Data Processing Addendum
Last Updated: June 29, 2022
Background
This Thinkific Data Processing Addendum (“Addendum”) forms part of the Self-Serve Terms of Service, the Plus Terms of Service or any other written or electronic agreement for the provision of Services which include the processing of personal data (otherwise referred to in privacy laws as personal information) (the “Agreement”) between you and Thinkific Labs Inc. (“Thinkific”), a British Columbia company with offices at 369 Terminal Ave, Vancouver, British Columbia, V6A 4C4, Canada, to the extent the Agreement involves the processing of personal data (as defined below).
The purpose of this Addendum is to set our obligations in relation to any processing of personal data carried out as part of the Agreement. Only to the extent that there is any conflict or inconsistency between this Addendum and the Agreement, the terms of this Addendum will take precedence.
1. Definitions
1.1. In this Addendum the following words and expressions have the following meanings unless the context otherwise requires:
“Agreement Personal Data” means any personal data which is processed under the Agreement, including this Addendum, as more particularly described in Annex 1;
“Data Protection Laws” means all laws applicable to any personal data processed under or in connection with the Agreement, including to the extent applicable: (a) the Privacy and Electronic Communications Regulations 2003; (b) the General Data Protection Regulation 2016/679 (“GDPR”); (c) the Data Protection Act 2018 and all other national legislation implementing or supplementing any of the foregoing; (d) the California Privacy Rights Act (CPRA) and other US state law; and (e) all associated codes of practice, regulations and other binding guidance issued by any competent regulator; all as amended, re-enacted or replaced and in force from time to time;
“Personal Data Security Incident” means:
(a) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Agreement Personal Data transmitted, stored or otherwise processed;
(b) a discovery or reasonable suspicion that there is a vulnerability in any technological measure used to protect any Agreement Personal Data that has previously been subject to a breach within the scope of paragraph (a), which may result in exploitation or exposure of that Agreement Personal Data; or
(c) any defect or vulnerability with the potential to impact the ongoing resilience, security and/or integrity of systems processing Agreement Personal Data;
“Restricted Transfer” means a transfer of Agreement Personal Data which is undergoing processing or which is intended to be processed after transfer, to a country or territory to which such transfer is prohibited or subject to any requirement to take additional steps to adequately protect the Agreement Personal Data for the transfer to be lawful under the Data Protection Laws;
“Services” means any services to be provided by or on behalf of Thinkific under the Agreement;
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries approved in accordance with Data Protection Laws, completed with such information and incorporating such technical, organisational or other safeguards as you, the customer, may reasonably require; and
“Sub-Processor” means any person (including any Thinkific group company or other third party) appointed, engaged or permitted by Thinkific to process Agreement Personal Data.
1.2. When used in this Addendum, the following terms will have the same meaning as in the Data Protection Laws: (a) personal data; (b) personal information; (c) controller; (d) businesses; (e) processor; (f) service providers; (g) processing; (h) special categories of personal data; (i) data subjects; (j) consumer; and (k) supervisory authority.
2. Compliance with the Data Protection Laws
The parties will comply (and will ensure that their personnel and subcontractors comply) with the Data Protection Laws. In particular, Thinkific will comply with all applicable obligations under the CPRA and it shall provide the same level of privacy protection to any Agreement Personal Data as provided under the CPRA.
3. Relationship and Roles of the Parties
3.1. In relation to the processing of Agreement Personal Data, the parties acknowledge and agree that (a) you are the controller (or business) and (b) Thinkific is the processor (or service provider).
3.2. Thinkific agrees that it will process the Agreement Personal Data in accordance with the terms of the Agreement including this Addendum.
4. Responsible Individuals and Enquiries
Each party will notify the other of the individual within its organisation authorised to respond from time to time to enquiries regarding Agreement Personal Data and the processing which is the subject of the Agreement. Each party will deal promptly and reasonably with all such enquiries.
5. Processing of personal data by Thinkific
5.1. Thinkific will:
5.1.1. process the Agreement Personal Data only on your documented instructions, unless otherwise required by law. Accordingly:
5.1.1.1 Thinkific will not sell any Agreement Personal Data received or obtained in connection with performing the Services under the Agreement or share such Agreement Personal Data for cross-context behavioural advertising;
5.1.1.2 Thinkific acknowledges and agrees that any Agreement Personal Data disclosed to it in connection with the Agreement is disclosed only for the limited purpose of providing the Services under the Agreement;
5.1.1.3 Where Thinkific is required by law to process the Agreement Personal Data, it will notify you before carrying out the processing concerned (unless the law also prohibits Thinkific from doing so);
5.1.1.4 Thinkific shall not retain, use, or disclose Agreement Personal Data received or obtained in connection with performing the Services under the Agreement for any purpose other than for the specific purpose of providing Services under the Agreement or outside of its direct business relationship with you; and
5.1.1.5 Thinkific shall not combine any Agreement Personal Data received or obtained in connection with performing the Services under the Agreement with Personal Data which it may otherwise receive, obtain, or collect.
5.1.2. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Agreement Personal Data transmitted, stored or otherwise processed under the Agreement;
5.1.3. take all reasonable steps to ensure that only authorised personnel have access to the personal data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to the personal data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
5.1.4. only engage any additional or replacement Sub-Processors in the performance of the Services in accordance with Section 6;
5.1.5. not do, or omit to do, anything which would cause you to be in breach of your obligations under the Data Protection Laws;
5.1.6. promptly notify you if, in Thinkific’s opinion, any instruction given to Thinkific infringes the Data Protection Laws and shall notify you if it determines that it can no longer comply with applicable obligations under the CPRA with respect to Agreement Personal Data received or obtained in connection with performing the Services under the Agreement. Upon receiving such notice or other notice of any non-compliance with the CPRA, you may take reasonable steps to stop and remediate any unauthorized use of Agreement Personal Data received or obtained in connection with performing the Services under the Agreement;
5.1.8 promptly notify you after becoming aware of any Personal Data Security Incident.
5.2 Thinkific may make a Restricted Transfer if it demonstrates or implements an appropriate safeguard for that Restricted Transfer in accordance with Data Protection Laws. Such appropriate safeguards may include:
5.2.1 an appropriate safeguard as directed by you, as determined by you in accordance with Data Protection Laws;
5.2.2 that the country or territory to which the Restricted Transfer is to be made ensures an adequate level of protection for processing of personal data pursuant to adequacy regulations made in accordance with Data Protection Laws; or
5.2.3 an appropriate safeguard provided by Thinkific in accordance with Data Protection Laws, in which case you will execute any documents (including data transfer agreements containing the standard contractual clauses for the transfer of personal data to processors established in third countries) relating to that Restricted Transfer which Thinkific requires you to execute from time to time.
5.3 The qualifications at clause 5.2 will not apply if Thinkific or one of our relevant Sub-Processors is required to make a Restricted Transfer to comply with domestic law to which we are subject, in which case we will notify you of such legal requirement prior to such Restricted Transfer (unless such law prohibits Thinkific from doing so on public interest grounds).
5.4. Where applicable in respect of any Agreement Personal Data, Thinkific will provide reasonable cooperation with you and assist you in ensuring compliance with:
5.4.1. your obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Data Protection Laws, including by notifying you of any written subject access requests Thinkific receives relating to your obligations under the Data Protection Laws; and
5.4.2. your obligations to, as applicable: (a) ensure the security of the processing; (b) notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to personal data; (c) carry out any data protection impact assessments of the impact of the processing on the protection of personal data; and (d) consult the relevant supervisory authority prior to any processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by you to mitigate the risk.
5.5. You hereby instruct Thinkific to process Agreement Personal Data to provide the Services in accordance with the Agreement (including this Addendum). You may provide additional instructions to Thinkific to process personal data in writing; however, Thinkific will be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this Addendum.
6. Sub-processors
6.1. You hereby agree and provide a general prior authorization that Thinkific and its affiliates may engage Sub-Processors.
6.2. Thinkific will ensure that any Sub-Processor it engages to provide any services on its behalf in connection with the Agreement does so only on the basis of a written agreement that specifies the Sub-Processor’s processing activities and imposes on the Sub-Processor terms no less protective than this Addendum. Thinkific will be liable for any act or omission of the Sub-Processor to the same extent as if the act or omission were performed by Thinkific.
6.3. A list of Thinkific’s Sub-Processors is available at https://www.thinkific.com/thinkificsubprocessors/. By entering into this Agreement, you agree to Thinkific’s use of these Sub-Processors. Prior to engaging any additional or replacement Sub-Processor, Thinkific will inform you of any intended changes and, subject to Section 6.4, give you an opportunity to object.
6.4. This Section 6.4 will apply only where and to the extent that you are established within the European Economic Area, the United Kingdom or Switzerland or where otherwise required by Data Protection Laws, including California and other US state law as applicable. In such event, if you object on reasonable grounds relating to data protection to Thinkific’s use of a new Sub-Processor you will promptly, and within 15 days following Thinkific’s notification pursuant to Section 6.3, provide written notice of such objection to Thinkific. Should Thinkific choose to retain the objected-to Sub-Processor, Thinkific will notify you at least 15 days before authorizing the Sub-Processor to process personal data and you may terminate the relevant portion(s) of the Services within 30 days. Upon any termination by you pursuant to this Section 6.4 Thinkific will refund to you any prepaid fees for the terminated portion(s) of the Service that were to be provided after the effective date of termination.
7. Your obligations
You are responsible for independently determining whether the data security provided for in any subscription service offered by Thinkific adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of any such subscription service, including protecting the security of personal data in transit to and from the subscription service (including to securely back up or encrypt any such personal data).
8. Monitoring of Thinkific’s Performance
You are, at your expense, entitled to monitor and audit Thinkific’s compliance with the Data Protection Laws and its obligations in relation to data processing under the Agreement at any time during normal business hours not more than once per year. Thinkific agrees to promptly provide you with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If you believe that an on-site audit is necessary, Thinkific agrees to give you reasonable access to its premises (subject to any reasonable confidentiality and security measures), and to any stored personal data and data processing programs it has onsite. You are entitled to have the audit carried out by a reputable third party qualified to carry out such an audit.
9. Completion of Services
Upon completion of the Services, Thinkific will return or delete all Agreement Personal Data in accordance with the applicable provisions of the Agreement, except to the extent that Thinkific is required by law to retain any copies of the Agreement Personal Data.
10. Remedies
Your remedies with respect to any breach by Thinkific of the terms of this Addendum and the overall aggregate liability of Thinkific arising out of, or in connection with the Agreement (including this Addendum) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement (the “Liability Cap”). For the avoidance of doubt, the parties intend and agree that the overall aggregate liability of Thinkific and its affiliates arising out of, or in connection with the Agreement (including this Addendum) will in no event exceed the Liability Cap.
Annex 1
Agreement Personal Data
1. Subject matter and nature of processing
Under the Agreement, Thinkific may provide you with Services in relation to any one or more of: (a) online course platform software and affiliated products; (b) online course management and administration; and (c) support and maintenance. The subject matter and nature of processing is related to any personal data you provide in order to enable or facilitate the provision of the Services by Thinkific under the Agreement.
2. Purpose of processing: Why is the personal data being processed?
To enable Thinkific to perform the relevant Services under the Agreement.
3. What categories of persons does the personal data relate to?
You, your customers, students or subscribers or other individuals with whom you deal in the course of your business.
4. What categories of personal data are being processed?
Identity, Contact, Profile, Financial, Transactional, Usage, Marketing and Communications
5. Is any special category personal data being processed?
Not applicable
6. Duration of processing
Throughout the period within which Thinkific performs the relevant Services under the Agreement.