA”) shall only take place in compliance with the transfer mechanisms detailed in Schedule 2 to this DPA.

9.2  Where the European Commission has adopted Standard Contractual Clauses (“SCCs”) for international data transfers, and such clauses have not been executed at the same time as this DPA, the Company shall not unduly withhold the execution of such Standard Contractual Clauses where the transfer of Personal Data outside of the EEA is required for the performance of the Agreement.

9.3  The Company shall ensure that any transfer of Personal Data to a third country or an international organization is subject to appropriate safeguards as described in Article 46 of the GDPR, which may include:

  1. Standard Contractual Clauses adopted by the European Commission;
  2. Binding Corporate Rules;
  3. An adequacy decision by the European Commission pursuant to Article 45 of the GDPR;
  4. Approved certification mechanisms together with binding and enforceable commitments; or
  5. Any other lawful transfer mechanism under applicable Privacy Laws.

9.4  The Company will conduct transfer impact assessments as required by applicable law and implement supplementary measures where necessary to ensure that the level of protection of Personal Data is not undermined by the transfer.

9.5  Upon request, the Company will provide the Institution with information about the safeguards in place for any international transfers of Personal Data.


10. Sub-processors.

10.1  The Company maintains written contractual controls with all third parties (sub-processors/service providers) that may Process or access Personal Data. These agreements typically include a Master Services Agreement and DPA (and where applicable, Standard Contractual Clauses), confidentiality obligations, security requirements, access limitation/least-privilege, breach notification, restrictions on use/disclosure (including no “selling” of data), data retention limits, and data return/deletion terms upon request or termination.

10.2  The following is a list of authorized sub-processors engaged by the Company to Process Personal Data on behalf of the Institution:

| Sub-processor | Purpose | Data Access |
|---|---|---|
| CometChat | In-app real-time messaging between prospects/students and ambassadors/staff. | Chat messages/content, participant identifiers (e.g., name/email or platform user ID), timestamps, and message metadata needed to deliver the chat experience. |
| Firebase (Google) | App/support services such as authentication support and/or notifications, crash/error reporting, and related telemetry (as configured). | Limited user/device identifiers (e.g., tokens), basic account identifiers as needed, and application event/diagnostic data. |
| Google Cloud (SSO + Maps services) | SSO: Enables Google-based authentication/SSO workflows where used. Maps/Geocoding: Supports location/map features where enabled. | SSO: Identity attributes required for login (e.g., name, email, unique identifier) and authentication tokens. Maps: Location queries and related technical metadata needed to render map functionality. |
| Google Analytics | Usage analytics to improve platform experience and performance. | Pseudonymous/aggregated usage data (e.g., page views, events, session/device information) as configured. |
| Microsoft Azure (incl. Outlook/Microsoft SSO) | Microsoft identity/SSO and Outlook/Office integration where enabled. | Identity attributes (e.g., name/email/unique identifiers), authorization tokens, and limited integration metadata required for the connection. |
| Azure OpenAI | AI features (e.g., summarization, recommendations, smart replies) within the platform. | Only the text/content submitted for inference and required context; governed by contractual and configuration controls limiting use to delivering the service. |
| SendGrid | Transactional email delivery (verification codes, alerts, notifications). | Email addresses, message content, and delivery metadata required to send emails (retention per configured settings/provider controls). |
| Geoapify | IP-based geolocation enrichment and related analytics/security use cases. | Public IP address and derived coarse geolocation results. |
| OpenAI (API services) | AI features (e.g., summarization, classification, drafting assistance) within the platform. | Only the text/content submitted for inference and required context; governed by contractual and configuration controls limiting use to delivering the service. |
| Hotjar | UX analytics (heatmaps/session insights) to improve usability and accessibility. | Pseudonymous interaction data and technical metadata; configured to minimize/avoid collection of sensitive fields where applicable. |
| UX Cam | Mobile App UX analytics (heatmaps/session insights) to improve usability and accessibility. | Pseudonymous interaction data and technical metadata; configured to minimize/avoid collection of sensitive fields where applicable. |
| Google Workspace (Mail) | Operational email communications (e.g., support, implementation coordination, system administration communications). | Email addresses and email content exchanged via mailboxes used for operations/support. |
| AWS (Amazon Web Services) | Core cloud infrastructure hosting for the TruLeague platform (compute, storage, databases, logging, security services). | Institutional data stored/processed in the platform as necessary to deliver the service (under strict access controls and monitoring). |
| Google Gemini | AI features within the platform. | Only the text/content submitted for inference and required context; governed by contractual and configuration controls limiting use to delivering the service. |
| Scrut Automation (SCRUT) | Security/compliance (evidence collection, control tracking, vendor/security documentation). | Primarily compliance/security documentation and limited business contact information; not intended for student record processing. |

10.3  Each sub-processor listed above is contractually bound to access/process only the minimum data required to perform its defined function, with security and confidentiality obligations, and with data minimization and retention controls aligned to institutional requirements.

10.4  The Company will notify the Institution of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Institution the opportunity to object to such changes. If the Institution does not object within thirty (30) days of receipt of such notice, the new sub-processor shall be deemed approved.

10.5  If the Institution objects to a new sub-processor on reasonable grounds relating to data protection, the parties shall discuss and seek to resolve the matter in good faith. If resolution cannot be achieved, the Institution may terminate the affected services without penalty.


Schedule 2

International Data Transfer Addendum

This Schedule 2 sets out the framework for data transfers outside the European Economic Area (“EEA”) in connection with the Data Processing Addendum (“DPA”).

1. Transfer Mechanisms

Where Personal Data originating from the EEA is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, the Company shall ensure that such transfers are conducted in compliance with one of the following mechanisms:

  1. The European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable);
  2. Binding Corporate Rules approved by a competent supervisory authority;
  3. Any other valid transfer mechanism approved under the GDPR.

2. Standard Contractual Clauses

Where Standard Contractual Clauses are used as the transfer mechanism:

  1. The parties agree to be bound by the Standard Contractual Clauses as set out in Commission Implementing Decision (EU) 2021/914;
  2. For transfers from the Institution (as data exporter) to the Company (as data importer), Module Two (Controller to Processor) shall apply;
  3. For onward transfers from the Company to sub-processors located outside the EEA, Module Three (Processor to Processor) shall apply;
  4. The optional clauses in Clause 7 (Docking Clause), Clause 11 (Redress), and Clause 17 (Governing Law) shall be included as applicable.

3. UK and Swiss Transfers

For transfers of Personal Data from the United Kingdom or Switzerland:

  1. The UK International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner) shall apply to transfers from the UK;
  2. The Swiss Federal Data Protection Act requirements shall be observed for transfers from Switzerland, including application of the Standard Contractual Clauses with necessary modifications.

4. Supplementary Measures

The Company shall implement supplementary technical and organizational measures as necessary to ensure that the transfer of Personal Data affords essentially equivalent protection to that guaranteed within the EEA. Such measures may include:

  1. Encryption of Personal Data in transit and at rest;
  2. Pseudonymization or anonymization where feasible;
  3. Strict access controls and authentication measures;
  4. Regular security assessments and audits.

5. Transfer Impact Assessments

Prior to any transfer to a third country, the Company shall conduct a transfer impact assessment to evaluate whether the destination country provides adequate protection, and shall document the supplementary measures implemented to address any identified risks.