DATA PROCESSING AGREEMENT — VOCABULOUS
This Data Processing Agreement (the “Agreement”) is between the school whose details are set out in Annex A to this Agreement (the “School”) and Vocabulous Limited (company number 14248178) (the “Vocabulous”) (together the “Parties”).
BACKGROUND
(A) The School wishes to purchase a subscription or enter into a free trial for the use of the website at www.vocabulous.co.uk including its resources (“Product”)
(B) In order to use the Product, the School is required to transfer School Data (as defined below) to Vocabulous which will be used by Vocabulous to set up the School’s account and accounts for students at the School.
(C) The Parties acknowledge that although Vocabulous will determine the School Data that it requires in order to set up the accounts and the steps it needs to take to set up the accounts, Vocabulous will at all times be acting as processor of the School Data and the School will be acting as controller. As a result, the Parties wish to enter into this Agreement.
IT IS AGREED AS FOLLOWS:
1 Definitions and Interpretation
1.1 Capitalised terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Applicable Laws” means any and all laws, legislation, regulations, statutes, statutory instruments, regulations, edicts, bye-laws, directions or legally binding guidance from government or governmental agencies which whether local, national, international or otherwise that apply to a party and/or this Agreement;
1.1.2 “Business Day” means a day other than a Saturday, Sunday or public holiday in England;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means in each case to the extent applicable to the parties and as amended, superseded, replaced or updated from time to time: (i) GDPR; (ii) the UK GDPR; (iii) the Data Protection Act 2018; (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (v) any other applicable data protection and privacy laws;
1.1.5 “GDPR” means the General Data Protection Regulation ((EU) 2016/679);
1.1.6 “Force Majeure Event” means any event or circumstances outside the reasonable control of either party affecting its ability to perform any of its obligations under this agreement including Act of God, fire, flood, severe weather, epidemic or pandemic, war, revolution, acts of terrorism, riot or civil commotion, trade embargo, strikes, lock-outs or other industrial action, and interruption of utility service;
1.1.7 “School Data” means all Personal Data relating to students and staff at the school that is processed by Vocabulous pursuant to this Agreement;
1.1.8 “Subprocessor” means any person appointed by or on behalf of the Processor to process School Data on behalf of the School in connection with the Agreement; and
1.1.9 “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
1.2 The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Process” and “Supervisory Authority” shall have the same meaning as in the GDPR.
2 Processing of School Data
2.1 The Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of School Data; and
2.1.2 not Process School Data other than on the School’s documented instructions. The Parties agree that Vocabulous shall be entitled to Process School Data to the extent necessary to allow the School and students of the School to access the Product.
2.2 The School warrants that it has a lawful basis for supplying School Data to the Processor. The School shall indemnify the Processor against all costs, claims, damages, expenses, losses and liabilities incurred by the Processor arising out of or in connection to any failure by the School to have a lawful basis for transferring or making the School Data available to Vocabulous.
3 Vocabulous Personnel
3.1 Vocabulous shall ensure that persons who have access to or process School Data are authorised to access School Data only when such persons have a work related need to access the School Data and that they keep the School Data confidential (either under contractual or statutory obligations).
4 Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vocabulous shall in relation to the School Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
5 Subprocessing
5.1 Vocabulous may appoint sub-contractors to carry out any or all of its Processing activities provided that equivalent data protection obligations to those set out in this Agreement are imposed in a written contract on that other Processor.
5.2 The School authorises Vocabulous to appoint the third parties set out in Annex B. If Vocabulous wishes to replace any of those Processors or appoint new Processors it shall notify the School. If the School does not raise any objection within 10 Business Days of receiving notification, it shall be deemed to approve the appointment. If the School and Vocabulous, acting reasonably and in good faith, are unable to reach an agreement in relation to the proposed change to subprocessor within a further 10 Business Days, each of the School and Vocabulous shall be entitled to terminate this Agreement and the provision of the Product by Vocabulous to the School.
6 Data Subject Rights
6.1 Vocabulous shall, at no additional cost, take such technical and organisational measures as may be appropriate and promptly provide such information to the School as the School may reasonably require to assist the School to respond to any request from a Data Subject.
6.2 Vocabulous shall:
6.2.1 promptly notify the School if it receives a request from a Data Subject under any Data Protection Law in respect of School Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of the School or as required by Applicable Laws to which Vocabulous is subject, in which case Vocabulous shall to the extent permitted by Applicable Laws inform the School of that legal requirement before Vocabulous responds to the request.
7 Personal Data Breach
7.1 Vocabulous shall notify the School without undue delay upon Vocabulous becoming aware of a Personal Data Breach affecting School Data, providing the School with sufficient information to allow the School to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Vocabulous shall co-operate with the School and take reasonable commercial steps as are directed by the School to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8 Data Protection Impact Assessment and Prior Consultation
8.1 Vocabulous shall provide reasonable assistance to the School with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, as required by article 35 or 36 of GDPR, in each case solely in relation to Processing of School Data.
9 Deletion or return of School Data
9.1 Upon written request by the School, Vocabulous shall destroy all School Data (including all copies of the School Data) in its possession or control (including any School Data subcontracted to a third party for processing) unless Vocabulous is required by any law to retain some or all of the School Data.
10 Audit rights
10.1 Vocabulous shall make available to the School on request all information necessary to demonstrate compliance with this Agreement and shall allow audits, including inspections, by the School or an auditor mandated by the School in relation to the Processing of the School Data provided that:
10.1.1 the School shall not exercise its audit rights more than once in a 12 month calendar period;
10.1.2 the School shall give Vocabulous reasonable notice for any audit or inspection; and
10.1.3 the School shall pay all costs associated with the audit except where the audit reveals a breach of this Agreement in which case Vocabulous shall pay all reasonable costs.
11 Data Transfer
11.1 Vocabulous may not transfer or authorize the transfer of School Data to countries outside the UK, the EU and/or the European Economic Area (EEA) without the prior written consent of the School. If School Data Processed under this Agreement is transferred from a country within the UK or European Economic Area to a country outside the UK or European Economic Area, the Parties shall ensure that the School Data us adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on UK or EU approved standard contractual clauses for the transfer of School Data.
12 General Terms
12.1 Force Majeure. Neither party will be liable to the other for any delay or non-performance of its obligations under this Agreement arising from any Force Majeure Event, provided that it notifies the other party of the Force Majeure Event and the extent of any resulting delay or prevention and resumes performance of its obligations as soon as reasonably possible following the end of the Force Majeure Event.
12.2 Notices. Notices required to be given under this Agreement must not be sent by email. Notices shall be deemed to have been duly received:
12.2.1 if delivered personally, when left at the registered address of the relevant party or otherwise the address notified by the recipient to the other party in writing;
12.2.2 if sent by pre-paid first class post or recorded delivery, at 9.00am on the second day (excluding weekends and public holidays) after posting; or
12.2.3 if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed
12.3 Anti-Bribery and Modern Slavery. Each party shall comply with the Bribery Act 2010 and the Modern Slavery Act 2015 and shall not do, or omit to do, any act that will cause the other to be in breach of the Bribery Act 2010 or the Modern Slavery Act 2015.
12.4 Assignment and Sub-Contracting. Neither party shall assign, delegate, transfer, charge or otherwise dispose of all or any of its rights and responsibilities under this Agreement without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed).
13 Further Assurance. At any time, each party shall sign all documents and do or cause to be done all further acts and things as that party so requiring may reasonably require to give full effect to the terms of this Agreement.
14 Entire Agreement. This Agreement contains all the terms which the parties have agreed with respect to its subject matter and supersedes all previous agreements and understandings between the parties (whether oral or in writing) relating to such subject matter. Each party confirms that it has not been induced to enter into this agreement by a statement or promise which this agreement does not contain. All warranties, conditions and other terms (whether express or implied) which are not set out in this Agreement are (to the fullest extent permitted by law) excluded from this Agreement.
15 Third Party Rights. For the purposes of the Contracts (Rights of Third Parties) Act 1999 no person who is not a party to this Agreement will have any right to enjoy the benefit or enforce any of the terms of this Agreement.
16 Variation. No variation of this Agreement will be effective unless it is in writing and signed by each of the Parties (or their authorised representatives
17 Waiver. Failure to exercise (or to fully exercise), or any delay in exercising, any right or remedy provided under this Agreement by law will not constitute a waiver of that or any other right or remedy, nor will it preclude or restrict any further exercise of that or any other right or remedy under this Agreement or by law.
18 Severability. If any provision of Agreement is found by any court or administrative body of competent jurisdiction to be invalid, illegal or unenforceable in any jurisdiction then it will be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible that provision will be deemed to be omitted from this agreement in so far as this Agreement relates to that jurisdiction and the validity and enforceability of that provision in other jurisdictions and the other provisions of this Agreement will not be affected or impaired.
19 Governing Law and Jurisdiction. This Agreement will be governed by English Law and the Parties submit to the exclusive jurisdiction of the English Courts.
ANNEX A
The School – [insert your school name here]
This Annex A forms part of the Agreement and describes the Processing that Vocabulous will perform on behalf of the School.
Subject matter of Processing
The provision of the Product by Vocabulous to the School
Duration of Processing
The duration of the provision of the Product by Vocabulous to the School
Nature of Processing
Vocabulous will process the School Data only to the extent necessary: to register a subscription of free trial of the Product for the School; to set up accounts for students of the School; and to enable teachers and students to access the Product in accordance with the School’s subscription or free trial. School Data may be transferred to the subprocessors detailed in Annex B.
Data subjects
The School Data to be processed concern the following categories of Data Subjects:
- Students
- Teachers
Categories of data
The School Data to be Processed concern the following categories of data:
- school name and contact information (including school postal address, phone number and email address), teachers’ names and contact information (including email addresses), pupils’ names, ages (optional) and class year groups;
- details of interactions that the School and students of the School have with us regarding the Product, together with any other information that the School and students choose to provide us with, for example, through correspondence and interactions with our customer and technical support teams;
- information collected automatically relating to the Product to include information like a user’s IP address, device type, unique device identification numbers and login information, browser-type and version, time zone setting, operating system and platform, broad geographic location (e.g. country or city-level location) and other technical information;
- information collected automatically relating to the Product about how a user’s device has interacted with the Site, including the pages accessed and links clicked, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from any page;
- the answers provided by users of the Product to the quiz questions and the length of time taken to respond in each case.
Processing operations/Permitted Purpose
The School Data will be obtained, held and used by Vocabulous to enable Vocabulous to carry out its obligations arising from the Agreement entered into between the School and Vocabulous regarding the use by the School and its users of the Product.
ANNEX B
Approved Subcontractors
| Name | Processing | Weblink |
| Dropbox | Electronic data storage and transmission services | www.dropbox.com |
| WordPress | Website design and hosting | www.wordpress.com |
| MemberPress | Database provider | https://memberpress.com/ |
| G-Suite | Cloud provider | https://gsuite.google.com |
| OneDrive | Cloud provider | https://www.microsoft.com/en-gb/microsoft-365/onedrive/online-cloud-storage |
| Adobe Creative Cloud | Third party software for storing and editing videos and images | https://www.adobe.com/uk/creativecloud/ |
| Web Developers – Bow House | Contracted developers who develop and enhance the Site | https://www.bowhouse.co.uk/ |
| Stripe | Third party payment provider for credit card transactions | https://stripe.com |
| Zapier | Third party software for automating subscription processes | https://zapier.com/ |
| QuickBooks | Third party payment provider for invoice handling | https://quickbooks.intuit.com/uk/ |
| WP Engine | Server providers | https://wpengine.com/ |