Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”) (together, the “Parties”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.

DEFINITIONS

“McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement. 

“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. 

“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data. Privacy Laws include, but are not limited to, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”); the California Consumer Privacy Act (“CCPA”); Swiss Privacy Laws and UK Privacy Laws (as defined in Annex 1); and all other international privacy laws set forth in Annex 1.

“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.

“Processing” means access to or any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“Services” means the services provided by Supplier to McGraw Hill under the Agreement. 

“Standard Contractual Clauses” means the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to (including, but not limited to, the contractual terms and conditions set out in Annex 1), aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.

1.1. McGraw Hill Personal Data. Supplier will, and will ensure that its employees or agents will, only Process McGraw Hill Personal Data in accordance with the Agreement, this DPA, and any supplemental written instructions received from McGraw Hill. Supplier will not “sell” (as such term is defined in the CCPA), retain, disclose or use any McGraw Hill Personal Data except: (i) as in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. With respect to McGraw Hill Personal Data Processed under this DPA, (1) McGraw Hill or the applicable McGraw Hill affiliate acts as the “controller” (or acts on the instructions of a third party that is the “controller”) and Supplier acts as the “processor” under the GDPR and similar Privacy Laws; and (2) McGraw Hill or the applicable McGraw Hill affiliate acts as the “business” under the CCPA (or acts on the instructions of a third party that is the “business”), and Supplier acts as the “service provider” under the CCPA. Supplier will not take any action that would result in Supplier not acting as a processor under the GDPR or similar Privacy Laws in other jurisdictions or as a “service provider” under the CCPA with respect to McGraw Hill Personal Data.

1.2. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing.  

2. International Data and International Transfers

2.1. “International McGraw Hill Personal Data” means any McGraw Hill Personal Data the processing of which is subject to the GDPR, Swiss Privacy Laws, or UK Privacy Laws or similar Privacy Laws in other jurisdictions outside the United States. 

2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s) such as Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses under Privacy Laws in the EU. 

2.3. For the purposes of the Standard Contractual Clauses, any McGraw Hill affiliate that is the controller of International McGraw Hill Personal Data (or is acting on behalf of the controller of such data) will be the “data exporter,” and Supplier will be the “data importer”. If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence; then, the term which provides a higher standard of protection to the Personal Data will apply. 

2.4. With respect to International McGraw Hill Personal Data, McGraw Hill provides a general authorization to Supplier pursuant to Article 28(2) and, to the extent applicable, “Option 2” (General Written Authorization) of Clause 13(a) and Annex I.3 the Standard Contractual Clauses, to engage Sub-Processors (as defined below), subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any International McGraw Hill Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing International McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees. Supplier shall remain fully responsible and liable to McGraw Hill for any Sub-Processor’s Processing of Personal Data, including for any failure of the Sub-Processor to fulfil its data protection obligations. 

2.5. With respect to Clause 12(a) of the Standard Contractual Clauses, the Parties agree that: (i) liability between the Parties as contemplated in Clause 12(a) shall be determined by any liability and/or indemnification provisions in the Agreement; and (ii) nothing in Clause 12(a) shall change the interpretation of such liability and/or indemnification provisions in the Agreement.

3. Use of US Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under Family Educational Rights and Privacy Act of 1974, such terms will be null and void. Supplier will use commercially reasonable efforts to comply with all reasonable requests by McGraw Hill to modify Supplier’s privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill’s contractual obligations for Processing the information under this Section. 

4. Compliance with Privacy Laws. When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws. Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws. Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to: (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a Privacy/Security Incident, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment. 

5. Data and System Security. At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards, as set out in the Agreement and the Standard Contractual Clauses agreed to by the Parties, if any. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) in accordance with industry-standard level of encryption, but no less than AES-128-bit. 

6. Subcontractors and Sub-Processors. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (“Sub-Processor”), Supplier will: (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA. 

7. Security Audit. On McGraw Hill’s request, Supplier will: (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures such as audit reports (e.g. any SOC 2, Statement on Standards for Attestation Engagement (SSAE) 18 SOC 1 Type II (US) covering the Supplier’s operations) and any summaries of test results taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security methods no more than once per calendar year; provided however, that McGraw Hill may conduct an inspection or audit at any time if: (i) a Privacy/Security Incident has occurred or McGraw Hill has reasonable grounds to suspect Supplier is not in compliance with its obligations under this DPA; (ii) an audit is required under Privacy Laws; (iii) an audit is required by any supervisory authority; or (iv) otherwise agreed to in writing by the Parties. Supplier will correct any security vulnerability within a reasonable amount of time. 

8. Breach Response. In the event of a Privacy/Security Incident, Supplier will, without undue delay and in any event, within forty-eight (48) hours of detection or notification thereof: (i) notify McGraw Hill of such Privacy/Security Incident, including the type of McGraw Hill Personal Data involved and the extent of such Privacy/Security Incident; (ii) investigate and contain such Privacy/Security Incident and use best efforts to minimize the extent of such Privacy/Security Incident; (iii) not make any public statements with respect to such Privacy/Security Incident that identify McGraw Hill without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested; and (v) implement a plan to prevent such Privacy/Security Incident from reoccurring. For the avoidance of doubt, any Privacy/Security Incident vulnerability will be remediated and resolved in accordance with leading industry standards.

ANNEX 1

1. International privacy laws. 

1.1 International privacy laws include Switzerland’s Federal Act on Data Protection of June 19, 1992, and the Ordinance to the Federal Act on Data Protection (“FADP”), the Ordinance on Data Protection Certification, and all Swiss laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in Switzerland (“Swiss Privacy Laws”); the United Kingdom’s (“UK”) General Data Protection Regulation, Data Protection Act of 2018, and all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK (“UK Privacy Laws”); Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (“Mexican Privacy Laws”).

2. Transfers from the UK.

2.1 To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from the UK, either directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under UK law, Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses (as amended by the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner’s Office, signed by the Parties, and incorporated herein by reference) shall govern.  

3. Transfers from Switzerland.

3.1 To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from Switzerland, either directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under Swiss law (a “Swiss Transfer”), Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern such Swiss Transfers and be incorporated by reference into this DPA. In the event the Switzerland Federal Data Protection and Information Commissioner approves successor or supplemental clauses to legitimize Swiss Transfers to third countries, McGraw Hill may unilaterally amend this DPA to incorporate such approved successor or supplemental clauses by giving notice to Supplier of such amendment. For purposes of Swiss Transfers, the Standard Contractual Clauses are subject to the following additional amendments:

3.2 Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in Section 2.4 of this DPA, which in the event of any conflict or inconsistency are subject to this Section 2 of Annex 1;

3.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “FADP” (as defined in the Definitions section of this DPA) and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the FADP. References to “Regulation (EU) 2018/1725” are removed. References to the “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”. The footnotes to the Transfer Clauses do not apply; 

3.4 Clause 6, “Description of the transfer(s)”, is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where Swiss Privacy Laws apply to the data exporter’s processing when making that transfer.”;

3.5 Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Switzerland Federal Data Protection and Information Commissioner; and

3.6 The Standard Contractual Clauses shall be understood to also protect the Personal Data of legal entities until the entry into force of the revised FADP.

This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”) (together, the “Parties”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.

DEFINITIONS

“McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement. 

“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. 

“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data. Privacy Laws include, but are not limited to, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”); the California Consumer Privacy Act (“CCPA”); Swiss Privacy Laws and UK Privacy Laws (as defined in Annex 1); and all other international privacy laws set forth in Annex 1.

“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.

“Processing” means access to or any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“Services” means the services provided by Supplier to McGraw Hill under the Agreement. 

“Standard Contractual Clauses” means the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to (including, but not limited to, the contractual terms and conditions set out in Annex 1), aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.

1.1. McGraw Hill Personal Data. Supplier will, and will ensure that its employees or agents will, only Process McGraw Hill Personal Data in accordance with the Agreement, this DPA, and any supplemental written instructions received from McGraw Hill. Supplier will not “sell” (as such term is defined in the CCPA), retain, disclose or use any McGraw Hill Personal Data except: (i) as in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. With respect to McGraw Hill Personal Data Processed under this DPA, (1) McGraw Hill or the applicable McGraw Hill affiliate acts as the “controller” (or acts on the instructions of a third party that is the “controller”) and Supplier acts as the “processor” under the GDPR and similar Privacy Laws; and (2) McGraw Hill or the applicable McGraw Hill affiliate acts as the “business” under the CCPA (or acts on the instructions of a third party that is the “business”), and Supplier acts as the “service provider” under the CCPA. Supplier will not take any action that would result in Supplier not acting as a processor under the GDPR or similar Privacy Laws in other jurisdictions or as a “service provider” under the CCPA with respect to McGraw Hill Personal Data.

1.2. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing.  

2. International Data and International Transfers

2.1. “International McGraw Hill Personal Data” means any McGraw Hill Personal Data the processing of which is subject to the GDPR, Swiss Privacy Laws, or UK Privacy Laws or similar Privacy Laws in other jurisdictions outside the United States. 

2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s) such as Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses under Privacy Laws in the EU. 

2.3. For the purposes of the Standard Contractual Clauses, any McGraw Hill affiliate that is the controller of International McGraw Hill Personal Data (or is acting on behalf of the controller of such data) will be the “data exporter,” and Supplier will be the “data importer”. If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence; then, the term which provides a higher standard of protection to the Personal Data will apply. 

2.4. With respect to International McGraw Hill Personal Data, McGraw Hill provides a general authorization to Supplier pursuant to Article 28(2) and, to the extent applicable, “Option 2” (General Written Authorization) of Clause 13(a) and Annex I.3 the Standard Contractual Clauses, to engage Sub-Processors (as defined below), subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any International McGraw Hill Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing International McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees. Supplier shall remain fully responsible and liable to McGraw Hill for any Sub-Processor’s Processing of Personal Data, including for any failure of the Sub-Processor to fulfil its data protection obligations. 

2.5. With respect to Clause 12(a) of the Standard Contractual Clauses, the Parties agree that: (i) liability between the Parties as contemplated in Clause 12(a) shall be determined by any liability and/or indemnification provisions in the Agreement; and (ii) nothing in Clause 12(a) shall change the interpretation of such liability and/or indemnification provisions in the Agreement.

3. Use of US Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under Family Educational Rights and Privacy Act of 1974, such terms will be null and void. Supplier will use commercially reasonable efforts to comply with all reasonable requests by McGraw Hill to modify Supplier’s privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill’s contractual obligations for Processing the information under this Section. 

4. Compliance with Privacy Laws. When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws. Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws. Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to: (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a Privacy/Security Incident, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment. 

5. Data and System Security. At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards, as set out in the Agreement and the Standard Contractual Clauses agreed to by the Parties, if any. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) in accordance with industry-standard level of encryption, but no less than AES-128-bit. 

6. Subcontractors and Sub-Processors. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (“Sub-Processor”), Supplier will: (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA. 

7. Security Audit. On McGraw Hill’s request, Supplier will: (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures such as audit reports (e.g. any SOC 2, Statement on Standards for Attestation Engagement (SSAE) 18 SOC 1 Type II (US), or Statement on Auditing Standards (SAS) No. 70 report covering the Supplier’s operations) and any summaries of test results taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security methods no more than once per calendar year; provided however, that McGraw Hill may conduct an inspection or audit at any time if: (i) a Privacy/Security Incident has occurred or McGraw Hill has reasonable grounds to suspect Supplier is not in compliance with its obligations under this DPA; (ii) an audit is required under Privacy Laws; (iii) an audit is required by any supervisory authority; or (iv) otherwise agreed to in writing by the Parties. Supplier will correct any security vulnerability within a reasonable amount of time. 

8. Breach Response. In the event of a Privacy/Security Incident, Supplier will, without undue delay and in any event, within forty-eight (48) hours of detection or notification thereof: (i) notify McGraw Hill of such Privacy/Security Incident, including the type of McGraw Hill Personal Data involved and the extent of such Privacy/Security Incident; (ii) investigate and contain such Privacy/Security Incident and use best efforts to minimize the extent of such Privacy/Security Incident; (iii) not make any public statements with respect to such Privacy/Security Incident that identify McGraw Hill without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested; and (v) implement a plan to prevent such Privacy/Security Incident from reoccurring. For the avoidance of doubt, any Privacy/Security Incident vulnerability will be remediated and resolved in accordance with leading industry standards.

ANNEX 1

1. International privacy laws. 

1.1 International privacy laws includes Switzerland’s Federal Act on Data Protection of June 19, 1992, and the Ordinance to the Federal Act on Data Protection (“FADP”), the Ordinance on Data Protection Certification, and all Swiss laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in Switzerland (“Swiss Privacy Laws”); the United Kingdom’s (“UK”) General Data Protection Regulation, Data Protection Act of 2018, and all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK (“UK Privacy Laws”).

2. Transfers from the UK.

2.1 To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from the UK, either directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under UK law (a “UK Transfer”), Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern such UK Transfers and be incorporated by reference into this DPA. In the event the UK Information Commissioner’s Office approves successor or supplemental clauses to legitimize UK Transfers to third countries, McGraw Hill may unilaterally amend this DPA to incorporate such approved successor or supplemental clauses by giving notice to Supplier of such amendment. For purposes of UK Transfers, the Standard Contractual Clauses are subject to the following additional amendments: 

2.2 In addition to the definitions set out in the Standard Contractual Clauses and the Definitions section of this DPA, the following term has the following meaning: (i) “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in Section 2.4 of this DPA, which in the event of any conflict or inconsistency are subject to this Section 1 of Annex 1;

2.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Privacy Laws” (as defined in the Definitions section of this DPA) and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Privacy Laws. References to “Regulation (EU) 2018/1725” are removed. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”. The footnotes to the Standard Contractual Clauses do not apply;

2.4 Clause 6, “Description of the transfer(s)”, is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Privacy Laws apply to the data exporter’s processing when making that transfer.”;

2.5 Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the UK Information Commissioner’s Office;

2.6 Clause 17 is replaced to state: “These Clauses are governed by the laws of England and Wales.”; and

2.7 Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

3. Transfers from Switzerland.

3.1 To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from Switzerland, either directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under Swiss law (a “Swiss Transfer”), Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern such Swiss Transfers and be incorporated by reference into this DPA. In the event the Switzerland Federal Data Protection and Information Commissioner approves successor or supplemental clauses to legitimize Swiss Transfers to third countries, McGraw Hill may unilaterally amend this DPA to incorporate such approved successor or supplemental clauses by giving notice to Supplier of such amendment. For purposes of Swiss Transfers, the Standard Contractual Clauses are subject to the following additional amendments:

3.2 Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in Section 2.4 of this DPA, which in the event of any conflict or inconsistency are subject to this Section 2 of Annex 1;

3.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “FADP” (as defined in the Definitions section of this DPA) and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the FADP. References to “Regulation (EU) 2018/1725” are removed. References to the “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”. The footnotes to the Transfer Clauses do not apply; 

3.4 Clause 6, “Description of the transfer(s)”, is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where Swiss Privacy Laws apply to the data exporter’s processing when making that transfer.”;

3.5 Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Switzerland Federal Data Protection and Information Commissioner; and

3.6 The Standard Contractual Clauses shall be understood to also protect the Personal Data of legal entities until the entry into force of the revised FADP.

This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”) (together, the “Parties”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.

DEFINITIONS

“McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement. 

“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. 

“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data. Privacy Laws include, but are not limited to, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”); the United Kingdom’s (“UK”) General Data Protection Regulation, Data Protection Act of 2018, and all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK (“UK Privacy Laws”), and the California Consumer Privacy Act (“CCPA”).

“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.

“Processing” means access to or any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“Services” means the services provided by Supplier to McGraw Hill under the Agreement. 

“Standard Contractual Clauses” means the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to (including, but not limited to, the contractual terms and conditions set out in Annex 1), aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.

1. McGraw Hill Personal Data. Supplier will, and will ensure that its employees or agents will, only Process McGraw Hill Personal Data in accordance with the Agreement, this DPA, and any supplemental written instructions received from McGraw Hill. Supplier will not “sell” (as such term is defined in the CCPA), retain, disclose or use any McGraw Hill Personal Data except: (i) as in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. With respect to McGraw Hill Personal Data Processed under this DPA, (1) McGraw Hill or the applicable McGraw Hill affiliate acts as the “controller” (or acts on the instructions of a third party that is the “controller”) and Supplier acts as the “processor” under the GDPR and similar Privacy Laws; and (2) McGraw Hill or the applicable McGraw Hill affiliate acts as the “business” under the CCPA (or acts on the instructions of a third party that is the “business”), and Supplier acts as the “service provider” under the CCPA. Supplier will not take any action that would result in Supplier not acting as a processor under the GDPR or similar Privacy Laws in other jurisdictions or as a “service provider” under the CCPA with respect to McGraw Hill Personal Data. 

2. International Data Transfers

2.1. “International McGraw Hill Personal Data” means any McGraw Hill Personal Data the processing of which is subject to the GDPR or UK Privacy Laws or similar Privacy Laws in other jurisdictions outside the United States. With respect to International McGraw Hill Personal Data, McGraw Hill or the applicable McGraw Hill affiliate acts as the "controller" and Supplier acts as the "processor". Supplier will not take any action that would result in Supplier not acting as a "processor" with respect to such McGraw Hill Personal Data. 

2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s) such as Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses under Privacy Laws in the EU. 

2.3. For the purposes of the Standard Contractual Clauses, any McGraw Hill affiliate that is the controller of Personal Data of a resident of the applicable jurisdiction (or is acting on behalf of the controller of such data) will be the “data exporter,” and Supplier will be the “data importer”. If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence; then, the term which provides a higher standard of protection to the Personal Data will apply. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing. 

2.4. McGraw Hill provides a general authorization to Supplier pursuant to Article 28(2) and, to the extent applicable, “Option 2” (General Written Authorization) of the Standard Contractual Clauses, to engage Sub-Processors (as defined below), subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any McGraw Hill Personal Data subject to the GDPR or UK Privacy Laws. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees. Supplier shall remain fully responsible and liable to McGraw Hill for any Sub-Processor’s Processing of Personal Data, including for any failure of the Sub-Processor to fulfil its data protection obligations. 

2.5. With respect to Clause 12(a) of the Standard Contractual Clauses, the Parties agree that: (i) liability between the Parties as contemplated in Clause 12(a) shall be determined by any liability and/or indemnification provisions in the Agreement; and (ii) nothing in Clause 12(a) shall change the interpretation of such liability and/or indemnification provisions in the Agreement.

3. Use of US Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under Family Educational Rights and Privacy Act of 1974, such terms will be null and void. Supplier will use commercially reasonable efforts to comply with all reasonable requests by McGraw Hill to modify Supplier’s privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill’s contractual obligations for Processing the information under this Section. 

4. Compliance with Privacy Laws. When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws. Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws. Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to: (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a Privacy/Security Incident, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment. 

5. Data and System Security. At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards, as set out in the Agreement and the Standard Contractual Clauses agreed to by the Parties, if any. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) in accordance with industry standards level of encryption, but no less than AES-128-bit. 

6. Subcontractors and Sub-Processors. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (“Sub-Processor”), Supplier will: (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA. 

7. Security Audit. On McGraw Hill’s request, Supplier will: (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures such as audit reports (e.g. any SOC 2, Statement on Standards for Attestation Engagement (SSAE) 18 SOC 1 Type II (US), or Statement on Auditing Standards (SAS) No. 70 report covering the Supplier’s operations) and any summaries of test results taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security methods no more than once per calendar year; provided however, that McGraw Hill may conduct an inspection or audit at any time if: (i) a Privacy/Security Incident has occurred or McGraw Hill has reasonable grounds to suspect Supplier is not in compliance with its obligations under this DPA; (ii) an audit is required under Privacy Laws; (iii) an audit is required by any supervisory authority; or (iv) otherwise agreed to in writing by the Parties. Supplier will correct any security vulnerability within a reasonable amount of time. 

8. Breach Response. In the event of a Privacy/Security Incident, Supplier will, without undue delay and in any event, within forty-eight (48) hours of detection or notification thereof: (i) notify McGraw Hill of such Privacy/Security Incident, including the type of McGraw Hill Personal Data involved and the extent of such Privacy/Security Incident; (ii) investigate and contain such Privacy/Security Incident and use best efforts to minimize the extent of such Privacy/Security Incident; (iii) not make any public statements with respect to such Privacy/Security Incident that identify McGraw Hill without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested; and (v) implement a plan to prevent such Privacy/Security Incident from reoccurring. For the avoidance of doubt, any Privacy/Security Incident vulnerability will be remediated and resolved in accordance with leading industry standards.

ANNEX 1

1. Transfers from the UK.

1.1 To the extent that the McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from the UK, directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under UK law (a “UK Transfer”), Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern such UK Transfers and be incorporated by reference into this DPA. In the event the UK Information Commissioner’s Office approves successor or supplemental clauses to legitimize UK Transfers to third countries, McGraw Hill may unilaterally amend this DPA to incorporate such approved successor or supplemental clauses by giving notice to Supplier of such amendment. For purposes of UK Transfers, the Standard Contractual Clauses are subject to the following additional amendments: 

1.2 In addition to the definitions set out in the Standard Contractual Clauses and the Definitions section of this DPA, the following term has the following meaning: (i) “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in Section 2.4 of this DPA;

1.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Privacy Laws” (as defined in the Definitions section of this DPA) and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Privacy Laws. References to “Regulation (EU) 2018/1725” are removed. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”. The footnotes to the Standard Contractual Clauses do not apply;

1.4 Clause 6, “Description of the transfer(s)”, is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Privacy Laws apply to the data exporter’s processing when making that transfer.”;

1.5 Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the UK Information Commissioner’s Office;

1.6 Clause 17 is replaced to state: “These Clauses are governed by the laws of England and Wales.”; and

1.7 Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement. 

 DEFINITIONS 

 “McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement. 

“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. 

“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data.  

“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.

“Processing” means access to or the collection, storage or use of McGraw Hill Personal Data. 

“Services” means the services provided by Supplier to McGraw Hill under the Agreement. 

“Standard Contractual Clauses” means the Standard Contractual Clauses pursuant to the European Commission’s Decision (2010/87/EU) notified under document C(2010)593 of February 5, 2010, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to, aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.

1. McGraw Hill Personal Data.  Supplier will not sell (as such term is defined in the California Consumer Privacy Act (“CCPA”)), retain, disclose or use any McGraw Hill Personal Data except (i) as in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. With respect to McGraw Hill Personal Data Processed under this DPA, McGraw Hill or the applicable McGraw Hill affiliate acts as the "business" under the CCPA (or acts on the instructions of a third party that is the "business"), and Supplier acts as the "service provider" under the CCPA. Supplier will not take any action that would result in Supplier not acting as a "service provider" under the CCPA with respect to McGraw Hill Personal Data.  

2. International Data Transfers

2.1. With respect to McGraw Hill Personal Data Processed under this DPA outside of the United States (“International McGraw Hill Personal Data”), McGraw Hill or the applicable McGraw Hill affiliate acts as the "controller" and Supplier acts as the "processor". Supplier will not take any action that would result in Supplier not acting as a "processor" with respect to such McGraw Hill Personal Data. 

2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s). 

2.3. For the purposes of the Standard Contractual Clauses under Privacy Laws in the EU, any McGraw Hill affiliate that is the controller of Personal Data of an EU resident (or is acting on behalf of the controller of such data) will be the “data exporter,” and Supplier will be both (1) the “data importer” and (2) “subprocessor co-signing” the Standard Contractual Clauses between such McGraw Hill affiliate(s) and McGraw Hill LLC as processor (as stipulated in footnote 1 to Clause 11(1) of the Standard Contractual Clauses). If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the term which provides a higher standard of protection to the Personal Data will apply. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing. 

2.4. McGraw Hill provides a general authorization to Supplier, pursuant to Article 28(2) of the General Data Protection Regulation 2016/679, to engage Sub-Processors, subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any EU Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of EU Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees. 

3. Use of US Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under Family Educational Rights and Privacy Act of 1974 (“FERPA”), such terms will be null and void.  Supplier will use commercially reasonable efforts to comply with all reasonable requests by McGraw Hill to modify Supplier's privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill's contractual obligations for Processing the information under this Section. 

4. Compliance with Privacy Laws.  When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws.  Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws.  Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to  access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a security breach, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment. 

5. Data and System Security.  At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) in accordance with industry standards level of encryption, but no less than AES-128-bit. 

6. Subcontractors and Sub-Processors. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (Sub-Processor), Supplier will (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA.

7. Security Audit. On McGraw Hill’s request, Supplier will (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures such as audit reports (e.g. any SOC 2, Statement on Standards for Attestation Engagement (SSAE) 18 SOC 1 Type II (US), or Statement on Auditing Standards (SAS) No. 70 report covering the Supplier’s operations) and any summaries of test results taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security 

This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) to which this DPA is attached (“Supplier”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.   

DEFINITIONS  

“EU Data Privacy Laws” means the EU Data Protection Directive 95/46/EC and its successor, the General Data Protection Regulation 2016/679, the implementing acts of the Data Protection Directive by the member states of the European Union and/or any other applicable law or regulation relating to the protection of personal data, as defined in European Union Directive 95/46/EC and European Union Regulation 2016/679.

“EU Personal Data” means any personal data as defined in the EU Data Privacy Laws, of a resident of the European Union. 

“McGraw Hill Information” means all information and documents disclosed by McGraw Hill, or which come to Supplier’s attention in the course of performing its obligations under the Agreement, including any metadata. 

“McGraw Hill Personal Data” means any Personally Identifiable Information that is accessed or obtained by Supplier in the course of performing its obligations under the Agreement, including, but not limited to, EU Personal Data, McGraw Hill Information and/or US Student Information.  

“Personally Identifiable Information” means any information that, alone or in combination with other data, could be used to identify an individual. 

“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances, including without limitation, The Family Educational Rights and Privacy Act of 1974 (FERPA), Children’s Online Privacy Protection Act (COPPA), Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), EU Data Privacy Laws and the K-12 School Supplier Pledge to Safeguard Student Privacy, available at https://studentprivacypledge.org/privacy-pledge/.  

“Services” means the services provided by Supplier to McGraw Hill under the Agreement. 

“Standard Contractual Clauses” means the Standard Contractual Clauses pursuant to the European Commission’s Decision (2010/87/EU) notified under document C(2010)593 of February 5, 2010, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, published by EUR-Lex on the website ec.europa.eu. 

“US Student Information” means all information concerning the student end users of McGraw Hill products/services that are residents of the United States.

1. McGraw Hill Personal Data.  Supplier acknowledges all McGraw Hill Personal Data constitutes valuable assets of and, as between Supplier and McGraw Hill, is proprietary to McGraw Hill.  Supplier shall not disclose or use any McGraw Hill Personal Data except to the extent necessary to carry out its obligations under the Agreement. Supplier acknowledges and agrees that McGraw Hill Personal Data may contain or consist of EU Personal Data.  Processing of EU Personal Data is subject to EU Data Privacy Laws. Supplier shall return or securely destroy all McGraw Hill Personal Data upon McGraw Hill’s request or upon termination or expiration of the Agreement.  Supplier shall ensure that any employees, contractors or other individuals acting under its authority who have access to McGraw Hill Personal Data shall only process such McGraw Hill Personal Data in accordance with McGraw Hill's instructions, unless required to do otherwise by law. 

2. Use of US Student Information. If Supplier processes US Student Information as part of the Services, Supplier acknowledges and agrees that: (i) US Student Information shall be maintained and stored in the United States; (ii) Supplier will not attempt to re-identify de-identified US Student Information; and (iii) Supplier will not sell US Student Information to other organizations or market to students using the US Student Information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under FERPA, such terms shall be null and void. Supplier shall ensure that any employees, contractors or other individuals acting under its authority who have access to US Student Information shall agree in writing to comply with the obligations in this Section.

3. Standard Contractual Clauses.  If Supplier processes EU Personal Data as part of the Services and such EU Personal Data is transferred outside the European Economic Area (“EEA”), Supplier and McGraw Hill shall agree to the terms of the Standard Contractual Clauses which will be attached to this DPA as an exhibit and will apply to the Services provided in relation to all EU Personal Data transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for EU Personal Data. For the purposes of the Standard Contractual Clauses and the EU Data Privacy Laws, any McGraw Hill affiliate that is the controller of EU Personal Data shall be the “data exporter,” and Supplier shall be both (1) the “data importer” and (2) “subprocessor co-signing” the Standard Contractual Clauses between any McGraw Hill affiliate that is the controller of EU Personal Data and McGraw Hill LLC as processor (as stipulated in footnote 1 to Clause 11(1) of the Standard Contractual Clauses). If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the term which provides a higher standard of protection to EU Personal Data shall apply. For the purposes of clause 5(a) of the Standard Contractual Clauses and the EU Data Privacy Laws, carrying out the Services in accordance with the terms of the Agreement shall be deemed an instruction by McGraw Hill to the Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing. If the European Commission adopts a new version of the Standard Contractual Clauses, the parties agree to adapt the Agreement in such manner as may be required to implement the current version. 

4. Compliance with Privacy Laws.  Supplier shall comply with all Privacy Laws.  Supplier shall use commercially reasonable efforts to comply with all requests by McGraw Hill to modify its privacy practices and/or information security measures which McGraw Hill believes in good faith to be required in order for McGraw Hill to comply with Privacy Laws.  Supplier shall have in place appropriate technical and organizational policies, procedures and controls to assist McGraw Hill in complying with its obligations to comply with Privacy Laws, including its obligation to (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to  access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a security breach, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment.

5. Data and System Security.  At all times, Supplier shall, and shall require all third parties to which it discloses McGraw Hill Personal Data and/or any other McGraw Hill Confidential Information (as defined in the Agreement) to, maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of such data against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information. Supplier will store McGraw Hill Personal Data in accordance with Privacy Laws. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) and when stored on a portable device at no less than 128-bit level encryption. Where appropriate, Supplier shall reasonably assist McGraw Hill in ensuring the compliance of McGraw Hill's security program with Privacy Laws in relation to the security of McGraw Hill Personal Data. At McGraw Hill’s request, Supplier shall provide McGraw Hill with documentation regarding its security program. 

6. Subcontractors and Sub-Processors. Where Supplier engages third party service providers who will have access to McGraw Hill Personal Data (Sub-Processor), Supplier will ensure that they meet the requirements in this Section. McGraw Hill provides a general authorization to Supplier, pursuant to Clause 11 of the Standard Contractual Clauses and Article 28(2) of the General Data Protection Regulation 2016/679, to engage Sub-Processors, subject to compliance with the requirements in this Section.
6.1. Sub-Processor Agreements. Supplier will: (i) enter into a written agreement with any Sub-Processor that will process McGraw Hill Personal Data; (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA; and (iii) be liable for the acts and omissions of its Sub-Processors to the same extent Supplier would be liable if performing the services of each of those Sub-Processors directly under the terms of this DPA.
6.2. Sub-Processor List. Information regarding Supplier’s current Sub-Processors, including their location and services provided, shall be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. 

6.3. Changes to Sub-Processor List. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any EU Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of EU Personal Data. In such case, Supplier shall have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which remove McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees.

7. Security Audit. Supplier will provide McGraw Hill with information regarding Supplier’s data security measures.  Such information shall include, but not be limited to, any SOC 2, SSAE 16 SOC-1 Type II (US), or Statement on Auditing Standards (SAS) No. 70 report covering the Supplier’s operations, and any other audit reports, summaries of test results or equivalent measures taken by the Supplier with respect to its security measures.  Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security methods used within Supplier’s infrastructure, storage, and other physical security.  Should McGraw Hill request an inspection, Supplier will schedule a site visit without undue delay.  Supplier should review its implementation and maintenance of its security review periodically to protect the data in strict compliance with statutory and regulatory requirements.

8. Breach Response. Supplier will provide McGraw Hill with information regarding any failure of its security measures or any actual or suspected security breach related to McGraw Hill Personal Data without undue delay.  In the event of a data security breach that affects any McGraw Hill Personal Data Supplier will, without undue delay: (i) notify McGraw Hill of such breach, including the type of McGraw Hill Personal Data involved and the extent of such breach; (ii) investigate such breach and use best efforts to minimize the extent of such breach; (iii) not make any public statements with respect to such breach without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested and otherwise cooperate with McGraw Hill; and (v) Supplier will implement a plan to prevent such breach from reoccurring.