This Data Processing Agreement (this “DPA”) forms part of the Terms of Service (“ToS) between Unboxed Technology, LLC (“Unboxed) and the Client and is subject to the Main Contract.

BACKGROUND:

(A) Unboxed provides a cloud-based learning platform (“Spoke”) to Client and its end users (“Users”).

(B) Client is the Controller of Personal Data Processed on behalf of Client by Unboxed, Unboxed is the Processor and Service Provider of Personal Data that it receives from Client and Users.

(C) each being a “Party” and collectively the “Parties”.

IT IS AGREED:

1. DEFINITIONS

1.1: In this DPA and in Recitals (A) to (B) above the following expressions bear the following meanings unless the context otherwise requires:

“CCPA” means the California Consumer Privacy Act of 2018 (and amendments thereto) and any binding regulations promulgated thereunder;

“Commercial Purpose” shall have the meaning set out in the CCPA;

“Data Protection Authority” means, in relation to each of the Parties, the relevant data protection authority or enforcement body in the respective jurisdiction;

“Data Protection Laws” means all applicable legislation and regulations governing the Processing and protection of Personal Data from time to time;

“Controller”, “Data Subject”, “Processing/Process”, and “Processor” shall have the same meanings set out in the GDPR;

“GDPR” means the EU General Data Protection Regulation No 2016/679, the UK GDPR and any national supplementing legislation;

“Main Contract” means Subscription Agreement by and between Unboxed and Client Name dated as of Insert SOW Date;

“Personal Data” means any information or set of information relating to an identified or identifiable individual, including (i) all information that identifies that individual, or that could reasonably be used to identify such individual, (ii) all “personal data” as defined in the GDPR, and (iii) all information that any applicable law treats as personal information, personal data, or similarly protected information, regardless of the medium in which such information is displayed;

“Purposes” are the provision of Spoke to Client and Users as set out in the Main Contract;

“Sale” (including “Sell”) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for the third party’s purposes in exchange for monetary or other valuable consideration, or as further defined by the CCPA;

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data;

“Service Provider” shall have the same meaning set out in the CCPA.

1.2: In this DPA, unless the contrary intention appears:

1.3: Any reference to this DPA includes any Annexes.

1. OBLIGATIONS

2.1: Both Parties will comply with all applicable Data Protection Laws. Controller will ensure that it has all necessary appropriate consents and notices in place to enable the Processor to Process the Personal Data pursuant to this DPA.

2.2: With respect to the GDPR and as applicable pursuant to other Data Protection Laws, the Processor shall only Process the Personal Data for the Purposes (which for the purpose of this DPA shall constitute the documented instructions of the Controller) and will not Process the Personal Data for any other purpose or in any manner, without the prior consent of the Controller subject to Clause 4.2. With respect to the CCPA, except as permitted for a service provider in regulations implementing or clarifying the CCPA, Unboxed shall not retain, use, sell, or disclose any personal information for any purpose other than for the specific purpose of providing the Services under the Main Contract, or as otherwise permitted by the CCPA, including retaining, using, selling, or disclosing the personal information for a commercial purpose other than to provide the Services under this Main Contract. The Parties acknowledge that any disclosure of Personal Data pursuant to the DPA does not confer any value under this DPA. The provision of Personal Data from Controller to Processor does not constitute a Sale under the CCPA. With respect to the CCPA, Processor hereby certifies that it understands its obligations under this paragraph 2.2 and will comply with them.

2.3: The Processor will ensure that each of its employees and agents are made aware of its obligations under this DPA with regard to the security and protection of the Personal Data and shall require that they enter into binding obligations with the Processor to respect and maintain the confidentiality and security of the Personal Data to the levels of security and protection provided for in this DPA.

2.4: The Processor will not keep the Personal Data longer than is necessary for the Purposes and will, at the choice of the Controller, delete or return all the Personal Data once the Purposes have been fulfilled (save to the extent that there is a lawful obligation on the Processor to store the Personal Data).

2.5: The Processor shall provide reasonable assistance to Controller to facilitate the provision to Data Subjects of rights provided under applicable Data Protection Laws to the extent required by such Data Protection Laws.

2.6: The Processor shall implement and maintain reasonable security measures appropriate to the nature of the Personal Data, in order to protect the Personal Data from a Security Incident. If the Processor becomes aware of such a Security Incident, the Processor will promptly: (a) notify the Controller of the Security Incident promptly but no later than 36 hours of becoming aware; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
2.7: Notwithstanding anything to the contrary, Processor undertakes to take commercially reasonable steps to repair any harm any person may suffer due to Processing performed in breach of Data Protection Laws or this DPA, except if Processor proves that it is not liable for such harm.

2.8: The Processor undertakes that in respect to Personal Data it Processes on behalf of the Controller that is subject to the GDPR:

I. the pseudonymisation and encryption of Personal Data;

II. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Personal Data;

III. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

IV. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of Processing.

I. any legally binding request for disclosure of the Personal Data by a Data Protection Authority or any law enforcement or other competent authority (unless and to the extent prohibited by law from doing so); and

II. any request for access to, or transfer, erasure or rectification of, Personal Data received directly from a Data Subject without responding to that request, unless it has been otherwise authorised by the Controller to do so.

2.9: Unboxed uses aggregated or pseudonymized Personal Data for operating and improving the experience of Spoke. In so far as Unboxed Processes Personal Data for these purposes it does so as a Processor and it will Process this Personal Data pursuant to the Data Protection Laws and the terms of the Unboxed Privacy Policy (https://unboxed.co/privacy-notice).

1. SUB-PROCESSING

3.1: The Processor shall not sub-contract to any third party any of its obligations to Process Personal Data unless all of the following provisions of this Clause 3 have first been complied with:

3.2: For the purpose of Clause 3.1(a), the Controller authorises the use of the sub-Processors in Annex A.

1. ONWARD TRANSFER OF DATA OUTSIDE OF THE USA

4.1: The Processor shall not onward transfer any Personal Data received from the Processor outside the United States of America without prior written consent of the Processor.

4.2: Any such onward transfer of Personal Data shall be subject to an agreement the terms of which are no less robust than the terms included in the this DPA.

4.3: Unboxed and its sub-processors shall put in place appropriate safeguards for such onward transfers where necessary pursuant to Data Protection Laws.
4.4: Unboxed agrees to put in place European Commission-approved standard contractual clauses with Client where requested by the Client.

1. LIABILITY

5.1: The aggregate liability of Unboxed for a breach of this DPA shall be subject to the limitation on the liability provisions under the Main Contract. For the avoidance of doubt, any liability arising under this DPA shall be deemed to be included under the cap on liability under the Main Contract and the cap under the Main Contract shall not apply as a separate liability cap for this DPA.

5.2: Unboxed shall not in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:

1. TERMINATION

6.1: This DPA may be terminated, with immediate effect, on the agreement of the Parties.

6.2: The termination of this DPA does not exempt either Party from its obligations under this DPA as regard to the processing of the Personal Data. In the event of termination the Processor shall return all Personal Data to the Controller or, at the Controller’s request, erase or destroy all copies of the same unless prevented from doing so by law in which case it will keep such Personal Data confidential and not process it for any purpose other than as directed by the Controller or required by law.

1. GENERAL

7.1: In the event that the Data Protection Laws are amended or replaced by subsequent legislation or regulations or in the event that case law pursuant to the Data Protection Laws require amendments to this DPA in the reasonable opinion of the Processor then the Parties will agree to such amendments to this DPA.

7.2: Failure or neglect by a Party to enforce at any time any of the provisions hereof shall not be construed nor shall be deemed to be a waiver of that Party’s rights hereunder nor in any way affect the validity of the whole or any part of this DPA nor prejudice that Party’s rights to take subsequent action.

7.3: This DPA, the ToS and the Main Contract (and any standard contractual clauses where agreed) supersede and replace any arrangements, representations (excluding fraudulent representations) understandings, promises or agreements made or existing between the Parties constitutes the entire understanding between the Parties hereto regarding the subject matter hereof.

7.4: In the event that any or any part of the terms, conditions or provisions contained in this DPA or any Annex attached or adopted as relative hereto shall be determined by any competent authority to be invalid, unlawful or unenforceable to any extent such term, condition or provision shall to that extent be severed from the remaining terms and conditions which shall continue to be valid and enforceable to the fullest extent permitted by law.

7.5: If and to the extent that either Party (the “Affected Party”) is hindered or prevented by circumstances not within its reasonable ability or control, including, but not limited to, acts of God, severe weather, flood, lightning, fire, acts or omissions of Governments or other competent authority, acts of terrorism, war, military operations, acts or omissions of third parties for whom the Affected Party is not responsible (“Force Majeure”) from performing any of its obligations under this DPA, the Affected Party shall be relieved of liability for failure to perform such obligations for the duration of such Force Majeure event.

7.6: This DPA shall inure to the benefit of and be binding upon the Parties and their respective successors and assigns.

7.7: This DPA may be executed in any number of counterparts, each of which, when executed, shall be an original and all of which together shall constitute one and the same agreement. The Parties each further consent to and acknowledge that a copy of the executed version of this DPA which is retained in electronic form shall constitute an original of this DPA, and that such original shall be relied on by the Parties for subsequent reference and as evidence of this DPA.

7.8: This DPA and any dispute or claim arising out of it or in connection with its subject matter or formation shall be governed by and construed in accordance with the Main Contract.

ANNEX A

PERSONAL DATA PROCESSING DETAILS

1. SUBJECT MATTER OF PROCESSING

Provision of a cloud-based social learning management system and any related technical support to Client and its authorized end users by Unboxed.

1. DURATION OF PROCESSING

The period beginning at the Effective Date and running until termination of the Main Contract plus the period from the expiration of this Agreement until the deletion of all Personal Data by Unboxed in accordance with this Agreement.

1. NATURE OF PROCESSING

Unboxed provides cloud-based social learning management system and any related technical support to Client.

1. PERSONAL DATA CATEGORIES

Client determines the categories of personal data that it processes through the Services. This will include at minimum name, email address and title/role. Unboxed will not process any “Special Categories” of personal data in connection with the Services.

1. DATA SUBJECT TYPES

Data subject about whom personal data is transferred to Unboxed in connection with the Services by, at the direction of, or on behalf of Client including Client’s employees and contractors.

1. SPOKE SUB PROCESSORS & THIRD-PARTY SERVICES