DATA PROCESSING AGREEMENT
This Data Processing Agreement (this “Agreement”) is by and between Terra Dotta, LLC (“Terra Dotta”) and any educational institution or other organization that purchases Terra Dotta’s services (“Client”). This Agreement (i) applies if Client is a data controller subject to GDPR (defined below) and Terra Dotta is its data processor with respect to Personal Data, and (ii) contains additional terms relating to privacy and security. This Agreement serves as a supplement to the Software as a Service Agreement (the “Client Agreement”) entered into by the parties. Capitalized terms used in this Agreement but not defined have the meaning set forth in the Client Agreement or under GDPR, as applicable.
For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
Definitions. As used herein the following terms shall have the following definitions:
- “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in Privacy Laws, as applicable to the processing of Client Personal Data under this Agreement.
- “Client Personal Data” means personal data supplied by Client or its users to Terra Dotta in connection with the Terra Dotta Services provided under the Client Agreement.
- “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679.
- “Terra Dotta Software” means Terra Dotta’s standard software solution that assists institutions in managing study abroad and international education programs and international travel by its students, faculty and personnel.
- “Privacy Laws” means all applicable U.S. and international laws that regulate the use, disclosure and processing of personal data. Privacy Laws include as applicable GDPR and other applicable laws that specify privacy, data protection, security or security breach notification obligations that apply to personal data.
- “Terra Dotta Services” means the Software-as-a-Service, hosting, technical support and other services provided by Terra Dotta to Client, solely to the extent agreed by the parties pursuant to the Client Agreement.
- Roles of the Parties under GDPR. The parties acknowledge and agree that Client is the controller and Terra Dotta is a processor with regard to the processing by Terra Dotta of Client Personal Data under this Agreement. The subject matter, nature and purpose of Terra Dotta’s processing are limited to providing the Terra Dotta Services under the Client Agreement. The duration of the processing is the term of the Client Agreement. Data subjects include authorized users of Client as defined in the Client Agreement.
- Instructions for Processing. Terra Dotta shall process Client Personal Data only to provide Terra Dotta Services in accordance with the Client Agreement and this Agreement, which the parties agree serve as Client’s documented instructions. Client may provide additional instructions to Terra Dotta to process Client Personal Data, provided that Terra Dotta shall be obligated to perform such additional instructions only if they are required under applicable law and consistent with the terms and scope of the Client Agreement and this Agreement. Client represents and warrants that any instructions provided by Client do not violate any Privacy Laws, and Client will indemnify Terra Dotta for all costs (including reasonable attorney fees) Terra Dotta may incur if Client instructions do violate Privacy Laws.
- Terra Dotta Personnel. Terra Dotta shall require its personnel who have access to Client Personal Data to: (a) receive appropriate training on their responsibilities regarding the handling and safeguarding of Client Personal Data, and (b) agree to comply with confidentiality obligations that survive the termination of such personnel’s employment.
- Security Measures. Client and Terra Dotta each shall maintain (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons), appropriate technical and organizational measures to protect against loss, alteration, unauthorized disclosure of, or access to Client Personal Data.
- Compliance with Privacy Laws. Client and Terra Dotta each agree to comply with all Privacy Laws. As between the parties, Client shall be solely responsible for the accuracy, quality, and legality of Client Personal Data and the means by which Client obtained Client Personal Data.
- Privacy Shield. Terra Dotta is self-certified under the EU-U.S. Privacy Shield Framework maintained by the U.S. Department of Commerce (“Privacy Shield”) and complies with Privacy Shield requirements for handling, collecting and transferring Personal Data from the EEA and Switzerland to the United States in connection with the Terra Dotta Services. Terra Dotta will remain certified for the term of the Client Agreement so long as the Privacy Shield is recognized as a valid transfer mechanism under GDPR.
- Rights of Data Subjects. To the extent permitted by law, Terra Dotta will tell data subjects who make requests to Terra Dotta exercising their data subject rights (such as deletion, rectification, and data portability requests) with respect to Client Personal Data to contact Client directly regarding such request. Client shall be solely responsible for responding to such requests from data subjects. If the Terra Dotta Software does not provide Client the ability to respond to such requests, then, upon Client’s request, Terra Dotta will provide reasonable assistance to Client to respond to such requests. Depending on the nature of such assistance, Terra Dotta reserves the right to charge Client for assistance with such requests.
- Security Incidents. Each party shall, to the extent permitted by law, notify the other party without undue delay after becoming aware of a personal data breach involving Client Personal Data (“Security Incident”). Each party shall provide reasonably requested assistance to the other party in dealing with any Security Incident, taking into account the nature of processing and the information available to such party. Neither party shall make any public announcement about a Security Incident without the prior written consent of the other party, unless required by applicable law.
- Deletion of Client Personal Data. Upon termination or expiration of the Client Agreement, Terra Dotta will delete Client Personal Data in its possession as set forth in the Client Agreement, unless otherwise permitted by applicable law.
- Government Access Requests. Unless prohibited by applicable law or a legally-binding request of law enforcement, Terra Dotta shall promptly notify Client of any request by a government agency or law enforcement authority for access to or copy of Client Personal Data.
- Audits. Subject to reasonable notice, and at Client’s expense (including fees and expenses to compensate Terra Dotta for its time and out of pocket costs involved in responding to any audit request), Terra Dotta shall provide Client with reasonably requested information regarding Terra Dotta’s security program and systems and procedures that are applicable to the Terra Dotta Services, as necessary to demonstrate Terra Dotta’s compliance with Privacy Laws, and as reasonably necessary to allow for audits of the same. Audits will occur at most annually or following notice of a Security Incident.
- Subprocessors. Client grants a general authorization to Terra Dotta to appoint subprocessors to support the performance of the Terra Dotta Services, including data center providers. Upon request, Terra Dotta will provide Client with a list of such subprocessors. If Client has an objection to any such subprocessor, Terra Dotta will work with Client to address any such concerns. Terra Dotta will ensure that any subprocessor it engages on its behalf in connection with this Agreement agrees in a written contract to subprocessor terms substantially as protective of Client Personal Data as those imposed on Terra Dotta in this Agreement (the “Subprocessor Terms”). Terra Dotta shall be liable to Client for any breach by a subprocessor of any of the Subprocessor Terms.
- Entire Agreement; Conflict. This Agreement supersedes and replaces all prior and contemporaneous statements, understandings, and communications, oral and written, with regard to the subject matter of this Agreement. If there is any conflict between this Agreement and the Client Agreement, the terms of this Agreement shall control. Except as expressly set forth in this Agreement, the terms of the Client Agreement shall remain in place. For the avoidance of doubt, the parties intend that the limitations on liability clauses in the Client Agreement shall apply to this Agreement.