Effective Aug. 27, 2020
This Data Processing Agreement (“DPA”) is incorporated by reference into the subscription license agreement (the “License Agreement”) between Respondus, Inc. (“Respondus”) and Licensee (as defined below) for Licensee’s access to and use of Respondus Service(s) (as defined below) and related technical support to Licensee as if completely set forth therein. This DPA reflects the parties’ agreement with respect to the processing and security of Personal Data (also referred to as Personal Information in the License Agreement) from or about Licensee’s students (“Students”) under the License Agreement (“Licensee Data”).
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
“Agreement” means this Data Processing Agreement and all Annexes.
“Applicable Data Protection Law” means
(i) GDPR and any applicable national data protection laws, as may be amended or superseded from time to time;
(ii) All applicable law about the processing of personal data and privacy.
“Controller,” “Processor,” “Data Subject,” “Personal Data,” and “Processing” shall have the meanings given in Applicable Data Protection Law.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Licensee” means the Customer institution that is purchasing a license to operate the Respondus Service.
“Licensee Data” means data, including Personal Data, for which the Licensee is the Controller.
“Privacy Shield” means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C (2016)4176 of July 12, 2016.
“Security Incident” means a breach of Respondus’ security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Licensee Data.
“Service” or “Respondus Service” means the services provided pursuant to a subscription to one or more of the following Respondus products: LockDown Browser and Respondus Monitor. A further description of each Service can be found in the Documentation.
“Standard Contractual Clauses” means Annex 1, attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.
“Sub-Processor” means any third-party Processors engaged directly by Respondus to assist with Respondus’ processing of Licensee Data.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
Relationship of the Parties
The parties acknowledge and agree that under the License Agreement, Licensee is the Controller and Respondus is a Processor, appointed to process the Licensee Data on the Licensee’s behalf. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
Licensee uses the Services to monitor certain activities of its Students, and in doing so it gathers the Licensee Data regarding its Students. The parties acknowledge that Licensee Data contains Personal Data under the Applicable Data Protection Law. Respondus stores and processes some of the Licensee Data on its servers as part of the Services. The Licensee maintains and controls all access to the Licensee Data in its account, and Respondus has access only by virtue of maintaining the servers and providing the software for the Services. The nature of the processing and the type of data processed is described in the Documentation and the duration of the processing is the term specified in the Documentation. Respondus agrees that it will not access any Licensee Data except (i) as necessary for the operation of the Services, as described in the Documentation and (ii) as expressly permitted by the Licensee (together, the “Permitted Purpose”), except where otherwise required by any law applicable to the Licensee.
The parties agree that this DPA and the Documentation constitute Licensee’s documented instructions regarding Respondus’ processing of Licensee Data (“Documented Instructions”). Respondus shall Process Licensee Data on behalf of and only in accordance with Documented Instructions for the following purposes: (i) Processing in accordance with the Documentation; (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Licensee (e.g., via email) where such instructions are consistent with the terms of the Agreement.
Confidentiality of Licensee Data
Respondus shall treat Licensee Data as Confidential Information. Respondus will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If compelled to disclose Licensee Data to a governmental body, then Respondus will give Licensee reasonable notice of the demand to allow Licensee to seek a protective order or other appropriate remedy unless Respondus is legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this section varies or modifies the Standard Contractual Clauses.
Confidentiality of Respondus Personnel
Respondus will ensure that its personnel engaged in the processing of Licensee Data (i) will process such data only on Documented Instructions from Licensee or as described in this DPA, and (ii) will be obligated to maintain the confidentiality and security of such data. Respondus shall impose appropriate obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security. Respondus shall provide periodic data privacy and security training and awareness to its employees with access to Licensee Data, in accordance with applicable Data Protection Requirements and industry standards.
Respondus shall implement and maintain appropriate technical and organizational measures to protect the Licensee Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the nature, likelihood and severity of the risk to the rights and freedoms of natural persons. Such measures shall include, as appropriate:
a) the pseudonymization or encryption of personal data;
b) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Licensee Data (including any Personal Data therein) in transit over public networks between Licensee and Respondus, or between Respondus data centers, is encrypted.
Respondus also encrypts Licensee Data stored at rest in its hosting servers.
Licensee acknowledges that Respondus’ servers that host the Services are controlled and operated by a third-party hosting provider and that such provider is a Sub-Processor under the Applicable Data Protection Law. Licensee hereby consents to Respondus appointing Amazon Web Services (“AWS”) as such a Sub-Processor. Respondus may change or appoint additional Sub-Processors by posting notice (including the identity and details of the processing to be performed) at the following URL: web.respondus.com/privacy/subprocessors/. Respondus shall impose data protection terms on any Sub-Processor that are consistent with the terms of this DPA and the Applicable Data Protection Laws. If Licensee declines to consent to Respondus’ appointment of a Sub-Processor, Licensee may elect to suspend or terminate the License Agreement and this DPA, subject to payment of all fees due for services rendered.
Licensee acknowledges that Respondus' servers are located outside of the European Economic Area ("EEA") and that the Licensee Data will be transferred outside of the EEA as part of the Services. Licensee is responsible to establish the legal basis for such transfer. To facilitate the transfer, the parties shall take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Licensee Data to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
Cooperation and Data Subjects’ Rights
During the Term, Respondus shall provide reasonable assistance to Licensee to respond to (a) a request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, inquiry or complaint received from a Data Subject, regulator or third party in connection with the processing of the Licensee Data as required under Applicable Data Protection Law.
Respondus shall notify the Licensee immediately if it considers that any of the Licensee's instructions infringe the Applicable Data Protection Law.
Should a Data Subject contact Respondus with regard to access, correction or deletion of its personal data (or any other rights under Applicable Data Protection Law), Respondus shall promptly inform the Licensee, and in any case no later than two (2) business days after receipt of any Data Subject requests which identify the Licensee to be contacted, by sending a written notice and attaching a copy of the request sent by the Data Subject; the Licensee authorizes Respondus to inform the Data Subject that Subject’s request was forwarded to the Licensee. If the Data Subject request does not identify the sender’s Data Controller, Respondus will send Data Subject a generic reply with instructions to contact their Data Controller with their request.
To the extent permissible by law, Respondus shall promptly inform the Licensee, and in any case no later than (2) business days after receipt of any communication from (a) a Supervisory Authority in connection with Personal Data processed under this Agreement, or (b) any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law.
Data Protection Impact Assessment
Upon Licensee’s written request and to the extent that Licensee does not otherwise have access to the relevant information and the information is available to Respondus, Respondus shall provide Licensee with reasonable assistance (at Licensee’s cost) needed to fulfill the Licensee’s obligations under the Applicable Data Protection Law to carry out a data protection impact assessment related to Licensee’s use of the Service. Such assistance may include:
A systematic description of the envisaged processing operations and the purpose of the processing;
An assessment of the necessity and proportionality of the processing operations in relation to the Services; and
The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
To the extent necessary, Respondus shall provide reasonable assistance to the Licensee in the consultation with its relevant Supervisory Authority.
If Respondus becomes aware of an actual Security Incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Licensee Data, Respondus will: (a) notify Licensee of the Security Incident without undue delay; (b) take appropriate steps to identify the cause of the Security Incident, minimize harm and secure the Licensee Data; and (c) provide Licensee with information as may be reasonably necessary to assist Licensee with its notification and reporting responsibilities.
The obligation for Respondus to notify under this clause shall include the provision of further information to the Licensee in phases, as details become available.
Respondus will not evaluate the contents of the Licensee Data to identify any specific reporting or other legal obligations that are applicable to the Licensee. Any and all regulatory and/or Data Subject reporting obligations related to the Security Incident are the responsibility of the Licensee. Respondus’ notification of or response to a Security Incident under this DPA will not be construed as an acknowledgement by Respondus of any liability or fault with respect to the Security Incident.
Records of Processing
Respondus shall maintain a written record, even digitally, of all Processing carried out on behalf of the Licensee, in accordance with the provisions under Article 30 of the GDPR. Upon request, and at the expense of the Licensee, Respondus shall also provide an extract, whether complete or partial, of the record.
The Licensee may make such record available to the Supervisory Authority.
Respondus shall maintain complete and accurate records and information to demonstrate its compliance with this DPA and shall make such records available for audit by Licensee or any regulatory authority having jurisdiction. In particular, Respondus shall respond to written audit questions submitted by Licensee or the Licensee’s designated auditor related to Respondus’ processing and protection of Licensee Data. Licensee shall not exercise this right more than one time per year, and all audits shall be performed at Licensee’s expense.
At all times during the Term, Licensee will have the ability to access the Licensee Data.
Respondus will retain Licensee Data for the period of time described in the Documentation. If the subscription is terminated, Respondus will disable Licensee’s access to the Licensee Data. Access can be restored within the retention period by reinstating a valid subscription. The Licensee Data will be deleted at the end of the retention period, unless Respondus is permitted or required by applicable law, or authorized under this DPA, to retain such data.
Upon completion of the processing-related services and/or upon termination of all Processing activities, for any reason, and in any case, no later than the expiry date of this Appointment, and contingent upon the request of the Licensee, Respondus shall destroy all Personal Data processed on behalf of the Licensee, unless a further period of time is provided for the storage of Personal Data under a provision of applicable law. Upon request, Respondus shall provide a written statement confirming the erasure of the Licensee Data along with the erasure all existing copies of the Licensee Data, within and no later than 7 (seven) days from the deletion of the Licensee Data.
US Privacy Shield
Respondus will provide at least the same level of protection for the Licensee Data as is required under the Privacy Shield, and shall promptly notify Licensee if it makes a determination that it can no longer provide this level of protection. In such event, or if Licensee otherwise reasonably believes that Respondus is not protecting the Licensee Data as required under the Privacy Shield, Licensee may either: (a) instruct Respondus to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event Respondus shall promptly cooperate with Licensee in good faith to identify, agree and implement such steps: or (b) terminate this DPA and the Agreement without penalty by giving notice to Respondus.
Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.
The Licensee may send notifications and communications under the terms of the DPA to Respondus at the following email address: [email protected]
Notifications and communications by Respondus to the Licensee will be sent via email to the License Administrator registered with Respondus, or as designated by the Licensee.
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity indentified as “Licensee” in the DPA
(the data exporter)
PO Box 3247, Redmond, WA 98073, USA
Tel: +1 425 497 0389
E-mail: [email protected]
(the data importer)
each a ‘party’; together ‘the parties’,
have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.