Last updated
February 27, 2024
This Data Processing Addendum (“Addendum” or
“DPA”) supplements the SchoolTracs Terms of Service
(available at https://www.schooltracs.com/appterms.html), as updated
from time to time between SchoolTracs and Customer governing the
Customer’s use of the Service(s) (the “Agreement”).
This DPA is an agreement between you and entity you represent
(“Customer”, “you” or
“your”) and SchoolTracs Limited
(“SchoolTracs”, “we”,
“our” or “us”). SchoolTracs and
Customer shall be referred together as the
“Parties” and each, a
“Party.”
Applicable Data Protection Laws (defined below) may impose certain
obligations on persons processing Personal Data. This Addendum
illustrates how SchoolTracs will process Customer Personal Data
(defined below) under Applicable Data Protections Laws and is hereby
incorporated by reference into each Agreement. Except as modified
below, the terms of the Agreement shall remain in full force and
effect to the extent they are not inconsistent with this Addendum.
The terms of the Addendum shall otherwise supersede any such
inconsistent terms under the Agreement.
In consideration of the mutual obligations set out in this
Addendum, the parties agree that the terms and conditions set out
below shall be added as an Addendum to the Agreement.
1.1 In this Addendum, the following terms shall have the meanings
set out below and similar terms shall be construed
accordingly:
1.1.1 “Anonymized Data” means anonymized,
de-identified and/or aggregated data that cannot reasonably
identify a Data Subject and is not considered Personal Data under
Applicable Data Protection Laws.
1.1.2 “Applicable Data Protection Laws” means
all applicable domestic and international legislation and
regulations relating to data protection and privacy including the
Hong Kong Personal Data (Privacy) Ordinance.
1.1.3 “Customer Personal Data” means the
Personal Data received from the Customer and processed by a
Contracted Processor on behalf of the Customer pursuant to or in
connection with the Agreement.
1.1.4 “Contracted Processor” means a Processor
or a Subprocessor.
1.1.5 “Controller” means a controller, business,
organization or other like terms under Applicable Data Protection
Laws which is a natural or legal person, public authority, agency
or other body which, alone or jointly with others, determines the
purposes and means of processing of Personal Data.
1.1.6 “Data Breach” means a breach of security
leading to the accidental or unlawful destruction, loss,
alternation, unauthorized disclosure of, or access to, Customer
Personal Data transmitted, stored or otherwise processed by the
Processor, and also includes like terms as defined under
Applicable Data Protection Laws.
1.1.7 “Data Subject Requests” means requests to
exercise data privacy rights under Applicable Data Protection
Laws, including the right to access, correct, and opt-out to
certain processing of Personal Data.
1.1.8 “Personal Data” means any information
relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural
or social identity of that natural person. Personal Data also
includes information referred to as “personally identifiable
information” or “personal information” under Applicable Data
Protection Laws.
1.1.9 “Process” or "Processing"
means the collection, use, access, processing, transfer,
disclosure, retention, storage and handling of Personal
Data;
1.1.10 “Processor” means a processor, service
provider, contractor or other like terms under Applicable Data
Protection Laws to mean a natural or legal person, public
authority, agency or other body that processes Personal Data on
behalf of a Controller or a Controller makes available to for
processing.
1.1.11 “Restricted Transfer” means (a) a
transfer of Customer Personal Data from the Customer to a
Contracted Processor or (b) an onward transfer of Customer
Personal Data from a Contracted Processor to a Contracted
Processor, or between two establishments of a Contracted Processor
in each case, where such transfer would be prohibited by
Applicable Data Protection Laws (or by the terms of data transfer
agreements put in place to address the data transfer restrictions
of Applicable Data Protection Laws) in the absence of adequate
protections, as provided under Applicable Data Protection
Laws.
1.1.12 “Regulator” means the supervisory
authority, state attorney general or other domestic and
international government authority responsible for investigating
and enforcing Applicable Data Protection Laws.
1.1.13 “Subprocessor” means a subprocessor,
subcontractor or other like terms under Applicable Data Protection
Laws to mean any natural or legal person appointed by or on behalf
of the Processor to process Customer Personal Data on behalf of
the Customer in connection with the Agreement.
2.1 Customer instructs SchoolTracs to Process, and SchoolTracs
shall Process, Customer Personal Data only for the limited and
specified purposes described herein and according to the
Agreement, except for where Processing is required by laws,
applicable to SchoolTracs, relevant regulatory authorities or
courts of competent jurisdiction, in which case SchoolTracs shall
to the extent permitted by such laws, relevant regulatory
authorities or courts of competent jurisdiction inform the
Customer of that requirement before the relevant Processing.
2.2 Customer shall only provide instructions to SchoolTracs that
comply with Applicable Data Protection Laws and Customer
represents and warrants that SchoolTracs’s processing of Customer
Personal Data in accordance with Customer’s instructions shall not
cause SchoolTracs to be in breach of any Applicable Data
Protection Laws.
3. Scope of Data Processing
3.1 Subject Matter: The subject matter of the
Processing under this DPA is the Customer Personal Data.
3.2 Duration. The duration of the data
processing under this DPA is until the termination of the
Agreement in accordance with its terms.
3.3 Purpose. The Purpose of the Processing under
this DPA is the provision of the Service(s) to Customer.
3.4 Nature of the processing. Arrangement,
computation, storage and other Processing necessary for providing
the Service(s) described in the Agreement.
3.5 Type of Customer Personal Data. Customer
Personal Data uploaded to the SchoolTracs Course Management System
by Customer and its employees and agents.
3.6 Categories of data subjects: Customer may
submit Customer Personal Data to the Service(s), the extent of
which is determined and controlled by Customer in its sole
discretion, and which may include, but is not limited to, Personal
Data relating to customers and employees of the Customer.
4. Compliance with Applicable Data Protection Laws
4.1 The Parties shall comply with their respective obligations
under Applicable Data Protection Laws. If SchoolTracs cannot meet
its obligations under this Addendum for any reason, SchoolTracs
shall promptly inform the Customer of its inability to comply in
writing, in which case the Parties shall negotiate in good faith
alternative processing, and if no other alternative processing is
commercially reasonable to any Party , either Party may
immediately suspend any processing and/or terminate, in whole or
in part, the Agreement and this Addendum pursuant to the
Agreement.
4.2 The Customer warrants, represents and agrees that:
4.2.1 it has made and shall maintain throughout the term of the
Agreement all necessary rights, permissions, registrations and
consents in accordance with and as required by Applicable Data
Protection Laws as it requires in respect of SchoolTracs’
Processing of the Customer Personal Data under the Agreement;
4.2.2 it is entitled to transfer the Customer Personal Data to
SchoolTracs so that SchoolTracs may lawfully use, Process and
transfer the Customer Personal Data for the purpose set out
herein;
4.2.3 all relevant third parties, including the applicable Data
Subjects have been notified of, and have given their consent to
the Processing of Customer Personal Data by SchoolTracs, to the
extent required by and in accordance with the Applicable Data
Protection Laws; and
4.2.4 SchoolTracs’s Processing of the Customer Personal Data is
based on legal grounds for Processing as may be required from time
to time by Applicable Data Protection Laws.
5. Security of Processing
5.1 SchoolTracs shall maintain appropriate technical and
organizational measures and security procedures and practices to
process Customer Personal Data, as set out in Annex I of this DPA.
5.2 Customer is responsible for reviewing the information made
available by SchoolTracs relating to data security and making an
independent determination as to whether the Service(s) meet
Customer’s requirements and legal obligations under Applicable
Data Protection Laws.
6. Notification of Data Breach
6.1 SchoolTracs shall without undue delay notify Customer once it
becomes aware of any Data Breach involving Customer Personal Data.
SchoolTracs may assist Customer as reasonably necessary to meet
its obligations in relation to providing notice of a Data Breach
involving Customer Personal Data under Applicable Data Protection
Laws, at Customer’s sole cost.
6.2 Customer is solely responsible for complying with data breach
notification laws applicable to Customer and fulfilling any
third-party notification obligations related to any Data
Breach(s).
7. Duty of Confidentiality
7.1 SchoolTracs shall ensure that any employees authorized to
process Customer Personal Data are subject to an appropriate duty
or statutory obligation of confidentiality.
8.1 SchoolTracs shall provide written responses (on a
confidential basis) to all reasonable requests for information
made by Customer related to its Processing of Customer Personal
Data, including responses to information security and audit
questionnaires that are necessary to confirm SchoolTracs’
compliance with this Addendum, provided that Customer shall not
exercise this right more than once per year, except that this
right may also be exercised in the event Customer is expressly
requested or required to provide this information to a Regulator,
or SchoolTracs has experienced a data breach, or other reasonably
similar basis.
9. SchoolTracs Assistance to Customer
9.1 Taking into account the nature of processing and the
information available to SchoolTracs, SchoolTracs shall provide
commercially reasonable assistance to Customer to comply with the
obligations under Applicable Data Protection Laws, including Data
Subject Requests, Data Protection Impact Assessments and
responding to any Regulator request, investigation or legal
action, at the Customer’s sole cost.
9.2 SchoolTracs shall notify Customer in the event it receives
any Data Subject Request which SchoolTracs is legally obligated to
comply with. To the extent permitted by Applicable Data Protection
Laws, SchoolTracs shall obtain written consent and instructions
from Customer prior to responding to such Data Subject Request.
9.3 Any data collected pursuant to data analytics or monitoring
carried out by SchoolTracs in connection with the provision of the
Service(s) to Customer or otherwise connected with Customer’s use
of the Service(s) may include Personal Data, which Customer hereby
authorizes SchoolTracs to use.
10.1 SchoolTracs has Customer’s general authorization for the
engagement of Subprocessors to process Customer Personal Data on
the Customer’s behalf. The Subprocessors currently engaged by
SchoolTracs and authorized by the Customer are listed in Annex II
.
10.2 SchoolTracs shall enter into a contract with each of its
Subprocessors whereby Subprocessors are bound by contractual data
protection obligations with respect to Customer Personal Data that
are no less onerous than, those contained in this Addendum.
11. International Transfers of Customer Personal Data
11.1 Customer authorises SchoolTracs (and authorises SchoolTracs
to instruct each Subprocessor) to Process the Customer Personal
Data and transfer the Customer Personal Data to any country or
territory, as reasonably necessary for the provision of the
Service(s) under the Agreement and warrants and represents that it
is and will at all relevant times remain duly and effectively
authorised to give the authorisation set out in this Paragraph
11.1 on behalf of any other party on whose behalf Customer acts.
12. Termination, Return or Delete Personal Data
12.1 SchoolTracs will enable Customer to delete Customer Personal
Data during the Term of the Agreement in a manner consistent with
the functionality of the Service.
12.2 The termination or expiration of the Agreement for any
reason shall cause simultaneous termination of this Addendum.
12.3 For one hundred and eighty (180) days following termination
or expiration of the Agreement, Customer shall have the option to
retrieve any remaining Customer Personal Data in accordance with
the Agreement. Thereafter, Customer instructs SchoolTracs to
automatically delete all remaining Customer Personal Data
12.4 SchoolTracs shall not be required to delete Customer
Personal Data (i) to the extent SchoolTracs is required by
applicable law or order of a Regulator to retain some or all of
the Customer Personal Data; (ii) to the extent it is not
commercially reasonable for SchoolTracs to remove Customer
Personal Data from archive or other backup media, SchoolTracs may
retain Customer Personal Data on such media in accordance with its
backup or other disaster recovery procedures. In such event,
SchoolTracs shall continue to comply with the confidentiality and
privacy obligations hereunder until it is no longer in possession
of Customer Personal Data; and (iii) SchoolTracs may retain
Anonymized Data for its own business purposes.
ANNEX 1 : TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE
SECURITY OF THE DATA
This document outlines the technical and organizational measures
implemented by SchoolTracs Ltd to ensure the protection of personal
data processed on behalf of our clients. These measures are designed
to safeguard data against unauthorized or unlawful processing and
against accidental loss, destruction, or damage.
1. Data Processing and Security:
● Data Encryption: Implementing encryption for data in transit and
at rest.
● Access Control: Maintaining strict access control to prevent
unauthorized access to data.
2. Operational Security:
● Network Security: Employing robust network security measures to
protect data.
● Regular Monitoring: Conducting regular monitoring of systems to
detect and address vulnerabilities.
● Incident Response: Maintaining an effective incident response
plan for addressing data breaches or security incidents.
3. Employee Training and Confidentiality:
● Confidentiality Agreements: Ensuring that all employees with
access to sensitive data sign confidentiality agreements.
4. Physical Security:
● Data Center Security: Ensuring the security of physical data
centers and server rooms.
● Access Restrictions: Restricting physical access to critical data
processing facilities.
5. Data Integrity and Resilience:
● Backup and Recovery: Implementing backup and recovery procedures
to ensure data integrity and resilience.
ANNEX 2 : LIST OF SUB-PROCESSORS
| Entity Name |
Corporate Location |
Description of Processing Activities
|
| Amazon Web Services (AWS) |
Seattle, Washington, USA |
Hosting of application servers, databases, and data storage on
AWS EC2, ECS, and RDS services.
|
| Stripe |
San Francisco, California, USA |
Payment processing services for online transactions.
|
| Hotjar |
St Julian's, Malta |
User behavior tracking and analytics for website improvement.
|
| Google Analytics |
Mountain View, California, USA |
Web analytics service for tracking and reporting website
traffic.
|
| Sentry |
San Francisco, California, USA |
Real-time error tracking and monitoring for applications.
|
| Twilio |
San Francisco, California, USA |
Communication services for sending SMS, emails, and voice
messages.
|
| Zendesk (Sell, Support) |
San Francisco, California, USA |
Customer service software and sales CRM for customer support
and engagement.
|
| Zapier |
San Francisco, California, USA |
Automation of workflows by connecting apps and services.
|
| Google Cloud |
Mountain View, California, USA |
Cloud services for sending push notifications and messaging.
|