Data Processing Addendum

December 2, 2022

This Data Processing Addendum (“DPA”) supplements the Skilljar Service Subscription Agreement or other agreement which governs the provision of the Skilljar Services by Skilljar, Inc. (“Skilljar”) to the subscriber of Skilljar’s Services (“Subscriber”) (“Agreement”). This DPA is incorporated by reference into the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. 1. Definitions
      1.1. Definitions: Capitalized terms not defined herein shall have the meaning given in the Agreement. In this DPA, the following terms (and derivations of such terms) shall have the following meanings:

      1.1.1. “Applicable Data Protection Law”means all privacy and data protection laws that apply to Skilljar’s processing of Data under the Agreement (including, where applicable, the California Consumer Privacy Act of 2018 including its associated regulations and as amended (the “CCPA”), and European Data Protection Law).
      
      

      1.1.2. “Controller” means the entity that determines the purposes and means of the processing of Personal Data;
      

      1.1.3. “Data” means Personal Data provided by Subscriber (directly or indirectly) to Skilljar for processing under the Agreement as more particularly identified in Appendix A (Processing Particulars);
      

      1.1.4. “European Data Protection Law” means all EU and U.K. regulations or other legislation applicable (in whole or in part) to the processing of Personal Data under the Agreement (such as Regulation (EU) 2016/679 (the “GDPR”), the U.K. GDPR (defined below), and the Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss Addendum”); the national laws of each EEA member state and the U.K. implementing any EU directive applicable (in whole or in part) to the processing of Personal Data (such as Directive 2002/58/EC); and any other national laws of each EEA member state and the U.K. applicable (in whole or in part) to the Processing of Personal Data; in each case as amended or superseded from time to time.

      1.1.5. “Model Clauses” means the standard contractual clauses attached to the European Commission’s Implementing Decision of 4 June 2021 under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, on standard contractual clauses, selecting Module Two between controllers and processors in any case where Subscriber is a Controller, and Module Three between processors in any case where Subscriber is a Processor, and excluding optional clauses unless otherwise specified), and any replacement, amendment or restatement of the foregoing, as issued by the European Commission, on or after the effective date of this DPA.

      1.1.6. “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”), the processing of which is governed by Applicable Data Protection Law; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Where the CCPA applies, ‘Personal Data’ includes “personal information” as defined by the CCPA. Personal Data does not include anonymous or de-identified information or aggregated information derived from Personal Data.

      1.1.7. “processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

      1.1.8. “Processor” means an entity that processes Personal Data on behalf of the Controller. Where applicable, Processor includes “service provider” as defined by the CCPA.

      1.1.9. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data.

      1.1.10. “Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

      1.1.11. “Sub-Processor” means an entity engaged by the Processor or any further sub-contractor to process Personal Data on behalf of and under the instructions of the Controller.

      1.1.12. “U.K. GDPR”means the GDPR, as it forms part of the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018.

   2. Data Protection
      
      2.1. Relationship of the parties: As between the parties and for the purposes of this DPA, Subscriber appoints Skilljar as a Processor to process the Data on behalf of Subscriber. Where applicable, Skilljar is a “service provider” as defined in the CCPA. Subscriber shall comply with Applicable Data Protection law, including but not limited to providing notice to Data Subjects, and obtaining and periodically refreshing the consent of Data Subjects, where required, to Subscriber’s use of Skilljar’s Services and Subscriber’s own processing of Data. Subscriber represents and warrants it has and will continue to have the right to transfer Data to Skilljar for processing in accordance with the Agreement and this DPA. Skilljar shall comply with Applicable Data Protection Law and understands and shall comply with the prohibitions on Processors set forth in the CCPA with respect to such Data, including, without limitation and to the extent applicable in each case: (i) selling or sharing any Data (as the terms “sell” and “share” are each defined within the CCPA) where the sale or sharing of such Data is restricted by the CCPA, (ii) disclosing such Data to any party outside of the direct business relationship between Skilljar and Subscriber, or (iii) retaining, using or disclosing such Data for a commercial purpose other than performing the Services as set forth in the Agreement with Subscriber, or as otherwise expressly permitted under this DPA or the Agreement.

      2.2 Purpose limitation: Each party acknowledges and agrees that all Data is disclosed by Subscriber hereunder only for those limited and specified purposes set forth in the Agreement and this DPA. Skilljar shall process the Data as a Processor only as necessary to perform the Services for Subscriber under the Agreement, and strictly in accordance with the documented instructions of Subscriber (including those in this DPA and the Agreement). In no event shall Skilljar process the Data for its own purposes or those of any third party. Skilljar may also anonymize or de identify Data in accordance with Applicable Data Protection Law. Subscriber shall only give lawful instructions that comply with Applicable Data Protection Law and shall ensure that Skilljar’s processing of Data, when done in accordance with Subscriber’s instructions, will not cause Skilljar to violate Applicable Data Protection Law. Skilljar shall inform Subscriber if, in its opinion, an instruction infringes Applicable Data Protection Law. In any case where confirmation of a Controller’s instructions is required by Applicable Data Protection Law, the parties agree that the Agreement, together with this DPA, represents the complete and final documented instructions from the Controller of the Data to Skilljar as of the date of this DPA for the processing of Data. Nothing in this DPA shall be read to limit any obligations of Skilljar to assist Subscriber with Subscriber’s reasonable and appropriate efforts to ensure that Skilljar processes such Data in a manner consistent with each party’s obligations under the CCPA, including (i) the obligation to immediately notify Subscriber if Skilljar determines it can no longer meet its obligations under the CCPA with respect to such Data, and (ii) the obligation not to combine any such Data relating to a specific consumer with any other data about the same consumer in Skilljar’s possession and/or control, whether received from or on behalf of another person or persons or collected by Skilljar from its own interaction(s) with the consumer.

      2.3 International transfers of Data: Skilljar is located in the United States and processes the Data in the United States. For Skilljar to perform Services for Subscriber pursuant to the Agreement, Subscriber transfers (directly or indirectly) Personal Data to Skilljar in the United States. For Personal Data subject to European Data Protection Law, Skilljar agrees to abide by and process the Data in compliance with the Model Clauses, which are incorporated in full by reference and form an integral part of this DPA. For the purposes of the Model Clauses, the parties agree that:

      2.3.1. Skilljar is the “data importer” and Subscriber is the “data exporter” (notwithstanding that Subscriber may itself be located outside the EEA/UK and/or a Processor acting on behalf of a third-party Controller);

      2.3.2. Appendix A (Processing Particulars), Appendix B (Specific Security Measures), and Appendix C (Sub-processor List) of this DPA shall form Annex I, Annex II, and Annex III of the Model Clauses, respectively;

      2.3.3. Option 2 under clause 9 of the Model Clauses will apply with respect to Sub-Processors. Annex III of the Model Clauses shall be subject to General Written Authorization, where “General Written Authorization” means that Skilljar has Subscriber’s general authorization (or the general authorization of the Controller of the Data) for the engagement of sub-processor(s) from the list set forth in Appendix C, which shall be amended from time to time in accordance with the terms of the Agreement, this DPA, and all Applicable Data Protection Law;

      2.3.4. Audits described in clause 8.9 of the Model Clauses shall be carried out in accordance with the audit provisions detailed in Section 2.12 of this DPA;

      2.3.5. The option under clause 11 of the Model Clauses shall not apply;

      2.3.6. For purposes of clauses 17 and 18 of the Model Clauses, this DPA shall be governed by the laws of the Republic of Ireland. Any dispute arising from this DPA shall be resolved by the courts of the Republic of Ireland, and each party agrees to submit themselves to the jurisdiction of the same; and

      2.3.7. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data processed pursuant to the Model Clauses. Subscriber warrants it will not transfer any Sensitive Data to Skilljar.

      2.4 Law enforcement requests

      2.4.1. If Skilljar becomes aware that any law enforcement, regulatory, judicial or governmental authority (an “Authority”) wishes to obtain access to or a copy of some or all Data, whether on a voluntary or a mandatory basis, then unless legally prohibited as part of a mandatory legal compulsion that requires disclosure of Data to such Authority, Skilljar shall:

      1. promptly notify Subscriber of such Authority’s data access request;
      2. inform the Authority that any and all requests or demands for access to Data should be notified to or served upon Subscriber in writing; and
      3. not provide the Authority with access to Data unless and until authorized by Subscriber.

      2.4.2. If Skilljar is under a legal prohibition that prevents it from complying with Section 2.4.1(a)-(c) in full, Skilljar shall use reasonable and lawful efforts to challenge such prohibition (and Subscriber acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request). If Skilljar makes a disclosure of Data to an Authority (whether with Subscriber’s authorization or due to a mandatory legal compulsion), Skilljar shall only disclose such Data to the extent Skilljar is legally required to do so.

      2.4.3. Section 2.4.1 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Skilljar has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Skilljar shall notify Subscriber as soon as possible following such Authority’s access and provide Subscriber with full details of the same, unless and to the extent that Skilljar is legally prohibited from doing so;

      2.4.4. Solely with respect to Data that is subject to the GDPR, and/or where Data whose disclosure is otherwise restricted by Applicable Data Protection Law, Skilljar shall not knowingly disclose Data to an Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society. Skilljar shall have in place, maintain and comply with a policy governing Personal Data access requests from Authorities which at minimum prohibits:

      1. massive, disproportionate or indiscriminate disclosure of Personal Data relating to Data Subjects in the EEA and the United Kingdom; and
      2. disclosure of Personal Data relating to data subjects in the EEA, and the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such Personal Data.

      2.5. Confidentiality of processing: Skilljar shall ensure that any person that it authorizes to process the Data (including Skilljar’s staff, agents and subcontractors) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Data who is not under such a duty of confidentiality.

      2.6. Security: Skilljar shall implement appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data. At a minimum, such measures shall include the security measures identified in Appendix B. With respect to evaluation of the appropriate level of security for the processing of the Data, each party represents and warrants that:

      2.6.1 It has taken due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the Data; and

      2.6.2. It has evaluated the use of encryption and/or pseudonymization for the Data and has determined that the level provided by Skilljar is appropriate for the Data.

      2.6.3. To the extent that the CCPA applies to the processing of the Data, the party has determined that the technical and organizational measures provided by Skilljar is no less than the level of security required by the CCPA.

      2.7. Subcontracting: Skilljar shall not subcontract any processing of the Data to a third-party Sub-Processor unless: (i) Skilljar provides to Subscriber an up-to-date list of its then-current Sub-Processors upon request; and (ii) Skilljar provides at least thirty (30) days’ prior notice of the addition or removal of any Sub-Processor (including the details of the processing it performs or will perform, and the location of such processing). To the extent required by Applicable Data Protection Law, Subscriber shall promptly inform the corresponding Controller of the Data of the specifics of the intended appointment, and in any event no fewer than three (3) business days following receipt of Skilljar’s notice. If Subscriber or the corresponding Controller of the Data objects to Skilljar’s appointment of a third-party Sub-Processor on reasonable grounds relating to the protection of the Data, then either Skilljar will not appoint the Sub-Processor, or Subscriber may elect to suspend or discontinue the affected Services by providing written notice to Skilljar. Subscriber shall notify Skilljar of its objection within ten (10) business days after its receipt of Skilljar’s notice, and Subscriber’s objection shall be sent to security@skilljar.com and explain the reasonable grounds for Subscriber’s objection. If a timely objection is not made, Skilljar will be deemed to have been authorized by Subscriber (or, if Subscriber is a Processor of the Data, by the Controller of the Data) to appoint the new Sub-Processor. Skilljar shall impose the same data protection terms on any Sub-Processor it appoints as those provided for by this DPA and Skilljar shall remain fully liable for any breach of Skilljar’s obligations under this DPA that is caused by an act, error or omission of its Sub-Processor.

      2.8. Cooperation and individuals’ rights: Subscriber is responsible for responding to Data Subject requests using Subscriber’s own access to the relevant Data. Skilljar shall provide all reasonable and timely assistance to enable Subscriber to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law, and (ii) any other correspondence received from a regulator or public authority in connection with the processing of the Data. In the event that any such communication is made directly to Skilljar, Skilljar shall promptly (and in any event, no later than within forty-eight (48) hours of receiving such communication) inform Subscriber providing full details of the same and shall not respond to the communication unless specifically required by law or authorized by Subscriber.

      2.9. Data Protection Impact Assessment: Taking into account the nature of the processing and the information available to Skilljar, Skilljar shall provide Subscriber with reasonable and timely assistance with any data protection impact assessments as required by Applicable Data Protection Law and, where necessary, consultations with data protection authorities.

      2.10. Security Incidents: Upon becoming aware of a Security Incident, Skilljar shall inform Subscriber without undue delay and shall provide all such timely information and cooperation to enable Subscriber to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Skilljar shall further take such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Subscriber informed of all material developments in connection with the Security Incident. Skilljar shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (a) Subscriber has agreed to such notification, and/or (b) notification is required to be made by Skilljar under Applicable Data Protection Law.

      2.11. Deletion or return of Data: Upon termination or expiry of the Agreement, Skilljar shall (at Subscriber’s election) delete or return all Data, including copies in Skilljar’s possession or control no later than within sixty (60) days of Subscriber’s election. This requirement shall not apply to the extent that Skilljar is required by applicable laws to retain some or all of the Data, in which event Skilljar shall isolate and protect the Data from any further processing except to the extent required by such law, shall only retain such Data for as long as it is required under applicable laws, and shall continue to ensure compliance with all Applicable Data Protection Law during such retention.

      2.12. Audit: Skilljar uses an external auditor to verify the adequacy of its security measures and controls for its Services. The audit is conducted annually by an independent third-party in accordance with AICPA SOC2 standards and results in the generation of a SOC2 report (“Audit Report”) which is Skilljar’s confidential information. Upon written request, Skilljar shall provide Subscriber with a copy of the most recent Audit Report subject to confidentiality obligations of the Agreement or a non-disclosure agreement covering the Audit Report. If documentation beyond the Audit Report and other information that Skilljar provides to Subscriber is necessary to enable Subscriber to comply with its obligations with respect to the processing of Data under Applicable Data Protection Law (such as Article 28(3)(h) of GDPR where applicable), Skilljar shall permit Subscriber to audit Skilljar’s compliance with this DPA using an independent third party and shall make available all such information, systems and staff reasonably necessary to conduct such audit. Subscriber shall not exercise its audit rights more than once per year except following a Security Incident or following an instruction by a regulator or public authority. Subscriber shall give Skilljar thirty (30) days prior written notice of its intention to audit, conduct its audit during normal business hours, take all reasonable measures to prevent unnecessary disruption to Skilljar’s operations, restrict findings to only data relevant to Subscriber, and provide Skilljar with a copy of the auditor’s report. Skilljar and Subscriber shall mutually agree in advance on the date, scope, duration, and security and confidentiality controls applicable to the audit. Subscriber shall reimburse Skilljar for actual expenses and costs incurred to allow for and contribute to Subscriber’s audit.

   3. Miscellaneous
      
      3.1. The obligations placed upon Skilljar under this DPA shall survive so long as Skilljar and/or its Sub-Processors process Data on behalf of Subscriber.

      3.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

      3.3 It is not the intention of either party, nor shall it be the effect of this DPA, to contradict or restrict any provision of the Model Clauses and/or any Applicable Data Protection Law. To the extent that any provision of the Model Clauses conflicts with this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data which is subject to the Model Clauses. In no event shall this DPA restrict or limit the rights of any Data Subject or of any Authority. If there is a change in law requiring any change to this DPA to enable either party to continue to comply with Applicable Data Protection Law, the parties will negotiate in good faith to amend this DPA to the extent reasonably necessary to comply with Applicable Data Protection Law.

      3.4 If any provision of this DPA is deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible; or (ii) if that is not possible, then construed in a manner as if the invalid or unenforceable part had never been included herein.

      3.5 Skilljar may update the terms of this DPA from time to time; provided, however, Skilljar shall provide at least thirty (30) days prior written notice to Subscriber when an update is made.

      3.6 The term of this DPA will terminate automatically without requiring any further action by either party upon the later of (i) the termination of the Agreement, or (ii) when all Personal Data is removed from Skilljar’s systems and records, and/or is otherwise rendered unavailable to Skilljar for further Processing.

    

   APPENDIX A – PROCESSING PARTICULARS

   1. 1. 1. LIST OF PARTIES
            Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
            
            1. Name: Subscriber set forth in Agreement
               Address: As set forth in the Agreement, or as set forth below.
               Role: Controller or Processor

            Data importer(s):

            1. Name: Skilljar Inc.
               Address: 113 Cherry Street, Suite #29434, Seattle, WA 98104
               Role: Processor
         2. DESCRIPTION OF TRANSFER
            Categories of data subjects whose personal data is transferred
            Subscriber may submit Personal Data, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
            • Employees, agents, advisors, freelancers of Subscriber (who are natural persons); and
            • Subscriber’s users, partners, and customers and the users and employees of those entities.

            Categories of personal data transferred
            Subscriber may submit Personal Data, the extent of which is determined and controlled by Subscriber (including Subscriber’s users, partners, and customers, in each case as applicable) in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:

            • Identification and contact data (name, title, address, phone number, email address);
            • Employment data (employer, job title, academic and professional qualifications, geographic location, area of responsibility, affiliated organization, area of responsibility and industry);
            • Purchase and usage history data;
            • IT related data (IP addresses of visitors to data exporter’s customer’s websites, online navigation data, browser type, language preferences, pixel data, cookies data, web beacon data);
            • IT information (computer ID, user ID and password, domain name, IP address, log files, software and hardware inventory, software usage pattern tracking information (i.e. cookies and information recorded for operation and training purposes); and
            • If the parties mutually agree on expanded use case, financial information (account details, payment information.

            Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
            No sensitive data is transferred.

            The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
            Data is transferred on a continuous basis during the term of the Skilljar Service Subscription Agreement and this DPA.
            
            Nature of the processing
            The nature of the processing of Subscriber Data is set out in the Skilljar Service Subscription Agreement and this DPA.
            
            Purpose(s) of the data transfer and further processing
            The purpose of the processing of Subscriber Data are set out in the Skilljar Service Subscription Agreement and this DPA.
            
            The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
            Personal Data shall be retained by Skilljar for no longer than necessary to effect the services set out in the Skilljar Service Subscription Agreement and this DPA, subject to exemptions as set forth in Section 2.11 of this DPA.
            
            For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
            Skilljar transfers the Personal Data listed above to certain Sub-Processors (listed in Appendix C) for the sole purpose of facilitating Skilljar’s provision of services under the Skilljar Service Subscription Agreement. Sub-Processors have been instructed to retain any Personal Data processed by Skilljar for no longer than necessary to render sub-processing services for Skilljar.
            

       

   APPENDIX B – SPECIFIC SECURITY MEASURES

   TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

   Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

   1. 1. Measures of pseudonymization and encryption of personal data; measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
         Network Security
         Skilljar services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Skilljar uses only strong encryption algorithms with a key length of at least 128 bits.
         All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
         Skilljar servers are only accessible through HTTPS and deny access to other ports, except that SSH access (protected by TLS and private key authentication) is enabled for administration. Administrative access is granted only to select employees of Skilljar, based on role and business need.
         Access to databases used in the Skilljar Services is provided via an encrypted link (TLS).
      2. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
         Development Process
         Skilljar developers have been trained in secure coding practices. Skilljar application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Skilljar application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.
      3. Measures for user identification and authorization
         Authentication
         Clients login to Skilljar using a password which is known only to them and done only over secure (HTTPS) connections. Clients are required to have reasonably strong passwords. Passwords are not stored unencrypted; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.
         When clients enable end users to connect to Skilljar using user-supplied credentials (Single Sign On), this is done using security tokens, OAuth, or SAML 2.0, and in those cases, no credentials need to be stored in the Skilljar system.
      4. Measures for the protection of data during transmission; measures for the protection of data during storage
         Hosting and Physical Security
         Skilljar servers are hosted on Heroku, an application platform that in turn uses services provided by Amazon Web Services (AWS). As such, Skilljar inherits the control environment which Amazon maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure datacenters. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
      5. Measures for ensuring physical security of locations at which personal data are processed
         Isolation of Services
         Skilljar servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory and do not have access to the local filesystem.
         Employee Screening and Policies
         As a condition of employment, all Skilljar employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.
         Security Issues
         Skilljar considers the security of its systems a top priority. Skilljar has implemented a responsible disclosure policy to ensure that problems are addressed quickly and safely. Members of Skilljar’s personnel are granted access to Personal Data only to the extent strictly necessary for the implementation, management and monitoring of the Agreement. Skilljar ensures that all persons authorized to process the personal data have committed themselves to confidentiality.
      6. Measures for certification/assurance of processes and products
         SOC 2 Audited
         Skilljar is committed to maintaining the security of its subscribers’ information. Skilljar has completed a Service Organization Controls 2 (SOC 2) audit with a 3rd-party evaluator (Grant Thornton) certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization’s controls. Skilljar represents and warrants that it will continue to maintain its certified SOC 2 status.
         Salesforce.com Security Review
         Skilljar has successfully completed the Salesforce.com Security Review and is now listed on the Salesforce AppExchange.

   APPENDIX C – LIST OF SUB-PROCESSORS

   The controller has authorized the use of the following sub-processors:

   	Name	Address	Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized):
   1	Amazon Web Services	1200 12th Ave S, Ste 1200, Seattle, WA 98144	Hosting services
   2	Heroku	The Landmark @ 1 Market St., Suite 300, San Francisco, CA, 94105	Database and hosting services
   3	JW Platform	2 Park Ave, New York, NY 10016	Video hosting and streaming services
   4	Twilio	375 Beal Street, Suite 300, San Francisco, CA 94105	SendGrid email management and sending services
   5	Google	1600 Amphitheatre Pkwy, Mountain View, CA 94043	Anonymizes IP addresses and provides application usage analytics
   6	Elastic	800 West El Camino Real, Suite 350, Mountain View, CA 94040	Application logs
   7	Sentry	45 Fremont St., 8th Floor, San Francisco, CA 94105	Application error reporting
   8	New Relic	188 Spear St., San Francisco, CA 98105	Application Monitoring
   9	MemCachier	3477 1/2 17th Street, San Francisco, CA 94110	Application data caching
   10	84codes	20 S. Sarah St, St. Louis, MO, 63108 U.S.	CloudAMQP distributed processing queues

   APPENDIX D – COMPETENT SUPERVISORY AUTHORITY

   For the purposes of any Personal Data subject to the GDPR and/or the GDPR as implemented in the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018, where such personal data processed in accordance with the Model Clauses, the competent supervisory authority shall be as follows:
   (i) where Subscriber is established in an EU member state, the supervisory authority with responsibility for ensuring Subscriber’s compliance with the GDPR shall act as competent supervisory authority;
   (j) where Subscriber is not established in an EU member state, but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU member state in which Subscriber’s representative is established shall act as competent supervisory authority; or
   (k) where Subscriber is not established in an EU member state but falls within the extra-territorial scope of the GDPR without however having to appoint a representative, the supervisory authority of the EU member state in which the Data Subjects are predominantly located shall act as competent supervisory authority.

   In relation to Personal Data that is subject to the U.K. GDPR, the competent supervisory authority is the United Kingdom Information Commissioner’s Office, subject to the additional terms set forth in the International Data Transfer Addendum to the EU Model Clauses attached hereto as “Appendix E”.

   In relation to Personal Data that is subject to the data privacy laws of Switzerland, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

   APPENDIX E – U.K. International Data Transfer Addendum

   This U.K. INTERNATIONAL DATA TRANSFER ADDENDUM (“IDTA”) forms a part of the Data Processing Addendum (“DPA”) entered into by and between Skilljar, Inc. (“Skilljar”) and the party identified as the Subscriber in the DPA (“Subscriber”). Unless otherwise specified, all capitalized terms used in this IDTA have the meanings provided in the DPA.

   1. Scope of IDTA. The obligations set forth in this IDTA apply solely to Personal Data subject to the U.K. GDPR that is processed under the DPA (“U.K. Personal Data”).
   2. Incorporation of the U.K. Addendum. The parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the U.K. Information Commissioner’s Office under s.119A (1) of the U.K. Data Protection Act 2018 (“U.K. Addendum”) is incorporated by reference into and forms a part of this IDTA as if fully set forth herein. Each party agrees that execution of the DPA (to which this IDTA is attached as an appendix and incorporated by reference) shall have the same effect as if the parties had simultaneously executed a copy of the U.K. Addendum.
   3. Interpretation of the Model Clauses. For purposes of Processing U.K. Personal Data, any references in the DPA to the Model Clauses shall be read to incorporate the mandatory amendments to the Model Clauses set forth in the U.K. Addendum.
   4. Addendum Terms. Tables 1 through 4 of the U.K. Addendum shall be completed as follows:
   1. In Table 1 of the U.K. Addendum, the “Start Date” shall be the Effective Date of the DPA, and the details and contact information for the “data exporter” and the “data importer” shall be as specified in Appendix I of the DPA.
   2. In Table 2 of the U.K. Addendum:

   i. The version of the Model Clauses incorporated by reference into the DPA shall be the version applicable to this IDTA.

   ii. Those provisions of the Model Clauses applicable under Module Two shall apply to this IDTA.

   iii. The optional clauses and provisions of the Model Clauses applicable to this IDTA shall be those clauses and provisions specified in Section 2.3 of the DPA.

   3. In Table 3 of the U.K. Addendum, the information required in Annexes I (both 1A and 1B), II, and III shall be as provided in Appendices A, B, and C of the DPA, respectively.
   4. In Table 4 of the U.K. Addendum, if the ICO issues any revisions to the U.K. Addendum after the Effective Date (“ICO Revision”), Subscriber and Skilljar shall each have the right to terminate this IDTA in accordance with the U.K. Addendum, the DPA, and the Agreement. Upon such termination of this IDTA:

      i. Skilljar shall cease its Processing of the U.K. Personal Data; and

      ii. Each party shall follow the processes described in Section 2.11 of the DPA with respect to the U.K. Personal Data.

      Notwithstanding the foregoing, termination of this IDTA in the event of an ICO Revision shall not terminate the DPA, the Agreement, and/or the obligations of either party arising thereunder with respect to Personal Data other than U.K. Personal Data, except and unless expressly agreed by and between the parties.

   5. No Amendments. The terms of the U.K. Addendum have not been amended in any way except as expressly stated herein.

   Skilljar Data Processing Addendum (December 2, 2022)