Data Processing Addendum

Last Updated: December 2023

This Data Processing Addendum (“Addendum”) forms part of the Terms and Conditions or any agreement including any electronic agreement between Amplio Learning Technologies Inc. and its affiliate Amplio Learning Technologies Ltd. (“Processor” or when only HIPAA is applicable “Business Associate”) and Entity (“Controller” or when only HIPAA applicable “Covered Entity”) for the purchase of services, including use of or access to the Platform (the “Services” and the “Agreement”) to reflect the parties’ agreement with regard to Processor’s processing of Personal Data.

By accepting or signing the Agreement and/or accessing or using the Services, Entity enters this Addendum. If you do not agree to be bound by and comply with all the terms hereof or may not have the authority on behalf of Entity, you may not access or use the Services.

  1. Interpretation and Conflict of Laws
    This Addendum constitutes a data processing agreement as required by Applicable Data Protection Laws, and/or a Business Associate Agreement as required by HIPAA where Controller and Processor fall under the HIPAA definitions of “Covered Entity” and “Business Associate”. Any processing of Personal Data shall be governed by Applicable Data Protection Laws.
  2. Definitions
    Any term not defined herein shall have the meaning ascribed thereto in the Agreement.
    1. “Applicable Data Protection Laws” means all laws and regulations relating to personal data, privacy or databases, that are applicable to the parties in connection with the Services and the Agreement. This may include without limitation: (a) the Family Educational Rights and Privacy Act (FERPA); (b) the Children’s Online Privacy Protection Act of 1998 (COPPA); (c) HIPAA (as defined below); (d) the Health Information Technology Provisions of American Recovery and Reinvestment Act of 2009 (HITECH) (e) the Israeli Protection of Privacy Law, 5741-1981 and any regulations enacted thereunder and any guidelines and/or instructions published by the Israeli Privacy Protection Authority; (f) the California Consumer Privacy Act and its implementing regulations (CCPA) (g) and any other US federal or state data protection or privacy laws and regulation as may be applicable.
    2. “Approved Jurisdiction” means jurisdiction as may be approved by Applicable Data Protection Laws as having adequate legal protections for personal data.
    3. “Breach Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed by Processor. When a Breach Incident involves PHI, Breach Incident shall also include a Breach (as defined below).
    4. “Controller”, “Processor”, “Data Subject”, shall have the meaning ascribed to them in Applicable Data Protection Laws.
    5. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 P.L. No. 104-191, 110 Stat. 1938 (1996) and/or its relevant regulations, including the HIPAA Rules.
    6. “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules of HIPAA.
    7. The following terms used in this Addendum shall have the meaning ascribed thereto in the HIPAA Rules: Business Associate, Covered Entity, Breach, Data Aggregation, Designated Record Set, Disclosure or Disclose, Health Care Operations, Individual, Minimum Necessary Notice of Privacy Practices Required by Law, Secretary, Security Incident, Subcontractor, and Use.
    8. “Personal Data” shall have the meaning ascribed to such term in the Applicable Data Protection Laws and shall refer to such data which Processor processes on behalf of Controller in accordance with Controller’s instructions when providing the Services under the Agreement. Personal Data shall  also include, as applicable, “Sensitive Data” “Special categories of Data”, or “Protected Health Information” (PHI) (including electronic PHI), “Educational Records”, as defined by Applicable Data Protection Laws; (Sensitive Data, Special Categories of Data, PHI and ePHI, collectively “Sensitive Data”).
    9. “process” and “processing” shall have the meanings ascribed to them in the Applicable Data Protection Law.
    10. “Sub-Processor(s)” means a person or Third-Party Services engaged by Processor, including any affiliate, agent or assign of Processor that may process Personal Data on behalf of the Processor.
    11. “Third Country” means any other country, state and/or federation that is not an Approved Jurisdiction. 
  3. Roles of the parties
    1. As between the parties: (1) where FERPA applies, Processor shall be considered as “school official” and may receive PII including “educational records” through its contractual agreements with Controller, because Processor is performing a service that furthers a “legitimate educational interest”; (2) where HIPAA applies, Processor shall be considered as Business Associate and Controller shall be considered as Covered Entity.
    2. Controller shall be considered the sole owner of Personal Data transferred by Controller to the Processor. 
  4. Authorized Use
    1. Processor shall process, including Use and Disclose, Personal Data solely for the Purpose, including carrying out the Services in accordance with the Agreement and/or for any other purpose mentioned in Processor’s Privacy Policy, available at: https://www.ampliolearning.com/privacy-policy/.
    2. Controller hereby agrees that:
      1. Processor may de-identify and/or anonymize and/or aggregate Personal Data in a way that does not enable identification of an individual and may use, share and maintain such data for any purpose and in any way permitted by law.
      2. Processor may use data generated from the Services to conduct research and studies for Processor purposes, in which case if such data contains Personal Data, Processor will de-identify, anonymize and/or aggregate such data prior to use. Processor may collaborate with third party research organizations for research, who may use such de-identified, anonymized and/or aggregated data for their purposes.
      3. In addition, Business Associate: (a) may Use or Disclose PHI as required by law; (b) agrees to make Uses and Disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures; and (c) may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 of HIPAA if done by Covered Entity except for the specific Uses and Disclosures set forth above.
      4. Subject to Section 16.2, the duration of the processing shall be for the term of the Agreement and shall apply to all of the Services and/or materials delivered by the Processor pursuant thereto.
      5. The following types of Personal Data may be processed:
        1. End User data may include: names; addresses or geographic data; email addresses; telephone and fax numbers; log-on credentials; gender, home language and Hispanic ethnicity; student, school and/or district names or IDs (including Rostering System IDs, SIS IDs, etc.); audio and/or video recordings; full face photographic images and any comparable images; performance information such as exercises practice, usage and duration; IP addresses and web URLs; cookies (including cookie ID); and statistical data.
        2. Student data may additionally include: birth date or age and/or student grade/graduation year; parent/guardian names and contact information; name and title of Educators and Administrators; administrative and clinical information regarding screening, evaluations and treatments (including IEP); clinical and educational measurements and notes; school attendance; health plan beneficiary number and/or eligibility data; any other information which may constitute educational records under Applicable Data Protection Law.
        3. Educator and/or Administrator data may additionally include title and certification/license numbers.
      6. The following categories of Data Subjects may be affected by the processing: Entities, prospects, End Users including, Students, Student caregivers, Educators, Administrators and any other authorized staff members of Entities, and any other users of the Website.
  5. Compliance with Laws
    1. Each Party shall comply with its respective obligations under the Applicable Data Protection laws.
    2. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164 of HIPAA, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
    3. Controller shall ensure that: (a) Data Subjects are informed of Processor’s processing of Personal Data and all consents and permits from Data Subjects are obtained, as required under Applicable Data Protection Laws; (b) Personal Data will be collected, processed and transferred by Controller in accordance with Applicable Data Protection Laws; and (c) any instruction to Processor in connection with the processing of Personal Data, will be carried out in accordance with Applicable Data Protection Laws.
    4. Controller shall notify Processor of any: (a) limitation(s) in its Minimum Necessary Notice of Privacy Practices Required by Law, (b) changes in, or revocation of, the permission by an Individual to process, Use or Disclose his or her Personal Data; or (c) restriction on the processing, Use or Disclosure of Personal Data that Controller has agreed to or is required to abide by under Applicable Data Protection Laws; all to the extent that such limitations, changes or restrictions may affect Processor’s process, Use or Disclosure of Personal Data.
  6. Special Categories of Personal Data. Controller shall notify Processor prior to the processing if the Personal Data includes special categories of Personal Data, whether any restrictions of processing apply thereto and whether it has special instructions to adhere with. In the event that thereof: (a) Controller shall ensure that all specific consents and permits as required by Applicable Data Protection Laws are obtained for any collection of special categories of Personal Data; (b) Processor acknowledges that the access to special categories of Personal Data will be restricted to staff who have been informed about the sensitivity of the processing and the measures to be followed; and (c) the parties acknowledge that special security measures shall be taken when transferring, accessing or storing such data, and the transferring shall be in compliance with Applicable Data Protection Laws.
  7. Obligation of Confidentiality. Processor shall take reasonable steps to ensure that its employees, agents and/or subcontractors shall have access to Personal Data on a “need to know” basis, and they signed or are otherwise legally obligated to confidentiality obligations at the similar level of the Agreement. Furthermore, the Processor shall train its employees on compliance with Applicable Data Protection Laws.
  8. Security Measures. Processor shall, in relation to Personal Data, implement commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Processor’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Processor’s business activities (“Security Measures”), including, as appropriate, the following measures: (a) pseudonymisation and/or encryption of Personal Data; (b) ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) ability to quickly restore the availability and access to Personal Data in the event of a physical or technical incident; and (d) maintaining a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In addition, Business Associate shall Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 of HIPAA with respect to ePHI, to prevent Use or Disclosure of PHI other than as provided for by the Agreement.
  9. Assistance with Safeguarding the Rights of Data Subjects
    1. Processor shall reasonably assist Controller in safeguarding Data Subjects’ rights and fulfilling its obligations to respond to data portability, rectification, deletion or blocking requests from Data Subject’s as set forth under Applicable Data Protection Laws.
    2. In addition, Business Associate shall: (a) make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy covered entity’s obligations under 45 CFR 164.524 of HIPAA (Access Right); (b) make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526 (Right to Amend), or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526 of HIPAA; (c) maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528 of HIPAA.
    3. Where Processor receives any requests from individuals to exercise its right under the Applicable Data Protection Laws Processor will promptly redirect the request to Controller and provide reasonable assistance to exercising the access right.
  10. Assistance with Ensuring Compliance with Applicable Data Protection Laws.
    1. Processor shall reasonably assist Controller in ensuring compliance with privacy obligations of Applicable Data Protection Laws.
    2. When Processor receives any requests from applicable data protection authorities relating to the processing of Personal Data, Processor will promptly redirect the request to Controller.
    3. If Processor receives a legally binding request for the disclosure of Personal Data, Processor shall (to the extent legally permitted) notify Controller upon receipt of such order, demand, or request.
  11. Breach Incidents
    1. As soon as practicable after becoming aware of a Breach Incident, and where HIPAA is applicable no later than 30 days from the discovery of the Breach after becoming aware thereof, Processor will notify Controller and will provide information known to it at such time with respect to the nature, scope and consequences of such Breach Incident.
    2. Processor will use reasonable endeavors to assist Controller in mitigating, where possible, the adverse effects of any Breach Incident.
    3. Processor’s obligations under this Section shall not apply to Breach Incidents that are caused by Controller.
    4. Upon reasonable notice, Processor shall provide reasonable assistance to Controller in compliance with any notification obligations of Breach Incidents to the supervisory authority and communication obligations to Data Subjects, as required under the Applicable Data Protection Laws.
  12. Security Assessments and Audits
    1. Processor shall, upon reasonable and written notice and subject to obligations of confidentiality, allow its data processing policies to be inspected annually by a third party to be agreed upon between Processor and Controller in order to ascertain compliance with this Addendum. Costs of such inspection shall be borne by Controller.
    2. Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
    3. Processor shall provide Controller at Controller’s cost and not more than once a year, with reports as reasonably requested by Controller in writing regarding the management and processing of Personal Data.
  13. Transfers to an Approved Jurisdiction and/or Third Country. Unless otherwise prohibited in the Agreement, Controller agrees that Processor may transfer Personal Data to an Approved Jurisdiction and/or a Third Country provided that transfers to a Third Country shall be made subject to safeguards no less protective of Controller and/or Personal Data than those set forth herein and in accordance with the Applicable Data Protection Laws.
  14. Sub-Processors. Unless otherwise prohibited in the Agreement, Controller agrees that Processor may engage Sub-Processors to perform its obligations under the Agreement, provided that they agree to process Personal Data in a manner consistent with and no less protective of Controller and/or Personal Data than the terms of this Addendum, and provided that Processor remains liable for the acts and omissions of such Sub-Processors. A list of Sub-Processors may be provided upon the Controller’s request.
  15. Term and Termination
    1. Term. This Addendum shall be effective as of the effective date of the Agreement and shall terminate on the date the Agreement is terminated and/or Controller terminated for cause as authorized in Section 15.2, whichever is sooner.
    2. Termination for Cause. Each party may terminate this Addendum for cause if they determine the other party has violated a material term of this Addendum and such party has not cured the breach or ended the violation within reasonable time of not less than 30 days.
  16. Deletion and Return at the End of Processing
    1. Upon termination of the Agreement and/or this Addendum, Processor will delete or return to Controller, and instruct its Sub-Processors to delete or return, all existing copies of Personal Data which are in its or its Sub-Processors’ possession.
    2. Notwithstanding the foregoing, Processor may retain Personal Data to the extent and for such period as required: (a) by applicable laws; (b) for the purpose of defending itself against legal claims; and (c) to continue its proper management and administration or to carry out its legal responsibilities. During such time, Processor shall not process such Personal Data other than for the purposes set forth above and subject to the same conditions set out in this Addendum. Processor shall delete or return to Controller such Personal Data when it is no longer needed for the above purposes.
  17. Miscellaneous
    1. Survival. Provisions which by their nature are intended to survive the suspension or termination of this Addendum, shall survive its termination.
    2. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    3. Any claims brought in connection with this Addendum will be subject to the Terms and Conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
    4. Processor may update the terms of this Addendum from time to time. The then-current terms of this Addendum are available at
      https://www.ampliolearning.com/amplio-learning-technologies-application-terms-and-conditions/.