Data Processing Addendum
Last Updated Date: May 17, 2018
This Data Processing Addendum (the ”DPA” or ”Addendum”) forms part of GoGuardian’s joint GoGuardian Products Terms of Service and End User License Agreement (available at https://www.goguardian.com/eula.html) (”EULA”) between your Organization (or the ”School”) if the School is located in the European Union (”EU”), European Economic Area (”EEA”), or Switzerland, and Liminex, Inc. doing business as GoGuardian (”GoGuardian”). For purposes of this DPA, the School in this DPA shall be ascribed the same meaning as your Organization in the EULA.
In the event of any conflict between this DPA and the EULA with regard to the processing of Personal Data, this DPA will control to the extent of the conflict. All capitalized terms used but not defined in this DPA shall have the meaning ascribed to them in the EULA. For avoidance of doubt, this DPA shall not apply to Organizations, Schools or GoGuardian customers located outside of the EEA or Switzerland.
In the course of providing our Products under the EULA, GoGuardian may Process certain Personal Data (as such term is defined below) on behalf of the School, and where GoGuardian Processes Personal Data on behalf of the School, the parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
- ”Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- ”Data Protection Laws” means all laws and regulations, including laws and binding regulations of the EU, the EEA and their Member States (including the GDPR) and Switzerland, applicable to the Processing of Personal Data under the EULA.
- ”Data Subject” means the identified or identifiable person to whom Personal Data relates.
- ”GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- ”Notification Email Address” means the email address of the designated school official for the School.
- ”Personal Data” means any information that relates to an identified or identifiable natural person (i.e. the Data Subject), to the extent that such information is protected as personal data under applicable Data Protection Laws and is submitted by the School or its students (”School Data”) through the Products.
- ”Process” or ”Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ”Processor” means the entity which Processes Personal Data on behalf of the Controller.
- ”Security Measures” has the meaning given in Section 5.1.
- ”Subprocessor” means any entity engaged by GoGuardian to Process Personal Data in connection with the Products.
- ”Supervisory Authority” means an independent public authority which is established by an EU/EEA Member State or Switzerland pursuant to Data Protection Laws.
PROCESSING OF PERSONAL DATA
- Roles of the Parties and GoGuardian’s Processing of Personal Data. The parties acknowledge and agree that with regard to the Processing of Personal Data, the School is the Controller, GoGuardian is the Processor and that GoGuardian will engage Subprocessors pursuant to the requirements set forth in Section 4 (”Subprocessors”) below. By entering into this DPA, the School instructs GoGuardian to Process Personal Data only in accordance with Data Protection Laws: (a) to provide the Products; (b) as further specified through the School’s use of the Products (including through use of preference options and other functionality of the Products); (c) as documented in the EULA, including this DPA; and (d) as further documented in any other written instructions given by the School and acknowledged by GoGuardian as constituting instructions for purposes of this DPA (together the "Purpose"). GoGuardian may condition the acknowledgement described in (d) on the payment of additional fees or the acceptance of additional terms. GoGuardian acts on behalf of and on the instructions of the School in carrying out the Purpose including with regard to transfers of Personal Data outside the EU/EEA, unless EU/EEA Member State law or Swiss law to which GoGuardian is subject requires other Processing of School Data by GoGuardian, in which case GoGuardian will inform the School (unless that law prohibits GoGuardian from doing so on important grounds of public interest) via the Notification Email Address.
- School’s Processing of Personal Data. The School shall, in its use of the Products and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Law. The School shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the School acquired Personal Data.
- Details of the Processing.
- Duration of the Processing. The Term plus the period from the expiry of the Term until deletion of all School Data by GoGuardian in accordance with the DPA.
- Purpose of the Processing. GoGuardian will process School Data for the purposes of providing the Products to the School in accordance with the DPA and as defined under 2.1 above.
- Types of Personal Data Processed. Data relating to school officials, educators, student end users, or other individuals provided to GoGuardian via the Products, by (or at the direction of) the School or by student end users is the type of Personal Data Processed by GoGuardian. The Personal Data provided may include: (a) product set up information, including number of devices, number of students, and network configuration, and a GoGuardian password; (b) information about School personnel and teachers and their permission levels in GoGuardian Products; (c) requests submitted for Product support; (d) chats within GoGuardian Teacher; (e) GoGuardian-generated unique identifiers, and other relevant unique identifiers (f) a student’s school-managed account information: student’s name, email address, Google Profile ID, Google Image URL, organizational unit, and device identifiers necessary to associate a student with a certain device, GoGuardian generated unique/account identifiers for students; (g) depending on Products and features selected by the School, the student’s browsing history, IP address, online content, snapshots; (h) if the School chooses to integrate GoGuardian with another school software system, unique identifiers necessary to connect our systems; and (i) geographic location of devices for the purpose of the School locating and recovering its devices using GoGuardian Admin.
- Categories of Data Subjects Processed. Data Subjects include school officials, teachers, student end users and other individuals about whom data is provided to GoGuardian via our Products by (or at the direction of) the School or by end users.
RIGHTS OF DATA SUBJECTS
- Data Subject Requests. GoGuardian shall, to the extent legally permitted, promptly notify the School if GoGuardian receives any requests from a Data Subject to exercise rights in accordance with Data Protection Laws (each, a ”Data Subject Request”). Taking into account the nature of the Processing, GoGuardian shall assist the School by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the School’s obligation to respond to a Data Subject Request under applicable Data Protection Laws. To the extent legally permitted, the School shall be responsible for any costs arising from GoGuardian’s provision of such assistance, including any fees associated with provision of additional functionality.
- Appointment of Subprocessors. The School acknowledges and agrees that GoGuardian may engage third party Subprocessors in connection with the provision of the Products. GoGuardian will enter into a written agreement with each Subprocessor containing data protection obligations that provide the same data protection obligations for Personal Data as those in this DPA, taking into account the nature of the Products provided by such Subprocessor.
- List of Current Subprocessors and Notification of New Subprocessors. A current list of Subprocessors for the Products, including the identities of those Subprocessors and their country of location, will be provided to the School upon request. GoGuardian shall inform the School of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving the School the opportunity to object to such changes.
- Liability. GoGuardian shall be liable for the acts and omissions of its Subprocessors to the same extent GoGuardian would be liable if performing the Products of each Subprocessor directly under the terms of this DPA.
- GoGuardian’s Security Measures. GoGuardian will implement and maintain technical and organizational measures to protect School Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (the ”Security Measures”) in accordance with Data Protection Laws. GoGuardian may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Personal Data.
- Security Compliance by GoGuardian Staff. GoGuardian will take appropriate steps to ensure compliance with the Security Measures by its staff to the extent applicable to their scope of performance, including ensuring that all such persons it authorizes to Process School Personal Data have committed themselves to confidentiality.
- GoGuardian’s Security Assistance. The School agrees that GoGuardian will (taking into account the nature of the Processing of School Personal Data and the information available to GoGuardian) assist the School in ensuring compliance with any of the School’s obligations in respect of security of Personal Data (including in case of a Personal Data security incident), in accordance with applicable Data Protection Laws, by implementing and maintaining Security Measures. A current overview of GoGuardian’s Security Measures will be provided to the School upon request.
SCHOOL DATA INCIDENT MANAGEMENT AND NOTIFICATION
- Incident Notification. GoGuardian shall notify the School of any security incident relating to School Personal Data (within the meaning of applicable Data Protection Law) of which GoGuardian becomes aware and which may require a notification to be made to a Supervisory Authority or Data Subject under applicable Data Protection Law or which GoGuardian is required to notify to the School under applicable Data Protection Law (a ”School Data Incident”). GoGuardian shall provide commercially reasonable cooperation and assistance in identifying the cause of such School Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within GoGuardian’s control. The obligations herein shall not apply to security incidents with regard to any Personal Data not processed by GoGuardian on behalf of the School under his DPA.
- Delivery of Notification. Notification(s) of any School Data Incidents will be delivered to a Notification Email Address established by the School. The School is solely responsible for ensuring that the Notification Email Address is current and valid.
- No Assessment of School Data by GoGuardian. GoGuardian will not assess the contents of School Data in order to identify information subject to any specific legal requirements. The School is solely responsible for complying with legal requirements for incident notification applicable to the School and fulfilling any third party notification obligations related to any School Data Incident(s).
- No Acknowledgement of Fault by GoGuardian. GoGuardian’s notification of or response to a School Data Incident under this Section 6 will not be construed as an acknowledgement by GoGuardian of any fault or liability with respect to the School Data Incident.
RETURN AND DELETION OF SCHOOL DATA
- Deletion Upon Termination. Upon termination of the EULA under which GoGuardian is Processing Personal Data, GoGuardian shall, upon the School’s request, and subject to the limitations of the School’s selected Products, return all School Data and copies of such data to the School or securely destroy them and demonstrate to the satisfaction of the School that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of School Data. GoGuardian may only continue to retain the School Data after such date if permitted by the applicable laws to which it is subject.
DEMONSTRATION OF COMPLIANCE
- No more than once per contract year as required by relevant Data Protection Laws and data protection authorities, during GoGuardian’s regular business hours and at the School’s sole expense, GoGuardian will make available to the School all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the School, pursuant to the agreement of the parties and a confidentiality agreement to GoGuardian’s satisfaction, in a reasonable time and manner. As permitted by relevant law, GoGuardian may fulfill this inspection or audit request by providing the School with an executive summary or SO2 or SOC2-successor or equivalent report by a reputable, independent third party. All information accessed or obtained by the School in connection with this audit shall be considered confidential information of GoGuardian.
- GoGuardian shall inform the School in compliance with and as required by relevant Data Protection Laws, if, in its opinion, a Purpose or any documented instruction it receives from the School with respect to the Processing of Personal Data, infringes or prevents it from complying with Data Protection Laws.
LIMITATION OF LIABILITY
- Liability under the EULA. Each party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the EULA, and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the EULA and all DPAs together. For the avoidance of doubt, GoGuardian’s total liability for all claims from the School arising out of or related to the EULA and this DPA shall apply in the aggregate for all claims under both the EULA and any DPA established under the EULA, including by multiple schools within a district, and, in particular, shall not be understood to apply individually and severally to schools within a district that is a contractual party to any such DPA.
SPECIFIC PROVISIONS IN THE EU/EEA AND SWITZERLAND
- Transfers of School Data outside the EU/EEA or Switzerland. If School Data are stored and/or Processed outside the EU/EEA or Switzerland, in such case GoGuardian will in accordance with Data Protection Laws:
- maintain its membership in and comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks with respect to such School Data; or
- offer and comply with an alternative data transfer solution, such as entering into and complying with the Standard Contractual Clauses in accordance with Data Protection Laws, with the School listed as the data exporter of such data and GoGuardian as the importer of such data.