Schedule 1

Data Processing Addendum

1. Definitions

“Data Controller” shall mean the entity which alone or jointly with others determines the purposes and means of the Processing of Personal Data. In the Agreement, the Institution is the Data Controller.

“Data Discloser” means the entity or individual that discloses or shares Personal Data with another party.

“Data Processor” shall mean the entity that Processes Personal Data on behalf and under the instruction of the Data Controller. In the Agreement, the Company is the Data Processor.

“Data Receiver” means the entity or individual that receives Personal Data from the Data Discloser.

“Data Subject” means the individual who is the subject of Personal Data.

“Education Records” means records that are directly related to a student and maintained by an educational institution or agency.

“Personal Data” means information that Institution provides or for which Institution provides access to the Company or information which the Company creates or obtains on behalf of Institution, in accordance with this Agreement that: (i) directly or indirectly identifies an individual including, for example, names, signatures, addresses, telephone numbers, email addresses, and other unique identifiers; or (ii) can be used to authenticate an individual including, without limitation, passwords or PINs, user identification and account access credentials or passwords, answers to security questions, and other personal identifiers. The Institution’s business contact information is not by itself Personal Data.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Privacy Laws” means any applicable law, regulation, or other legal requirement governing the relationship between the Institution and the Company and the services provided under the Agreement, including but not limited to the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and the Family Educational and Privacy Rights Act (“FERPA”).

“Processing” or “Process” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Shared” means any data that is transferred by any means between Company and the Institution.

“Supervisory Authority” shall have the meaning given to it in the Privacy Laws.

2. Background.

2.1  The Institution shall be the Data Controller and the Company shall be the Data Processor.

2.2  Both the Institution and the Company shall comply with their obligations under the Privacy Laws in relation to any Personal Data made available by the Institution, which the Company Processes under or for the purposes of this Agreement.

 

3. Purpose of Processing.

The Company shall Process the Personal Data on the Institution’s behalf to provide the following services as part of the Platform:

  1. enable direct communications between the Institution’s End Users;
  2. provide the Administrative Dashboard and Ambassador Panel for the Platform to the Institution, to include analytics and monitoring of activity on the Platform;
  3. enable the collection of supplementary information and Feedback on the use of the Platform by End Users;
  4. the Platform and communications may be available via a web API, the Company website, a mobile app, and other online communications mechanisms, and may include email and SMS notifications; and
  5. Personal Data, including supplementary data and conversational data will be collected via web-based sign-up forms, and via Chat, embedded within the Platform on the web API and the mobile app.

 

4. Data Subjects and Data Controlled.

4.1  Personal Data will be collected from and Processed for the following categories of Data Subjects: End Users, including Prospective Students, Ambassadors, and Institution Staff.

4.2  Personal Data collected from the Data Subjects identified above will include:

  1. Prospective Students: essential data – first name, last name, email address, encrypted password, country; additional data – the degree subject/level of interest (undergraduate/postgraduate), phone number, whether they have already applied to the Institution, and chat conversations and interactions with Ambassadors;
  2. Ambassadors: first name, last name, photo, phone number, email address, encrypted password, country/city/location, languages spoken, academic history (and previous high school; degree/university degree; degree level (undergraduate/postgraduate)); university year (1st, 2nd etc.), an ‘about me’ free text selection and chat conversations and interactions with Prospective Students; and
  3. Institution Staff: first name, last name, email address, encrypted password.

4.3  Personal Data collected about the Data Subjects in respect of all End Users includes:

  1. device-specific information, such as their hardware model, operating system version, unique device identifiers, and mobile network information;
  2. technical information about their computer or mobile device, including where available, their IP address, operating system and browser type, for system administration and analytical purposes; and
  3. details of their visits to the Company website, including the full Uniform Resource Locators (URL) clickstream to, through and from the Company website (including date and time), length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and details of whether they are using the Company website or the TruLeague widget.

Special categories of Personal Data (as such term is defined in the Privacy Laws) will not be Processed under this Agreement.

4.4  Personal Data will be processed or controlled only for the time necessary to enable the service to be provided and in accordance with the Privacy Policies of the Company and the Institution. Institution Staff and Ambassador data will be deleted or irreversibly anonymized within 30 days of an instruction by the Institution. Data Subjects may request unenrollment or deletion as per the terms of use by sending an email to support@truleague.com.

4.5  The default setting for the retention of Personal Data will be two years after the last interaction by the Data Subject. Variation of this setting will require a written instruction from the Institution and may be subject to the technical limitations of the Platform at the time of request.

4.6  The Platform is under continual development, and new features may include additional Data Subjects (such as Institution’s alumni) and additional Personal Data collected (such as further details about Institution Staff using the Platform). The Institution will be asked for written consent to add such additional features, and any such additional Processing will be accompanied by a revised Schedule 2 detailing the types and uses of the Personal Data.

4.7  When the Company directly receives requests from Data Subjects, or anyone acting on their behalf, to exercise their rights under Privacy Laws (“Data Subject Request”), and provided Company can reasonably identify from the information provided that such request relates to the Institution and/or Institution Personal Data, then unless prohibited by applicable law, Company will (a) promptly notify Institution of such request; and (b) not respond to any such request unless required by applicable law to which Company is subject, in which case Company will, to the extent permitted by applicable law, inform Institution of that legal requirement before responding to such request.

5. Data Processor and Data Controller Obligations.

5.1  In its capacity as a Data Processor, the Company shall, and shall require that any sub-contractors who Process Personal Data on its behalf shall:

  1. not Process Personal Data except as necessary to provide the services;
  2. only Process such Personal Data in accordance with this Agreement and only on the Institution’s written instructions;
  3. implement appropriate technical and organizational measures (as such term is defined in the Privacy Laws) to protect Personal Data against unauthorized or unlawful Processing and accidental loss, disclosure, access or damage; comply with its Privacy Policy;
  4. assist the Institution in meeting its obligations as Data Controller to enable Data Subjects to exercise their rights, such as subject access requests, requests for rectification or erasure, or making objections to Processing;
  5. assist the Institution in its obligation to carry out data protection impact assessments (“DPIAs”) and in consulting with the relevant authority if the DPIA indicates an unmitigated high risk to Processing;
  6. notify the Institution immediately if it believes it has been given an instruction that does not comply with Privacy Laws;
  7. delete or return to the Institution all Personal Data upon request or on termination or expiry of this Agreement, unless otherwise required under applicable Privacy Laws;
  8. ensure that persons authorized to access Personal Data are subject to confidentiality obligations, whether by contract or statute;
  9. as soon as reasonably practicable, within the next 24 hours and no later than 72 hours, notify the Institution in writing of any actual or potential Personal Data Breach. The notice will specify (i) the categories and number of Data Subjects concerned, (ii) the categories and number of records involved, (iii) the likely consequences of the Personal Data Breach and (iv) any steps taken to mitigate and address the Personal Data Breach;
  10. transfer Personal Data in compliance with applicable Privacy Laws; and
  11. not subcontract any Processing of Personal Data under less protective terms and security standards than those secured under this Agreement. The Institution hereby grants the Company a general authorization to engage sub-processors to Process Personal Data in order to provide the services contemplated by this Agreement without obtaining any further written, specific authorization from the Institution. The Institution hereby further authorizes the Company to use cloud service providers and hosting services, including but not limited to those detailed in the Company’s Privacy Policy.

The Institution shall ensure that it has all necessary consents and notices in place to enable the lawful transfer of the Personal Data to the Company and the Processing of the Personal Data by the Company in the manner described in this Agreement.

The Institution shall be solely responsible for any automated decision making it makes through use of the Platform and Services and shall ensure it implements suitable measures to safeguard the Data Subjects’ rights and freedoms.

The Institution must promptly notify the Company in the event of any withdrawal of any relevant consent by any Data Subject whose Personal Data is Processed pursuant to this Agreement, giving sufficient details of the withdrawal to enable the Company to comply with its obligations under the Privacy Laws.

Each party must immediately notify the other if it becomes aware of a complaint or allegation of breach of the Privacy Laws by any person or an investigation or enforcement action by a regulatory authority, in connection with this Agreement.

5.2  Subject to reasonable notice, the Company shall permit the Institution to monitor, inspect, interview, and audit the staff, facilities, data, documentation, systems, records, internal policies and controls and materials of the Company for the purpose of reviewing the Company’s compliance and ability to comply with the Privacy Laws and promptly give all access, copies of records, information and explanations to the Institution to undertake any such monitoring, inspection, interviews or audits.

 

6. The California Consumer Privacy Act 2018 (“CCPA”) and FERPA.

6.1  In the event that the CCPA should be deemed an applicable Privacy Law, this section addresses CCPA requirements, but should not be construed as a concession that the CCPA is an applicable Privacy Law to this Agreement. For the purposes of the CCPA, the Company does not sell Personal Data. For purposes of this section, the terms “sell” and “share” shall have the meaning given to them in the CCPA.

For the purposes of FERPA, the Company only processes minimal Education Records such as current degrees for current Ambassadors and study areas of interest for Prospective Students.

7. Personal Data Breaches and Reporting Procedures.

7.1  Each party shall comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) the affected Data Subjects under Article 33 of the GDPR and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify any Supervisory Authority or Data Subject(s).

7.2  The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

 

8. Data Security.

Company will implement appropriate technical and organizational measures designed to safeguard Personal Data and to ensure the adequate protection of Personal Data, which measures shall address the requirements of the Privacy Laws.

Availability; Support Services

Availability.

Subject to the terms and conditions of these Terms, Company will use commercially reasonable efforts to make the Platform available with minimal downtime 24 hours a day, 7 days a week; provided, however, that the following are excepted from availability commitments: (a) planned downtime (with regard to which Company will use commercially reasonable efforts to provide at least 72 hours advance notice) and weekly maintenance times, or (b) any unavailability caused by circumstances enumerated under Section 16.10. Certain enhancements to the Platform made generally available at no cost to all customers during the applicable Term will be made available to Institution at no additional charge. However, the availability of some new enhancements to the Platform may require the payment of additional Fees, and Company will determine at its sole discretion whether access to any other such new enhancements will require an additional Fee. These Terms will apply to, and the Platform includes, any enhancements, updates, upgrades and new modules to the Platform provided in connection therewith, subsequently provided by Company to Institution hereunder.

Support

Company will provide Technical Support to Institution via both telephone and electronic mail on weekdays during the hours of 9:00 a.m. to 5:00 p.m. Eastern Standard Time, with the exclusion of Federal Holidays (“Support Hours”).

Institution may initiate a helpdesk ticket during Support Hours by calling 617-816-3973 or any time by emailing support@truleague.com.

Company will use commercially reasonable efforts to respond to all Helpdesk tickets within one (1) business day.

Unless agreed in an Order Form, technical support does not include any onsite support.