Data Processing Addendum
October 9, 2024
This Data Processing Addendum (“DPA”) is entered into by and between the customer identified in the Service Order (“Subscriber”) and Skilljar Inc. (“Skilljar”). This DPA is incorporated into and supplemental to the Skilljar Service Subscription Agreement entered into between the parties which governs the provision of the Services by Skilljar to the Subscriber (“Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect.
1. Definitions
1.1. Definitions. Capitalized terms not defined herein shall have the meaning given in the Agreement. In this DPA, the following terms (and derivations of such terms) shall have the following meanings:
1.1.1. "Applicable Data Protection Law" means all privacy and data protection laws that apply to Skilljar’s Processing of Data under the Agreement (including but not limited to, in each case to the extent applicable, the California Consumer Privacy Act of 2018 including its associated regulations and as amended, including but not limited to, by the California Privacy Rights Act of 2020 (“CPRA”) (collectively, the “CCPA”), and European Data Protection Law). For the avoidance of doubt, “Applicable Data Protection Law” includes, where applicable, privacy and data protection laws in effect in Colorado, Connecticut, Montana, Oregon, Texas, Utah, or Virginia as of the Effective Date, and qualifying privacy and data protection laws, rules, or regulations effected in other U.S. states during the Term, in each case as amended or superseded from time to time (collectively, “U.S. Data Protection Laws”).
1.1.2. "Controller" means the entity that determines the purposes and means of the Processing of Personal Data;
1.1.3. "Data" means Personal Data provided by Subscriber (directly or indirectly) to Skilljar for Processing under the Agreement as more particularly identified in Appendix A (Processing Particulars);
1.1.4. “Data Subject” shall have equivalent meaning to the term “consumer” as defined in the CCPA and/or U.S. Data Protection Laws and equivalent meaning to the term “data subject” as defined in European Data Protection Law, in each case as such laws apply.
1.1.5. "European Data Protection Law" means all EU and U.K. regulations or other legislation applicable (in whole or in part) to the Processing of Personal Data under the Agreement (such as Regulation (EU) 2016/679 (the "GDPR"), the U.K. GDPR (defined below), and the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss Addendum”)); the national laws of each EEA member state and the U.K. implementing any EU directive applicable (in whole or in part) to the Processing of Personal Data (such as Directive 2002/58/EC); and any other national laws of each EEA member state and the U.K. applicable (in whole or in part) to the Processing of Personal Data; in each case as amended or superseded from time to time.
1.1.6. "Model Clauses" means the standard contractual clauses attached to the European Commission’s Implementing Decision of 4 June 2021 under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, on standard contractual clauses (selecting Module Two between controllers and processors in any case where Subscriber is a Controller, and Module Three between processors in any case where Subscriber is a Processor, and excluding optional clauses unless otherwise specified), and any replacement, amendment or restatement of the foregoing, as issued by the European Commission, on or after the effective date of this DPA.
1.1.7. "Personal Data" means any information relating to a Data Subject, the Processing of which is governed by Applicable Data Protection Law; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Where the CCPA applies, ‘Personal Data’ includes “personal information” as defined by the CCPA. Personal Data does not include De-identified Data (as defined in Section 2).
1.1.8. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.1.9. "Processor" means an entity that Processes Personal Data on behalf of the Controller. Where applicable, Processor includes “service provider” as defined by the CCPA.
1.1.10. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data.
1.1.11. “Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.
1.1.12. “Sub-Processor” means an entity engaged by the Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of the Controller.
1.1.13. “U.K. GDPR” means the GDPR, as it forms part of the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
2. Data Protection
2.1. Relationship of the Parties. As between the parties and for the purposes of this DPA, Subscriber appoints Skilljar as a Processor to Process the Data on behalf of Subscriber. Where applicable, Skilljar is a “service provider” as defined in the CCPA. Each party shall be responsible for complying with its own obligations under Applicable Data Protection Law. In the case of Subscriber, the foregoing obligations include but are not limited to providing notice to Data Subjects, and obtaining and periodically refreshing the consent of Data Subjects, where required, to authorize Subscriber’s transfer of Data to Skilljar in connection with its use of Skilljar’s Services and Subscriber’s own Processing of Data. In the case of Skilljar, the foregoing obligations include but are not limited to assisting Subscriber in meeting Subscriber’s obligations as a Controller under Applicable Data Protection Law on the terms described in this DPA.
2.2. Purpose Limitation. Each party acknowledges and agrees that all Data is disclosed by Subscriber hereunder only for those limited and specified purposes set forth in the Agreement and this DPA. Skilljar shall Process the Data as a Processor only as necessary to perform the Services for Subscriber under the Agreement, and strictly in accordance with the documented instructions of Subscriber (including those in this DPA and the Agreement). In no event shall Skilljar Process the Data for its own purposes or those of any third party. Subscriber shall only give lawful instructions that comply with Applicable Data Protection Law and shall ensure that Skilljar’s Processing of Data, when done in accordance with Subscriber’s instructions, will not cause Skilljar to violate Applicable Data Protection Law. Skilljar shall inform Subscriber if, in its opinion, an instruction infringes Applicable Data Protection Law. In any case where confirmation of a Controller’s instructions is required by Applicable Data Protection Law, the parties agree that the Agreement, together with this DPA, represents the complete and final documented instructions from the Controller of the Data to Skilljar as of the date of this DPA for the Processing of Data. For the avoidance of doubt, Skilljar may anonymize or deidentify Data in accordance with Applicable Data Protection Laws (“Deidentified Data”), provided Skilljar: (i) implements technical safeguards that prohibit re-identification of the Data Subject to whom the information may pertain; (ii) implements business Processes that specifically prohibit reidentification of the Deidentified Data and prevent the inadvertent release of Deidentified Data; and (iii) makes no attempt to reidentify the Deidentified Data.
2.3. International Transfers of Data. Skilljar is located in the United States and Processes the Data in the United States. For Skilljar to perform Services for Subscriber pursuant to the Agreement, Subscriber transfers (directly or indirectly) Personal Data to Skilljar in the United States. For Personal Data subject to European Data Protection Law, Skilljar agrees to abide by and Process the Data in compliance with the Model Clauses, which are incorporated in full by reference and form an integral part of this DPA. To the extent that Skilljar processes Personal Data in a jurisdiction other than the jurisdiction in which the Personal Data was collected, and the processing jurisdiction has not been recognized as providing an adequate level of protection under Applicable Data Protection Laws, Skilljar agrees to comply with such transfer mechanism(s) as have been approved for use under Applicable Data Protection Laws (which may include, in the case of Europe, the Model Clauses in the form attached hereto). For the purposes of the Model Clauses, the parties agree that:
2.3.1. Skilljar is the "data importer" and Subscriber is the "data exporter" (notwithstanding that Subscriber may itself be located outside the EEA/UK and/or a Processor acting on behalf of a third-party Controller);
2.3.2. Appendix A (Processing Particulars), Appendix B (Specific Security Measures), and the List (as defined in Section 2.7) of this DPA shall form Annex I, Annex II, and Annex III of the Model Clauses, respectively;
2.3.3. Option 2 under clause 9 of the Model Clauses will apply with respect to Sub-Processors. Annex III of the Model Clauses shall be subject to General Written Authorization, where “General Written Authorization” means that Skilljar has Subscriber’s general authorization (or the general authorization of the Controller of the Data) for the engagement of sub-Processor(s) from the List (as defined in Section 2.7), which shall be amended from time to time in accordance with the terms of the Agreement, this DPA, and all Applicable Data Protection Law;
2.3.4. Audits described in clause 8.9 of the Model Clauses shall be carried out in accordance with the audit provisions detailed in Section 2.12 of this DPA;
2.3.5. The option under clause 11 of the Model Clauses shall not apply;
2.3.6. For purposes of clauses 17 and 18 of the Model Clauses, this DPA shall be governed by the laws of the Republic of Ireland. Any dispute arising from this DPA shall be resolved by the courts of the Republic of Ireland, and each party agrees to submit themselves to the jurisdiction of the same; and
2.3.7. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data Processed pursuant to the Model Clauses. Subscriber warrants it will not knowingly transfer any Sensitive Data to Skilljar which is not necessary for the use of the Services, and agrees that any Sensitive Data submitted to Skilljar for processing under the Agreement will be processed in the same manner as Skilljar processes any other form of Personal Data hereunder.
2.4. Law Enforcement Requests
2.4.1. If Skilljar becomes aware that any law enforcement, regulatory, judicial or governmental authority (an “Authority”) wishes to obtain access to or a copy of some or all Data, whether on a voluntary or a mandatory basis, then unless legally prohibited as part of a mandatory legal compulsion that requires disclosure of Data to such Authority, Skilljar shall:
(a) promptly notify Subscriber of such Authority’s data access request;
(b) inform the Authority that any and all requests or demands for access to Data should be notified to or served upon Subscriber in writing; and
(c) not provide the Authority with access to Data unless and until authorized by Subscriber.
2.4.2. If Skilljar is under a legal prohibition that prevents it from complying with Section 2.4.1(a)-(c) in full, Skilljar shall use reasonable and lawful efforts to challenge such prohibition (and Subscriber acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request). If Skilljar makes a disclosure of Data to an Authority (whether with Subscriber’s authorization or due to a mandatory legal compulsion), Skilljar shall only disclose such Data to the extent Skilljar is legally required to do so.
2.4.3. Section 2.4.1 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Skilljar has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Skilljar shall notify Subscriber as soon as possible following such Authority’s access and provide Subscriber with full details of the same, unless and to the extent that Skilljar is legally prohibited from doing so.
2.4.4. Solely with respect to Data that is subject to the GDPR, and/or Data whose disclosure is otherwise restricted by Applicable Data Protection Law, Skilljar shall not knowingly disclose Data to an Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society. Skilljar shall have in place, maintain and comply with a policy governing Personal Data access requests from Authorities which at minimum prohibits:
(a) massive, disproportionate, or indiscriminate disclosure of Personal Data relating to Data Subjects in the EEA and the United Kingdom; and
(b) disclosure of Personal Data relating to Data Subjects in the EEA and the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons, or other legally binding order that compels disclosure of such Personal Data.
2.5. Confidentiality of Processing. Skilljar shall ensure that any person that it authorizes to Process the Data (including Skilljar's staff, agents, and subcontractors) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Data who is not under such a duty of confidentiality.
2.6. Security. Skilljar shall implement appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data. For the avoidance of doubt, the parties agree that the security measures identified on Skilljar’s security policy page (available at https://skilljar.com/security), as in effect on the Effective Date of this DPA, are reasonable and appropriate for the Processing of Data hereunder. Skilljar may review and update its security measures from time to time, provided that any such updates are consistent with the requirements of this DPA and do not diminish the security of Skilljar’s Processing activities with respect to the Data.
2.7. Subcontracting. A list of Skilljar’s current Sub-Processors is available at https://skilljar.com/security (the “List”). Skilljar shall keep the List current throughout the term of the Agreement in accordance with this section. From time to time, Skilljar may amend the List to add newly appointed Sub-Processors and to remove terminated Sub-Processors. Skilljar shall not subcontract any Processing of the Data to a third-party Sub-Processor unless Skilljar provides at least thirty (30) days’ prior notice of the addition of any Sub-Processor (including the details of the Processing it performs or will perform, and the location of such Processing). To the extent required by Applicable Data Protection Law, Subscriber shall promptly inform the corresponding Controller of the Data of the specifics of the intended appointment, and in any event no fewer than three (3) business days following receipt of Skilljar’s notice. If Subscriber or the corresponding Controller of the Data objects to Skilljar’s appointment of a third-party Sub-Processor on reasonable grounds relating to the protection of the Data, then either Skilljar will not appoint the Sub-Processor, or Subscriber may elect to suspend or discontinue the affected Services by providing written notice to Skilljar. During the period in which the parties are discussing resolutions to the objected-to Sub-Processor, (a) Subscriber shall not submit any new Personal Data for Processing by Skilljar, and (b) Skilljar shall use commercially reasonable efforts to prevent the objected-to Sub-Processor from Processing any Data submitted prior to the appointment of such Sub-Processor. Subscriber shall notify Skilljar of its objection within fifteen (15) business days after its receipt of Skilljar’s notice, and Subscriber’s objection shall be sent to security@skilljar.com and explain the reasonable grounds for Subscriber’s objection. 
If a timely objection is not made, Skilljar will be deemed to have been authorized by Subscriber (or, if Subscriber is a Processor of the Data, by the Controller of the Data) to appoint the new Sub-Processor. Skilljar shall impose the same data protection terms on any Sub-Processor it appoints as those provided for by this DPA and Skilljar shall remain fully liable for any breach of Skilljar’s obligations under this DPA that is caused by an act, error, or omission of its Sub-Processor.
2.8. Cooperation and Individuals’ Rights. Subscriber is responsible for responding to Data Subject requests using Subscriber’s own access to the relevant Data. Skilljar shall provide all reasonable and timely assistance to enable Subscriber to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law, and (ii) any other correspondence received from a regulator or public authority in connection with the Processing of the Data. In the event that any such communication is made directly to Skilljar, Skilljar shall promptly (and in any event, no later than within forty-eight (48) hours of receiving such communication) inform Subscriber providing full details of the same and shall not respond to the communication unless specifically required by law or authorized by Subscriber.
2.9. Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to Skilljar, Skilljar shall provide Subscriber with reasonable and timely assistance with any data protection impact assessments as required by Applicable Data Protection Law and, where necessary, consultations with data protection authorities.
2.10. Security Incidents. Upon becoming aware of a Security Incident, Skilljar shall inform Subscriber without undue delay and shall provide all such timely information and cooperation to enable Subscriber to fulfill its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Skilljar shall further take such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Subscriber informed of all material developments in connection with the Security Incident. Skilljar shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (i) Subscriber has agreed to such notification, and/or (ii) notification is required to be made by Skilljar under Applicable Data Protection Law.
2.11. Deletion or Return of Data. Subscriber shall notify Skilljar of its election to have Data returned or deleted within thirty (30) days of termination or expiry of the Agreement (or such other period as may be specified therein). If Subscriber makes a timely election, Skilljar shall return or delete Data pursuant to the election within 60 days. Skilljar may delete all Data after the thirty (30) day period (or such other period specified, as applicable). This requirement shall not apply to the extent that Skilljar is required by applicable laws to retain some or all of the Data, in which event Skilljar shall isolate and protect the Data from any further Processing except to the extent required by such law, shall only retain such Data for as long as it is required under applicable laws, and shall continue to ensure compliance with all Applicable Data Protection Law during such retention.
2.12. Audit. Skilljar uses an external auditor to verify the adequacy of its security measures and controls for its Services. The audit is conducted annually by an independent third-party in accordance with AICPA SOC2 standards and results in the generation of a SOC2 report (“Audit Report”) which is Skilljar’s confidential information. Upon written request, Skilljar shall provide Subscriber with a copy of the most recent Audit Report subject to confidentiality obligations of the Agreement or a non-disclosure agreement covering the Audit Report. If documentation beyond the Audit Report and other information that Skilljar provides to Subscriber is necessary to enable Subscriber to comply with its obligations with respect to the Processing of Data under Applicable Data Protection Law (such as Article 28(3)(h) of GDPR where applicable), Skilljar shall permit Subscriber to audit Skilljar's compliance with this DPA using an independent third party and shall make available all such information, systems, and staff reasonably necessary to conduct such audit. Subscriber shall not exercise its audit rights more than once per year except following a Security Incident or following an instruction by a regulator or public authority. Subscriber shall give Skilljar thirty (30) days prior written notice of its intention to audit, conduct its audit during normal business hours, take all reasonable measures to prevent unnecessary disruption to Skilljar's operations, restrict findings to only data relevant to Subscriber, and provide Skilljar with a copy of the auditor’s report. Skilljar and Subscriber shall mutually agree in advance on the date, scope, duration, and security and confidentiality controls applicable to the audit. Subscriber shall reimburse Skilljar for actual expenses and costs incurred to allow for and contribute to Subscriber’s audit.
2.13. Additional Terms for CCPA Data. With respect to Data that is subject to the CCPA ("CCPA Data"), the parties acknowledge and agree as follows:
2.13.1. The terms “consumer,” “service provider,” “sale,” and “sell”, as used in this section, are as defined in Section 1798.140 of the CCPA, and shall be understood as Processing for purposes of this section.
2.13.2. Skilljar will Process CCPA Data for the limited and specified purposes of providing the Services under the Agreement or as otherwise permitted by the CCPA, and that, except and unless expressly permitted under this DPA, the Agreement, and the CCPA, Skilljar shall not sell any CCPA Data, retain, use, or disclose CCPA Data to any party or for any other purpose (commercial or otherwise) outside of the direct business relationship between Skilljar and Subscriber. Skilljar shall comply with all obligations of the CCPA applicable to service providers and/or contractors, including, without limitation:
(a) notifying Subscriber if Skilljar determines it can no longer meet its obligations under the CCPA;
(b) not combining the CCPA Data relating to a specific consumer with any other data about the same consumer in Skilljar’s possession and/or control, whether received from or on behalf of another person or persons or collected by Skilljar from its own interaction(s) with the consumer;
(c) ensuring that each and all persons authorized by Skilljar to access the CCPA Data (which may include, without limitation, Skilljar’s employees, independent contractors, Sub-Processors, agents, and other personnel) complies with all of the foregoing obligations; and
(d) to the extent required by the CCPA, assisting Subscriber in taking reasonable and appropriate steps (i) to stop and remediate unauthorized use of the Data, and (ii) to ensure that Skilljar Processes the Data in a manner consistent with Subscriber’s obligations under the CCPA.
2.14. Additional Terms for U.S. Laws. With respect to Data that is subject to U.S. Data Protection Laws, Skilljar agrees that it shall adhere to Subscriber’s instructions in the Processing of such Personal Data to the extent required to comply with such laws, and shall assist Subscriber in meeting its obligations under applicable U.S. Data Protection Laws on the terms described in this DPA.
3. Miscellaneous
3.1. The obligations placed upon each party under this DPA shall survive so long as Skilljar and/or its Sub-Processors Process Data on behalf of Subscriber.
3.2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
3.3. It is not the intention of either party, nor shall it be the effect of this DPA, to contradict or restrict any provision of the Model Clauses and/or any Applicable Data Protection Law. To the extent that any provision of the Model Clauses conflicts with this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data which is subject to the Model Clauses. In no event shall this DPA restrict or limit the rights of any Data Subject or of any Authority.
3.4. No amendment to or modification or waiver of this DPA is effective unless:
3.4.1. It is in a physical writing and manually signed by an authorized representative of each party;
3.4.2. Skilljar may amend this DPA without Subscriber’s express prior written consent to the extent indicated in Section 3.4.2(a) or 3.4.2(b), provided that, if Skilljar reasonably determines that there has been a change in the Applicable Data Protection Law, the amendment shall not diminish the privacy or security of the Data below the standards by Applicable Data Protection Law requiring amendments to this DPA:
(a) Skilljar may amend this DPA to the extent that Skilljar determines to be reasonably necessary to comply with Applicable Data Protection Law, provided, however, that no such amendment shall diminish the privacy or security of the Data. Skilljar may amend (including any changes thereto taking effect during the term of this DPA to comply with Applicable Data Protection Law by providing), Skilljar provides written notice of the proposed amendment to Subscriber no fewer than thirty (30) days prior to the effective date of the amendment. Subscriber’s continued use of the Services without timely objection will constitute Subscriber’s acceptance of
(b) Skilljar may amend this DPA for reasons other than as necessary to comply with Applicable Data Protection Law, provided that (i) Skilljar provides notice of the proposed amendment to Subscriber no fewer than sixty (60) days prior to the effective date of the amendment, and (ii) such amendments shall not take effect until the subscription term immediately following the term in which Subscriber receives such notice. If Subscriber does not wish to agree to the proposed amendments to the DPA, Subscriber may object to Skilljar’s proposed amendments by providing written notice to Skilljar at any time before the amendments take effect; provided that Subscriber’s objection must be sent to security@skilljar.com and explain the reasonable grounds for Subscriber’s objection. Subscriber may elect not to renew its subscription in accordance with the Agreement.
In the event of an objection, the parties shall further negotiate in good faith to amend the terms of the DPA affecting Subscriber to the extent reasonably necessary to comply with Applicable Data Protection Law.
3.5. If any provision of this DPA is deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible; or (ii) if that is not possible, then construed in a manner as if the invalid or unenforceable part had never been included herein.
3.6. The term of this DPA will terminate automatically without requiring any further action by either party upon the later of (i) the termination of the Agreement, or (ii) when all Personal Data is removed from Skilljar’s systems and records, and/or is otherwise rendered unavailable to Skilljar for further Processing.
APPENDIX A – PROCESSING PARTICULARS
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
- Name: Subscriber set forth in Agreement
Address: As set forth in the Agreement, or as set forth below.
Role: Controller or Processor
Data importer(s):
- Name: Skilljar Inc.
Address: 113 Cherry Street, Suite #29434, Seattle, WA 98104
Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Subscriber may submit Personal Data, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Employees, agents, advisors, and freelancers of Subscriber (who are natural persons); and
- Subscriber’s users, partners, and customers and the users and employees of those entities.
Categories of personal data transferred
Subscriber may submit Personal Data, the extent of which is determined and controlled by Subscriber (including Subscriber’s users, partners, and customers, in each case as applicable) in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:
- Identification and contact data (name, title, address, phone number, email address);
- Employment data (employer, job title, academic and professional qualifications, geographic location, area of responsibility, affiliated organization, and industry);
- Usage history data;
- IT related data (IP addresses of visitors to data exporter's customer's websites, online navigation data, browser type, language preferences, pixel data, cookies data, web beacon data);
- IT information (computer ID, user ID and password, domain name, IP address, log files, software and hardware inventory, software usage pattern tracking information (i.e. cookies and information recorded for operation and training purposes)).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data is transferred on a continuous basis during the term of the Skilljar Service Subscription Agreement and this DPA.
Nature of the Processing
The nature of the Processing of Subscriber Data is set out in the Skilljar Service Subscription Agreement and this DPA.
Purpose(s) of the data transfer and further Processing
The purposes of the Processing of Subscriber Data are set out in the Skilljar Service Subscription Agreement and this DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data shall be retained by Skilljar for no longer than necessary to effect the services set out in the Skilljar Service Subscription Agreement and this DPA, subject to exemptions as set forth in the DPA.
For transfers to (sub-) Processors, also specify subject matter, nature and duration of the Processing
Skilljar transfers the Personal Data listed above to certain Sub-Processors (found at https://skilljar.com/security) for the sole purpose of facilitating Skilljar’s provision of services under the Skilljar Service Subscription Agreement. Sub-Processors have been instructed to retain any Personal Data Processed by Skilljar for no longer than necessary to render sub-Processing services for Skilljar.
C. COMPETENT SUPERVISORY AUTHORITY
For the purposes of any Personal Data subject to the GDPR and/or the GDPR as implemented in the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018, where such personal data is Processed in accordance with the Model Clauses, the competent supervisory authority shall be as follows:
(i) where Subscriber is established in an EU member state, the supervisory authority with responsibility for ensuring Subscriber’s compliance with the GDPR shall act as competent supervisory authority;
(ii) where Subscriber is not established in an EU member state, but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU member state in which Subscriber’s representative is established shall act as competent supervisory authority; or
(iii) where Subscriber is not established in an EU member state but falls within the extra-territorial scope of the GDPR without however having to appoint a representative, the supervisory authority of the EU member state in which the Data Subjects are predominantly located shall act as competent supervisory authority.
In relation to Personal Data that is subject to the U.K. GDPR, the competent supervisory authority is the United Kingdom Information Commissioner’s Office, subject to the additional terms set forth in the International Data Transfer Addendum to the EU Model Clauses attached hereto as “Appendix C.”
In relation to Personal Data that is subject to the data privacy laws of Switzerland, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
APPENDIX B – SPECIFIC SECURITY MEASURES
TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Descriptions of the technical and organizational measures implemented by Skilljar to ensure an appropriate level of security for the Data are available at: https://skilljar.com/security
APPENDIX C – U.K. International Data Transfer Addendum
This U.K. INTERNATIONAL DATA TRANSFER ADDENDUM (“IDTA”) forms a part of the Data Processing Addendum (“DPA”) entered into by and between Skilljar Inc. (“Skilljar”) and the party identified as the Subscriber in the DPA (“Subscriber”). Unless otherwise specified, all capitalized terms used in this IDTA have the meanings provided in the DPA.
1. Scope of IDTA. The obligations set forth in this IDTA apply solely to Personal Data subject to the U.K. GDPR that is Processed under the DPA (“U.K. Personal Data”).
2. Incorporation of the U.K. Addendum. The parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the U.K. Information Commissioner’s Office under s.119A (1) of the U.K. Data Protection Act 2018 (“U.K. Addendum”) is incorporated by reference into and forms a part of this IDTA as if fully set forth herein. Each party agrees that execution of the DPA (to which this IDTA is attached as an appendix and incorporated by reference) shall have the same effect as if the parties had simultaneously executed a copy of the U.K. Addendum.
3. Interpretation of the Model Clauses. For purposes of Processing U.K. Personal Data, any references in the DPA to the Model Clauses shall be read to incorporate the mandatory amendments to the Model Clauses set forth in the U.K. Addendum.
4. Addendum Terms. Tables 1 through 4 of the U.K. Addendum shall be completed as follows:
a. In Table 1 of the U.K. Addendum, the “Start Date” shall be the Effective Date of the DPA, and the details and contact information for the “data exporter” and the “data importer” shall be as specified in Appendix A of the DPA.
b. In Table 2 of the U.K. Addendum:
i. The version of the Model Clauses incorporated by reference into the DPA shall be the version applicable to this IDTA.
ii. Those provisions of the Model Clauses applicable under Module Two shall apply to this IDTA.
iii. The optional clauses and provisions of the Model Clauses applicable to this IDTA shall be those clauses and provisions specified in Section 2.3 of the DPA.
c. In Table 3 of the U.K. Addendum, the information required in Annexes I (both 1A and 1B), II, and III shall be as provided in Appendices A and B of the DPA, and in the List, respectively.
d. In Table 4 of the U.K. Addendum, if the ICO issues any revisions to the U.K. Addendum after the Effective Date (“ICO Revision”), Subscriber and Skilljar shall each have the right to terminate this IDTA in accordance with the U.K. Addendum, the DPA, and the Agreement. Upon such termination of this IDTA:
i. Skilljar shall cease its Processing of the U.K. Personal Data; and
ii. Each party shall follow the processes described in Section 2.11 of the DPA with respect to the U.K. Personal Data.
Notwithstanding the foregoing, termination of this IDTA in the event of an ICO Revision shall not terminate the DPA, the Agreement, and/or the obligations of either party arising thereunder with respect to Personal Data other than U.K. Personal Data, except and unless expressly agreed by and between the parties.
5. No Amendments. The terms of the U.K. Addendum have not been amended in any way except as expressly stated herein.
The previous version of the Data Processing Addendum can be found here.