This Version is Effective October 2, 2018
This Data Processing Agreement ("DPA"), forms part of the subscription license agreement (the "License Agreement") between Respondus, Inc. ("Respondus") and Licensee (as defined below) for Licensee's access to and use of Respondus Service(s) (as defined below) and related technical support to Licensee. This DPA reflects the parties' agreement with respect to the processing and security of Personal Data (also referred to as Personal Information in the License Agreement) from or about Licensee's students and other persons ("Students") under the License Agreement ("Licensee Data").
1. Definitions and interpretation
1.1. In this DPA, the following terms shall have the following meanings:
"Applicable Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR") and (ii) any and all applicable national data protection laws made under or pursuant to (i); in each case as may be amended or superseded from time to time.
"Controller," "Processor," "Data Subject," "Personal Data," and "Processing" (and "Process") shall have the meanings given in Applicable Data Protection Law.
"Documentation" means the License Agreement and/or Terms of Service and the User Guide for each Service as provided by Respondus to each Licensee and found at the Respondus website, https://respondus.com/
"Licensee" means the entity that entered into the License Agreement with Respondus for the Respondus Service.
"Privacy Shield" means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C (2016)4176 of July 12, 2016.
"Service" or "Respondus Service" means the services provided pursuant to a subscription to one or more of the following Respondus products: LockDown Browser, Respondus Monitor and StudyMate Campus. A further description of each Service can be found in the Documentation.
"Subprocessor" means any third-party Processors engaged directly by Respondus to assist with Respondus' processing of Licensee Data.
"Security Incident" means "Personal Data Breach" as defined under the GDPR.
1.2. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement or in the Applicable Data Protection Law.
2. Data Protection
2.1. Relationship of the parties. The parties acknowledge and agree that under the License Agreement, Licensee is the Data Controller and Respondus is a Data Processor, appointed to process the Licensee Data on Licensee's behalf. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
2.2. Purpose and background. Licensee uses the Services to monitor certain activities of its Students and in doing so it gathers the Licensee Data regarding its Students. The parties acknowledge that Licensee Data comprises Personal Data under the Applicable Data Protection Law. Respondus stores and processes some of the Licensee Data on its servers as part of the Services. The Licensee maintains and controls all access to the Licensee Data in its account, and Respondus has access only by virtue of maintaining the servers and providing the software for the Services. The nature of the processing and the type of data processed is described in Documentation and the duration of the processing is the term specified in the License Agreement. Respondus agrees that it will not access any Licensee Data except (i) as necessary for the operation of the Services, as described in the Documentation and (ii) as expressly permitted by the Licensee (together, the "Permitted Purpose"), except where otherwise required by any law applicable to Licensee. Respondus may, however, de-identify Licensee Data ("De-Identified Data") and may process De-Identified Data to maintain and improve the Services.
2.3. International transfers. Licensee acknowledges that Respondus' servers are located outside of the European Economic Area ("EEA") and that the Licensee Data will be transferred outside of the EEA as part of the Services. Licensee is responsible to inform and obtain consent from all Students for such transfer. To facilitate such consent, the parties shall take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Licensee Data to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
2.4. Security. Respondus shall implement appropriate technical and organizational measures to protect the Licensee Data from unlawful processing and/or a Security Incident. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the nature, likelihood and severity of the risk to the rights and freedoms of natural persons. Such measures shall include, as appropriate:
(a) the pseudonymization or encryption of personal data;
(b) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
2.5 Privacy Shield. Respondus will provide at least the same level of protection for the Licensee Data as is required under the Privacy Shield, and shall promptly notify Licensee if it makes a determination that it can no longer provide this level of protection. In such event, or if Licensee otherwise reasonably believes that Respondus is not protecting the Licensee Data as required under the Privacy Shield, Licensee may either: (a) instruct Respondus to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event Respondus shall promptly cooperate with Licensee in good faith to identify, agree and implement such steps; or (b) terminate this DPA and the Agreement without penalty by giving notice to Respondus.
2.6 Respondus Personnel. Respondus shall ensure that any person that it authorizes to process the Licensee Data (including Respondus' staff, agents and subcontractors) (an "Authorized Person") shall be subject to a legally-binding duty of confidentiality. Respondus shall ensure that all Authorized Persons maintain the security of all Licensee Data and process the Licensee Data only as necessary for the Permitted Purpose.
2.7. Subprocessing. Licensee acknowledges that Respondus' servers that house the Services are controlled and operated by a third party hosting provider and that such provider is a Subprocessor under the Applicable Data Protection Law. Licensee hereby consents to Respondus appointing Amazon Web Services ("AWS") as such a Subprocessor. Respondus may change or appoint additional Subprocessors by posting notice (including the identity and details of the processing to be performed) at the following URL: web.respondus.com/privacy/subprocessors/. Respondus shall impose data protection terms on any Subprocessor that are consistent with the terms of this DPA and the Applicable Data Protection Laws. Respondus remains fully liable for any breach of this DPA by an act, error or omission of its Subprocessor. If Licensee declines to consent to Respondus' appointment of a Subprocessor, Licensee may elect to suspend or terminate the License Agreement and this DPA, subject to payment of all fees due for services rendered.
3. Cooperation and data subjects' rights
3.1. Assistance. During the Term, Respondus shall provide reasonable assistance to Licensee to respond to (a) any request from a data subject to exercise any of its rights under GDPR (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Licensee Data as required under the GDPR.
3.2. Direct Requests. If Respondus receives any requests from a data subject related to Licensee Data, Respondus shall advise the data subject to provide such request directly to the Licensee, and Licensee shall be responsible for responding to such request.
3.3. Data Protection Impact Assessment. Upon Licensee's written request and to the extent that Licensee does not otherwise have access to the relevant information and the information is available to Respondus, Respondus shall provide Licensee with reasonable assistance (at Licensee's cost) needed to fulfill the Licensee's obligations under the GDPR to carry out a data protection impact assessment related to Licensee's use of the Service. To the extent necessary, Respondus shall provide reasonable assistance to the Licensee in the consultation with its relevant data protection authority.
4. Security incidents
If Respondus becomes aware of an actual Security Incident that involves Licensee Data, Respondus will: (a) notify Licensee of the Security Incident without undue delay; (b) take appropriate steps to identify the cause of the Security Incident, minimize harm and secure the Licensee Data; and (c) provide Licensee with information as may be reasonably necessary to assist Licensee with its notification and reporting responsibilities. Respondus will not evaluate the contents of the Licensee Data to identify any specific reporting or other legal obligations that are applicable to the Licensee. Any and all regulatory and/or data subject reporting obligations related to the Security Incident are the responsibility of the Licensee. Respondus' notification of or response to a Security Incident under this DPA will not be construed as an acknowledgement by Respondus of any liability or fault with respect to the Security Incident.
5. Deletion or return of Licensee Data.
At Licensee's election, Respondus shall destroy all Licensee Data in its possession or control (including in the possession of any Subprocessor) in accordance with Respondus' data retention and destruction procedures and timeframes, unless otherwise agreed with Licensee. This requirement shall not apply: (a) to the extent that Respondus is required by law to retain some or all of the Licensee Data, in which event Respondus shall isolate and protect the Licensee Data from any further processing except to the extent required by such law or (b) to any data stored on back-ups, provided that such data will be destroyed in accordance with Respondus' standard destruction policies for back-up data.
Respondus shall maintain complete and accurate records and information to demonstrate its compliance with this DPA and shall make such records available for audit by Licensee or any regulatory authority having jurisdiction. In particular, Respondus shall respond to written audit questions submitted by Licensee related to Respondus' processing and protection of Licensee Data. Licensee shall not exercise this right more than once per year. Respondus will immediately inform Licensee if it believes that any Licensee instruction violates the Applicable Data Protection Law.
7. Legal Disclosures.
If Respondus is required by any legal or regulatory proceeding or requirement, to disclose any Licensee Data, it will provide Licensee with notice and a copy of the demand as soon as practicable, unless it is legally prohibited from doing so.