Data Processing Addendum.

This Data Processing Addendum (DPA) forms part of the Terms of Use, or other written agreement entered into between Touch-Type Read and Spell Limited (TTRS or us) and you (a User who is a School Member or a Tutor as defined in our Terms of Use) that incorporates this Addendum by reference (the “Agreement”), and governs the Processing of Personal Information by TTRS in providing its services (the “Service”) pursuant to the Agreement. This DPA is effective upon its incorporation into the Agreement. Upon its incorporation into the Agreement, the DPA will form a part of the Agreement.

 

Definitions

Applicable Laws

  1. means the following to the extent forming part of the law of the United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Services:
  1. any law, statute, regulation, byelaw or subordinate legislation in force from time to time;
  2. the common law and laws of equity as applicable to the parties from time to time;
  3. any binding court order, judgment or decree; or
  4. any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Controller

  1. means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;

Data Protection Laws

  1. means as applicable and binding on either party or the Services:
  1. the GDPR;
  2. the Data Protection Act;
  3. any laws which implement or supplement any such laws; and
  4. any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;

Data Protection Losses

  1. means all liabilities, including all:
  1. costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
  2. to the extent permitted by Applicable Law:
  1. administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Data Protection Supervisory Authority;
  2. compensation which is ordered by a court or Data Protection Supervisory Authority to be paid to a Data Subject; and
  3. the reasonable costs of compliance with investigations by a Data Protection Supervisory Authority;

Data Protection Supervisory Authority

  1. means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;

Data Subject

  1. means any individual that has Personal Information Processed under this Addendum;

Data Subject Request

  1. means a request made by a Data Subject to exercise any rights of Data Subjects under the GDPR;

GDPR

  1. means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);

Instruction

means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalising, blocking, deletion, making available).

International Recipient

  1. means the organisations, bodies, persons and other recipients to which Transfers of Protected Data are prohibited under clause 6.2 without your prior written authorisation;

Lawful Safeguards

  1. means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Party

means either the Processor or the Controller.

Parties

means both the Processor and the Controller.

Personal Data or Personal Information

  1. means any data relating to an identified or identifiable individual where such data is provided to us or collected in connection with provision of the Service under the Agreement and is protected similarly as personally identifiable information under applicable Data Protection Law;

Personal Data Breach

  1. means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

processing

  1. means any operation or set of operations performed on Personal Information, encompassing the collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Information.

Processing End Date

  1. means the earlier of:
  1. the end of the provision of the relevant Services related to processing of the Protected Data; or
  2. once processing by us of any Protected Data is no longer required for the purpose of our performance of our relevant obligations under this Addendum;

Processing Instructions

  1. has the meaning given to that term in clause 2.1.1;

Processor

  1. means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller.

Protected Data

  1. means Personal Data received from you or on your behalf in connection with the performance of our obligations under this Addendum;

Services

means the educational support services offered by TTRS that necessitate the processing of the Personal Data.

Sub-Processor

  1. means a Processor engaged by Us or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on your behalf; and

Transfer

  1. bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR. Related expressions such as Transfers and Transferring shall be construed accordingly;

Specific interpretive provision(s)

In this Addendum:

  1. references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable; and
  2. a reference to a law includes all subordinate legislation made under that law.
  3. The clauses herein shall take priority over any similar provisions contained in other agreements between the parties.

 

Data Processing Provisions

  1. Processor and Controller

  1. The parties agree that, for the Protected Data, you shall be the Controller and we shall be the Processor.
  2. We shall process Protected Data:
  1. in compliance with the obligations of Processors under Data Protection Laws in respect of the performance of our obligations under this Addendum; and
  2. in compliance with the terms of this Addendum.
  1. You shall comply with:
  1. all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Addendum, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
  2. the terms of this Addendum.
  1. You warrant, represent and undertake that at all times:
  1. the processing of all Protected Data (if processed in accordance with this Addendum) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
  2. fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by us and our Sub-Processors in accordance with this Addendum;
  3. the Protected Data is accurate and up to date;
  4. you shall establish and maintain adequate security measures to safeguard the Protected Data in your possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure);
  5. you shall maintain complete and accurate backups of all Protected Data provided to us (or anyone acting on our behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by us or any other person;
  6. all instructions given by you to us in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
  7. where required by the Data Protection Laws, you have provided notice to any and all data subjects and have received requisite consent from the data subject or its legally authorised representative or guardian.
  1. Instructions and Details of Processing

  1. Insofar as we process Protected Data on your behalf, we:
  1. unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under our authority shall) process the Protected Data only on and in accordance with your documented instructions as set out in this Addendum, as updated from time to time in accordance with your instructions (Processing Instructions);
  2. if Applicable Law requires us to process Protected Data other than in accordance with the Processing Instructions, shall notify you of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
  3. shall promptly inform you if we become aware of a Processing Instruction that, in our opinion, infringes Data Protection Laws.
  1. You agree that:
  1. we (and each Sub-Processor) are not obliged to undertake any processing of Protected Data that we reasonably believe infringes any Data Protection Laws and shall not be liable (or subject to any reduction or set-off) to the extent that we (or any Sub-Processor) are delayed in or fail to perform any obligation under this Addendum as a result of not undertaking any processing in such circumstances; and
  2. without prejudice to any other right or remedy we may have, in the event that you fail to resolve any Processing Instruction notified to us under clause 2.1.3 such that it is lawful in our reasonable opinion within one month of such notification, then we may terminate this Addendum for material breach.
  1. The processing of Protected Data to be carried out by us under this Addendum shall comprise the processing set out in Schedule 1, as may be updated from time to time.
  1. Technical and Organisational Measures

  1. We take the appropriate technical and organisational measures to adequately protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Information. We:
  1. have in place the security measures set out in Schedule 2; and
  2. taking into account the nature of the processing, will assist you insofar as is possible in the fulfilment of your obligations to respond to Data Subject Requests relating to Protected Data. The parties have agreed that (taking into account the nature of the processing) our compliance with clause 5.1 shall constitute our sole obligations under this clause 3.1.2.
  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  1. During the period in which we process any Protected Data, you shall undertake a documented assessment at least every 24 months of whether the security measures implemented in accordance with clause 3.1 are sufficient (taking into account the state of technical development and the nature of processing) to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. You shall notify us within 30 days with full details of the assessment and its outcome and of any additional measures you believe are required as a result of the assessment.
  2. We shall assist you in ensuring compliance with the right in 3.2, by inter alia providing you with information concerning the technical and organisational measures already implemented by us along with all other information necessary for you to exercise your rights under 3.2.
  3. In assessing the appropriate level of security, account will be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  4. Notwithstanding any provision to the contrary, we may modify or update our security measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Addendum.
  1. Sub-Processors and Confidentiality

  1. Subject to clause 4.2, we shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data without your prior written (either specific or general) authorisation of that specific Sub-Processor.
  2. You hereby authorise the appointment of the Sub-Processors listed below:

| Sub-Processor | Location | Processing this Sub-Processor is authorised to undertake |
|---|---|---|
| Microsoft Azure | Netherlands, EU | Cloud infrastructure for our apps and services |
| Intercom | United States | Customer interactions and support |
| Chargebee | United States | Customer payments |
| Paypal | EU | Customer payments |
| Stripe | EU | Customer payments |
| Chartmogul | Germany | Business analysis |
| Hotjar | Ireland | Site analytics (web) and customer interactions (website), heatmaps and session recordings |
| Luckyorange | EU | Site analytics (web), heatmaps and session recordings |
| Google, Inc | USA | Site analytics (web) and customer interactions (email) |
| Jotform | Germany | Form generator |
| Livestorm | USA | Webinar tools |
| Getbeamer | USA | Customer interactions and support |
| Segment.io | USA | Customer data management |
| Accredible | USA | Digital badge and certificate platform |
| Trello.com | USA | Data management |
| Refersion | USA | Affiliate marketing management |
| Quickbooks | EU | Financial management and bookkeeping |

  1. If we intend to use Sub-Processors other than the companies listed herein, we will notify the Controller thereof in writing by email and will give you the opportunity to confirm or object to the new Sub-Processors within 14 days after being notified.
  2. The Controller shall have the right to review all Sub-Processors' activities in accordance with this DPA and the Data Protection Legislation, including to obtain information from the Processor, upon written request, on the substance of the contract and the implementation of the data protection obligations under the Sub-Processing contract.
  3. In the event that you fail to comply with any of your obligations in clause 4.3 or withhold any requested authorisation further to clause 4.3, we may terminate this Addendum with 14 days' notice.
  4. We shall:
  1. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under clauses 1 to 11 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures) that is enforceable by Us;
  2. ensure each such Sub-Processor complies with all such obligations; and
  3. remain fully liable for all the acts and omissions of each Sub-Processor as if they were our own.
  1. We shall ensure that all persons authorised by us (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case we shall, where practicable and not prohibited by Applicable Law, notify you of any such requirement before such disclosure).
  2. At your request, we shall demonstrate that the persons authorised under our authority are subject to the abovementioned confidentiality.
  1. Assistance with the Controller's Compliance and Data Subject rights

  1. As the controller, you are responsible for handling any requests from Data Subjects with respect to their Personal Information which is Processed under this Addendum. If such a request is made directly to us, we will promptly inform you and will advise the Data Subjects to submit their request to you. You are and shall be solely responsible for responding to any Data Subjects’ requests. We will provide reasonable assistance to enable you to comply with the request from Data Subjects with respect to their Personal Information, to the extent permitted by the Data Protection Laws. You shall reimburse us for the costs arising from this assistance.
  2. We shall provide such assistance as you may reasonably require (taking into account the nature of processing and the information available to us) in ensuring compliance with your obligations under Data Protection Laws with respect to:
  1. the right to be informed when collecting personal data from the data subject;
  2. the right to be informed when personal data have not been obtained from the data subject;
  3. the right of access by the data subject;
  4. the right to rectification;
  5. the right to erasure (‘the right to be forgotten’);
  6. the right to restriction of processing;
  7. notification obligation regarding rectification or erasure of personal data or restriction of processing;
  8. the right to data portability;
  9. the right to object;
  10. the right not to be subject to a decision based solely on automated processing, including profiling,

provided that you shall pay for all work, time, costs and expenses incurred by us or any Sub-Processor(s) in connection with providing the assistance in this clause 5.2 and clause 5.3.

  1. Taking into account the nature of the processing and the information available to us, we shall assist you in ensuring compliance with:
  1. security of processing;
  2. data protection impact assessments (as such term is defined in Data Protection Laws);
  3. prior consultation with a Data Protection Supervisory Authority regarding high-risk processing; and
  4. notifications to the Data Protection Supervisory Authority and/or communications to Data Subjects in response to any Personal Data Breach.
  1. International Transfers

  1. We have databases stored on servers operated by Microsoft Azure located in the Netherlands in the EEA.
  2. Subject to clause 6.3, we shall not Transfer any Protected Data:
  1. to any country or territory outside the EEA; and/or
  2. to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries, without your prior written authorisation except where required by Applicable Law (in which case the provisions of clause 2.1 shall apply), and any such Transfer shall always take place in compliance with Chapter V GDPR.
  3. The Controller acknowledges and agrees that, in connection with the performance of the services under the Agreement, we will need to transfer some of the Personal Data to the United States as some of our Sub-Processors operate there. We have implemented appropriate safeguards for such transfers. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the United Kingdom has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the United Kingdom.
  4. All Transfers of Protected Data by us to an International Recipient shall:
  1. be effected by way of the Lawful Safeguards in accordance with this Addendum; and
  2. be made pursuant to a written contract (which includes the EU Standard Contractual Clauses for the transfer of personal data to processors established in third countries), which contains equivalent obligations on each Sub-Processor in respect of Transfers to International Recipients as apply to us under any of this clause 6.
  1. The provisions of this Addendum shall constitute your instructions with respect to Transfers of Protected Data to International Recipients for the purposes of this Addendum.
  2. We (and/or each of our Sub-Processors) are not obliged to make any unlawful Transfer of Protected Data and shall not be liable to the extent that we (or any Sub-Processor) are delayed in or fail to perform any obligation under this Addendum due to the unavailability of a valid Lawful Safeguard for any of the Transfers authorised by you.
  1. Records, Information and Audit

  1. In accordance with Data Protection Laws binding us, we shall maintain written records of all categories of processing activities carried out on your behalf.
  2. In accordance with Data Protection Laws, we shall make available to you such information as is reasonably necessary to demonstrate our compliance with our obligations under Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by you (or another auditor mandated by you) for this purpose, subject to you:
  1. giving us reasonable prior notice of such information request, audit and/or inspection required by you;
  2. ensuring that all information obtained or generated by you or your auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Data Protection Supervisory Authority or as otherwise required by Applicable Law);
  3. hereby agreeing that we shall be entitled to withhold information that is commercially sensitive or confidential to us or our other users/clients/customers;
  4. ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to our business, the Sub-Processors’ businesses and the business of any of our users/clients/customers or of any of the Sub-Processors; and
  5. paying us for all work, time, costs and expenses incurred by us or any Sub-Processor(s) in connection with the provision of information and allowing for and contributing to inspections and audits.
  1. Breach Notification

  1. In respect of any Personal Data Breach, we shall, without undue delay:
  1. notify you of the Personal Data Breach; and
  2. provide you with details of the Personal Data Breach.
  1. Deletion or Return of Protected Data and Copies

  1. We acknowledge and agree that as the Processor, following the termination or expiry of the Agreement, we will delete all Personal Information processed pursuant to this DPA. We may be required to keep backup copies to the extent required to comply with Data Protection Laws. Before termination or expiration of the Agreement and by way of issuing an Instruction, you shall stipulate the reasonable method and format to return any Personal Information before it is deleted. You will be responsible for any additional cost arising in connection with the return or deletion of Personal Information.
  1. Liability, Indemnities and Compensation Claims

  1. Except to the extent to which we are liable under clause 10.2, you shall indemnify us and keep us indemnified in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by us and any Sub-Processor arising from or in connection with:
  1. your non-compliance with the Data Protection Laws; or
  2. processing carried out pursuant to any Processing Instruction that infringes any Data Protection Law.
  1. We shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Addendum:
  1. only to the extent caused by the processing of Protected Data under this Addendum and directly resulting from our breach of clauses 1 to 11 (inclusive); and
  2. in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Addendum by you (including in accordance with clause 2.1.3(b)).
  1. This clause 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
  1. to the extent not permitted by Applicable Law (including Data Protection Laws); and
  2. that it does not affect the liability of either party to any Data Subject.
  1. Survival of Data Protection Provisions

  1. Clauses 1 to 8 (inclusive) shall survive expiry or termination (for any reason) of this Addendum and continue until no Protected Data remains in the possession or control of the Supplier or any Sub-Processor. The termination or expiry of such clauses shall be without prejudice to any accrued rights or remedies of either party under any such clauses at the time of such termination or expiry.
  2. Clauses 9 to 11 (inclusive) shall survive expiry or termination (for any reason) of this Addendum and continue indefinitely.
  1. Miscellaneous

  1. We may update and change any part or all of this DPA as needed to comply with Data Protection Legislation. If we update or change this DPA, the updated version will be posted at [insert the link address to this document] and we will inform you through email. The updated DPA will become effective and binding on the next business day after it is posted. When we change the DPA, the “Last Modified” date above will be updated to reflect the date of the most recent version. If you do not agree with a modification to the DPA, you must notify us in writing within thirty (30) days after receiving notice of modification, and then the previous modification will remain effective until your renewal date.
  2. In case of any conflict, this Addendum shall take precedence over the Privacy Policy. Where individual provisions of this Addendum are invalid or unenforceable, the validity and enforceability of the other provisions of this Addendum shall not be affected.
  3. The legal entity agreeing to this Addendum as Controller represents that it is authorized to agree to and enter into this Addendum for, and is agreeing to this DPA solely on behalf of, the Controller.
  1. Data Protection Contact

Our Data Protection Officer may be contacted through the details below:

Contact details

Name: Peter Driver

Email address: support@readandspell.com

Postal address: TTRS Administration, Chislehurst Business Centre, 1 Bromley Lane, Chislehurst, Kent BR7 6LH, United Kingdom

Telephone number: +44 (0)20 8144 1964

 

Your data protection contact will be as stated in your account on our website.

 

 

  1. DATA PROCESSING DETAILS
  1. Subject-matter of processing: 

The subject matter of the processing is the Personal Data (including but not limited to that of the students and data subjects) provided to us by you (the Controller) in respect of the Services under this Addendum and our Terms of Use.

  1. Duration of the processing:

The duration of the processing is the duration of the provision of the Services under this Addendum and our Terms of Use until disposal of the Personal Data in accordance with this Addendum.

  1. Nature and purpose of the processing:

Our processing of personal data on your behalf shall mainly pertain to the provision of our Services to you.

  1. Type of Personal Data:

We will process the following types of Personal Data about the Data Subjects:

  1. Name;
  2. E-mail address (optional for students, compulsory for admin/teacher accounts);
  3. Organisation name;
  4. Position/Title (optional);
  5. Phone number (optional);
  6. Country of access;
  7. Attendance at classes and use of the platform;
  8. Internet Protocol (IP) address;
  9. Registration information;
  10. Assessment result and performance information.

 

  1. Processing Instructions

Our processing of personal data on your behalf may commence when the Services commence. You hereby instruct us to process the Personal Data to perform our Services to you.

 

  1. TECHNICAL AND ORGANISATIONAL MEASURES
  1. We shall implement and maintain the following technical and organisational security measures to protect the Protected Data:
  1. Use secure databases for storage. We currently have databases stored on servers operated by Microsoft Azure.
  2. Prevent unauthorised access to Processing systems by using means of physical access control.
  3. Prevent Processing systems from being used without authorization by requiring strong passwords, two-step login, change management, and access logging.
  4. Limit access rights and privileges to only persons entitled to access the Processing system and gain access to the Personal Information as they are entitled and ensure Personal Information cannot be read, copied, modified, or deleted without authorization.
  5. Encrypt all data transmitted, communicated, or stored, ensuring that Personal Information that may be included in such data cannot be read, copied, modified, or deleted without authorization.
  6. Allow only integrations into Processing systems through secure web services and from data sources controlled by the Controller.
  7. Log an audit trail to document whether and by whom Personal Information has been entered into, modified in, or removed from the Processor's systems.
  8. Ensure that Personal Information is Processed solely in accordance with the instructions of the Controller.
  9. Perform back-ups on a regular basis to ensure that Personal Information is protected against accidental destruction or loss.
  10. We shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.