Appendix A: Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") is incorporated into the Zutobi Terms and Conditions ("Agreement") and applies to the extent the Company processes Personal Data on behalf of a Partner.

1. Definitions

Capitalized terms used but not defined herein shall have the meanings given in the Agreement.

  • "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any related regulations.
  • "Data Protection Laws" means all applicable data protection and privacy laws, including but not limited to CCPA and FERPA.
  • "FERPA" means the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99).
  • "Personal Data" means any information that constitutes "Personal Information" under the CCPA or "Personally Identifiable Information" from "Education Records" under FERPA, that is provided by Partner to the Company for processing.
  • "Processing" shall have the meaning given to it under applicable Data Protection Laws.

2. Roles and Responsibilities

2.1. The parties agree that with respect to Personal Data, Partner is the "Business" (under CCPA) or "Educational Institution" (under FERPA), and the Company is the "Service Provider" (under CCPA) or "School Official" (under FERPA).

2.2. The Company will process Personal Data only on behalf of the Partner and in accordance with the Partner's documented instructions for the sole purpose of providing the Services as described in the Agreement.

2.3. The Company will not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement; or (c) combine the Personal Data with personal information that it receives from other sources, except as permitted under Data Protection Laws.

3. FERPA Obligations

3.1. The Company acknowledges its status as a "School Official" under FERPA and agrees to be under the direct control of the Partner with respect to the use and maintenance of Personal Data from education records.

3.2. The Company will use Personal Data from education records only for the purpose for which the disclosure was made (i.e., to provide the Services) and will not re-disclose such information without Partner's consent.

3.3. The Company will assist Partner in fulfilling its obligation to provide parents or eligible students with access to their education records within the legally mandated timeframes.

4. Security Measures

The Company will implement and maintain reasonable and appropriate technical and organizational security measures designed to protect the security, confidentiality, and integrity of Personal Data, and to prevent unauthorized access or a data breach.

5. Sub-processors

Partner provides a general authorization for the Company to engage third-party sub-processors to process Personal Data. The Company will maintain a list of its sub-processors and will provide it to the Partner upon request. The Company will enter into a written agreement with each sub-processor containing data protection obligations no less protective than those in this DPA. The Company shall remain liable for the acts and omissions of its sub-processors.

6. Data Subject Rights

The Company will provide reasonable assistance to the Partner to enable the Partner to respond to requests from individuals exercising their rights under Data Protection Laws (e.g., rights to know, delete, or correct under CCPA).

7. Data Breach

In the event of a confirmed data breach affecting Personal Data, the Company will notify the Partner without undue delay and will provide reasonable cooperation to the Partner in its investigation and response to the breach.

Start learning now
Select Course
Best of the Zutobi blog
Resources
Company
Practice Tests

Country

countryUnited States
countryUnited Kingdom
countryAustralia
countrySverige
countryDeutschland
countryFrance
©2025 Zutobi AB, 4 Peddlers Row, Unit #103, Newark, DE 19702