Data Processing Addendum

Last updated June 20th, 2022

This MarbleFlows Data Processing Addendum (“Addendum”) supplements MarbleFlows Terms of Use or other written or electronic agreement that specifically refers to this Addendum (the “Agreement”) between you and MarbleFlows, to the extent the Agreement involves the processing of personal data (as defined below). The purpose of this Addendum is to set out your and MarbleFlows’s obligations in relation to any processing of personal data carried out as part of the Agreement. To the extent that there is any conflict between this Addendum and the Agreement, the terms of this Addendum will take precedence with respect to the parties’ obligations in relation to processing of personal data.

1. Definitions

1.1. In this Addendum: “Data Protection Regulations” means all laws applicable to any personal data processed under or in connection with the Agreement, including: (a) the Privacy and Electronic Communications Directive 2002/58/EC; (b) theGDPR; (c) the Data Protection Act 2018 and all other national legislation implementing or supplementing any of the foregoing; and (d) all associated codes of practice and other binding guidance issued by any competent regulator; all as amended, re-enacted or replaced and in force from time to time;“GDPR” means the General Data Protection Regulation 2016/679; and“Services” means any services to be provided under the Agreement.

1.2. When used in this Addendum, the following terms will have the same meaning as in the Data Protection Regulations: (a) personal data; (b) data controller; (c) data processor; (d) processing; and (e) supervisory authority.

2. Background

2.1. Under the Agreement, MarbleFlows may provide you with Services in relation to any one or more of: (a) user engagement platform software; (b) user engagment management and administration; and (c) support and maintenance.

2.2. This may involve the processing of personal data by MarbleFlows on your behalf as part of the provision of the relevant Services, including personal data relating to your customers, learners or subscribers or other individuals with whom you deal in the course of your business

3. Description of Processing

The processing to be carried out by MarbleFlows is as follows: (a) the nature and subject matter of the processing are as described in 2.1 and the duration of the processing will be throughout the period within which MarbleFlows performs the relevant Services under the Agreement; (b) the purpose of the processing is to enable MarbleFlows to perform the relevant Services under the Agreement; (c) the personal data to be processed will be any personal data you provide in order to enable or facilitate the provision of the Services by MarbleFlows under the Agreement as described inSection 2.1, and the categories of data subjects are as described inSection 2.2; and (d) the obligations and rights of the data controller in relation to the processing are set out below. Read more in Data Privacy.

4. Compliance with the Data Protection Regulations

The parties will comply with (and will ensure that their personnel and subcontractors comply) with the Data Protection Regulations.

5. Relationship and Roles of the Parties

5.1. In relation to the processing of personal data under the Agreement, the parties acknowledge and agree that (a) you are the data controller and (b) MarbleFlows is the data processor.

5.2. MarbleFlows agrees that it will process the personal data in accordance with the terms of the Agreement including this Addendum.

6. Responsible Individuals and Enquiries

Each party will notify the other of the individual within its organisation authorised to respond from time to time to enquiries regarding the personal data and the processing which is the subject of the Agreement. Each party will deal promptly and reasonably with all such enquiries.

7. Processing of personal data by MarbleFlows

7.1. In relation to the processing of personal data under the Agreement, MarbleFlows will:

7.1.1. process the personal data only to the extent necessary in order to provide the Services and then only in accordance with (a) the terms of the Agreement and (b) your documents instructions from time to time as provided in accordance with Section 7.3, unless otherwise required by law. Where MarbleFlows is required by law to process the personal data otherwise than as provided by the Agreement, it will notify you before carrying out the processing concerned (unless the law also prevents MarbleFlows from doing so);

7.1.2. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed under the Agreement;

7.1.3. take all reasonable steps to ensure that only authorised personnel have access to the personal data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to the personal data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);

7.1.4. not engage any sub-processors in the performance of the Services without your prior written consent and otherwise in accordance with Section 8 at all times;

7.1.5. not do, or omit to do, anything, which would cause you to be in breach of its obligations under the Data Protection Regulations; and

7.1.6. promptly notify you if, in MarbleFlows’s opinion, any instruction given to MarbleFlows infringes the Data Protection Regulations.

7.2. Where applicable in respect of any personal data processed under the Agreement, MarbleFlows will cooperate with and assist you in ensuring compliance with:

7.2.1. your obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Chapter III of the GDPR, including by notifying you of any written subject access requests MarbleFlows receives relating to your obligations under the Data Protection Regulations; and

7.2.2. your obligations under Articles 32 – 36 of the GDPR to: (a)ensure the security of the processing; (b) notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to personal data; (c) carry out any data protection impact assessments of the impact of the processing on the protection of personal data; and (d) consult the relevant supervisory authority prior to any processing where a any data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by you to mitigate the risk.

7.3. You hereby instruct MarbleFlows to process personal data to provide the Services in accordance with the Agreement (including this Addendum). You may provide additional instructions to MarbleFlows to process personal data in writing, however MarbleFlows will be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this Addendum.

8. Sub-processors

8.1. You hereby agree and provide a general prior authorization that MarbleFlows and its affiliates may engage sub-processors.

8.2. MarbleFlows will ensure that any sub-processor it engages to provide any services on its behalf in connection with the Agreement does so only on the basis of a written agreement that is no less protective than this DPA.

9. Monitoring of MarbleFlows’s Performance

You are, at your expense, entitled to monitor and audit MarbleFlows’s compliance with the Data Protection Regulations and its obligations in relation to data processing under the Agreement at any time during normal business hours not more than once per year. MarbleFlows agrees to provide you promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned.

10. Completion of Services

Upon completion of the Services, MarbleFlows will return or delete all personal data processed under the Agreement in accordance with the applicable provisions of the Agreement, except to the extent that MarbleFlows is required by law to retain any copies of the personal data.