1. In this schedule:
1.1. "Data Protection Laws" means all applicable laws relating to personal data, information security and privacy matters including the following:
1.1.1. Regulation (EU) 2016/679 (the General Data Protection Regulation) (“GDPR”);
1.1.2. Directive 2002/58/EC (Directive on Privacy and Electronic Communications) as amended; and
1.1.3. any applicable laws that amend, supplement, supersede, repeal or replace the foregoing, that implement their provisions in national law or that are intended to ensure the continued application of their provisions.
1.2. "Personal Data", "Controller", "Processor" and “Data Subject” have the meanings set out in the GDPR.
2. Each Party shall comply with its obligations under the Data Protection Laws at all times.
3. Both Parties agree and acknowledge that at all times in relation to the receipt or performance of the Services, Customer is the Controller and Involvio is the Processor.
4. Without prejudice to the generality of paragraph 2, Involvio shall not process Personal Data received from Customer other than as necessary for the provision of the Involvio Services, and at no time for its own purpose or for the purposes of any third party.
5. When acting as Processor Involvio shall, at all times:
5.1. implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Data Protection Laws and ensure the protection of the rights of Data Subjects;
5.2. process Personal Data only in accordance with the subject matter, duration, nature and purpose of Processing determined by its obligations under this Agreement;
5.3. process Personal Data only on documented instructions from Customer;
5.4. not transfer Personal Data outside the EEA without implementing sufficient safeguards for protecting such personal data, including the imposition of standard contractual clauses covering the transfer of personal data, as approved by the EU Commission. Involvio shall implement such safeguards in relation to all transfers of data to the UK for processing in the event of a ‘no deal Brexit’ or other outcome which results in the UK becoming a third country for the purposes of the GDPR.
5.5. ensure that persons it authorises to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.6. take all measures required pursuant to Article 32 of the GDPR and any applicable provision of the Data Protection Laws. This shall include implementing appropriate technical and organisational measures to ensure an appropriate level of security taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
5.7. other than as provided in section 7 of this Schedule 1, not engage another Processor (a “Sub-Processor”) without the prior written authorisation of Customer. Where Involvio appoints a Sub-Processor pursuant to the general written authorisation in section 7 of this Schedule 1, Involvio shall inform the Customer, thereby giving the Customer the opportunity to object to such changes.
5.8. where it engages a Sub-Processor for carrying out specific processing activities on behalf of Customer, impose the same data protection obligations as set out in this Agreement on that Sub-Processor by way of a contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws;
5.9. taking into account the nature of the processing, assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligations to respond to requests from a Data Subject for the exercise of the rights of the Data Subject under the Data Protection Laws, including requests for access;
5.10. assist Customer in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR or any equivalent provision of the Data Protection Laws (Security of Processing, Breach, Impact Assessment and Prior Consultation) taking into account the nature of processing and the information available to the processor;
5.11. at the choice of Customer, delete or return all the Personal Data to Customer after Processing ends, and delete existing copies unless any Applicable Law requires further retention of the Personal Data;
5.12. make available to Customer all information necessary to demonstrate compliance with all its obligations under the Data Protection Laws and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer;
5.13. inform Customer if, in its opinion, performance of any of Customer’s instructions would violate the Data Protection Laws or any of them; and
5.14. On becoming aware of a personal data breach at Involvio’s facilities or a sub-processor’s facilities involving Student Data, pursuant to its obligation as processor under Article 33 of the GDPR, Involvio shall without undue delay notify the Customer. Involvio’s notification to the Customer shall, if possible, take place within 36 hours after Involvio has become aware of the breach to enable the Customer to comply with its obligation, if applicable, to report the breach to the supervisory authority within 72 hours.
6. The Customer hereby authorises the following as Sub-Processors in relation to the Involvio Services:
6.1. Airship Group, Inc. - Cloud-based Push Notification Services
6.2. Amazon Web Services, Inc. - Cloud Service Provider
6.3. Atlassian, Inc. - Cloud-based Software Project Management
6.4. Cisco Systems, Inc. - Infrastructure for meetings, calling and messaging
6.5. Customer.io (Peaberry Software, Inc.) - Cloud-based CRM and Marketing Automation Services
6.6. Firebase, Inc. - Cloud-based Web Analytics and Business Suite
6.7. Gong.io, Inc. - Cloud-based Customer Success Services
6.8. Google, Inc. - Cloud Service Provider
6.9. Help Scout PBC - Cloud-based Customer Support Services
6.10. Rollbar - Cloud-based Error Monitoring Services
6.11. salesforce.com, Inc. - Cloud-based Customer Relationship Management Platform
6.12. SendGrid (Twilio, Inc.) - Cloud-based Email Notification Services
6.13. Vitally, Inc. - Cloud-based Customer Success Services
6.14. ScoutAPM - Cloud-based Performance Monitoring Services
6.15. Sqreen (Datadog) - Cloud-based Security Monitoring Services
6.16. Canny, Inc. - Cloud-based Customer Feedback Services
6.17. ExaVault, Inc. - Cloud-based File Transfer Provider
6.18. InsightOps (Rapid7) - Cloud-based Error Monitoring Services
7. The Customer hereby grants Involvio a general written authorisation to appoint such further or replacement Sub-Processors as necessary to carry out the types of processing indicated above, or otherwise in relation to the performance of the Involvio Services, provided, pursuant to Article 28(2) of the GDPR and section 5.7 of this agreement, that Involvio informs the Customer, thereby giving the Customer the opportunity to object to such changes. Such notification shall be given prior to the engagement of further or replacement Sub-Processors. The Customer shall only object if the Customer has reasonable and specific grounds for such refusal.
8. The Purpose of Involvio’s processing on behalf of the data controller, the Customer, is to provide Involvio Services described in section 1.1 of the Master Subscription Agreement.
9. The personal data types and subjects processed by Involvio at the direction of the Customer found in section 2.4 of the Master Subscription Agreement shall not be exceeded without written instruction from the Customer.
10. This agreement and any subsequent written communication from Customer relating to processing of personal data constitute the documented instructions for processing by Involvio on behalf of the Customer.