EdÛcare Business - Data Processing Addendum
Data Processing Addendum last updated December 1, 2025.
While this Agreement may be translated into another language, the binding version of this Agreement shall be the English language version, and in the event of a conflict between the English version and any translated version, the English version will prevail.
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement between Customer and EdÛcare, and any Order Forms, and addenda thereto, pursuant to which EdÛcare provides EdÛcare Business services to Customer (the "Agreement"). If the entity signing this DPA is not a party or an Affiliate of a party to any Agreement, then this DPA is not valid and is not legally binding.
The purpose of this DPA is to reflect our agreement about the Processing of Customer Data, including Personal Data, in accordance with the requirements of Data Protection Laws. To the extent EdÛcare, in providing Services set forth in the Agreement, processes Personal Data on behalf of Customer, the provisions of this DPA apply. All capitalized terms not defined below have the meanings assigned to them in the Agreement.
This DPA consists of:
- The main body of this DPA.
- Exhibit A – Description of Processing
- Exhibit B – Technical and Organizational Security Measures
To Execute this DPA:
- To complete this DPA, sign the main body of this DPA in the signature box below.
- Unless another execution mechanism is agreed with EdÛcare, submit the completed and signed DPA to your EB sales representative. Upon receipt of your validly completed DPA, this DPA will be legally binding (provided that you have not overwritten or modified any of the terms beyond completing any missing information).
Data Processing Terms
Customer and EdÛcare hereby agree to the following provisions with respect to any Personal Data Customer transmits to EdÛcare by using the Services.
1. DEFINITIONS
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the entity. For purposes of this definition, “control” means direct or indirect ownership or control of more than 50% of the voting interests of the entity.
- “Brazil LGPD” means Law No. 13.709 of 14 August 2018, General Personal Data Protection Law of Brazil (as amended by Law No. 13.853 of 8 July 2019).
- “Brazil SCCs” means the Standard Contractual Clauses for International Data Transfers approved by Resolution CD/ANPD No. 19 of August 23, 2024, issued by the Autoridade Nacional de Proteção de Dados (ANPD) (available at: https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-19-de-23-de-agosto-de-2024-580095396), completed as stated in Section 9.3 below, or any amended or replacement clauses as may be approved and required by ANPD.
- “Customer Data” means all electronic data submitted by or on behalf of Customer to EdÛcare or collected by EdÛcare for the purposes of providing the Services to Customer.
- “Data Controller” or “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
- “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced.
- “Data Processor” or “Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws” means all applicable laws and regulations, including laws and binding regulations of Brazil, the European Union, the European Economic Area and their member states, and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means an individual whose Personal Data is subject to Data Protection Laws.
- “DPF Principles” means the Principles and Supplemental Principles (as detailed here) contained in the relevant Data Privacy Framework, as may be amended, superseded or replaced.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any Customer Data relating to an identified or identifiable natural person protected under Data Protection Laws transmitted to or collected by EdÛcare.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- “Security Documentation” means the information provided to Customer by EdÛcare regarding its data security technical and organizational measures as described in Exhibit B and as may be updated by EdÛcare from time to time as set forth in this DPA.
- “Security Incident” means an unauthorized disclosure of or access to Personal Data or an accidental or unlawful destruction, loss or alteration of Personal Data that could reasonably require notification under Data Protection Laws.
- “Services” means the EdÛcare Business subscription provided by EdÛcare to Customer as well as additional service offerings as provided under the Agreement.
- “2021 Standard Contractual Clauses” or “2021 SCCs” means the standard contractual clauses as set forth in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1623192961660), completed as described in Section 8 below (“Additional Terms for Transfer of Personal Data”), or any amended or replacement clauses as may be approved and required by the European Commission.
- “Subprocessor” means any non-EdÛcare or non-EdÛcare Affiliate Data Processor, engaged by EdÛcare to Process Personal Data in connection with the Services.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or the United Kingdom pursuant to the UK Data Protection Act of 2018, or Brazil pursuant to Brazil LGPD.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) (available at: https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx).
2. PROCESSING OF PERSONAL DATA
2.1 Customer’s Processing of Personal Data. Customer will, in its use of the Services, comply with Data Protection Laws. For the avoidance of doubt, Customer’s instructions to EdÛcare for the Processing of Personal Data must comply with Data Protection Laws. Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including providing any required notices to, and obtaining any necessary consent from, its employees, agents, or third parties to whom it extends the benefits of the Services. For purposes of this DPA, Customer is the Data Controller, or interim Data Processor (where contracting on behalf of its Affiliates) and EdÛcare is the Data Processor.
2.2 EdÛcare’s Processing of Personal Data. EdÛcare will process and use Personal Data on behalf of and only in accordance with instructions (including via email) of Customer and to the extent required by law. Customer hereby acknowledges and agrees that by virtue of using the Services, it gives EdÛcare instructions to process and use Customer Data and Personal Data in order to provide the Services in accordance with the Agreement, as described in Exhibit A, and for the following purposes: (i) Processing initiated by Users in their use of the Services; and (ii) Processing to comply with other documented reasonable instructions provided by User (e.g. via email or support tickets) where such instructions are consistent with the terms of the Agreement. Customer will not submit any Personal Data to EdÛcare which is not relevant to or necessary for the performance of the Services.
2.3 Data Protection Impact Assessment. Upon Customer’s request, EdÛcare will provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations under Data Protection Laws to carry out a data protection impact assessment or similar assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information. EdÛcare will provide reasonable assistance to Customer in the event of a prior consultation with or required response to enquiries from any competent Supervisory Authority.
3. RIGHTS OF DATA SUBJECTS
3.1 Deletion or Return of Personal Data. Upon termination of this DPA, EdÛcare will (1) make Customer Personal Data available on the platform upon Customer’s written request and (2) delete Customer Personal Data from its systems. Where EdÛcare is required by law to retain any Customer Personal Data, EdÛcare will isolate such data from further Processing and delete it when it is no longer required to be retained.
Notwithstanding the above, if Emtrain Compliance is purchased, then Personal Data processed by Emtrain, Inc. (“Emtrain”) will be retained for up to five (5) years following termination of Customer's account with Emtrain to support Customer's compliance requirements, unless otherwise requested in writing by Customer upon termination of Customer's account with Emtrain.
3.2 Data Subject Requests. EdÛcare will promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, or deletion of such Data Subject’s Personal Data. EdÛcare will not respond to any such Data Subject request without being instructed by Customer in writing (including email) except to confirm to the Data Subject that the request relates to Customer. EdÛcare will provide reasonable assistance to Customer in responding to Data Subject requests.
3.3 Complaints or Notices Related to Personal Data. In the event EdÛcare receives any official complaint, notice, or communication that relates to EdÛcare's processing of Personal Data or either party's compliance with Data Protection Laws in connection with Personal Data, to the extent legally permitted, EdÛcare will promptly notify Customer and EdÛcare will provide Customer with commercially reasonable cooperation and assistance in relation to any such complaint, notice, or communication. Where such assistance results in costs to EdÛcare beyond normal operating expenses, Customer will be responsible for reasonable costs.
4. EDÛCARE PERSONNEL
4.1 Confidentiality. EdÛcare will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. EdÛcare will ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2 Limitation of Access. EdÛcare will ensure that access to Personal Data is limited to those personnel who require such access to perform the Agreement.
4.3 Data Protection Officer. EdÛcare has appointed a data protection officer who may be reached at privacy@Educaire.com.
5. SUBPROCESSORS
5.1 Appointment of Subprocessors. Customer acknowledges and agrees that EdÛcare and its Affiliates may engage Subprocessors. EdÛcare will only disclose Personal Data to Subprocessors that are parties to written agreements with EdÛcare including obligations no less protective than the obligations of this DPA. EdÛcare will ensure that access to Personal Data is limited to those Subprocessors who require such access to perform their services to EdÛcare for the provision of the Services to Customer. EdÛcare will make available to Customer a current list of Subprocessors and the respective services Subprocessors provide and will thereafter notify Customer prior to appointing any new Subprocessor. The Subprocessor list and updates thereto are available via publishing on EdÛcare’s website (available on the EB site on the left sidebar of the Terms page).
5.2 Objection Right for New Subprocessors. If Customer has a good faith objection to EdÛcare’s use of a new Subprocessor based on the Subprocessor’s inability to comply with Data Protection Laws, then Customer will notify EdÛcare of such objection in writing within 15 days after receipt of EdÛcare’s notice. EdÛcare will use reasonable efforts to (i) recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid processing of Personal Data by said new Subprocessor, or (ii) work with the Subprocessor to ensure that any subprocessing is performed in a manner reasonably satisfactory to Customer. If the parties are not able to find a suitable solution within a reasonable period of time, which will not exceed 60 days, then Customer may, by providing written notice to EdÛcare, terminate any applicable Agreement in respect only to those Services that cannot be provided by EdÛcare without the use of the objected-to new Subprocessor. If the objected-to new Subprocessor is necessary to provide the Services, Customer may terminate the Agreement.
5.3 Liability. EdÛcare will be liable for the acts and omissions of its Subprocessors to the same extent EdÛcare would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. SECURITY; AUDIT RIGHTS
6.1 Controls for the Protection of Personal Data. EdÛcare will maintain appropriate technical and organizational security measures, as described in the Security Documentation, against Security Incidents.
6.2 Audit Rights. Upon Customer's request, and subject to the confidentiality obligations set forth in the Agreement and this DPA, EdÛcare will make available to Customer (or Customer's independent, third-party auditor) information regarding EdÛcare's compliance with the obligations set forth in this DPA. Where such information does not resolve Customer’s concerns regarding EdÛcare’s compliance with its obligations set forth in this DPA, Customer may request an audit of EdÛcare’s policies, procedures, and controls relevant to the protection of Personal Data, but only to the extent required under applicable Data Protection Law. Remote audits will be utilized where possible with on-site audits occurring only where on-site access of the premises is required and only during regular business hours. Customer must provide at least 6 weeks’ prior notice to EdÛcare of a request for such an audit. Before the commencement of any such on-site audit, Customer and EdÛcare will mutually agree upon the scope, timing, and duration of the audit. Customer will promptly notify EdÛcare with information regarding any material non-compliance discovered during the course of an audit. Audits will not occur more than once every 12 months unless required by the instruction of a Supervisory Authority or a further audit is necessary due to a material Security Incident affecting Customer Personal Data Processed by EdÛcare.
7. SECURITY INCIDENT MANAGEMENT AND NOTIFICATION
EdÛcare maintains security incident management policies and procedures, including detailed security incident escalation procedures as further described in the Security Documentation. If EdÛcare has determined that a Security Incident has occurred, EdÛcare will notify Customer without undue delay and provide Customer with relevant information about the Security Incident, including all information required by Data Protection Laws.
8. DATA PRIVACY FRAMEWORK
EdÛcare is self-certified under the Data Privacy Framework. When Personal Data originating from the EEA, the UK, or Switzerland is transferred to EdÛcare, such transfers will be deemed to have an adequate level of protection under European Data Protection Law. EdÛcare will receive the Personal Data under the Data Privacy Framework and, when processing that Personal Data, will comply with the DPF Principles. EdÛcare agrees to assist the Customer in responding to individuals exercising their rights under the DPF Principles, insofar as the request is relevant to the Processing undertaken by EdÛcare. If EdÛcare’s certification under the Data Privacy Framework, or the Data Privacy Framework itself, is withdrawn, terminated, revoked, or otherwise invalidated, section 9 shall apply.
9. ADDITIONAL TERMS FOR TRANSFER OF PERSONAL DATA
9.1 2021 Standard Contractual Clauses. To the extent Personal Data originates from the European Economic Area (EEA), Switzerland, or any other jurisdiction that recognizes the 2021 SCCs as a lawful transfer mechanism, all transfers to and Processing of Personal Data in countries which do not ensure an adequate level of protection (as determined by the European Commission or relevant government authority) and for which no other lawful transfer mechanism is relied upon, are on the basis of and subject to the 2021 SCCs. To the extent the parties at any point during the Term rely on the 2021 SCCs, by executing this DPA, the parties are deemed to be signing the 2021 SCCs with the intention that they take effect in accordance with the terms of this Section 9.1, including Annex I.A, and the parties agree as follows:
- The Data Exporter is the Customer, and the Data Exporter’s contact information is set forth in Exhibit A, below.
- The Data Importer is EdÛcare, and EdÛcare’s contact information is set forth in Exhibit A, below.
- For the purposes of this DPA and the Agreement, Module Two (Transfer Controller to Processor) applies, except where the Data Exporter is a Data Processor in which case Module Three (Transfer Processor to Processor) applies.
- Clause 7 (Optional Docking Clause) does not apply.
- Clause 8.9 (Documentation and compliance): the Parties agree that audits and requests for audits pursuant to Clause 8.9 will be done in accordance with Section 6 (Security; Audit Rights) of this DPA.
- Clause 9(a) (Use of Sub-processors): the Parties elect Option 2 (General Written Authorisation) with a 15-day notice period. Data Exporter consents to Data Importer’s engagement of Subprocessor(s) in accordance with Section 5 (Subprocessors) of this DPA.
- Clause 11(a) (Redress): the optional section does not apply.
- Clause 17 (Governing Law): the Parties elect Option 1 and agree that the Clauses will be governed by the laws of Ireland.
- Clause 18(b) (Choice of Forum and Jurisdiction): the Parties agree that any dispute arising from the Clauses will be resolved by the courts of Ireland.
- Exhibit A (Description of Processing) will apply to Annex 1.
- Exhibit B (Technical and Organizational Security Measures) will apply to Annex 2.
- The Subprocessor list described in Section 5 (“Subprocessors”) of this DPA applies to Annex 3 of the 2021 SCCs.
9.2 UK Addendum. To the extent Personal Data originates from the United Kingdom (UK), all transfers to and Processing of Personal Data in countries which do not ensure an adequate level of protection (as determined by the UK Secretary of State) and for which no other lawful transfer mechanism is relied upon, are on the basis of and subject to the UK Addendum. To the extent the parties rely on the UK Addendum at any point during the Term, by executing this DPA, the parties are deemed to be signing the UK Addendum to take effect in accordance with the terms of this Section 9.2 which is deemed completed as follows:
- Table 1 will be populated by the information in Exhibit A (Description of Processing).
- Table 2: The parties agree the UK Addendum is appended to the 2021 SCCs as modified by Section 9.1 (2021 Standard Contractual Clauses).
- Table 3 is completed as follows:
  - Annex 1A: List of Parties: Exhibit A (Description of Processing)
  - Annex 1B: Description of Transfer: Exhibit A (Description of Processing)
  - Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Exhibit B (Technical and Organizational Security Measures)
  - Annex III: List of Sub-processors (Modules 2 and 3 only): As described in Section 5 of this DPA.
- Table 4: The parties elect that neither party may end the UK Addendum with respect to Section 19 of the UK Addendum.
In the event of any conflict between this DPA and (1) the Data Privacy Framework or (2) 2021 SCCs (including the UK Addendum), the (1) Data Privacy Framework or (2) 2021 SCCs (including the UK Addendum) will control and supersede.
9.3 Brazil SCCs. To the extent Personal Data subject to the Brazil LGPD is transferred to a country that does not provide an adequate level of data protection as determined by the ANPD and for which no other lawful transfer mechanism is relied upon, the parties agree to comply with and be bound by the Brazil SCCs. To the extent the parties rely on the Brazil SCCs at any point during the Term, by executing this DPA, the parties are deemed to be signing the Brazil SCCs to take effect in accordance with the terms of this Section 9.3 which is deemed completed as follows:
- Clause 1.1 (Identification of the Parties):
  - The Data Exporter/Controller is the Customer, and Customer’s contact information is set forth in Exhibit A, below.
  - The Data Importer/Operator is EdÛcare, and EdÛcare’s contact information is set forth in Exhibit A, below.
- Clause 2.1 (Purpose) is deemed filled in with the information contained in Exhibit A (Description of Processing).
- Clause 3.1 (Subsequent Transfers): Option B is selected and filled in with the information contained on the Subprocessor list described in Section 5 of this DPA.
- Clause 4 (Responsibilities of the Parties): Option A is selected and the Exporter is selected for clauses 4.1(a)-(c).
- Section III (Security Measures): Exhibit B (Technical and Organizational Security Measures) will apply.
In the event of any conflict between the terms of this DPA and the Brazil SCCs, the Brazil SCCs shall prevail to the extent required for compliance with Brazilian data protection laws.
10. ADDITIONAL TERMS FOR PERSONAL DATA OF CALIFORNIA USERS
If Customer is subject to the California Consumer Privacy Act of 2018, as amended (CCPA), EdÛcare shall be considered a “Service Provider” (as such term is defined in the CCPA), and EdÛcare will not: (a) sell or share Personal Data (as “sell” and “share” are each defined in the CCPA); (b) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services; (c) retain, use, or disclose Personal Data for a commercial purpose other than providing the Services; (d) retain, use, or disclose Personal Data outside of the direct business relationship between EdÛcare and Customer; or (e) combine Customer Personal Information with any Personal Information it receives from or on behalf of another person or collects from its own interactions with consumers. EdÛcare certifies that it understands and will comply with the restrictions set out in this Section and will reasonably cooperate and assist Customer with meeting Customer’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of EdÛcare’s Processing and the information available to EdÛcare.
11. LEGAL EFFECT; TERMINATION
This DPA will only become legally binding between Customer and EdÛcare when fully executed and will terminate when the Agreement terminates, without further action required by either party.
12. CONFLICT
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA will prevail.
IN WITNESS WHEREOF, the parties have caused this Data Processing Addendum to be duly executed. Each party warrants and represents that its respective signatories whose signatures appear below are on the date of signature duly authorized.
EXHIBIT A: Description of Processing
A. LIST OF PARTIES
1. Data Exporter
- Data exporter is Customer
- Name: See signature block of this DPA.
- Address: See signature block of this DPA.
- Contact Name, position, contact details: See signature block of this DPA.
- Activities relevant to data transferred: Exporter is the EdÛcare Customer, exporting personal data described below.
- Role (Controller/Processor): Controller (detailed in Section 1)
2. Data Importer
- Name: EdÛcare (as defined in the relevant Agreement), on behalf of itself and its Affiliates
- Address: 600 Harrison Street — 3rd Floor, San Francisco, CA 94107 (United States)
- Contact Name, position, contact details: Edward Hu, DPO, privacy@Educaire.com
- Activities relevant to data transferred: Provider of an online learning platform which Processes Personal Data to provide the Services to Data Exporter.
- Role (Controller/Processor): Processor (detailed in Section 1)
B. DESCRIPTION OF TRANSFER
Categories of data subjects
Data exporter may submit Personal Data to EdÛcare, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Employees of Customer or its Affiliates
- Other users of the Service as Data Exporter authorizes
Categories of personal data transferred
Data exporter may submit Personal Data to EdÛcare, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Account data (e.g., first and last name, email address, course completion certificates)
- (Optionally provided) Additional account data like photo, areas of interest, and role.
- (Optionally enabled by customer) Course reviews and other communications
- System & session data (e.g. operating system type and version, IP address, approximate location based on IP address, device ID, browser version and language)
- Platform usage data (e.g. courses enrolled, course progress/completion, features used, date/time)
- Other categories of Personal Data as provided by Customer or as necessary to provide the Services or customer-elected integrations
EdÛcare will make additional technical information available to Customer upon request, such as details available in its EB Privacy Statement (https://www.Educaire.com/terms/eb-privacy/).
Sensitive data transferred (if applicable)
No sensitive data is contemplated to be processed pursuant to the Agreement.
Frequency of the transfer
Personal data will be transferred on a continuous basis for the duration of the Agreement. Data Importer will continue to collect personal data as users interact with the platform.
Nature of the processing
The personal data transferred will be subject to the following basic processing activities:
- Processing in accordance with the Agreement and applicable Order Form(s);
- Processing initiated by Users in their use of the Services;
- Processing to comply with other documented reasonable instructions provided by User (e.g., via email or support tickets) where such instructions are consistent with the terms of the Agreement.
Purpose(s) of the data transfer and further processing
Transfer and further Processing of the Personal Data will occur for the purposes provided for in the Agreement.
Period for which personal data will be retained
Personal Data will be retained for the length of the Agreement or as required by law, with the exception of Personal Data processed by Emtrain. Personal Data processed by Emtrain will be retained for up to five (5) years following termination of Customer's account with Emtrain to support Customer's compliance requirements, unless otherwise requested in writing by Customer upon termination of Customer's account with Emtrain.
Subject matter, nature, and duration of processing (for transfers to sub-processors)
Please refer to the Subprocessor list described in Section 5 (“Subprocessors”) of this DPA for a description of the nature of the services provided by each Subprocessor. As EdÛcare Business services are continuously offered, the duration of the subprocessing is the term of the Agreement.
GDPR supervisory authority
9.1 The competent supervisory authority will be the supervisory authority where Customer is established (or has its EU representative). Where Customer does not have an EU establishment or EU representative, the competent supervisory authority will be in the jurisdiction of the Member State where most of its data subjects are located.
9.2 If the Customer is not subject to GDPR, this section (Section 9 of Exhibit A) will not apply.
EXHIBIT B: Technical and Organizational Security Measures
Please see below for a description of the technical and organizational measures implemented by the data importer, including a description of relevant certifications, to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of individuals. As our technical and organizational measures apply across our production systems, they apply to all personal data transferred.
Measures of pseudonymization and encryption of personal data
Data protection and cryptography are essential to achieving strong authentication, non-repudiation, and the protection of confidentiality and integrity of data at rest and in transit. These capabilities are used to ensure EdÛcare’s customer data and identities are protected adequately to resist current and projected attacks.
Data protection and cryptography activities include the following:
- Sensitive data transmissions are protected using Transport Layer Security (e.g., TLS 1.2 or greater), Internet Protocol Security (IPSec), or equivalent secure protocols.
- Encryption modules, algorithms, and protocols meet industry best practices (e.g., AES-256 ciphers or better).
- All non-public data at rest are encrypted using cryptographic keys that are separate from the data.
- Cryptographic keys are stored in an encrypted form. The key encrypting key (KEK) is at least as strong as the data encrypting key it protects.
- All cryptographic keys have a defined crypto period and are rotated after personnel with knowledge of the keys are terminated, or when a key is suspected to be compromised.
- Data protection and cryptography modules, algorithms, protocols, and security configurations are reviewed on an annual basis, including re-validation of all policy exceptions.
- Where possible and practical, user data is pseudonymized within our production and/or business systems and processes. For example, user email and name are pseudonymized to a user id for certain customer support activities.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Timely detection of malicious activities aids in preventing or containing malicious actions before damage can be performed. Vulnerability and patch management reduce exposure to attacks by tracking and remediating vulnerabilities in a timely fashion, as well as by patching systems to reduce their exposure to attack.
Monitoring, vulnerability, and patch management activities include the following:
- EdÛcare’s systems and cloud services delivering business-critical functions are monitored for performance and availability so failures can be detected.
- All log entries are synchronized to Coordinated Universal Time (UTC) or a delineated global time zone so the times when events occur are clearly presented to investigators.
- Security audit logging ties user activity in the information system to a named user or service account.
- Security audit logs are protected from tampering and are made available to support investigations for one year after the event is logged.
- Networks are monitored to detect rogue or malicious devices connecting to them, and wireless networks are configured to detect attacks and rogue wireless access points.
- New applications and servers are assessed for vulnerabilities, and all high-risk vulnerabilities are addressed before becoming operational.
- Servers are scanned for operating system vulnerabilities using a credentialed vulnerability scanner at least quarterly, and all “high” or “critical”-level operating system vulnerabilities are addressed or remediated promptly and on a priority basis.
- Vendor-provided patches are evaluated and installed as recommended by vendors. When security patches cannot be installed for operational reasons, mitigating preventive and detective controls are employed to keep the overall risk acceptable.
- Monitoring, vulnerability, and patch management security configurations are reviewed on a continuous basis, including re-validation of all policy exceptions.
- All EdÛcare assets employ controls to detect, prevent, and recover from malicious activity such as ransomware, viruses, spyware, and trojans.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
EdÛcare’s infrastructure and data are protected from losses of availability related to system failure, physical destruction, and accidental or malicious incidents. Services, applications, and servers are configured with adequate redundancy and protection to meet business needs in the event of accidental or deliberate incidents targeting their availability.
High availability, disaster recovery, resilience and physical protection activities include the following:
- Major system upgrades and configuration changes have adequate recoverability in place so that the changes can be “rolled back” within the availability, recovery point, and recovery time requirements.
- Backup data is sufficiently protected physically and logically so that natural or man-made disasters will not result in the destruction of both the primary copy and the backup.
- Backup data is encrypted, and encryption keys are encrypted and protected from potential loss or compromise so that data is secure and can be recovered even in the event of catastrophic loss.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Backups, replication processes, and snapshot procedures, where feasible, are regularly tested to verify their proper operation.
- Disaster recovery capabilities are tested annually to ensure their effectiveness.
- High availability, disaster recovery, and physical protection configurations are reviewed on an annual basis, including re-validation of all policy exceptions.
- A SOC 2 Type 2 audit is conducted annually on EdÛcare’s production infrastructure.
- Regular internal and external vulnerability and penetration assessments are conducted on EdÛcare’s production infrastructure.
- A vulnerability disclosure program (VDP) is administered via an industry-standard program.
Measures for user identification and authorization
- All EdÛcare production systems use centralized identity provisioning and de-provisioning and centralized access management where possible.
- Identity systems provide protective, detective, and audit controls governing administrative changes to the identity system and identity lifecycle actions, including account and permission provisioning, de-provisioning, and changes.
- Strong passwords and multi-factor authentication are required for access to EdÛcare production systems.
- Privileged access rights for information systems are provided based on job function using the concept of Least Privilege.
Measures for the protection of data during transmission
Data protection and cryptography activities include the following for data in transit:
- Sensitive data transmissions are protected using Transport Layer Security, Internet Protocol Security (IPSec), or equivalent secure protocols.
- All customer connections to EdÛcare’s Web Application are provided only via Transport Layer Security and only utilizing industry-standard cipher suites.
- Encryption modules, algorithms, and protocols meet industry best practices (e.g., AES-256 ciphers or better).
Measures for the protection of data during storage
Data protection and cryptography activities include the following for data at rest:
- Encryption modules, algorithms, and protocols for data at rest (volume and database) adhere to industry best practices (e.g., AES-256 ciphers or better).
- All non-public data at rest is encrypted using current industry-standard cryptography, with a key management system providing secure storage of the encryption keys separate from the data.
Measures for ensuring physical security of locations at which personal data are processed
EdÛcare maintains physical and environmental controls on its corporate offices, including the following:
- Facilities are restricted by security cards or a fingerprint ID system. Unauthorized persons are prevented from gaining physical access to premises, buildings, or rooms where data processing systems are located which process and/or use personal data.
- Physical access to corporate offices or data processing centers is revoked upon employee separation.
- EdÛcare’s data centers are hosted with industry-leading cloud-service providers, each of which adheres to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms, and other measures to prevent equipment and data center facilities from being compromised.
- Servers themselves are isolated and kept in a private/dedicated cage, secured and monitored 24/7.
- Buildings are fire protected.
- Multi-factor authentication is required for server access.
Measures for ensuring events logging
- Network-connected endpoint systems are configured to forward security logs, including administrator logon and security component configurations, to a central infrastructure for logging and correlation (e.g., Security Information and Event Management, or SIEM).
- All log entries are synchronized to Coordinated Universal Time (UTC) or a delineated global time zone so the times when events occur are clearly presented to investigators.
- Security audit logging ties user activity in the information system to a named user or service account.
- Security audit logs are protected from tampering and are made available to support investigations.
Measures for ensuring system configuration, including default configuration
- Network configuration changes require approval and are logged for audit and investigation, as required.
- Network security configurations are regularly reviewed, and all network policy configurations and exceptions are re-validated annually.
- Where applicable, device start-up configuration files are synchronized with the security settings of the running configuration to prevent weaker rules from running in the event of a device reboot.
- Before installing a system platform or application, vendor-supplied defaults are always changed.
- All assets are hardened according to industry benchmarks (e.g., CIS) and/or vendor hardening guidelines.
- All vendor-supplied default system passwords are changed before installing systems on the network.
- Systems do not have more than one primary role. Technologies in use by EdÛcare corporate and production environments follow a documented secure configuration standard.
Measures for internal IT and IT security governance and management
- Security governance oversight includes stakeholders from Information Security, Application Security, Engineering, Legal, HR, and Facilities teams.
- The Security team and executive leadership have overall governance ownership of enterprise IT systems and information, including compliance with EdÛcare’s security policies.
- The Security team regularly meets with stakeholders to discuss security matters and document policy changes or recommendations for enhancements.
- The Security team tracks security risks and their potential consequences and reports to business leadership on those risks and mitigation needed.
- EdÛcare audits preventive, detective, and audit controls on an annual basis to ensure their proper design and operation (e.g., SOC 2 Type 2 audit).
Measures for certification/assurance of processes and products
- EdÛcare complies with applicable contractual, regulatory, statutory, and legal requirements, such as the EU’s General Data Protection Regulation (GDPR), applicable local laws, and the Payment Card Industry Data Security Standard (PCI DSS).
- Application security preventive, detective, and audit controls are verified and tested for proper operation continuously as indicated in the section above regarding “regularly testing, assessing and evaluating the effectiveness of technical and organisational measures”.
Measures for ensuring data minimization
- EdÛcare maintains standards that limit the collection and retention of personal data to what is required for the delivery of services and for legal or security purposes.
- The product development lifecycle process includes an assessment of data collection and processing and a review from the Data Protection Officer to ensure data minimization.
- Subprocessor access to personal data is limited to what is necessary to enable the service provided by the subprocessor.
Measures for ensuring data quality
- Administrators and users are given the ability to correct their data directly on the platform.
- Where applicable, data validation occurs through syntax checks on web application fields.
- Additional security measures are employed, as described in the sections above, to ensure that data is not subject to unauthorized alteration, loss, or destruction.
Measures for ensuring limited data retention
- EdÛcare utilizes an automated deletion and anonymization process that can be initiated by customer request on a per-user or company account basis. The process runs automatically 30 days after the termination of a contract (or 90 days after a Team Plan account termination), with the exception of Personal Data processed by Emtrain, which will be retained for up to five (5) years following termination of Customer's account with Emtrain to support Customer's compliance requirements, unless otherwise requested in writing by Customer upon termination of Customer's account with Emtrain.
- EdÛcare has a company-wide data retention policy.
Measures for ensuring accountability
- EdÛcare has implemented mandatory security awareness training programs for all personnel that have access to systems that contain user personal data.
- EdÛcare requires all personnel to acknowledge in writing, at the time of hire, that they will comply with their confidentiality obligations with respect to user data.
- EdÛcare has an Information Security Policy that describes data protection obligations and disciplinary actions for employees and contractors who violate them.
- EdÛcare adheres to a documented security incident response protocol which includes notification to data subjects and data protection authorities as required by law.
- EdÛcare has appointed a Data Protection Officer with the duties and responsibilities prescribed by law.
- EdÛcare undergoes an annual SOC 2 Type 2 Audit.
Measures for allowing data portability and ensuring erasure
- Data subject access requests are handled by the EdÛcare Privacy Team and are returned in CSV format.
- EdÛcare utilizes an automated deletion and anonymization process that can be initiated by customer request on a per-user or company account basis. The process runs automatically 30 days after the termination of a contract (or 90 days after a Team Plan account termination).
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
Before engaging third parties to process personal data, and to assist the data exporter in applying security appropriate to the nature of the data processed and the risks to the rights and freedoms of individuals, security due diligence reviews are conducted. This due diligence process may include but is not limited to:
- Determining the scope and extent of third party access to EdÛcare information and systems
- Assessment of the service, involved systems, and data classification
- Investigation of third party security posture using a security questionnaire drafted by the Legal and Security departments
- Review of any IT or security audits (e.g., SOC, PCI, penetration tests)
- Negotiation of necessary security improvements
- Assessment of the ability to provide the necessary service and meet service level objectives
- Review of the threat and vulnerability management process, incident management process, change management process, and staff vetting procedures
- Operational and financial stability and compliance with legislation
Data processing agreements (DPAs) are executed with subprocessors, requiring the subprocessor to assist EdÛcare in the following areas:
- Responding to individuals exercising any data protection rights.
- Forwarding and cooperating with EdÛcare regarding any inquiry, correspondence, or complaint received from a regulator, court, individual, or other third party.
- Executing data protection impact assessments (DPIAs).
- Deletion of data upon request or by self-service.
- Audit and production of documentation to show compliance with obligations under data protection law and the DPA.