Data Protection Addendum

This Data Protection Addendum (the “Addendum”) is between Parchment LLC, a Delaware limited liability company (referred to herein as “Parchment” or “Service Provider”) and the Parchment Member identified on the Order Form for the purchase of certain Parchment Services between the parties hereto (the “Agreement”), to which this Addendum is incorporated (referred to herein as the “Data Controller” or “Member”) and is effective as of the date last signed below (the “DPA”). The terms of this DPA are hereby incorporated by reference into the terms of the Agreement (defined below).

The parties seek to comply with the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the fee movement of such data, and repealing Directive 95/46/EC, known as the EU General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”) CCPA and GDPR may each be referred to herein as “applicable data protection law”. This DPA shall apply and govern the processing of Personal Data solely to the extent that: 1) Parchment is a data processor or service provider under the terms of applicable data protection law; 2) Data Controller is subject to the applicable data protection law; and 3) Parchment performs processing of Personal Data under the Agreement.

  1. Definitions. The following terms in this DPA shall have the following meanings:
    1. “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this Addendum, provided that this Addendum applies to only to personal information that Service Provider receives or accesses in connection with providing the Services to Member and shall not apply to personal information that Service Provider processes independent of the Services Agreement.
    2. “Contracted Business Purposes” means the services described in Service Agreement for which Parchment may receive or access personal information as defined in the CCPA and subject to the CCPA, or as otherwise instructed by Member.
    3. “data controller” refers to the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data, and for purposes of this DPA is identified above as the Data Controller;
    4. “data processor” refers to the natural or legal person which, alone or jointly with others, processes personal data on behalf of the data controller, and for the purposes of this DPA is Parchment;
    5. “data subject” shall have the meaning given to it in the applicable data protection laws;
    6. “technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
    7. “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms have the same meaning as defined in applicable data protection law.
    8. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, EU Data Subject Personal Data.
    9. “processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    10. “Standard Contractual Clauses” means the annex found in the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of September 13, 2019 at, completed as described in the “Data Transfers” section below.
    11. “sub-processor” means any data processor affiliate or subcontractor engaged by Parchment for the processing of Personal Data.
  2. Nature and Purpose of the Processing. The processing is being conducted solely for the purpose set forth in the Agreement for the applicable Parchment services detailed in the Agreement (the “Services”) and for the term of the Agreement, which may include fulfilling requests for transcripts and other credential-types and admissions-related documents, including the processing of orders to have a specific document or record sent from a record holder to a record recipient. Parchment has no obligation to monitor the compliance of Member’s use of the Services with applicable data protection law. The terms and conditions of the Agreement, including this DPA, along with Member’s configuration of any settings or options in the Services constitute Member’s complete and final instructions to Parchment regarding the processing of Personal Data, including for purposes of the Standard Contractual Clauses. Without limiting the foregoing:
      1. Parchment will not process the Personal Data in a manner inconsistent with Parchment’s role as Member’s “Service Provider” as such term is defined in the CCPA.
      2. Parchment will not “sell” the Personal Data, as such term is defined in the CCPA.
  3. Data Controllers. Data Controller provides a limited amount of its client and/or student user data to Parchment. The parties agree that all processing of Personal Data by Parchment and/or any Subprocessor will be performed only pursuant to the instructions from Data Controller as set forth in the Agreement. Parchment understands and agrees that Data Controller has the rights and obligations as set forth in the applicable clauses of the applicable data protection law.
  4. Obligations of Parchment. Parchment, to the extent it is a data processor under the terms of this DPA and applicable data protection law, agrees:
      1. to process Personal Data only under the authority of and on behalf of the written instructions of Data Controller, including as set forth in the Agreement, unless required by law to act without or against such instructions, in such case Parchment shall inform the Data Controller immediately of such legal requirements unless Parchment is legally prohibited from doing so;
      2. to ensure that any persons authorized to process Personal Data have confidentiality obligations or are under appropriate fiduciary obligations of confidentiality;
      3. all Personal Data processed by Parchment will be stored in the United States;
      4. that it has implemented and maintains commercially appropriate technical and organisational security measures appropriate for the nature, scope and type of processing being performed in compliance with the applicable data protection law, and that it has reviewed the technical and organisational security measures of sub-processor (if any);
      5. to notify the Data Controller within 48 hours of confirmed knowledge by Parchment of any Personal Data Breach;
      6. to the extent Data Controller, in its use of the Services, does not have the ability to address an request regarding Personal Data directly, to provide reasonable assistance to Data Controller to allow it to respond to any request by an data subject seeking to exercise any of his or her rights under applicable data protection law (including rights of access, correction, objection, and erasure, as applicable);
      7. to provide reasonable assistance to Data Controller in complying with any legally binding requests related to Personal Data by a law enforcement authority unless otherwise prohibited, including in responding to a Personal Data Breach and complying with any applicable data breach notification laws in connection with a Personal Data Breach and to assist Data Controller with data protection impact assessments and consultations, when and if required;
      8. to abide by and cooperate with the requests of the supervisory authority in the EU with regard to the processing of Personal Data;
      9. to submit its data processing activities for audit by the Data Controller as required to reasonably demonstrate compliance with its obligations under Article 28 of the GDPR no more than once annually, provided that Data Controller or any third-party representative is bound by obligations of confidentiality for such audit information.  For clarity, such audits or inspections are limited to Parchment’s processing of Personal Data subject to the GDPR on behalf of Data Controller only, not any other aspect of Parchment’s business or information systems or other members. Data Controller shall provide Parchment with sixty (60) days prior written notice to an audit, shall conduct an audit in a manner that will result in minimal disruption to Parchment’s business operations, and shall not be entitled to receive data or information of other members or any other confidential information that is not directly relevant for the authorized purposes of the audit. This provision does not grant Data Controller any right to conduct an on-site audit of Parchment’s premises. Data Controller shall reimburse Parchment for any reasonable time expended for an audit at the Parchment’s then-current rates, which shall be made available to Data Controller upon request.; and
        upon completion of the Services and request by the Data Controller, to destroy or return all Personal Data that has been provided to it by Data Controller from its primary systems, using industry standard methods for data destruction appropriate to the type of Personal Data provided.
  5. Sub-processors. Data Controller acknowledges and agrees that Parchment may engage sub-processors for the processing of EU Data Subject Personal Data in compliance with applicable law to provide the Services.  Parchment shall provide Data Controller with a current list of sub-processors upon written request. Parchment will impose contractual obligations on any sub-processors that are substantially the same as the data protection obligations set forth in this DPA and will remain liable to Data Controller for sub-processors performance of such data protection obligations;
  6. Obligations of Data Controller. Data Controller agrees and represents and warrants to Parchment the following:
      1. that it has obtained all necessary rights and consents under applicable data protection law as required for Parchment to perform the Services under the Agreement or otherwise process any Personal Data as contemplated in this DPA;
      2. Data Controller will not instruct Parchment to process Personal Data in violation of applicable law. In the event of a change in the legislation is likely to have a substantial adverse effect on the warranties and obligations provided by this DPA, Data Controller will promptly notify Parchment of such change, in which case Parchment is entitled to suspend the processing of the relevant sub-processors; and to implement and maintain data protection policies that are compliant with the applicable data protection law.
  7. Data Transfers
        1. Data Transfers Outside of the EU.  To the extent that the Services involve a transfer ofcPersonal Data from Data Controller in the United Kingdom, EEA or Switzerland to Parchment, which is processing Personal Data in the United States, and a legal derogration or a data transfer framework does not apply, the Parties agree to be bound by the standard contractual clauses for the transfer of Personal Data to processors established in third countries (Commission Decision 2010/87/EU) (“Standard Contractual Clauses”) available here  If there is a conflict between the Standard Contractual Clauses and the Agreement, the Standard Contractual Clauses will prevail.  For purposes of the Standard Contractual Clauses:
          1. The clauses shall be governed by the laws of the jurisdiction from which the data is exported.
          2. Data Controller is the “Data Exporter” and Parchment is the “Data Importer”.
          3. The EU Data Subjects include students of Data Controller or customers of Data Controller, which may include students, alumni, or authorized users of such Data Controller.
          4. The purpose of the transfer is to allow the Parchment to provide the Services.
          5. The categories of Personal Data include contact information, transcript data, credential data, enrollment verification, attendance records and other educational or identity information.
          6. The recipients of the Personal Data include Parchment employees or sub-processors that reasonably need to process the EU Data Subject Personal Data to perform the Services and recipients as directed by Data Controller or by the EU Data Subjects.
          7. Data importer will maintain industry standard administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the SCC Services.
  8. Liability
            1. The parties agree that nothing herein in this DPA or the Agreement relieves the Member of its respective responsibilities and liabilities under applicable data protection law.
            2. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
            3. Member acknowledges that Parchment is reliant on Member for direction as to the extent to which Parchment is entitled to process Personal Data on behalf of Member in performance of the Services. Consequently, Parchment will not be liability under the Agreement for any claim brought by a data subject arising from any action or omission by Parchment, to the extent that such action or omission resulted from Member’s instructions or from Member’s failure to comply with its obligations under applicable data protection law. The parties agree that the liability of Parchment shall be limited to its own processing operations under this DPA and the Agreement. The parties agree that Parchment will not be liable for any damages arising out of or related to violations of applicable data protection law by the Data Controller related to Data Conroller’s acts or omissions not related to the Services.
  9. Ratification. All other terms and conditions in the Agreement are ratified and remain in full force and effect. This DPA is an addendum to the Agreement and shall control and prevail to the extent of any conflict with the Agreement.