EdÛcare
Educaire

UnlimitedCourses Plan

Special Offer

25% OFF

Get unlimited access to every course

Unlimited courses for your department all year. Pay with MTN or Orange Money.

EdÛcare Data Processing Agreement

Data Processing Agreement last updated April 9, 2025.

This Data Processing Agreement (“DPA”) is entered into by and between EdÛcare, Inc. (on behalf of itself and its affiliates, hereinafter referred to as, “EdÛcare”) and the entity identified as the “Vendor” in the applicable EdÛcare ordering document or Agreement.

This DPA forms part of one or more agreements entered into between EdÛcare and Vendor pursuant to which Vendor provides certain services to EdÛcare (the “Agreement”). This DPA is incorporated into the relevant Agreement attached or incorporated by reference into the ordering documentation entered into by the Vendor (including SCC’s as defined herein). This DPA is effective as of the earlier of the Agreement’s effective date or when Service Provider first had access to or otherwise processed EdÛcare Personal Data (“Effective Date”).

In the event of any conflict between this DPA and any other agreement between the Parties, the terms of this DPA will control and supersede any other agreement.

1. DEFINITIONS

The terms used in this DPA will have the meanings given to them below:

  • 1.1 Applicable Data Protection Law: means all applicable international, federal, national, and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the Agreement, and all amendments, extensions, or replacements to such laws (including, but not limited to European Data Protection Law and the CCPA).
  • 1.2 CCPA: means the California Consumer Privacy Act, California Civil Code sections 1798.100 et seq., its implementing regulations, and any amendments thereto, including the California Privacy Rights Act and its implementing regulations.
  • 1.3 Controller: means the entity that determines the purposes and means of the processing of Personal Data. Controller may be EdÛcare or, if EdÛcare is a processor, EdÛcare’s enterprise customer.
  • 1.4 Data Privacy Framework: means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced.
  • 1.5 DPF Principles: means the Principles and Supplemental Principles (as detailed here) contained in the relevant Data Privacy Framework, as may be amended, superseded or replaced.
  • 1.6 European Data Protection Law: means, as applicable, the EU General Data Protection Regulation 2016/679 ("GDPR") and any applicable national laws made under the GDPR; the Swiss Revised Federal Data Protection Act (revFADP); and/or the UK Data Protection Act of 2018.
  • 1.7 Personal Data: means (1) any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and (2) any information deemed “personal information,” “personal data,” or similar term as defined under Applicable Data Protection Law.
  • 1.8 Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • 1.9 Processor: means an entity that processes Personal Data on behalf of the Controller. In the instances where EdÛcare is a Controller, Vendor is a Processor. In the instances where EdÛcare is a Processor, Vendor is a Subprocessor.
  • 1.10 Security Incident: means the unauthorized, accidental, or unlawful destruction, loss, alteration, disclosure, or access of any EdÛcare Data, and (2) any adverse cybersecurity event that affects EdÛcare personal data or is legally required to be notified to a government authority.
  • 1.11 2021 Standard Contractual Clauses (“2021 SCCs”): means the standard contractual clauses for the transfer of EEA personal data as set forth in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at: (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1623192961660)
  • 1.12 Subprocessor: means an entity that processes Personal Data on behalf of a Processor. The term Subprocessor will also include, for the purposes of this DPA, downstream Subprocessors of Vendor in the instances where Vendor is a Subprocessor of EdÛcare.
  • 1.13 EdÛcare Data: means (i) Personal Data provided or made available to Vendor by EdÛcare, (ii) Personal Data collected by Vendor on behalf of EdÛcare, (iii) Personal Data generated by EdÛcare’s use of Vendor’s services, and (iv) Personal Data derived from (i)-(iii).
  • 1.14 EdÛcare Business: means a service provided by EdÛcare to certain customers, as described at business.Educaire.com.
  • 1.15 UK Addendum: means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) (incorporated here by reference and available at: https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx)

2. DATA PROTECTION

2.1 Relationship of the Parties: If EdÛcare is the Controller of the EdÛcare Data Processed by Vendor (such as EdÛcare Data provided to Vendor relating to EdÛcare’s marketplace users, employees, prospective or actual job applicants, or suppliers), then Vendor is a Processor as to that data. If EdÛcare is the Processor of the EdÛcare Data Processed by Vendor for which a third party (such as a customer of EdÛcare Business) is the Controller, then EdÛcare appoints Vendor is a Subprocessor as to that data.

2.2 Purpose limitation: EdÛcare discloses Personal Data solely for the limited and specified purpose of obtaining the services under the Agreement (“Services”). Vendor will process EdÛcare Data only for purpose of providing the services under the Agreement, and strictly in accordance with the documented instructions of EdÛcare (the "Permitted Purpose"). In no event will Vendor process EdÛcare Data for its own purposes or those of any third party. Vendor will comply with and process all EdÛcare Data in accordance with Applicable Data Protection Law. If Vendor is ever unsure as to the parameters or lawfulness of the instructions issued by EdÛcare, Vendor will promptly seek clarification or further instructions from EdÛcare.

Vendor will not, within the meaning of the CCPA: (i) sell or share EdÛcare Data; (ii) retain, use, or disclose EdÛcare Data for any purpose other than for the specific purpose of performing the Services; (iii) retain, use, or disclose EdÛcare Data for a commercial purpose other than providing the Services; (iv) retain, use, or disclose EdÛcare Data outside of the direct business relationship between EdÛcare and Vendor; or (v) combine EdÛcare Data with Personal Data it receives from any other source, including from data subjects themselves, except for business purposes permitted by CCPA, but in no case may Vendor use EdÛcare data for Vendor’s advertising or marketing purposes. If Vendor becomes aware of its inability to meet any obligations under this DPA, Vendor will immediately notify EdÛcare whereafter EdÛcare may take reasonable and appropriate steps to stop and remediate unauthorized Processing of EdÛcare Data.

2.3 International transfers of Personal Data: Where the Vendor is certified under the Data Privacy Framework, transfers by EdÛcare of EdÛcare Data originating from the EEA, Switzerland or the UK (“EdÛcare European Data”) and Processing of EdÛcare European Data by the Vendor will be deemed to have an adequate level of protection under European Data Protection Law. In such circumstances, when EdÛcare Data originating from the EEA, the UK, or Switzerland is transferred to Vendor, Vendor will receive the Personal Data under the Data Privacy Framework and, when processing that EdÛcare Data, will comply with the DPF Principles. Vendor agrees to assist EdÛcare in responding to individuals, insofar as relevant to the Processing undertaken by Vendor, exercising their rights under the DPF Principles. Where the Vendor’s self-certification under the Data Privacy Framework, or the Data Privacy Framework itself, is withdrawn, terminated, revoked, or otherwise invalidated, the remainder of this section 2.3 shall apply.

To the extent EdÛcare Data originates from the European Economic Area (EEA), Switzerland, or any other jurisdiction that recognizes the 2021 SCCs as a lawful transfer mechanism, all transfers to and Processing of EdÛcare Data in countries which do not ensure an adequate level of protection (as determined by the European Commission or relevant government authority) and for which no other lawful transfer mechanism is relied upon, are on the basis of and subject to the 2021 SCCs which are incorporated here by reference. To the extent the parties rely on the 2021 SCCs, by executing this DPA, the parties are deemed to be signing the 2021 SCCs, including Annex I.A. The 2021 SCCs are deemed completed as follows:

  • Module 2 applies to those transfers in which EdÛcare is the data controller and Vendor is the data processor (as described in Section 2.1 (Relationship of the Parties)).
  • Module 3 applies to those transfers in which EdÛcare is the data processor and Vendor is the subprocessor (as described in Section 2.1 (Relationship of the Parties)).
  • Clause 7 (Optional Docking Clause): does not apply.
  • Clause 9(a) (Use of sub-processors): the Parties elect Option 2 (General written authorization) with a 30-day notice period.
  • Clause 11(a) (Redress): the optional section does not apply.
  • Clause 17 (Governing law): the Parties elect Option 1 and agree that the Clauses will be governed by the law of Ireland.
  • Clause 18(b) (Choice of forum and jurisdiction): the Parties agree that disputes arising from the Clauses will be resolved in the courts of Ireland.
  • Annex I of the applicable SOW (Description of Processing) will apply to Annex I.
  • Annex II of the applicable SOW (Technical and Organizational Security Measures) will apply to Annex II.
  • Annex III of the applicable SOW (List of Authorized Subprocessors) will apply to Annex III.

To the extent Personal Data originates from the United Kingdom (UK), all transfers to and Processing of Personal Data in countries which do not ensure an adequate level of protection (as determined by the UK Secretary of State) and for which no other lawful transfer mechanism is relied upon, are on the basis of and subject to the UK Addendum, which is incorporated here by reference. To the extent the parties rely on the UK Addendum, by executing this DPA, the parties are deemed to be signing the UK Addendum which is deemed completed as follows:

  • Table 1 will be populated by the information in Annex I of the applicable SOW (Description of Processing)
  • Table 2: The parties agree the UK Addendum is appended to the 2021 SCCs as modified by Section 2.3 (International transfers of Personal Data).
  • Table 3 is completed as follows:
    • Annex 1A: List of Parties: Annex I of the applicable SOW (Description of Processing)
    • Annex 1B: Description of Transfer: Annex I of the applicable SOW (Description of Processing)
    • Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II of the relevant SOW (Technical and Organizational Security Measures)
    • Annex III: List of Sub processors (Modules 2 and 3 only): Annex III of the applicable SOW (List of Authorized Sub processors)
  • Table 4: The parties elect that neither party may end the UK Addendum with respect to Section 19 of the UK Addendum.

In the event of any conflict between this DPA and (1) the Data Privacy Framework or (2) 2021 SCCs (including the UK Addendum), the (1) Data Privacy Framework or (2) 2021 SCCs (including the UK Addendum) will control and supersede.

2.4 Onward Transfers: Vendor will ensure that all onward transfers of EdÛcare Data are made (1) pursuant to a lawful transfer mechanism under Applicable Data Protection Law or (2) to a country deemed by the European Commission or competent government authority to provide a level of adequate protection such that no transfer mechanism is required.

2.5 Confidentiality of processing: Vendor will keep strictly confidential all EdÛcare Data. Vendor will ensure that any person that it authorises to process EdÛcare Data (including Vendor's staff, agents, and subcontractors) (“Authorized Persons”) will be subject to a strict duty of confidentiality and will not permit any person to process EdÛcare Data who is not under such a duty of confidentiality. Vendor will ensure that only Authorized Persons will have access to, and process, EdÛcare Data, and that such access and processing will be limited to the extent strictly necessary to achieve the Permitted Purpose. Vendor will ensure that Authorized Persons (i) are informed of the confidential nature of EdÛcare Data, (ii) have received appropriate security and privacy training and continue to receive such training annually, and (iii) have executed written confidentiality agreements. Vendor accepts responsibility for any breach of this DPA caused by the act, error, or omission of an Authorized Person.

2.6 Security: Vendor will at all times ensure an adequate level of protection for EdÛcare Data, wherever processed, in accordance with the requirements of Applicable Data Protection Law. Vendor will implement appropriate technical and organizational measures to protect EdÛcare Data from Security Incidents. Vendor will apply and continue to apply the security measures identified in Annex II of the relevant SOW or measures that exceed the protections provided for in Annex II of the relevant SOW. Upon request, Vendor shall provide copies of any existing relevant external information security certifications, audit report summaries and/or other documentation reasonably required by EdÛcare to verify Vendor’s compliance with this DPA.

2.7 Subprocessing: EdÛcare authorizes Vendor’s shall not subcontract any Processing of Personal Data to a Subprocessor without the prior written consent of EdÛcare. Notwithstanding, the foregoing, EdÛcare consents to the Vendor’s engagement of its current Sub-Processors as approved by EdÛcare in Annex III of the relevant SOW Vendor may engage additional Subprocessors if Vendor provides 15-business-days advanced written notice to EdÛcare at privacy@Educaire.com, and EdÛcare does not object to the additional Subprocessor(s). If EdÛcare objects to any additional Subprocessor, then either (i) Vendor will not appoint the Subprocessor or (ii) EdÛcare may elect to suspend or terminate the Agreement without penalty. Vendor may not appoint any Subprocessor to process EdÛcare Data without conducting adequate prior use diligence to ensure that the Subprocessor will provide the level of protection for Personal Data as required by this Agreement and by Applicable Data Protection Law. In all cases, Vendor will impose substantially similar data protection terms that are no less protective of Personal Data than provided for by this DPA on each Subprocessor it appoints. Vendor will remain fully liable for any breach of this DPA or violation of Applicable Data Protection Law that is caused by an act, error, or omission of its Subprocessor(s). Upon request, Vendor will provide to EdÛcare copies of its data processing agreement with any Subprocessor (which may be redacted to remove confidential information not relevant to the requirements of this DPA).

2.8 Cooperation and individuals' rights: Vendor will implement appropriate technical and organizational measures to assist EdÛcare and will provide such assistance in responding to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry, or complaint received from an individual, regulator, court, or other third party in connection with the processing of EdÛcare Data. If such communication is made directly to Vendor, Vendor will promptly (and in any event within two business days), provide full details of such communication to EdÛcare, and will not respond to the communication unless specifically required by law or instructed by EdÛcare.

2.9 Complaints or Notices Related to Personal Data: In the event Vendor receives any complaint, notice, or communication that relates to Vendor’s processing of EdÛcare Data, Vendor will promptly (and in any event within two business days) notify EdÛcare and provide EdÛcare with reasonable cooperation and assistance in relation to the complaint, notice, or communication.

2.10 Data Protection Impact Assessment: If EdÛcare or Vendor believes or becomes aware that its processing of EdÛcare Data is likely to result in a high risk to the data protection rights and freedoms of individuals, then Vendor will provide EdÛcare with all such reasonable and timely assistance as EdÛcare may require to conduct a data protection impact assessment and, if necessary, consult with the relevant data protection authority.

2.11 Security incidents: Upon becoming aware of a Security Incident, Vendor will inform EdÛcare at legal@Educaire.com without undue delay (and, in any event, within 24 hours) and will provide all such timely information and cooperation as EdÛcare may require to fulfill its data breach reporting obligations (including mandatory timeframes) under Applicable Data Protection Law and relevant contractual obligations owed by EdÛcare to its customers. Vendor will take all such measures and actions as necessary to remedy or mitigate the effects of the Security Incident and will keep EdÛcare informed of all developments in connection with the Security Incident. Vendor will not notify any third parties that Security Incident has affected EdÛcare Data unless and to the extent that: (a) EdÛcare has agreed to such notification, or (b) notification is required to be made by Vendor under Applicable Data Protection Laws in which case Vendor will give prior notice to EdÛcare before making the notification.

2.12 Deletion or return of EdÛcare Data: Upon request by EdÛcare, or upon termination of the Agreement, Vendor will (at EdÛcare's election) delete or return to EdÛcare all EdÛcare Data, including any EdÛcare Data subcontracted to a third party for processing, within thirty (30) days of termination of the Agreement or EdÛcare’s request (whichever is earlier). If Vendor is required by law to retain any EdÛcare Data, then Vendor will isolate and protect EdÛcare Data from any further processing except to the extent required by such law. Upon request, Vendor will certify to EdÛcare in writing that it and each Subprocessor has fully complied with this clause upon deleting or returning EdÛcare Data.

2.13 Audit: Vendor will make available to EdÛcare all information necessary to demonstrate compliance with its obligations as a Processor or Subprocessor under this DPA and Applicable Data Protection Law. Vendor represents and warrants that information provided in any written privacy, security, or artificial intelligence related questionnaire or assessment is true, accurate, and fully addresses the requested matter. Vendor will immediately notify EdÛcare if any information changes or needs to be updated. Vendor will maintain a record of all categories of processing activities carried out on behalf of EdÛcare containing, at a minimum, the information required under Applicable Data Protection Law, which will be made available to EdÛcare upon request. Subject to reasonable prior notice, Vendor will permit EdÛcare (or its appointed third-party auditors) to audit Vendor's compliance with this DPA and will make available to EdÛcare all information, systems, and staff necessary for EdÛcare (or its third-party auditors) to conduct such audit. Vendor acknowledges that EdÛcare (or its third-party auditors) may enter Vendor’s premises for the purposes of conducting this audit where necessary, provided that: (i) EdÛcare gives Vendor reasonable prior notice of its intention to audit, (ii) conducts its audit during normal business hours, and (iii) takes all reasonable measures to prevent unnecessary disruption to Vendor's operations. EdÛcare may exercise its audit rights under this Section upon 2-business-days prior notice: (i) when required or requested by a government authority; or (ii) if EdÛcare believes an audit is necessary due to a Security Incident. Vendor will promptly respond to any written audit questions submitted to it by EdÛcare. If any audit or inspection reveals any material non-compliance by Supplier with its obligations under Applicable Data Protection Law or any material breach by Vendor of its obligations under this DPA, then: (i) Vendor will promptly resolve, at its own cost and expense, all material data protection and security issues discovered by EdÛcare, and (ii) Vendor will bear its own costs and pay the reasonable costs of EdÛcare, or its appointed auditors, of the audit or inspection. If Vendor is unable to promptly resolve all data protection and security issues discovered by EdÛcare, then EdÛcare may terminate the Agreement without penalty.

2.14 Government requests: Upon receipt of any request for disclosure of (or information relating to) EdÛcare Data by any government, including governmental bodies and law enforcement agencies, then Vendor will, to the extent allowed by law, (i) promptly notify EdÛcare of receipt of the request and forward the request to EdÛcare, and (ii) make good faith assertions of all available legal defenses and/or comply with any requests from EdÛcare to oppose the request. If Vendor is legally compelled to disclose EdÛcare Data, Vendor will promptly notify EdÛcare, unless legally prohibited from doing so, and limit the scope of any disclosure to what is strictly necessary to respond to the request.

2.15 Indemnity: Vendor will indemnify EdÛcare from and against all loss, harm, cost (including reasonable attorney's fees), fines, expense, and liability that EdÛcare may suffer or incur as a result of Vendor's breach or non-compliance with this DPA or Applicable Data Protection Law. Any limitation of liability provisions contained in the Agreement do not apply to Vendor’s indemnity obligations in this DPA.

2.16 General cooperation to remediate: If Applicable Data Protection Law or a government authority deems that the transfer or Processing of EdÛcare Data under this DPA is no longer lawful or otherwise permitted, then the Parties agree to remediate the Processing (by amendment to this DPA or otherwise) to meet the necessary standards or requirements. If Vendor is unable to remediate the processing, then EdÛcare will be entitled to terminate the Agreement (and any other agreement between the Parties relating to the provision of services by Vendor to EdÛcare) without penalty.

2.17 Updates: EdÛcare may update this DPA from time-to-time in order to reflect changes in Applicable Data Protection Law. An updated copy shall be made publicly available on a www.Educaire.com page.

3. TERM

3.1 Generally: Notwithstanding any other provision in the Agreement or this DPA, Vendor’s obligations under this DPA will survive so long as Vendor or its Subprocessors Process EdÛcare Data. In the event Vendor has factually disappeared, ceased to exist in law, or has become insolvent, EdÛcare will have the right to immediately terminate the Agreement without penalty and to instruct Vendor to erase or return the personal data.