Data Processing Agreement

This Data Processing Addendum and its Annexes (this “DPA”) reflect the agreement of We Are Learning AS (“WeAre”) and Customer with respect to the Processing of Personal Data by WeAre on behalf of Customer in connection with the Services provided to Customer pursuant to (i) the standard online terms of service governing Customer’s use of the Services (the “Terms”), (ii) that certain Master Services Agreement (the “MSA”), (iii) an Order Form incorporating the Terms by reference, or (iv) such other agreement governing Customer’s use of the Services entered into between the parties (any such agreement referred to in this DPA as the “Agreement”). Capitalized terms not otherwise defined herein shall have the meanings given to such terms in the Agreement.

1. Definitions “California Personal Information” means Personal Data that is subject to the protection of the CCPA. "CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018). "Consumer", "Business", "Sell" and "Service Provider" will have the meanings given to them in the CCPA. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA; in each case as amended, repealed, consolidated or replaced from time to time. “Data Subject” means the individual to whom Personal Data relates. "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom. “European Data” means Personal Data that is subject to the protection of European Data Protection Laws. "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced. “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available). "Permitted Affiliates" means any of Customer’s Affiliates that (i) are permitted to use the Services pursuant to the Agreement, but have not signed their own separate agreement with WeAre and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by WeAre, and (iii) are subject to European Data Protection Laws. “Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data; and (ii) is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by WeAre and/or WeAre’s Sub-Processors in connection with the provision of the Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en, as may be amended, superseded or replaced. “Sub-Processor” means any Processor engaged by WeAre or WeAre’s Affiliates to assist in fulfilling WeAre’s obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or WeAre’s Affiliates but will exclude any WeAre employee or consultant. “UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.
2. ScopeThis DPA is supplemental to, and forms an integral part of, the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. Further, the provisions of the Standard Contractual Clauses, where applicable, will take precedence over the terms of this DPA to the extent of such conflict or inconsistency over this DPA to the extent of any discrepancy between the two. This DPA becomes effective from the effective date of the Agreement, or, if this DPA is separately executed, the late last signed below (“Effective Date”) and remains in effect for as long as WeAre Processes Customer Personal Data pursuant to the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
3. Customer Responsibilities Within the scope of the Agreement and in its use of the Services, Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws (including obtaining all necessary consents, permissions and rights) with respect to its lawful Processing of Personal Data and the Instructions it issues to WeAre.Customer shall not issue Instructions that would cause WeAre to Process Customer Personal Data in violation of Data Protection Laws. The parties agree that the Agreement (including this DPA), together with Customer’s use of the Service in accordance with the Agreement, constitute Customer’s complete Instructions to WeAre in relation to the Processing of Personal Data, provided that Customer may provide additional instructions during the subscription term that are consistent with the Agreement and the nature and lawful use of the Services Customer is responsible for making an independent determination as to whether its use of the Services will meet Customer’s requirements and legal obligations under Data Protection Laws. WeAre shall have no obligation to assess the contents or accuracy of Customer Personal Data.
4. WeAre Obligations Compliance with Instructions. WeAre will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by applicable law. WeAre is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to WeAre. Conflict of Laws. If WeAre becomes aware that WeAre cannot Process Personal Data in accordance with Customer’s Instructions due to a legal requirement under any applicable law, including European Data Protection Laws, WeAre will (i) promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions with which WeAre is able to legally comply. If this provision is invoked, WeAre will not be liable to Customer under the Agreement for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing. Security. WeAre takes appropriate technical and organizational measures to ensure an adequate level of protection for Customer Personal Data corresponding to the risk of the respective Processing including those described under Annex 2 to this DPA ("Security Measures"). Such Security Measures are in consideration of the state of the art, implementation costs and the type, scope, circumstances, and aims of the Processing as well as the varying likelihood and severity of risk to the rights and freedoms of Data Subjects. Notwithstanding any provision to the contrary, WeAre may modify or update the Security Measures at WeAre’s discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures. Customer has assessed the Security Measures offered by WeAre to meet the standards required by Data Protection Laws as of the Effective Date. Confidentiality. WeAre will ensure that any personnel whom WeAre authorizes to Process Personal Data on WeAre’s behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data. Personal Data Breaches. WeAre will notify Customer without undue delay after WeAre becomes aware of any Personal Data Breach and, in any case, where feasible, within 72 hours after becoming aware, so as to facilitate the Parties’ compliance with Data Protection Laws. WeAre will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, WeAre will, without undue delay, promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws. Deletion or Return of Personal Data. WeAre will delete or return all Personal Data Processed pursuant to this DPA, on termination or expiration of Customer’s Services in accordance with the Agreement, except where WeAre is required by applicable law to retain some or all of the Personal Data. WeAre may retain Customer Personal Data after termination of the Agreement only to the extent and for such period as required by Data Protection Laws. Any Customer Personal Data retained by WeAre under this section shall be Processed in compliance with the terms of this DPA and shall only be Processed as necessary for the purposes specified in the Data Protection Laws requiring its retention.
5. Data Subject Requests The Services provides Customer with a number of controls that Customer can use to retrieve, correct, delete or restrict Personal Data, which Customer can use to assist it in connection with its obligations under Data Protection Laws, including Customer’s obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests"). To the extent that Customer is unable to independently address a Data Subject Request through the Services, then upon Customer’s written request WeAre will provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. Customer will reimburse WeAre for the commercially reasonable costs arising from this assistance to the extent permitted by applicable Data Protection Laws. If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to WeAre, WeAre will not respond to such request but will instead forward such request to Customer without undue delay. Customer will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data. If a Data Subject has a right to data portability with respect to Customer Personal Data, WeAre will ensure that Customer can obtain such data in a structured, common and machine-readable format.
6. Sub-Processors Customer agrees WeAre may engage Sub-Processors to Process Personal Data on Customer’s behalf in accordance with this Section. Customer agrees that WeAre has currently appointed and may continue to use, as Sub-Processors, the third parties and/or WeAre Affiliates listed in Annex 3 to this DPA (the “Sub-Processor List”), subject to WeAre’s compliance with this Section regarding such Sub-Processors. Prior to adding any new or replacing any Sub-Processor on the Sub-Processor List, WeAre shall notify Customer of those changes by email. The Customer shall have the right to object to any such engagement for reasonable and material reasons by sending WeAre a written notice objecting to the engagement of such new Sub-Processor. If Customer fails to object to such change within this time, Customer is deemed to have consented to such change. Where a reasonable and material basis for such objection exists and an amicable resolution fail after discussing Customer’s concerns in good faith, WeAre will, at WeAre’s sole discretion, either not appoint the new Sub-Processor, or the Customer may, as its sole and exclusive remedy, provide written notice to WeAre terminating the Order Form with respect to those aspects of the service which cannot be provided by WeAre without the use of the new Sub-Processor. WeAre will refund Customer any prepaid fees of such Service Order pro-rata from the effective date of such termination with respect to the Services so terminated. The parties agree that by complying with this Section 6.3, WeAre fulfills its obligations under Sections 9 of the Standard Contractual Clauses. Where WeAre engages Sub-Processors, WeAre will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. WeAre will remain responsible for each Sub- Processor’s compliance with the obligations of this DPA and shall be liable for any acts or omissions of such Sub-Processor.
7. Data Transfers. Customer acknowledges and agrees that WeAre may access and Process Personal Data as necessary to provide the Services in accordance with the Agreement. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
8. Additional Provisions for European Data Scope. This 'Additional Provisions for European Data' section will apply only with respect to European Data. Roles of the Parties. When Processing European Data in accordance with Customer’s Instructions, the parties acknowledge and agree that Customer is the Controller of European Data and WeAre is the Processor. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to WeAre, and Customer does not otherwise have access to the required information, WeAre will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with the applicable supervisory or other competent data privacy authorities to the extent required by European Data Protection Laws. Transfer Mechanisms for Data Transfers.WeAre will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.If any Personal Data transfer between Customer and WeAre requires execution of Standard Contractual Clauses in order to comply with Section 8.4.1 above and European Data Protection Laws (where Customer is the Data Exporter), the parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows:EEA Transfers. In relation to European Data that is subject to the GDPR (i) Customer is the "data exporter" and WeAre is the "data importer"; (ii) the Module Two terms apply to the extent the Customer is a Controller of European Data and the Module Three terms apply to the extent the Customer is a Processor of European Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the Agreement or, if such section does not specify an EU Member State, shall be determined in accordance with applicable European Data Protection Laws; (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (viii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.UK Transfers. In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “either Party may terminate the UK Addendum in accordance with Section 19 of the UK Addendum if the Parties are unable to come to a mutual agreement after a good faith effort to amend this DPA to account for changes arising from a revised Approved Addendum issued by the ICO”; (iii) Part 2 Mandatory Clauses. The Mandatory Clauses of the Approved Addendum, (being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses) shall apply; and (iv) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum. Swiss Transfers. In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "the Swiss Federal Data Protection and Information Commissioner " and the "relevant courts in Switzerland".Audit/Demonstration of Compliance.WeAre will make all information reasonably necessary to demonstrate compliance with this DPA available to Customer and allow for and contribute to audits, including inspections conducted by Customer’s auditor in order to assess compliance with this DPA. WeAre will not unreasonably withhold or delay agreement to an auditor selected by Customer. Customer acknowledges and agrees that Customer will primarily exercise Customer’s audit rights under this DPA and Clause 8.9 of the Standard Contractual Clauses by Customer reviewing and inspecting (subject to reasonable confidentiality undertakings): (i) audit reports resulting from penetration tests performed by an independent third-party information security expert; (ii) WeAre’s most recent GDPR Maturity Assessment; and (iii) where available, audit reports resulting from an audit performed by an independent third-party information security expert for WeAre’s hosting Sub-Processors. In connection with any such audits, Customer will take all reasonable endeavors to minimize disruption to WeAre’s business. Customer hereby instructs WeAre to perform audits for purposes of privacy compliance under this DPA as described in this Section 8.5.2. If Customer wishes to alter its above instructions concerning audits, Customer will issue a suggestion for altered audit instructions to WeAre in writing reasonably in advance of the requested audit. Customer will take all reasonable endeavors to minimize disruption to WeAre’s business. The audit and any information arising therefrom shall be considered WeAre’s Confidential Information and may only be shared with a third-party with WeAre’s prior written agreement Customer will not exercise this right more than once per calendar year unless (i) Customer has reasonable grounds to suspect non-compliance with the DPA or (ii) Customer is required to carry out an audit by European Data Protection Laws, a supervisory authority or any similar regulatory authority responsible for enforcement of such laws; or (iii) if an earlier audit has identified non-conformity with this DPA or European Data Protection Laws. Customer shall bear the costs of any audits under this Section 8.5, except to the extent otherwise required by applicable Data Protection Laws or to the extent such audit discloses any material non-compliance with WeAre’s obligations under this Agreement. Nothing herein limits any rights mandated by law, such as supervisory authority and Data Subject rights, including in accordance with the Standard Contractual Clauses.
9. Additional Provisions for California Personal Information Scope. The 'Additional Provisions for California Personal Information' section of the DPA will apply only with respect to California Personal Information. Roles of the Parties. When processing California Personal Information in accordance with Customer’s Instructions, the parties acknowledge and agree that Customer is a Business and WeAre is a Service Provider for the purposes of the CCPA. Responsibilities. The parties agree that WeAre will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services and Consulting Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA, including as described in WeAre’s Privacy Policy.
10. General Provisions Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, WeAre reserves the right to make updates and changes to this DPA and the terms of the ‘Amendment; No Waiver’ section of the Terms will apply. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected. Limitation of Liability. Each Party and each of its Affiliates’ liability, taken in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses where applicable), whether in contract, tort or under any other theory of liability, are subject to the limitations and exclusions of liability set out in the Agreement. Governing Law. This DPA will be governed by and construed in accordance with the Agreement, unless required otherwise by applicable Data Protection Laws.
11. Parties to this DPA Permitted Affiliates. By signing the Agreement, Customer enters into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of Customer’s self and in the name and on behalf of Customer’s Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” will include Customer and such Permitted Affiliates. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates, or, if Customer is an individual, Customer represents that they are of legal age and capacity to enter into this Agreement and form a binding and enforceable contract under applicable law. Remedies. The parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with WeAre under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.