Data Processing Addendum

This Data Processing Addendum ("DPA") is an agreement between Abstracted Systems, LLC ("Provider") and you and/or the entity you represent ("Customer"). This DPA is subject to and forms a part of the Master Subscription Agreement entered into between Abstracted Systems and Customer (the "Master Agreement"). Under the Master Agreement, Abstracted Systems provides certain services to Customer that involve Abstracted Systems handling Customer Data, which may include Personal Information (as defined below). This DPA is effective as of the first to occur of the date of Customer's first use of the Services or the date of the Agreement (the "DPA Effective Date"). Customer and Abstracted Systems may be individually referred to herein as a "Party" or together as "Parties".

1. Definitions

1.1 The following definitions and rules of interpretation apply in this DPA.

"Business Purpose" means the Services described in the Master Agreement.

"Data Subject" means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.

"Personal Information" means any information Provider processes for Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Provider's possession or control or that Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information. Personal Information may include Student Data.

"Processing, processes, or process" means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

"Privacy and Data Protection Requirements" means all applicable federal and state laws and regulations relating to the processing, protection, or privacy of the Personal Information, including but not limited to, FERPA.

"Security Breach" means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it and that requires a security breach notification under the applicable Privacy and Data Protection Requirements.

"Student Data" means any information descriptive of a specific student protected as "Education Records" by the Family Educational Rights and Privacy Act ("FERPA") and similarly defined terms under other Privacy and Data Protection Requirements.

1.2 This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.

1.3 In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.

2. Processing Purposes

2.1 Customer retains ownership and control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Provider.

2.2 Customer discloses Personal Information to Provider only for the limited and specified Business Purposes.

2.3 In performing the Services, Provider shall be considered a "school official" with "legitimate educational interests" under FERPA. With respect to its use and maintenance of Student Data, Provider shall be under the direct control and supervision of Customer as set forth in this DPA and the Master Agreement.

3. Provider's Obligations

3.1 Provider will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with Customer's instructions. Provider will not process, retain, use, or disclose the Personal Information for any other purpose, outside of the Parties' business relationship, or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. Provider will promptly notify Customer if, in its opinion, Customer's instruction would not comply with the Privacy and Data Protection Requirements.

3.2 Provider will promptly comply with any Customer request or instruction requiring Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.

3.3 Provider will reasonably assist Customer with meeting Customer's compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of Provider's processing and the information available to Provider.

3.4 Provider will promptly notify Customer of any changes to Privacy and Data Protection Requirements, or its ability to meet those obligations, that may adversely affect Provider's performance of the Master Agreement or this DPA.

3.5 Customer acknowledges that Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from or the Personal Information other than as required under the Privacy and Data Protection Requirements.

4. Provider's Employees

4.1 Provider will limit Personal Information access to:

1. (a) those employees who require Personal Information access to meet Provider's obligations under this DPA and the Master Agreement; and
2. (b) the part or parts of the Personal Information that those employees require for the performance of their duties.

4.2 Provider will ensure that all employees:

1. (a) are informed of the Personal Information's confidential nature and use restrictions and are obliged to keep the Personal Information confidential;
2. (b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
3. (c) are aware both of Provider's duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.

5. Security

5.1 Provider will implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage.

5.2 Provider will take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing reasonable back-up and data restoration procedures.

6. Security Breaches

6.1 Provider will promptly notify Customer if it becomes aware of:

1. (a) any unauthorized or unlawful processing of the Personal Information; or
2. (b) any Security Breach.

6.2 Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the Parties will coordinate with each other to investigate the matter. Provider will reasonably cooperate with Customer in Customer's handling of the matter, including:

1. (a) assisting with any investigation;
2. (b) providing Customer with physical access to any facilities and operations affected; and
3. (c) making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by Customer.

7. Subcontractors

7.1 Provider may only authorize a third party (subcontractor) to process the Personal Information if:

1. (a) Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA; and
2. (b) Provider maintains control over all Personal Information it entrusts to the subcontractor.

8. Data Subject Requests, Complaints, and Third Party Rights

8.1 Provider will notify Customer promptly if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions.

8.2 Provider will notify Customer promptly if it receives any other complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either Party's compliance with the Privacy and Data Protection Requirements.

8.3 Provider will provide reasonable cooperation and assistance to Customer in responding to any complaint, notice, communication, or Data Subject request.

8.4 Provider will not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at Customer's request or instruction, permitted by this DPA, or is otherwise required by law.

9. Term and Termination

9.1 This DPA will remain in full force and effect so long as:

1. (a) the Master Agreement remains in effect; or
2. (b) Provider retains any Personal Information related to the Master Agreement in its possession or control (the "Term").

9.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Information will remain in full force and effect.

10. Data Return and Destruction

10.1 At Customer's request, Provider will give Customer a copy of or access to all or part of Customer's Personal Information in its possession or control in the format and on the media reasonably specified by Customer.

10.2 On termination of the Master Agreement for any reason or expiration of its term, Provider will securely destroy or, if directed in writing by Customer, return and not retain, all or any Personal Information related to this DPA in its possession or control.

10.3 If any law, regulation, or government or regulatory body requires Provider to retain any documents or materials that Provider would otherwise be required to return or destroy, it will notify Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. Provider may only use this retained Personal Information for the required retention reason or audit purposes.

10.4 Upon Customer's request, Provider will certify in writing that it has destroyed the Personal Information after it completes the destruction.

11. General

11.1 The total liability of either Party towards the other Party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that Party's liability is capped under the Master Agreement.

11.2 The governing law terms set forth in the Master Agreement apply to this DPA.