LearnUpon Data Processing Agreement
Effective: 24th May 2018
This Data Processing Agreement forms part of the LearnUpon Terms of Service (the “Principal Agreement”) entered into by and between LearnUpon Limited of 1st Floor Ocean House, Arran Quay, Dublin 7, D07 DHT3, Ireland (“LearnUpon”) and You. “You,” or “Your” refers to the person accessing or using the Platform, or, if the Platform is being used on behalf of an organization, such as your employer, “You,” or “Your” means such organization. The services or items provided under the Principal Agreement (“Services”) may include the processing of Personal Data on Your behalf. The terms “personal data”, “controller”, “processor”, “data subject”, “personal data breach” and “processing” shall have the same meaning as in the EU General Data Protection Regulation 2016/679 (“GDPR”).
“Data Protection Legislation” means all applicable laws and regulations relating to the processing of personal data and privacy including the General Data Protection Regulation 2016/679 (“GDPR”) and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated and the terms “data controller”, “data processor”, “process” and “personal data” shall have the meanings given to those terms in such data protection laws and regulations.
1. The Parties shall at all times comply with applicable Data Protection Legislation and may take such actions as they, in their sole discretion, deem necessary to comply with the Data Protection Legislation.
2. The Parties acknowledge that for the purposes of the Data Protection Legislation, You are the data controller and LearnUpon is the data processor. Schedule A sets out the scope, nature and purpose of processing by LearnUpon, the duration of the processing and the types of personal data and categories of data subject.
3. LearnUpon shall, as a data processor and in relation to personal data that it processes on behalf of You comply with its obligations set out in this clause 3: You shall comply with Your obligations as set out in this clause 3:
a. LearnUpon shall act only in accordance with this Agreement, the Principal Agreement and with Your instructions in relation to the processing of personal data (including instructions in relation to the return or destruction of personal data). In the event that a legal requirement prevents LearnUpon from complying with such instructions or requires LearnUpon to disclose the personal data to a third party LearnUpon shall, unless such legal requirement prohibits it from doing so, inform You of the relevant legal requirement before carrying out the relevant processing activities;
b. LearnUpon shall take reasonable steps to ensure the reliability of staff having access to the personal data and that all staff to whom it discloses personal data are made aware that the personal data is confidential information of Yours and subject to this Agreement;
c. LearnUpon shall have and maintain appropriate technical and organisational measures, in accordance with Data Protection Legislation, to prevent unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data, including operating a security strategy. LearnUpon shall maintain such security measures for as long as it is processing the personal data;
d. LearnUpon shall, at Your expense, assist You by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Your obligation to respond to requests for exercising the data subject rights laid down in Chapter III of the GDPR;
e. LearnUpon shall, at Your choice, destroy or return all personal data to You at the end of the provision of services relating to processing and, within a reasonable amount of time, delete existing copies unless European Union law or a law of a Member State of the European Union requires the storage of the personal data;
f. LearnUpon shall, make available to You, and at Your expense, all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections conducted by You or another auditor authorised by You provided always such inspections and/or audits shall be carried out on reasonable notice, at reasonable intervals and during normal business hours of LearnUpon and upon production of appropriate identity evidencing authority. You undertake to ensure avoidance of disruption (or at least minimise disruption, where avoidance is not possible) to the day to day operations of LearnUpon’s business and/or damage or injury to LearnUpon’s equipment, premises, personnel;
g. LearnUpon uses sub-processors for the purposes of providing access to, ongoing support and development of, the Platform. LearnUpon currently uses the following categories of sub-processors: Cloud Service Providers, Cloud-based Support Services, Cloud-based Email Notification Services. Changes to same will be notified to You by way of updates to these Terms. LearnUpon shall, where it engages another processor for carrying out specific processing activities on behalf of the controller, use reasonable endeavours to ensure that the same data protection obligations as set out in this Agreement shall be imposed on that other processor by way of contract or other legal act under European Union law or the laws of a Member State.
4. You acknowledge that LearnUpon is reliant on You for directions as to the extent to which LearnUpon is entitled to use and process the personal data. Consequently, You shall indemnify and keep indemnified LearnUpon and its permitted assign for: (i) any claim brought by a data subject, any person, or a supervisory authority against LearnUpon (and any damages, fines, awards, expenses, liabilities, and/or losses suffered or incurred by LearnUpon) arising from any action or omission by LearnUpon or its sub-contractor, to the extent that such action or omission resulted from Your instructions except to the extent that same has arisen out of non-compliance by LearnUpon or its sub-contractors with their obligations under Data Protection Legislation; and (ii) any damages, fines, awards, expenses, liabilities, and/or losses suffered or incurred by the LearnUpon (and/or its permitted assigns) arising as a result of a breach by You of Your obligations under Data Protection Legislation.
5. You warrant and represent that You have obtained and/or have in place, all necessary consents, approvals and/or valid legal basis for the lawful transfer of personal data to LearnUpon for the purposes of this Agreement and the provision of services by LearnUpon.
6. Obligations under the Principal Agreement. Nothing in this Agreement reduces Your obligations under the Principal Agreement in relation to the protection of personal data. In the event of any conflict or inconsistency between this Agreement and any standard contractual clauses between the parties, the standard contractual clauses shall prevail.
7. Order of precedence. Subject to clause 6 above, with regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Agreement, the provisions of this Agreement shall prevail.
8. Severance. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
9. Variation. The parties may amend, replace or vary the terms of this Agreement to reflect any changes in Data Protection Legislation or a new requirement under such law (including without limitation any change that may be required following Brexit to allow the transfer of personal data to be made (or continue to be made) without breaching Data Protection Legislation). “Brexit” means the UK ceasing to be a Member State of the European Union, regardless of which countries comprise the UK at such date.
10. Limitation of Liability. For the avoidance of doubt, LearnUpon’s liability arising out of or related to this Agreement, whether in contract, tort or otherwise, is subject to the ‘Liability’ section of the Principal Agreement and any reference in such section to the liability of LearnUpon means the aggregate liability of that party under the Principal Agreement and this Agreement together.
11. Miscellaneous. For the avoidance of doubt, each reference to the Agreement in this Agreement means this Agreement including its Schedules.
Processing by LearnUpon
Nature and Purpose of Processing
LearnUpon will process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by You in Your use of the Services.
Duration of Processing
LearnUpon will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Personal Data
You may submit Personal Data to LearnUpon, the extent of which is determined and controlled by You in Your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Authorized Users;
- Your employees;
- Your consultants;
- Your customers;
- Your contractors;
- Third parties with which You conduct business.
Type of Personal Data
You may submit Personal Data to LearnUpon, the extent of which is determined and controlled by You in Your sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
Description of Security Measures
LearnUpon shall maintain Your Confidential Information so that it is logically segmented from LearnUpon’s and other customers’ information so that only authorized users (i.e., employees, contractors or other LearnUpon service providers) can access Your Confidential Information. LearnUpon shall implement and maintain reasonable and appropriate information security measures (e.g., access controls, user credentialing, access logging and monitoring, penetration testing, hardening, patching, antivirus, IDS/IPS, strong password management policies and encryption in transit and at rest) to protect Your Confidential Information against unauthorized or accidental access, use, disclosure, deletion, loss, or alteration in a manner that at a minimum meets industry standards applicable to the Services. LearnUpon shall store and process Your Confidential Information in an environment in which the requisite security controls have been implemented. LearnUpon shall ensure that IT infrastructure and networks are designed and managed to protect IT systems, information, users, and electronic communications. At minimum, LearnUpon shall ensure that a capability exists to send adequately encrypted attachments (e.g., using modern, strong encryption cyphers) for any ad-hoc transfers.
LearnUpon shall implement multi-factor authentication (at least 2 factors) for remote access to Your resources. LearnUpon shall ensure that all laptop hard disks and other devices containing Your Confidential Information (e.g., USB-memory sticks, netbooks, smartphones, tablet computers, portable media players, etc.) and other removable/back up media containing Your Confidential Information, use adequate full disk encryption. If the disks do not have full disk encryption, LearnUpon shall ensure the secure deletion of all media containing Your Confidential Information.
Any cloud services for Your Confidential Information shall be stored in an encrypted form while at rest and transmitted from or to any cloud service providers over TLS or other equivalent secure channel.