Back to LegalThis Capio Data Processing Agreement and its Schedules (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Information by us on behalf of you in connection with the Capio Services under the Capio Master School User Agreement available at capio.app/legal/MSA, between you and us (also referred to in this DPA as the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
We update these terms from time to time. The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
Definitions
“California Personal Information” means Personal Data that is subject to the protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or “CPRA”).
“Consumer”, “Business”, “Sell”, “Service Provider”, and “Share” will have the meanings given to them in the CCPA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
“Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded or replaced.
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement. This includes the General Data Protection Regulation (GDPR) in the European Union and the UK General Data Protection Regulation (UK GDPR) in the UK. In Canada, it encompasses Federal and Provincial data protection laws, while in India, it includes the Information Technology Act, 2000, its ancillary rules and guidelines, and the Digital Personal Data Protection Act (DPDPA) 2023. In the United States, it covers the Family Education Rights Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA), and applicable state student and consumer privacy laws such as the California Consumer Privacy Act (CCPA). In Australia, it may include the Privacy Act 1998 and its amendments
“Data Subject” means the individual to whom Personal Data relates.
“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.
“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
“Joint Controller” means two or more controllers who jointly determine the purposes and means of processing.
“Permitted Affiliates” means any of your affiliates that (i) are permitted to use the Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Client” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws.
“Personal Information” or “Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Client Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services. “Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found here , as may be amended, superseded or replaced.
“Sub-Processor” means any Processor engaged by us or our affiliates to assist in fulfilling our obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or our affiliates but will exclude any Company employee or consultant.
“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at here, as may be amended, superseded, or replaced.
Controller Responsibilities
- Compliance with Laws. Within the scope of the Agreement and in its use of the services, you will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us. In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for:
- The accuracy, quality, and legality of Client Data and the means by which you acquired Personal Data;
- Complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations;
- Ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA);
- Ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and
- Informing Company without undue delay if you are not able to comply with your responsibilities under this ‘Compliance with Laws’ section or applicable Data Protection Laws.
- Controller Instructions. The Parties agree that the Agreement (including this DPA), together with your use of the Service in accordance with the Agreement, constitute your complete Instructions to us in relation to the Processing of Personal Data, so long as you may provide additional instructions during the Service term that are consistent with the Agreement, the nature and lawful use of the Service.
- Security. You are responsible for independently determining whether the data security provided for in the Service adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of the Service, including protecting the security of Personal Data in transit to and from the Service (including to securely backup or encrypt any such Personal Data).
Processor Obligations
- Compliance with Instructions. Company will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.
- Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will:
- promptly notify you of that legal requirement to the extent permitted by the applicable law; and
- where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply.
If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Services until such time as you issue new lawful Instructions with regard to the Processing.
- Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Schedule 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
- Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf, such as to troubleshoot an issue, are appropriately trained, subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data, and will have access for only as long as is necessary.
- Personal Data Breaches. We will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.
- Deletion or Return of Personal Data. We will delete or return all Client Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Service. This term will apply except where we are required by applicable law to retain some or all of the Client Data, or where we have archived Client Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices. You may request the deletion of your account after expiration or termination of your Service by sending a request to our privacy office at dpo@capio.com.
Data Subject Requests
The Service provides you with a number of controls that you can use to retrieve, correct, delete or restrict Personal Data, which you can use to assist it in connection with its obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).
To the extent that you are unable to independently address a Data Subject Request through the Service, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement.
If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
Sub-Processors
You agree we may engage Sub-Processors to Process Personal Data on your behalf, and we do so in three ways. First, we may engage Sub-Processors to assist us with hosting and infrastructure. Second, we may engage with Sub-Processors to support product features and integrations. Third, we may engage with Company affiliates as Sub-Processors for service and support. Some Sub-Processors will apply to you as default, and some Sub-Processors will apply only if you opt-in for a particular product or Service.
We maintain a list of Sub-Processors and Company affiliates. We may update this list from time to time. We will give you the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-Processor, or permit you to suspend or terminate the affected Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination).
Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.
Data Transfers
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Service in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by Company in the Canada and the United States and to other jurisdictions where Company, or its Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
Additional Provisions for European Data
- Scope. This ‘Additional Provisions for European Data’ section will apply only with respect to European Data.
- Roles of the Parties. When Processing European Data in accordance with your Instructions, the parties acknowledge and agree that you are acting as the Controller of European Data (either as the Controller, or as a Processor on behalf of another Controller) and Company is the Processor under the Agreement.
- Instructions. If we believe that your Instruction infringes European Data Protection Laws (where applicable), we will inform you without delay.
- Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to us, and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments, and prior consultations with supervisory authorities (for example, the French Data Protection Agency (CNIL), the Berlin Data Protection Authority (BlnBDI) and the UK Information Commissioner’s Office (ICO)) or other competent data privacy authorities to the extent required by European Data Protection Laws.
- Transfer Mechanisms for Data Transfers.
- Company will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation)
- transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including the Data Privacy Framework;
- to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or
- to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
Alternative Transfer Mechanism. In the event that Company is required to adopt an alternative transfer mechanism for European Data, in addition to or other than the mechanisms described in sub-section (i) above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect such alternative transfer mechanism.
Additional Provisions for California Personal Information
- Scope. The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information.
- Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that you are a Business and we are a Service Provider for the purposes of the CCPA.
- Responsibilities. We certify that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services and Consulting Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA, including as described in the ‘Usage Data’ section of our Privacy Policy. Further, we certify we:
Will not Sell or Share California Personal Information;
Will not Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; and
Will not combine the California Personal Information included in Client Data with personal information that we collect or receive from another source (other than information we receive from another source in connection with our obligations as a Service Provider under the Agreement)
- Compliance.
We will:Comply with obligations applicable to us as a Service Provider under the CCPA and; provide California Personal Information with the same level of privacy protection as is required by the CCPA.
We will notify you if we make a determination that we can no longer meet our obligations as a Service Provider under the CCPA.
- Not a Sale. The parties acknowledge and agree that the disclosure of California Personal Information by the Client to Company does not form part of any monetary or other valuable consideration exchanged between the parties.
Parties to this DPA
- Permitted Affiliates. By signing the Agreement, you enter into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Client”, “you” and “your” will include you and such Permitted Affiliates.
- Authorization. The legal entity agreeing to this DPA as Client represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
- Remedies. The parties agree that:
1. solely the Client entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and
2. the Client entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together.
The Client entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.
Schedule 1 - Details of Processing
Insight Dashboard
A. List of Parties
Data Controller :
Name: The Client, as defined in the Capio Master Services Agreement (on behalf of itself and Permitted Affiliates)
Address: The Customer’s address, as set out in the Order Form
Contact person’s name, position and contact details: The Customer’s contact details, as set out in the Order Form and/or as set out in the Customer’s Account
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Services under the Master Services Agreement.
Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)
Data Processor:
Name: Capio
Address: 101 Frederick St, Kitchener, ON, N2H 6R3
Contact details: Director of Privacy and Data Governance, dpo@capio.com
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Client’s use of the Services under the Capio Master Services Agreement.
Role (controller/processor): Processor.
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Transferred
You may submit Personal Data in the course of using the Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Prospective applicants to your Institution, your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors.
Categories of Personal Data Transferred
You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- Prospective applicants identifying profile information
- Prospective applicants application processing stage
Sensitive Data transferred
The parties do not anticipate the transfer of sensitive data.
Frequency of the transfer
Continuous
Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Services provided to you; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the transfer and further processing
We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.
Period for which Personal Data will be retained
Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Enrolment Planner
A. List of Parties
Data Controller :
Name : The Client, as defined in the Capio Master Services Agreement (on behalf of itself and Permitted Affiliates)
Address : The Customer’s address, as set out in the Order Form
Contact person’s name, position and contact details: The Customer’s contact details, as set out in the Order Form and/or as set out in the Customer’s Account
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Services under the Master Services Agreement.
Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)
Data Processor:
Name: Capio
Address: 101 Frederick St, Kitchener, ON, N2H 6R3
Contact details: Director of Privacy and Data Governance, dpo@capio.com
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Client’s use of the Services under the Master Services Agreement.
Role (controller/processor): Processor
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Transferred
You may submit Personal Data in the course of using the Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Prospective applicants to your Institution, your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors.
Categories of Personal Data Transferred
You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- Prospective applicants identifying profile information
- Prospective applicants application processing stage
- Prospective applicants age, nationality, and other demographic information
Sensitive Data transferred
The parties do not anticipate the transfer of sensitive data.
Frequency of the transfer
Continuous
Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Services provided to you; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the transfer and further processing
We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.
Period for which Personal Data will be retained
Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Application Management System
A.List of Parties
Data Controller:
Name: The Client, as defined in the Capio Master Services Agreement (on behalf of itself and Permitted Affiliates)
Address: The Customer’s address, as set out in the Order Form
Contact person’s name, position and contact details: The Customer’s contact details, as set out in the Order Form and/or as set out in the Customer’s Account
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Services under the Capio Master Services Agreement.
Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)
Data Processor:
Name: Capio
Address: 101 Frederick St, Kitchener, ON, N2H 6R3
Contact details: Director of Privacy and Data Governance, dpo@capio.com
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Client’s use of the Services under the Master Services Agreement.
Role (controller/processor): Processor
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Transferred
You may submit Personal Data in the course of using the Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Prospective applicants to your Institution, your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors.
Categories of Personal Data Transferred
You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- Prospective applicants personal details (which may include name, parents/legal guardian’s, gender, date of birth, nationality)
- Prospective applicants contact details (email address, telephone number, address)
- Prospective applicants education qualifications
- Prospective applicants professional / work experience
- Prospective applicants english language qualifications
- Prospective applicants personal statement and or research proposal
- Prospective applicants passport and other government identification information
- Prospective applicants referee information
- Prospective applicants preferences and choices for study
- Prospective applicants information about funding of studies (sponsor information)
- Prospective applicants criminal convictions
- Prospective applicants nominated person or agent with whom application information can be shared
- Prospective applicants socioeconomic background of a candidate including whether they have been in care, their parents’ education and occupational background.
Sensitive Data transferred
Personal information revealing or allowing Sensitive Personal Data to be inferred may be included in the Personal Data shared with the Company on behalf of you by prospective applications. The Company takes all reasonable steps to protect, remove, and restrict access to this data when received from prospective applicants. Categories of Sensitive Personal Data that may be shared include racial or ethnic origin or health data.
Frequency of the transfer
Continuous
Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Services provided to you; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the transfer and further processing
We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.
Period for which Personal Data will be retained
Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Schedule 2 - Security Measures
Where applicable, this Schedule 3 will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.
Technical and Organizational Security Measure |
Evidence of Technical and Organizational Security Measure |
|---|---|
|
Measures of pseudonymisation and encryption of personal data |
For the Company Services, (a) the databases that store Personal Information are encrypted using the Advanced Encryption Standard and (b) Student Data is encrypted when in transit between a student/applicant’s browser application and the Company platform using TLS v1.2. |
|
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services |
The Company platform uses tools and mechanisms within Amazon Web Services (“AWS”) to achieve high availability and resiliency. For Company services, the Company infrastructure spans multiple fault-independent AWS availability zones in the USA and Canada. |
|
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident |
Company performs regular backups of Personal Information, which is hosted on AWS’s data center infrastructure. Personal Information that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256) |
|
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing |
Company performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. |
|
Measures for user identification and authorisation |
Each user account inside of Company is mapped back to a unique email address which the user enters and validates during the account creation. The system enforces a strong password selection upon account setup. Password reuse is blocked for the previous four passwords. Company’s use of the third party authentication allows students the option of, after registration to the Company system, using their Facebook, Apple, or Google authentication to provide a seamless login to the Company system. If the user has activated MFA to 2FA with one of these three authentication systems the Company application will automatically support it. |
|
Measures for the protection of data during transmission and during storage. |
For the Company Services, (a) the databases that store Personal Information are encrypted using the Advanced Encryption Standard and (b) Personal Information is encrypted when in transit between Student’s browser application and the Services using TLS v1.2. (Only Strong Ciphers are permitted) Company performs regular backups of Personal Information, which is hosted on AWS’s data center infrastructure. Personal information that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256). The cloud platform for the Company Services are hosted by AWS. The AWS data center infrastructure used in providing the CompanyServices are located in the United States. Additional information about security provided by AWS is available at https://aws.amazon.com/security and https://aws.amazon.com/whitepapers/overview-of-security-processes. Company’s production environment within AWS, where Student Data and the Company Services are hosted, is a logically isolated Virtual Private Cloud (VPC). |
|
Measures for ensuring physical security of locations at which personal data are processed |
AWS data centers that host the Company Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Company headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security. All employees, and contractors are required to possess an access badge, and visitors are required to wear identification badges. |
|
Measures for internal IT and IT security governance and management |
Company maintains a risk-based assessment security program. The framework for the Company's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Personal Information. Company’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Company’s business operations. |
Schedule 3 - Sub-Processors
- on behalf of Company customers;
- in accordance with client instructions as communicated by the Company; and
- in strict accordance with the terms of a written contract between the Company and the sub-processor.
