Data privacy agreement

Last updated: 05/08/2025

Data Privacy Agreement

This Data Processing Agreement (this "DPA" or "Agreement") supplements the Terms and Conditions (the "Agreement") between EnlightenAI, Inc. ("EnlightenAI," "us," "we") and the entity that is a party to the Agreement ("Organization" or "you"). We may update this Agreement from time to time, and we will provide reasonable notice of any such updates. Any terms not defined in this Agreement shall have the meaning set forth in the Agreement.

  1. Definitions
    1. "Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
    2. "Authorized Sub-Processor" means a third-party who has a need to know or otherwise access Organization's Personal Data to enable EnlightenAI to perform its obligations under this DPA or the Agreement, and who is either (1) listed in Exhibit B or (2) subsequently authorized under Section 4.2 of this DPA.
    3. "EnlightenAI Account Data" means personal data that relates to EnlightenAI's relationship with Organization, including the names or contact information of individuals authorized by Organization to access Organization's account, including all Business Contact Data. EnlightenAI Account Data also includes any data EnlightenAI may need to collect for the purpose of managing its relationship with Organization, identity verification, or as otherwise required by applicable laws and regulations.
    4. "EnlightenAI Usage Data" means Service usage data collected and processed by EnlightenAI in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
    5. "Data Exporter" means Organization.
    6. "Data Importer" means EnlightenAI.
    7. "Data Privacy Laws" means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA"), the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g ("FERPA"), the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), the United Kingdom Data Protection Act (2018) ("UK Data Protection Act"), the Virginia Consumer Data Protection Act ("VCDPA"), and the Swiss Federal Act on Data Protection ("Swiss FADP"). For the avoidance of doubt, if EnlightenAI's Processing activities involving Personal Information are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Agreement.
    8. "Consumer" means an identified or identifiable natural person about whom Personal Information relates.
    9. "Personal Information" includes "personal data," "personal information," "personally identifiable information," and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.
    10. "Process" and "Processing" mean any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    11. "Sub-processor" means an entity appointed by EnlightenAI to Process data on its behalf.
    12. "Security Breach" means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.
    13. "Services" shall have the meaning of providing the EnlightenAI Platform as set forth in the Agreement.
  2. Relationship of the Parties; Processing of Data
    1. The parties acknowledge and agree that with regard to the processing of Personal Data, Organization may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, EnlightenAI is a processor. Organization shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Privacy Laws. The Organization shall ensure that the processing of Personal Data in accordance with Organization's instructions will not cause EnlightenAI to be in breach of the Data Privacy Laws. Organization is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to EnlightenAI by or on behalf of Organization, (ii) the means by which Organization acquired any such Personal Data, and (iii) the instructions it provides to EnlightenAI regarding the processing of such Personal Data. Organization shall not provide or make available to EnlightenAI any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify EnlightenAI from all claims and losses in connection therewith.
    2. EnlightenAI shall not process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Organization, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Supervisory Authority to which EnlightenAI is subject; in such a case, EnlightenAI shall inform the Organization of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, or (iii) in violation of Data Privacy Laws. Organization hereby instructs EnlightenAI to process Personal Data in accordance with the foregoing and as part of any processing initiated by Organization in its use of the Services.
      • The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.
      • Following completion of the Services, at Organization's choice, EnlightenAI shall return or delete Organization's Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, EnlightenAI shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
      • CCPA, VCDPA, and FERPA Language. The Parties acknowledge and agree that the processing of personal information or personal data that is subject to the CCPA, VCDPA, or FERPA shall be carried out in accordance with the terms set forth in Exhibit C.
  3. Confidentiality
    1. EnlightenAI shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with EnlightenAI's confidentiality obligations in the Agreement. Organization agrees that EnlightenAI may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of Services to Organization.
  4. Authorized Sub-Processors
    1. Organization acknowledges and agrees that EnlightenAI may (1) engage its Affiliates and the Authorized Sub-Processors to this DPA to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this DPA, Organization provides general written authorization to EnlightenAI to engage sub-processors as necessary to perform the Services.
    2. A list of EnlightenAI's current Authorized Sub-Processors (the "List") is available on EnlightenAI’s website. Such List may be updated by EnlightenAI from time to time. At least thirty (30) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, EnlightenAI will add such third party to the List and notify Organization. Organization may object to such an engagement by informing EnlightenAI within ten (10) days of receipt of the aforementioned notice by Organization, provided such objection is in writing and based on reasonable grounds relating to data protection. Organization acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent EnlightenAI from offering the Services to Organization.
    3. If Organization reasonably objects to an engagement in accordance with Section 4.2, and EnlightenAI cannot provide a commercially reasonable alternative within a reasonable period of time, Organization may discontinue the use of the affected Service by providing written notice to EnlightenAI. Discontinuation shall not relieve Organization of any fees owed to EnlightenAI under the Agreement.
    4. If Organization does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by EnlightenAI, that third party will be deemed an Authorized Sub-Processor for the purposes of this DPA.
    5. EnlightenAI will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on EnlightenAI under this DPA with respect to the protection of Personal Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with EnlightenAI, EnlightenAI will remain liable to Organization for the performance of the Authorized Sub-Processor's obligations under such agreement.
  5. Security of Personal Data
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EnlightenAI shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit B sets forth additional information about EnlightenAI's technical and organizational security measures.
  6. Rights of Data Subjects
    1. EnlightenAI shall, to the extent permitted by law, notify Organization upon receipt of a request by a Data Subject to exercise the Data Subject's right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively "Data Subject Request(s)"). If EnlightenAI receives a Data Subject Request in relation to Organization's data, EnlightenAI will advise the Data Subject to submit their request to Organization and Organization will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Organization is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to EnlightenAI, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
    2. EnlightenAI shall, at the request of the Organization, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Organization in complying with Organization's obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Organization is itself unable to respond without EnlightenAI's assistance and (ii) EnlightenAI is able to do so in accordance with all applicable laws, rules, and regulations. Organization shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by EnlightenAI.
  7. EnlightenAI's Role as a Controller
    1. The parties acknowledge and agree that with respect to EnlightenAI Account Data and EnlightenAI Usage Data, EnlightenAI is an independent controller, not a joint controller with Organization. EnlightenAI will process EnlightenAI Account Data and Usage Data as a controller (i) to manage the relationship with Organization; (ii) to carry out EnlightenAI's core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Organization; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which EnlightenAI is subject; and (vi) as otherwise permitted under Data Privacy Laws and in accordance with this DPA and the Agreement. EnlightenAI may also process EnlightenAI Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Data Privacy Laws. Any processing by EnlightenAI as a controller shall be in accordance with EnlightenAI's privacy policy.
  8. Security Breach
    1. EnlightenAI will notify Organization without undue delay of any Security Breach and will assist Organization in Organization's compliance with its Security Breach-related obligations, including without limitation, by:
      • Taking steps to mitigate the effects of the Security Breach and reduce the risk to Consumers whose Personal Information was involved; and
      • Providing Organization with the following information, to the extent known: i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Consumers concerned, and the categories and approximate number of Personal Information records concerned; ii. The likely consequences of the Security Breach; and iii. Measures taken or proposed to be taken by EnlightenAI to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  9. Audits
    1. EnlightenAI will make available to Organization all records necessary to demonstrate compliance with this Agreement and will allow for and contribute to audits conducted by Organization or another auditor mandated by Organization, provided that, such audit shall occur no more than once every twelve (12) calendar months, upon reasonable prior written notice, and to the extent EnlightenAI's personnel are required to cooperate thereupon, during EnlightenAI's normal business hours.
  10. Return or Destruction of Personal Information
    1. Except to the extent required otherwise by Data Privacy Laws, EnlightenAI will, at the choice of Organization, return to Organization and/or securely destroy all Personal Information upon (a) written request of Organization or (b) termination of the Agreement. Except to the extent prohibited by Data Privacy Laws, EnlightenAI will inform Organization if it is not able to return or delete the Personal Information.
  11. Term; Survival
    1. The term of this Agreement shall commence as of the Effective Date and will continue until terminated by the parties upon a 30-day prior written notice or until the underlying Agreement between the parties has been terminated. The provisions of this Agreement shall survive the termination or expiration of this Agreement for so long as EnlightenAI or its subcontractors Process the Personal Information.
  12. Conflict
    1. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the terms of this DPA; (2) the Agreement; and (3) EnlightenAI's privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

Exhibit A: Details of Data Processing

Nature and Purpose of Processing: EnlightenAI will process Organization's Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Organization's instructions as set forth in this DPA. The nature of processing includes, without limitation:

  • Receiving data, including collection, accessing, retrieval, recording, and data entry to confirm Services are being provided to the correct individuals
  • Holding data, including storage, organization and structuring
  • Using data, including analysis, consultation, and testing
  • Updating data, including correcting, adaptation, alteration, alignment and combination
  • Protecting data, including restricting, encrypting, and security testing
  • Sharing data, including disclosure, dissemination, allowing access or otherwise making available
  • Returning data to the data exporter or data subject
  • Erasing data, including destruction and deletion

Duration of Processing: EnlightenAI will process Organization's Personal Data as long as required (i) to provide the Platform to Organization under the Agreement; (ii) for EnlightenAI's legitimate business needs; or (iii) by applicable law or regulation. EnlightenAI Account Data and EnlightenAI Usage Data will be processed and stored as set forth in EnlightenAI's privacy policy.

Categories of Data Subjects: Organization business contacts, Organization's end users, including students and teachers.

Categories of Personal Data: EnlightenAI processes Personal Data contained in EnlightenAI Account Data, EnlightenAI Usage Data, and any Personal Data provided by Organization (including any Personal Data Organization collects from its end users and processes through its use of the Services). Categories of Personal Data include:

  • Account information (such as name, email address, and credentials)
  • Academic information (such as grades, feedback, and learning data)
  • Log data, images, audio, text and other data that is provided by Organization

Sensitive Data or Special Categories of Data: None anticipated. EnlightenAI is not responsible for processing any sensitive data unless and until mutually agreed by the parties.

Exhibit B: Technical and Organizational Security Measures

EnlightenAI will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Information:

  1. Information Security Policies and Standards: EnlightenAI will maintain written information security policies, standards, and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Information.
  2. Physical Security: EnlightenAI will maintain commercially reasonable security systems at all EnlightenAI sites at which an information system that uses or stores Personal Information is located that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
  3. Organizational Security: EnlightenAI will maintain information security policies and procedures addressing data disposal, data minimization, data classification, and incident response protocols.
  4. Network Security: EnlightenAI maintains commercially reasonable information security policies and procedures addressing network security, including:
    • All data is encrypted at rest and in transit
    • Protection against malicious code
    • Vulnerability management
  5. Access Control: EnlightenAI agrees that: (1) only authorized EnlightenAI staff can grant, modify or revoke access to an information system that Processes Personal Information; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
  6. Virus and Malware Controls: EnlightenAI protects Personal Information from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Information.
  7. Personnel: EnlightenAI has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
  8. Subcontractor Security: EnlightenAI shall only select and contract with subcontractors that are capable of maintaining appropriate security safeguards that are no less onerous than those contained in this Agreement.
  9. Business Continuity: EnlightenAI implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. EnlightenAI also adjusts its Information Security Program in light of new laws and circumstances, including as EnlightenAI's business and Processing change.
  10. System Resilience: EnlightenAI's systems are designed with different components which are independently scalable and redundant. For web servers, additional servers can be started elastically. For the database, hot standby (replicas) exist in different active zones in the primary region and secondary region, which can be promoted to masters.
  11. Data Backup and Restoration: EnlightenAI backs up data daily for the last 7 days. Time to recovery once issues are detected is approximately 5 minutes for same-region database master restart/failover.
  12. Security Testing: EnlightenAI undergoes regular security assessments and testing, including a combination of manual and technical assessments to determine fitness of security systems.

Exhibit C: U.S. Privacy Laws Exhibit

This U.S. Privacy Laws Exhibit supplements the DPA and includes additional information required by the CCPA, VCDPA, and FERPA. Any terms not defined in this Exhibit shall have the meanings set forth in the DPA and/or the Agreement.

A. CALIFORNIA

  1. Definitions
    1. For purposes of this Section A, the terms "Business," "Business Purpose," "Commercial Purpose," "Consumer," "Personal Information," "Processing," "Sell," "Service Provider," "Share," and "Verifiable Consumer Request" shall have the meanings set forth in the CCPA.
    2. All references to "Personal Data," "Controller," "Processor," and "Data Subject" in the DPA shall be deemed to be references to "Personal Information," "Business," "Service Provider," and "Consumer," respectively, as defined in the CCPA.
  2. Obligations
    1. Except with respect to EnlightenAI Account Data and EnlightenAI Usage Data (as defined in the DPA), the parties acknowledge and agree that EnlightenAI is a Service Provider for the purposes of the CCPA (to the extent it applies) and EnlightenAI is receiving Personal Information from Organization in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.
    2. Organization shall disclose Personal Information to EnlightenAI only for the limited and specified purposes described in Exhibit A to this DPA.
    3. EnlightenAI shall not Sell or Share Personal Information provided by Organization under the Agreement.
    4. EnlightenAI shall not retain, use, or disclose Personal Information provided by Organization pursuant to the Agreement for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Organization pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.
    5. EnlightenAI shall not retain, use, or disclose Personal Information provided by Organization pursuant to the Agreement outside of the direct business relationship between EnlightenAI and Organization, except where and to the extent permitted by the CCPA.
    6. EnlightenAI shall notify Organization if it makes a determination that it can no longer meet its obligations under the CCPA.
    7. EnlightenAI will not combine Personal Information received from, or on behalf of, Organization with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.
  3. Consumer Rights
    1. EnlightenAI shall assist Organization in responding to Verifiable Consumer Requests to exercise the Consumer's rights under the CCPA as set forth in Section 6 of the DPA.

B. VIRGINIA

  1. Definitions
    1. For purposes of this Section B, the terms "Consumer," "Controller," "Personal data," "Processing," and "Processor" shall have the meanings set forth in the VCDPA.
    2. All references to "Data Subject" in this DPA shall be deemed to be references to "Consumer" as defined in the VCDPA.
  2. Obligations
    1. Except with respect to EnlightenAI Account Data and EnlightenAI Usage Data (as defined in the DPA), the parties acknowledge and agree that Organization is a Controller and EnlightenAI is a Processor for the purposes of the VCDPA (to the extent it applies).
    2. The nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Consumers are described in Exhibit A to this DPA.
    3. EnlightenAI shall adhere to Organization's instructions with respect to the Processing of Organization Personal Data and shall assist Organization in meeting its obligations under the VCDPA.

C. FERPA

  1. Definitions
    1. For purposes of this Section C, "Education Records" shall have the meaning set forth in FERPA and its implementing regulations at 34 CFR § 99.
  2. Obligations
    1. In the event EnlightenAI has access to Education Records, EnlightenAI agrees to:
      • Not use or disclose the Education Records other than for the purpose specified in this DPA and the Agreement.
      • Use reasonable methods to ensure the security and confidentiality of Education Records.
      • Not re-disclose Education Records to any other party without the prior consent of the Organization, except as permitted by FERPA.
      • Upon termination, cancellation, expiration, or other conclusion of the Agreement, return or destroy all Education Records collected pursuant to the Agreement.

Exhibit D: Schedule of Student Data Collection

| Category of Data | Elements | Check if Used by Your System |
| --- | --- | --- |
| Application Technology Meta Data | IP Addresses of users, Use of cookies, etc. | X |
| Application Technology Meta Data | Other application technology meta data - please specify: | |
| Application Use Statistics | Meta data on user interaction with application | |
| Assessment | Standardized test scores | |
| Assessment | Observation data | |
| Assessment | Other assessment data – please specify: | |
| Attendance | Student school (daily) attendance data | |
| Attendance | Student class attendance data | |
| Communications | Online communications captured (emails, blog entries) | |
| Conduct | Conduct or behavioral data | |
| Demographics | Date of Birth | |
| Demographics | Place of Birth | |
| Demographics | Gender | |
| Demographics | Ethnicity or race | |
| Demographics | Language information (native or primary language spoken by student) | |
| Demographics | Other demographic information – please specify: | |
| Enrollment | Student school enrollment | |
| Enrollment | Student grade level | |
| Enrollment | Homeroom | |
| Enrollment | Guidance counselor | |
| Enrollment | Specific curriculum programs | |
| Enrollment | Year of graduation | |
| Enrollment | Other enrollment information - please specify: | |
| Parent/Guardian Contact Information | Address | |
| Parent/Guardian Contact Information | Email | |
| Parent/Guardian Contact Information | Phone | |
| Parent/Guardian ID | Parent ID number (created to link parents to students) | |
| Parent/Guardian Name | First and/or Last | |
| Special Indicator | English language learner information | |
| Special Indicator | Low income status | |
| Special Indicator | Medical alerts/health data | |
| Special Indicator | Student disability information | |
| Special Indicator | Specialized education services (IEP or 504) | |
| Special Indicator | Living situations (homeless/foster care) | |
| Special Indicator | Other indicator information – please specify: | |
| Student Contact Information | Address | |
| Student Contact Information | Email | X |
| Student Contact Information | Phone | |
| Student Identifiers | Local (School district) ID number | |
| Student Identifiers | State ID number | |
| Student Identifiers | Provider/App assigned student ID number | X |
| Student Identifiers | Student app username | |
| Student Identifiers | Student app passwords | |
| Student Name | First and/or Last | X |
| Student In App Performance | Program/application performance (typing program-student types 60 wpm, reading program-student reads below grade level) | |
| Student Program Membership | Academic or extra-curricular activities a student may belong to or participate in | |
| Student Survey Responses | Student responses to surveys or questionnaires | |
| Student work | Student generated content; writing, pictures, etc. | X |
| Student work | Other student work data – please specify: | |
| Transcript | Student course grades | |
| Transcript | Student course data | |
| Transcript | Student course grades/performance scores | |
| Transcript | Other transcript data – please specify: | |
| Transportation | Student bus assignment | |
| Transportation | Student pick up and/or drop off location | |
| Transportation | Student bus card ID number | |
| Transportation | Other transportation data – please specify: | |
| Other | Please list each additional data element used, stored, or collected by your application: | |
| None | No Student Data collected at this time. Provider will immediately notify LEA if this designation is no longer applicable. | |