This Data Protection Addendum (the “Addendum”) is between Parchment LLC, a Delaware limited liability company (referred to herein as “Parchment” or “Service Provider”) and the Parchment Member identified on the Order Form for the purchase of certain Parchment Services between the parties hereto (the “Agreement”), to which this Addendum is incorporated (referred to herein as the “Data Controller” or “Member”) and is effective as of the date last signed below (the “DPA”). The terms of this DPA are hereby incorporated by reference into the terms of the Agreement (defined below).
The parties seek to comply with the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, known as the EU General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”). CCPA and GDPR may each be referred to herein as “applicable data protection law”. This DPA shall apply and govern the processing of Personal Data solely to the extent that: 1) Parchment is a data processor or service provider under the terms of applicable data protection law; 2) Data Controller is subject to the applicable data protection law; and 3) Parchment performs processing of Personal Data under the Agreement.
- Definitions. The following terms in this DPA shall have the following meanings:
- “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this Addendum, provided that this Addendum applies only to personal information that Service Provider receives or accesses in connection with providing the Services to Member and shall not apply to personal information that Service Provider processes independent of the Services Agreement.
- “Contracted Business Purposes” means the services described in Service Agreement for which Parchment may receive or access personal information as defined in the CCPA and subject to the CCPA, or as otherwise instructed by Member.
- “data controller” refers to the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data, and for purposes of this DPA is identified above as the Data Controller;
- “data processor” refers to the natural or legal person which, alone or jointly with others, processes personal data on behalf of the data controller, and for the purposes of this DPA is Parchment;
- “data subject” shall have the meaning given to it in the applicable data protection laws;
- “technical and organisational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
- “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms have the same meaning as defined in applicable data protection law.
- “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Data Subject Personal Data.
- “processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “2021 Standard Contractual Clauses,” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
- “2010 Standard Contractual Clauses” means the annex found in the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of September 13, 2019 at data.europa.eu/eli/dec/2010/87/oj), completed as described in the “Data Transfers” section below.
- “sub-processor” means any data processor affiliate or subcontractor engaged by Parchment for the processing of Personal Data.
- Nature and Purpose of the Processing. The processing is being conducted solely for the purpose set forth in the Agreement for the applicable Parchment services detailed in the Agreement (the “Services”) and for the term of the Agreement, which may include fulfilling requests for transcripts and other credential-types and admissions-related documents, including the processing of orders to have a specific document or record sent from a record holder to a record recipient. Parchment has no obligation to monitor the compliance of Member’s use of the Services with applicable data protection law. The terms and conditions of the Agreement, including this DPA, along with Member’s configuration of any settings or options in the Services constitute Member’s complete and final instructions to Parchment regarding the processing of Personal Data, including for purposes of the Standard Contractual Clauses. Without limiting the foregoing:
- Parchment will not process the Personal Data in a manner inconsistent with Parchment’s role as Member’s “Service Provider” as such term is defined in the CCPA.
- Parchment will not “sell” the Personal Data, as such term is defined in the CCPA.
- Data Controllers. Data Controller provides a limited amount of its client and/or student user data to Parchment. The parties agree that all processing of Personal Data by Parchment and/or any Subprocessor will be performed only pursuant to the instructions from Data Controller as set forth in the Agreement. Parchment understands and agrees that Data Controller has the rights and obligations as set forth in the applicable clauses of the applicable data protection law.
- Obligations of Parchment.
Parchment, to the extent it is a data processor under the terms of this DPA and applicable data protection law, agrees:
- to process Personal Data only under the authority of and on behalf of the written instructions of Data Controller, including as set forth in the Agreement, unless required by law to act without or against such instructions, in such case Parchment shall inform the Data Controller immediately of such legal requirements unless Parchment is legally prohibited from doing so;
- to ensure that any persons authorized to process Personal Data have confidentiality obligations or are under appropriate fiduciary obligations of confidentiality;
- all Personal Data processed by Parchment will be stored in the United States;
- that it has implemented and maintains commercially appropriate technical and organisational security measures appropriate for the nature, scope and type of processing being performed in compliance with the applicable data protection law, and that it has reviewed the technical and organisational security measures of sub-processor (if any);
- to notify the Data Controller within 48 hours of confirmed knowledge by Parchment of any Personal Data Breach;
- to the extent Data Controller, in its use of the Services, does not have the ability to address a request regarding Personal Data directly, to provide reasonable assistance to Data Controller to allow it to respond to any request by a data subject seeking to exercise any of his or her rights under applicable data protection law (including rights of access, correction, objection, and erasure, as applicable);
- to provide reasonable assistance to Data Controller in complying with any legally binding requests related to Personal Data by a law enforcement authority unless otherwise prohibited, including in responding to a Personal Data Breach and complying with any applicable data breach notification laws in connection with a Personal Data Breach and to assist Data Controller with data protection impact assessments and consultations, when and if required;
- to abide by and cooperate with the requests of the supervisory authority in the EU with regard to the processing of Personal Data;
- to submit its data processing activities for audit by the Data Controller as required to reasonably demonstrate compliance with its obligations under Article 28 of the GDPR no more than once annually, provided that Data Controller or any third-party representative is bound by obligations of confidentiality for such audit information. For clarity, such audits or inspections are limited to Parchment’s processing of Personal Data subject to the GDPR on behalf of Data Controller only, not any other aspect of Parchment’s business or information systems or other members. Data Controller shall provide Parchment with sixty (60) days prior written notice of an audit, shall conduct an audit in a manner that will result in minimal disruption to Parchment’s business operations, and shall not be entitled to receive data or information of other members or any other confidential information that is not directly relevant for the authorized purposes of the audit. This provision does not grant Data Controller any right to conduct an on-site audit of Parchment’s premises. Data Controller shall reimburse Parchment for any reasonable time expended for an audit at Parchment’s then-current rates, which shall be made available to Data Controller upon request; and
- upon completion of the Services and request by the Data Controller, to destroy or return all Personal Data that has been provided to it by Data Controller from its primary systems, using industry standard methods for data destruction appropriate to the type of Personal Data provided.
- Sub-processors. Data Controller acknowledges and agrees that Parchment may engage sub-processors for the processing of Data Subject Personal Data in compliance with applicable law to provide the Services. Parchment shall provide Data Controller with a current list of sub-processors upon written request. Parchment will impose contractual obligations on any sub-processors that are substantially the same as the data protection obligations set forth in this DPA and will remain liable to Data Controller for sub-processors’ performance of such data protection obligations.
- Obligations of Data Controller. Data Controller agrees and represents and warrants to Parchment the following:
- that it has obtained all necessary rights and consents under applicable data protection law as required for Parchment to perform the Services under the Agreement or otherwise process any Personal Data as contemplated in this DPA;
- Data Controller will not instruct Parchment to process Personal Data in violation of applicable law. In the event that a change in legislation is likely to have a substantial adverse effect on the warranties and obligations provided by this DPA, Data Controller will promptly notify Parchment of such change, in which case Parchment is entitled to suspend the processing of the relevant sub-processors; and
- to implement and maintain data protection policies that are compliant with the applicable data protection law.
- Data Transfers
- To the extent legally required and when a legal derogation or a data transfer framework does not apply, with respect to Personal Data transferred from the EEA and Switzerland, the parties are deemed to have signed the 2021 Standard Contractual Clauses, which form part of this DPA and will be deemed completed as follows:
- Data Controller acts as exporter and controller and Parchment acts as processor and importer. Module 2 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Data Controller to Parchment;
- Clause 7 (the optional docking clause) is not included;
- Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Annex III. Parchment shall update that list and provide notice to Data Controller at least ten (10) days in advance of any intended additions or replacements of sub-processors.
- Under Clause 11, the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply;
- Under Clause 17, the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland;
- Under Clause 18, the parties select the courts of Ireland;
- Annex IA shall be completed with the parties set forth in the Agreement and shall be deemed executed by the parties upon execution of the Agreement. Annexes IB, II, and III of the 2021 Standard Contractual Clauses are set forth below.
- With respect to transfers of Personal Data that are subject to the Switzerland Federal Act on Data Protection (“FADP”), the 2021 Standard Contractual Clauses shall be deemed to have the following differences to the extent required by the FADP:
- References to the GDPR are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
- The term “member state” shall not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
- References to personal data in the New EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
- Under Annex I(C): Where the transfer is subject exclusively to the FADP, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner. Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the New EU SCCs insofar as the transfer is governed by the GDPR.
- Data Transfers Outside of the United Kingdom. To the extent that the Services involve a transfer of Personal Data from Data Controller in the United Kingdom to Parchment, which is processing Personal Data in the United States, for which UK Data Protection Law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, and a legal derogation or a data transfer framework does not apply, and where such law permits use of the 2010 Standard Contractual Clauses but does not permit use of the 2021 Standard Contractual Clauses, the Parties agree to be bound by the 2010 Standard Contractual Clauses, which form part of this DPA, take precedence over the rest of this DPA to the extent of any conflict, and shall be deemed completed as follows:
- Data Controller is the “Data Exporter” and Parchment is the “Data Importer”. Where Clause 9 of the 2010 Standard Contractual Clauses requires specification of the law that governs the Clauses, the parties select the law of the United Kingdom. The “illustrative indemnification clause” labelled “optional” is deemed stricken.
- The Data Subjects include students of Data Controller or customers of Data Controller, which may include students, alumni, or authorized users of such Data Controller.
- The purpose of the transfer is to allow Parchment to provide the Services.
- The categories of Personal Data include contact information, transcript data, credential data, enrollment verification, attendance records and other educational or identity information.
- The recipients of the Personal Data include Parchment employees or sub-processors that reasonably need to process the Data Subject Personal Data to perform the Services and recipients as directed by Data Controller or by the Data Subjects.
- Data importer will maintain industry standard administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services.
- Liability.
- The parties agree that nothing herein in this DPA or the Agreement relieves the Member of its respective responsibilities and liabilities under applicable data protection law.
- Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
- Member acknowledges that Parchment is reliant on Member for direction as to the extent to which Parchment is entitled to process Personal Data on behalf of Member in performance of the Services. Consequently, Parchment will not be liable under the Agreement for any claim brought by a data subject arising from any action or omission by Parchment, to the extent that such action or omission resulted from Member’s instructions or from Member’s failure to comply with its obligations under applicable data protection law. The parties agree that the liability of Parchment shall be limited to its own processing operations under this DPA and the Agreement. The parties agree that Parchment will not be liable for any damages arising out of or related to violations of applicable data protection law by the Data Controller related to Data Controller’s acts or omissions not related to the Services.
- Ratification. All other terms and conditions in the Agreement are ratified and remain in full force and effect. This DPA is an addendum to the Agreement and shall control and prevail to the extent of any conflict with the Agreement.
ANNEX I
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
- Students of Data Controller or customers of Data Controller, which may include students, alumni, or authorized users of such Data Controller
Categories of personal data transferred:
- Contact information, transcript data, credential data, enrollment verification, attendance records and other educational or identity information.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:
- None anticipated, but the Services do not impose a technical restriction on the categories of Personal Data above provided through the Service.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
- On a continuous basis during the Agreement.
Nature of the processing: The nature of the Processing is as set forth in the Agreement.
Purpose(s) of the data transfer and further processing:
- The purposes for the data transfer are set forth in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
- The data will be retained for the time period needed to accomplish the purposes of processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Transfers to subprocessors are for the same purposes as transfers to the processor.
- COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: Ireland Data Protection Commissioner
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Security Requirements
The Parties will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
Parties’ Information Security Program includes specific security requirements for its personnel and all subprocessors or agents who have access to Personal Data (“Data Personnel”). The security program covers the following areas:
- Information Security Policies and Standards. The Parties will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
- Physical Security. The Parties will maintain commercially reasonable security systems at all Party sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
- Organizational Security. The Parties will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
- Network Security. The Parties maintain commercially reasonable information security policies and procedures addressing network security.
- Access Control. The Parties agree that: (1) only authorized staff can grant, modify or revoke access to an information system that Processes Personal Data; and (2) the Parties will implement commercially reasonable physical and technical safeguards to create and protect passwords.
- Virus and Malware Controls. The Parties protect Personal Data from malicious code and will install and maintain anti-virus and malware protection software on all system endpoints that handle Personal Data and will maintain applicable controls on web servers.
- Personnel. The Parties have implemented and maintain a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
- Business Continuity. The Parties implement disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. The Parties also adjust the Information Security Program in light of new laws and circumstances, including as business and Processing change.
Annex III
List of Subprocessors
See current list of subprocessors available at www.parchment.com/subprocessors.