Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”) (together, the “Parties”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.
DEFINITIONS
“Controller” means an individual who, or entity that, alone or jointly determines the purposes and means of Processing Personal Data. “Controller” shall be understood to include “Business” and analogous terms under Privacy Laws.
“Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual or household and where such data is processed only in accordance with Section 4 of this DPA.
“McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement, as specified in Annex 2 of this DPA.
“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data. Privacy Laws include, but are not limited to, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”); the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, the “CCPA”); U.S. state or federal consumer Privacy Laws; UK Privacy Laws (as defined in Annex 1); and all other international privacy laws set forth in Annex 1.
“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.
“Processing” and variations thereof (e.g., “Process”) means access to or any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means an individual who, or entity that, Processes Personal Data on behalf of a Controller. “Processor” includes “Service Provider” and analogous terms as defined under applicable Privacy Laws.
“Services” means the services provided by Supplier to McGraw Hill under the Agreement.
“Standard Contractual Clauses” means the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to (including, but not limited to, the contractual terms and conditions set out in Annex 1), aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.
1. McGraw Hill Personal Data.
1.1. With respect to McGraw Hill Personal Data Processed under this DPA, the Parties agree that McGraw Hill is the Controller (or acts on the instructions of a third party that is the Controller) and Supplier Processes Personal Data as a Processor on behalf of McGraw Hill under applicable Privacy Laws. For the avoidance of doubt, to the extent the Processing of Personal Data is subject to the CCPA, McGraw Hill is the “Business” and Supplier is the “Service Provider” (as those terms are defined by the CCPA).
1.2. Supplier will, and will ensure that its employees or agents will, only Process McGraw Hill Personal Data in accordance with the Agreement, this DPA, and any supplemental written instructions received from McGraw Hill. Supplier will not take any action that would result in Supplier not acting as a Processor under the applicable Privacy Laws in other jurisdictions or as a “Service Provider” under the CCPA with respect to McGraw Hill Personal Data.
1.3. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing.
1.4. When Processing McGraw Hill Personal Data, Supplier will ensure that each person Processing Personal Data is subject to a duty of confidentiality with respect to the Personal Data.
1.5. McGraw Hill may, upon providing reasonable notice to Supplier, take all reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of McGraw Hill Personal Data.
1.6. Supplier agrees to promptly notify McGraw Hill if it can no longer comply with Privacy Laws or its obligations under the Agreement or this DPA.
1.7. Upon written request by McGraw Hill, Supplier will, at McGraw Hill’s choice, promptly delete or return all McGraw Hill Personal Data and shall certify deletion or return (as applicable) of all such McGraw Hill Personal Data, including all copies of such McGraw Hill Personal Data, unless retention of the McGraw Hill Personal Data is required by law. Upon termination of the Agreement, unless otherwise agreed between the Parties, Supplier will promptly delete all McGraw Hill Personal Data and shall certify deletion of such McGraw Hill Personal Data, unless retention of the McGraw Hill Personal Data is required by law.
1.8. Supplier will not “sell,” “share” (as such terms are defined in the CCPA), retain, disclose, use or otherwise Process any McGraw Hill Personal Data except: (i) as in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. In any event, Supplier will not retain, disclose, use, or otherwise Process any McGraw Hill Personal Data outside of the direct business relationship between McGraw Hill and Supplier.
1.9. Supplier will not combine any McGraw Hill Personal Data with Personal Data that Supplier receives from or on behalf of any other third party or collects from Supplier’s own interactions with Data Subjects, provided that Supplier may so combine Personal Data for a purpose permitted under Privacy Laws if directed to do so by McGraw Hill or as otherwise expressly permitted by the Privacy Laws, provided all such Processing is done in accordance with Section 1.10 of this DPA.
1.10. The parties agree that Supplier will only Process McGraw Hill Personal Data for the limited and specified purposes set forth in Annex 2 to this DPA.
1.11. When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws, including by providing no less than the level of privacy protection as required by Privacy Laws.
1.12. Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to: (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a Privacy/Security Incident, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment.
2. International Data and International Transfers.
2.1. “International McGraw Hill Personal Data” means any McGraw Hill Personal Data the processing of which is subject to the GDPR, UK Privacy Laws, or similar Privacy Laws in other jurisdictions outside the United States.
2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s) such as Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses under Privacy Laws in the EU.
2.3. For the purposes of the Standard Contractual Clauses, any McGraw Hill affiliate that is the Controller of International McGraw Hill Personal Data (or is acting on behalf of the Controller of such data) will be the “data exporter,” and Supplier will be the “data importer”. If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence; then, the term which provides a higher standard of protection to the Personal Data will apply.
2.4. With respect to Clause 12(a) of the Standard Contractual Clauses, the Parties agree that: (i) liability between the Parties as contemplated in Clause 12(a) shall be determined by any liability and/or indemnification provisions in the Agreement; and (ii) nothing in Clause 12(a) shall change the interpretation of such liability and/or indemnification provisions in the Agreement.
3. Deidentified Data.
3.1. To the extent McGraw Hill discloses or otherwise makes available Deidentified Data to Supplier, Supplier shall (i) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such Deidentified Data in a deidentified form and to not attempt to re-identify the Deidentified Data; and (iii) before sharing Deidentified Data with any other party, including Sub-Processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of Section 8 of this DPA (including imposing this requirement on any further Recipients).
3.2. Supplier shall remain fully liable for any failure by Supplier or its employees, Sub-Processors, agents, or contractors to comply with obligations relating to Deidentified Data.
4. Use of U.S. Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under the Family Educational Rights and Privacy Act of 1974, such terms will be null and void. Supplier shall comply with all reasonable requests by McGraw Hill to modify Supplier’s privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill’s contractual obligations for Processing the information under this Section.
5. Data and System Security.
5.1. Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws.
5.2. At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards, as set out in the Agreement and the Standard Contractual Clauses agreed to by the Parties, if any. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) in accordance with industry-standard level of encryption, but no less than AES-128-bit.
6. Subcontractors and Sub-Processors.
6.1. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (“Sub-Processor”), Supplier will: (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA.
6.2. McGraw Hill provides a general authorization to Supplier to engage Sub-Processors, subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any International McGraw Hill Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing International McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees. Supplier shall remain fully responsible and liable to McGraw Hill for any Sub-Processor’s Processing of Personal Data, including for any failure of the Sub-Processor to fulfil its data protection obligations.
7. Privacy and Security Audits.
7.1. Supplier agrees to cooperate with any reasonable and appropriate audits, inspections, assessments, or other steps to be performed by McGraw Hill or McGraw Hill’s designated assessor that McGraw Hill deems reasonably necessary to confirm that Supplier Processes McGraw Hill Personal Data in a manner consistent with McGraw Hill’s and Supplier’s obligations under Privacy Laws or this DPA at least once every twelve (12) months; provided however, that McGraw Hill may conduct an inspection or audit at any time if: (i) a Privacy/Security Incident has occurred or McGraw Hill has reasonable grounds to suspect Supplier is not in compliance with its obligations under this DPA; (ii) an audit is required under Privacy Laws; (iii) an audit is required by any supervisory authority; or (iv) otherwise agreed to in writing by the Parties.
7.2. Supplier shall upon request make available to McGraw Hill all information in its possession necessary to demonstrate Supplier’s compliance with Privacy Laws; and shall permit opportunities for McGraw Hill to ask questions of responsible Supplier personnel.
7.3. On McGraw Hill’s request, Supplier will: (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures such as audit reports (e.g., any SOC 2, Statement on Standards for Attestation Engagement (SSAE) 18 SOC 1 Type II (US) covering the Supplier’s operations) and any summaries of test results taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security methods. Supplier will correct any security vulnerability within a reasonable amount of time.
8. Breach Response. In the event of a Privacy/Security Incident, Supplier will, without undue delay and, in any event, within forty-eight (48) hours of detection or notification thereof: (i) notify McGraw Hill of such Privacy/Security Incident, including the type of McGraw Hill Personal Data involved and the extent of such Privacy/Security Incident; (ii) investigate and contain such Privacy/Security Incident and use best efforts to minimize the extent of such Privacy/Security Incident; (iii) not make any public statements with respect to such Privacy/Security Incident that identify McGraw Hill without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested; and (v) implement a plan to prevent such Privacy/Security Incident from reoccurring. For the avoidance of doubt, any Privacy/Security Incident vulnerability will be remediated and resolved in accordance with leading industry standards.
ANNEX 1
1. International privacy laws.
1.1. International privacy laws include the United Kingdom’s (“UK”) General Data Protection Regulation, Data Protection Act of 2018, and all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK (“UK Privacy Laws”).
2. Transfers from the UK.
2.1. To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from the UK, either directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under UK law, Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern, subject to the following additional provisions:
2.2. Part Two: the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses, shall apply;
2.3. With respect to Section 19 of the Approved Addendum, in the event the Approved Addendum changes, neither party may terminate the Addendum except as provided for in the Agreement; and
2.4. Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in this Clause 2 of this Annex 1.
This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”) (together, the “Parties”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.
DEFINITIONS
“McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement.
“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data. Privacy Laws include, but are not limited to, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”); the California Consumer Privacy Act (“CCPA”); Swiss Privacy Laws and UK Privacy Laws (as defined in Annex 1); and all other international privacy laws set forth in Annex 1.
“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.
“Processing” means access to or any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means the services provided by Supplier to McGraw Hill under the Agreement.
“Standard Contractual Clauses” means the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to (including, but not limited to, the contractual terms and conditions set out in Annex 1), aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.
1.1. McGraw Hill Personal Data. Supplier will, and will ensure that its employees or agents will, only Process McGraw Hill Personal Data in accordance with the Agreement, this DPA, and any supplemental written instructions received from McGraw Hill. Supplier will not “sell” (as such term is defined in the CCPA), retain, disclose or use any McGraw Hill Personal Data except: (i) as in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. With respect to McGraw Hill Personal Data Processed under this DPA, (1) McGraw Hill or the applicable McGraw Hill affiliate acts as the “controller” (or acts on the instructions of a third party that is the “controller”) and Supplier acts as the “processor” under the GDPR and similar Privacy Laws; and (2) McGraw Hill or the applicable McGraw Hill affiliate acts as the “business” under the CCPA (or acts on the instructions of a third party that is the “business”), and Supplier acts as the “service provider” under the CCPA. Supplier will not take any action that would result in Supplier not acting as a processor under the GDPR or similar Privacy Laws in other jurisdictions or as a “service provider” under the CCPA with respect to McGraw Hill Personal Data.
1.2. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing.
2. International Data and International Transfers.
2.1. “International McGraw Hill Personal Data” means any McGraw Hill Personal Data the processing of which is subject to the GDPR, Swiss Privacy Laws, or UK Privacy Laws or similar Privacy Laws in other jurisdictions outside the United States.
2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s) such as Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses under Privacy Laws in the EU.
2.3. For the purposes of the Standard Contractual Clauses, any McGraw Hill affiliate that is the controller of International McGraw Hill Personal Data (or is acting on behalf of the controller of such data) will be the “data exporter,” and Supplier will be the “data importer”. If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence; then, the term which provides a higher standard of protection to the Personal Data will apply.
2.4. With respect to International McGraw Hill Personal Data, McGraw Hill provides a general authorization to Supplier pursuant to Article 28(2) and, to the extent applicable, “Option 2” (General Written Authorization) of Clause 13(a) and Annex I.3 of the Standard Contractual Clauses, to engage Sub-Processors (as defined below), subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any International McGraw Hill Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing International McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees. Supplier shall remain fully responsible and liable to McGraw Hill for any Sub-Processor’s Processing of Personal Data, including for any failure of the Sub-Processor to fulfil its data protection obligations.
2.5. With respect to Clause 12(a) of the Standard Contractual Clauses, the Parties agree that: (i) liability between the Parties as contemplated in Clause 12(a) shall be determined by any liability and/or indemnification provisions in the Agreement; and (ii) nothing in Clause 12(a) shall change the interpretation of such liability and/or indemnification provisions in the Agreement.
3. Use of US Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under the Family Educational Rights and Privacy Act of 1974, such terms will be null and void. Supplier will use commercially reasonable efforts to comply with all reasonable requests by McGraw Hill to modify Supplier’s privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill’s contractual obligations for Processing the information under this Section.
4. Compliance with Privacy Laws. When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws. Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws. Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to: (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a Privacy/Security Incident, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment.
5. Data and System Security. At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards, as set out in the Agreement and the Standard Contractual Clauses agreed to by the Parties, if any. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) in accordance with industry-standard level of encryption, but no less than AES-128-bit.
6. Subcontractors and Sub-Processors. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (“Sub-Processor”), Supplier will: (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA.
7. Security Audit. On McGraw Hill’s request, Supplier will: (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures such as audit reports (e.g. any SOC 2, Statement on Standards for Attestation Engagement (SSAE) 18 SOC 1 Type II (US) covering the Supplier’s operations) and any summaries of test results taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security methods no more than once per calendar year; provided however, that McGraw Hill may conduct an inspection or audit at any time if: (i) a Privacy/Security Incident has occurred or McGraw Hill has reasonable grounds to suspect Supplier is not in compliance with its obligations under this DPA; (ii) an audit is required under Privacy Laws; (iii) an audit is required by any supervisory authority; or (iv) otherwise agreed to in writing by the Parties. Supplier will correct any security vulnerability within a reasonable amount of time.
8. Breach Response. In the event of a Privacy/Security Incident, Supplier will, without undue delay and, in any event, within forty-eight (48) hours of detection or notification thereof: (i) notify McGraw Hill of such Privacy/Security Incident, including the type of McGraw Hill Personal Data involved and the extent of such Privacy/Security Incident; (ii) investigate and contain such Privacy/Security Incident and use best efforts to minimize the extent of such Privacy/Security Incident; (iii) not make any public statements with respect to such Privacy/Security Incident that identify McGraw Hill without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested; and (v) implement a plan to prevent such Privacy/Security Incident from recurring. For the avoidance of doubt, any vulnerability giving rise to a Privacy/Security Incident will be remediated and resolved in accordance with leading industry standards.
ANNEX 1
1. International privacy laws.
1.1 International privacy laws include Switzerland’s Federal Act on Data Protection of June 19, 1992, and the Ordinance to the Federal Act on Data Protection (“FADP”), the Ordinance on Data Protection Certification, and all Swiss laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in Switzerland (“Swiss Privacy Laws”); the United Kingdom’s (“UK”) General Data Protection Regulation, Data Protection Act of 2018, and all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK (“UK Privacy Laws”); Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (“Mexican Privacy Laws”).
2. Transfers from the UK.
2.1 To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from the UK, either directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under UK law, Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses (as amended by the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner’s Office, signed by the Parties, and incorporated herein by reference) shall govern.
3. Transfers from Switzerland.
3.1 To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from Switzerland, either directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under Swiss law (a “Swiss Transfer”), Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern such Swiss Transfers and be incorporated by reference into this DPA. In the event the Switzerland Federal Data Protection and Information Commissioner approves successor or supplemental clauses to legitimize Swiss Transfers to third countries, McGraw Hill may unilaterally amend this DPA to incorporate such approved successor or supplemental clauses by giving notice to Supplier of such amendment. For purposes of Swiss Transfers, the Standard Contractual Clauses are subject to the following additional amendments:
3.2 Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in Section 2.4 of this DPA, which in the event of any conflict or inconsistency are subject to this Section 3 of Annex 1;
3.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “FADP” (as defined in the Definitions section of this DPA) and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the FADP. References to “Regulation (EU) 2018/1725” are removed. References to the “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”. The footnotes to the Standard Contractual Clauses do not apply;
3.4 Clause 6, “Description of the transfer(s)”, is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where Swiss Privacy Laws apply to the data exporter’s processing when making that transfer.”;
3.5 Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Switzerland Federal Data Protection and Information Commissioner; and
3.6 The Standard Contractual Clauses shall be understood to also protect the Personal Data of legal entities until the entry into force of the revised FADP.
This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”) (together, the “Parties”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.
DEFINITIONS
“McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement.
“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data. Privacy Laws include, but are not limited to, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”); the California Consumer Privacy Act (“CCPA”); Swiss Privacy Laws and UK Privacy Laws (as defined in Annex 1); and all other international privacy laws set forth in Annex 1.
“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.
“Processing” means access to or any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means the services provided by Supplier to McGraw Hill under the Agreement.
“Standard Contractual Clauses” means the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to (including, but not limited to, the contractual terms and conditions set out in Annex 1), aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.
1.1. McGraw Hill Personal Data. Supplier will, and will ensure that its employees or agents will, only Process McGraw Hill Personal Data in accordance with the Agreement, this DPA, and any supplemental written instructions received from McGraw Hill. Supplier will not “sell” (as such term is defined in the CCPA), retain, disclose or use any McGraw Hill Personal Data except: (i) in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or the Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. With respect to McGraw Hill Personal Data Processed under this DPA, (1) McGraw Hill or the applicable McGraw Hill affiliate acts as the “controller” (or acts on the instructions of a third party that is the “controller”) and Supplier acts as the “processor” under the GDPR and similar Privacy Laws; and (2) McGraw Hill or the applicable McGraw Hill affiliate acts as the “business” under the CCPA (or acts on the instructions of a third party that is the “business”), and Supplier acts as the “service provider” under the CCPA. Supplier will not take any action that would result in Supplier not acting as a processor under the GDPR or similar Privacy Laws in other jurisdictions or as a “service provider” under the CCPA with respect to McGraw Hill Personal Data.
1.2. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing.
2. International Data and International Transfers
2.1. “International McGraw Hill Personal Data” means any McGraw Hill Personal Data the processing of which is subject to the GDPR, Swiss Privacy Laws, or UK Privacy Laws or similar Privacy Laws in other jurisdictions outside the United States.
2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s) such as Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses under Privacy Laws in the EU.
2.3. For the purposes of the Standard Contractual Clauses, any McGraw Hill affiliate that is the controller of International McGraw Hill Personal Data (or is acting on behalf of the controller of such data) will be the “data exporter,” and Supplier will be the “data importer”. If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence; then, the term which provides a higher standard of protection to the Personal Data will apply.
2.4. With respect to International McGraw Hill Personal Data, McGraw Hill provides a general authorization to Supplier pursuant to Article 28(2) and, to the extent applicable, “Option 2” (General Written Authorization) of Clause 13(a) and Annex I.3 of the Standard Contractual Clauses, to engage Sub-Processors (as defined below), subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any International McGraw Hill Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regard to processing International McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options is commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees.
Supplier shall remain fully responsible and liable to McGraw Hill for any Sub-Processor’s Processing of Personal Data, including for any failure of the Sub-Processor to fulfil its data protection obligations.
2.5. With respect to Clause 12(a) of the Standard Contractual Clauses, the Parties agree that: (i) liability between the Parties as contemplated in Clause 12(a) shall be determined by any liability and/or indemnification provisions in the Agreement; and (ii) nothing in Clause 12(a) shall change the interpretation of such liability and/or indemnification provisions in the Agreement.
3. Use of US Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under the Family Educational Rights and Privacy Act of 1974, such terms will be null and void. Supplier will use commercially reasonable efforts to comply with all reasonable requests by McGraw Hill to modify Supplier’s privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill’s contractual obligations for Processing the information under this Section.
4. Compliance with Privacy Laws. When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws. Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws. Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to: (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a Privacy/Security Incident, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment.
5. Data and System Security. At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards, as set out in the Agreement and the Standard Contractual Clauses agreed to by the Parties, if any. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) in accordance with an industry-standard level of encryption, but no less than AES-128-bit.
6. Subcontractors and Sub-Processors. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (“Sub-Processor”), Supplier will: (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA.
7. Security Audit. On McGraw Hill’s request, Supplier will: (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures, such as audit reports (e.g. any SOC 2, Statement on Standards for Attestation Engagements (SSAE) 18 SOC 1 Type II (US), or Statement on Auditing Standards (SAS) No. 70 report covering the Supplier’s operations) and any summaries of test results obtained by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, whether through an informal audit of policies and procedures or through inspection of security methods, no more than once per calendar year; provided, however, that McGraw Hill may conduct an inspection or audit at any time if: (i) a Privacy/Security Incident has occurred or McGraw Hill has reasonable grounds to suspect Supplier is not in compliance with its obligations under this DPA; (ii) an audit is required under Privacy Laws; (iii) an audit is required by any supervisory authority; or (iv) otherwise agreed to in writing by the Parties. Supplier will correct any security vulnerability within a reasonable amount of time.
8. Breach Response. In the event of a Privacy/Security Incident, Supplier will, without undue delay and, in any event, within forty-eight (48) hours of detection or notification thereof: (i) notify McGraw Hill of such Privacy/Security Incident, including the type of McGraw Hill Personal Data involved and the extent of such Privacy/Security Incident; (ii) investigate and contain such Privacy/Security Incident and use best efforts to minimize the extent of such Privacy/Security Incident; (iii) not make any public statements with respect to such Privacy/Security Incident that identify McGraw Hill without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested; and (v) implement a plan to prevent such Privacy/Security Incident from recurring. For the avoidance of doubt, any vulnerability giving rise to a Privacy/Security Incident will be remediated and resolved in accordance with leading industry standards.
ANNEX 1
1. International privacy laws.
1.1 International privacy laws include Switzerland’s Federal Act on Data Protection of June 19, 1992, and the Ordinance to the Federal Act on Data Protection (“FADP”), the Ordinance on Data Protection Certification, and all Swiss laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in Switzerland (“Swiss Privacy Laws”); and the United Kingdom’s (“UK”) General Data Protection Regulation, Data Protection Act of 2018, and all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK (“UK Privacy Laws”).
2. Transfers from the UK.
2.1 To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from the UK, either directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under UK law (a “UK Transfer”), Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern such UK Transfers and be incorporated by reference into this DPA. In the event the UK Information Commissioner’s Office approves successor or supplemental clauses to legitimize UK Transfers to third countries, McGraw Hill may unilaterally amend this DPA to incorporate such approved successor or supplemental clauses by giving notice to Supplier of such amendment. For purposes of UK Transfers, the Standard Contractual Clauses are subject to the following additional amendments:
2.2 In addition to the definitions set out in the Standard Contractual Clauses and the Definitions section of this DPA, the following term has the following meaning: (i) “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in Section 2.4 of this DPA, which in the event of any conflict or inconsistency are subject to this Section 2 of Annex 1;
2.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Privacy Laws” (as defined in the Definitions section of this DPA) and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Privacy Laws. References to “Regulation (EU) 2018/1725” are removed. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”. The footnotes to the Standard Contractual Clauses do not apply;
2.4 Clause 6, “Description of the transfer(s)”, is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Privacy Laws apply to the data exporter’s processing when making that transfer.”;
2.5 Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the UK Information Commissioner’s Office;
2.6 Clause 17 is replaced to state: “These Clauses are governed by the laws of England and Wales.”; and
2.7 Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
3. Transfers from Switzerland.
3.1 To the extent that the International McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from Switzerland, either directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under Swiss law (a “Swiss Transfer”), Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern such Swiss Transfers and be incorporated by reference into this DPA. In the event the Switzerland Federal Data Protection and Information Commissioner approves successor or supplemental clauses to legitimize Swiss Transfers to third countries, McGraw Hill may unilaterally amend this DPA to incorporate such approved successor or supplemental clauses by giving notice to Supplier of such amendment. For purposes of Swiss Transfers, the Standard Contractual Clauses are subject to the following additional amendments:
3.2 Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in Section 2.4 of this DPA, which in the event of any conflict or inconsistency are subject to this Section 3 of Annex 1;
3.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “FADP” (as defined in the Definitions section of this DPA) and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of the FADP. References to “Regulation (EU) 2018/1725” are removed. References to the “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”. The footnotes to the Standard Contractual Clauses do not apply;
3.4 Clause 6, “Description of the transfer(s)”, is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where Swiss Privacy Laws apply to the data exporter’s processing when making that transfer.”;
3.5 Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Switzerland Federal Data Protection and Information Commissioner; and
3.6 The Standard Contractual Clauses shall be understood to also protect the Personal Data of legal entities until the entry into force of the revised FADP.
This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”) (together, the “Parties”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.
DEFINITIONS
“McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement.
“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data. Privacy Laws include, but are not limited to, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”); the United Kingdom’s (“UK”) General Data Protection Regulation, Data Protection Act of 2018, and all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK (“UK Privacy Laws”), and the California Consumer Privacy Act (“CCPA”).
“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.
“Processing” means access to or any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means the services provided by Supplier to McGraw Hill under the Agreement.
“Standard Contractual Clauses” means the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to (including, but not limited to, the contractual terms and conditions set out in Annex 1), aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.
1. McGraw Hill Personal Data. Supplier will, and will ensure that its employees or agents will, only Process McGraw Hill Personal Data in accordance with the Agreement, this DPA, and any supplemental written instructions received from McGraw Hill. Supplier will not “sell” (as such term is defined in the CCPA), retain, disclose or use any McGraw Hill Personal Data except: (i) in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or the Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. With respect to McGraw Hill Personal Data Processed under this DPA, (1) McGraw Hill or the applicable McGraw Hill affiliate acts as the “controller” (or acts on the instructions of a third party that is the “controller”) and Supplier acts as the “processor” under the GDPR and similar Privacy Laws; and (2) McGraw Hill or the applicable McGraw Hill affiliate acts as the “business” under the CCPA (or acts on the instructions of a third party that is the “business”), and Supplier acts as the “service provider” under the CCPA. Supplier will not take any action that would result in Supplier not acting as a processor under the GDPR or similar Privacy Laws in other jurisdictions or as a “service provider” under the CCPA with respect to McGraw Hill Personal Data.
2. International Data Transfers
2.1. “International McGraw Hill Personal Data” means any McGraw Hill Personal Data the processing of which is subject to the GDPR or UK Privacy Laws or similar Privacy Laws in other jurisdictions outside the United States. With respect to International McGraw Hill Personal Data, McGraw Hill or the applicable McGraw Hill affiliate acts as the “controller” and Supplier acts as the “processor”. Supplier will not take any action that would result in Supplier not acting as a “processor” with respect to such McGraw Hill Personal Data.
2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s) such as Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses under Privacy Laws in the EU.
2.3. For the purposes of the Standard Contractual Clauses, any McGraw Hill affiliate that is the controller of Personal Data of a resident of the applicable jurisdiction (or is acting on behalf of the controller of such data) will be the “data exporter,” and Supplier will be the “data importer”. If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence; then, the term which provides a higher standard of protection to the Personal Data will apply. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing.
2.4. McGraw Hill provides a general authorization to Supplier pursuant to Article 28(2) and, to the extent applicable, “Option 2” (General Written Authorization) of the Standard Contractual Clauses, to engage Sub-Processors (as defined below), subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any McGraw Hill Personal Data subject to the GDPR or UK Privacy Laws. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regard to processing McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options is commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the Parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees.
Supplier shall remain fully responsible and liable to McGraw Hill for any Sub-Processor’s Processing of Personal Data, including for any failure of the Sub-Processor to fulfil its data protection obligations.
2.5. With respect to Clause 12(a) of the Standard Contractual Clauses, the Parties agree that: (i) liability between the Parties as contemplated in Clause 12(a) shall be determined by any liability and/or indemnification provisions in the Agreement; and (ii) nothing in Clause 12(a) shall change the interpretation of such liability and/or indemnification provisions in the Agreement.
3. Use of US Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under Family Educational Rights and Privacy Act of 1974, such terms will be null and void. Supplier will use commercially reasonable efforts to comply with all reasonable requests by McGraw Hill to modify Supplier’s privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill’s contractual obligations for Processing the information under this Section.
4. Compliance with Privacy Laws. When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws. Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws. Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to: (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a Privacy/Security Incident, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment.
5. Data and System Security. At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards, as set out in the Agreement and the Standard Contractual Clauses agreed to by the Parties, if any. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) at an industry-standard level of encryption, and in no event less than AES-128.
6. Subcontractors and Sub-Processors. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (“Sub-Processor”), Supplier will: (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA.
7. Security Audit. On McGraw Hill’s request, Supplier will: (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures such as audit reports (e.g. any SOC 2, Statement on Standards for Attestation Engagement (SSAE) 18 SOC 1 Type II (US), or Statement on Auditing Standards (SAS) No. 70 report covering the Supplier’s operations) and any summaries of test results taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security methods no more than once per calendar year; provided however, that McGraw Hill may conduct an inspection or audit at any time if: (i) a Privacy/Security Incident has occurred or McGraw Hill has reasonable grounds to suspect Supplier is not in compliance with its obligations under this DPA; (ii) an audit is required under Privacy Laws; (iii) an audit is required by any supervisory authority; or (iv) otherwise agreed to in writing by the Parties. Supplier will correct any security vulnerability within a reasonable amount of time.
8. Breach Response. In the event of a Privacy/Security Incident, Supplier will, without undue delay and in any event, within forty-eight (48) hours of detection or notification thereof: (i) notify McGraw Hill of such Privacy/Security Incident, including the type of McGraw Hill Personal Data involved and the extent of such Privacy/Security Incident; (ii) investigate and contain such Privacy/Security Incident and use best efforts to minimize the extent of such Privacy/Security Incident; (iii) not make any public statements with respect to such Privacy/Security Incident that identify McGraw Hill without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested; and (v) implement a plan to prevent such Privacy/Security Incident from reoccurring. For the avoidance of doubt, any Privacy/Security Incident vulnerability will be remediated and resolved in accordance with leading industry standards.
ANNEX 1
1. Transfers from the UK.
1.1 To the extent that the McGraw Hill Personal Data that Supplier Processes contains Personal Data that has been transferred from the UK, directly or via onward transfer, to the Supplier in any jurisdiction not recognized as providing an adequate level of protection for such data under UK law (a “UK Transfer”), Supplier and McGraw Hill agree that Module Two (for transfers between a controller and processor) of the Standard Contractual Clauses shall govern such UK Transfers and be incorporated by reference into this DPA. In the event the UK Information Commissioner’s Office approves successor or supplemental clauses to legitimize UK Transfers to third countries, McGraw Hill may unilaterally amend this DPA to incorporate such approved successor or supplemental clauses by giving notice to Supplier of such amendment. For purposes of UK Transfers, the Standard Contractual Clauses are subject to the following additional amendments:
1.2 In addition to the definitions set out in the Standard Contractual Clauses and the Definitions section of this DPA, the following term has the following meaning: (i) “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. Any references to the “Clauses” in the Standard Contractual Clauses shall include the amendments set out in Section 2.4 of this DPA;
1.3 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Privacy Laws” (as defined in the Definitions section of this DPA) and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Privacy Laws. References to “Regulation (EU) 2018/1725” are removed. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”. The footnotes to the Standard Contractual Clauses do not apply;
1.4 Clause 6, “Description of the transfer(s)”, is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Privacy Laws apply to the data exporter’s processing when making that transfer.”;
1.5 Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the UK Information Commissioner’s Office;
1.6 Clause 17 is replaced to state: “These Clauses are governed by the laws of England and Wales.”; and
1.7 Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) that references this DPA (“Supplier”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.
DEFINITIONS
“McGraw Hill Personal Data” means any Personal Data that is Processed by Supplier in the course of performing its obligations under the Agreement.
“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances and any other privacy and data security statutes, and regulations promulgated and in effect under such statutes, relating to the jurisdictions applicable to the Services and/or the McGraw Hill Personal Data.
“Privacy/Security Incident” means a confirmed incident involving access to or handling of McGraw Hill Personal Data not expressly permitted by this DPA.
“Processing” means access to or the collection, storage or use of McGraw Hill Personal Data.
“Services” means the services provided by Supplier to McGraw Hill under the Agreement.
“Standard Contractual Clauses” means the Standard Contractual Clauses pursuant to the European Commission’s Decision (2010/87/EU) notified under document C(2010)593 of February 5, 2010, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, and any other applicable sets of contractual terms and conditions which the sender and the receiver of Personal Data both sign up to, aimed at protecting Personal Data through contractual obligations in compliance with applicable Privacy Laws when such data leaves one country and goes to another country that is not considered to offer adequate protection to the rights and freedoms of data subjects.
1. McGraw Hill Personal Data. Supplier will not sell (as such term is defined in the California Consumer Privacy Act (“CCPA”)), retain, disclose or use any McGraw Hill Personal Data except (i) as in accordance with the instructions of McGraw Hill; (ii) as specifically authorized by this DPA and/or Agreement; (iii) as necessary to perform the Services; or (iv) as required by applicable law. With respect to McGraw Hill Personal Data Processed under this DPA, McGraw Hill or the applicable McGraw Hill affiliate acts as the “business” under the CCPA (or acts on the instructions of a third party that is the “business”), and Supplier acts as the “service provider” under the CCPA. Supplier will not take any action that would result in Supplier not acting as a “service provider” under the CCPA with respect to McGraw Hill Personal Data.
2. International Data Transfers
2.1. With respect to McGraw Hill Personal Data Processed under this DPA outside of the United States (“International McGraw Hill Personal Data”), McGraw Hill or the applicable McGraw Hill affiliate acts as the “controller” and Supplier acts as the “processor”. Supplier will not take any action that would result in Supplier not acting as a “processor” with respect to such McGraw Hill Personal Data.
2.2. If Supplier Processes International McGraw Hill Personal Data as part of the Services and such data is transferred, directly or via onward transfer, to any jurisdiction not recognized as providing an adequate level of protection for such data under applicable Privacy Laws, Supplier and McGraw Hill will agree to terms for such onward transfer in a form compliant with the Privacy Laws in the applicable jurisdiction(s).
2.3. For the purposes of the Standard Contractual Clauses under Privacy Laws in the EU, any McGraw Hill affiliate that is the controller of Personal Data of an EU resident (or is acting on behalf of the controller of such data) will be the “data exporter,” and Supplier will be both (1) the “data importer” and (2) “subprocessor co-signing” the Standard Contractual Clauses between such McGraw Hill affiliate(s) and McGraw Hill LLC as processor (as stipulated in footnote 1 to Clause 11(1) of the Standard Contractual Clauses). If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the term which provides a higher standard of protection to the Personal Data will apply. Carrying out the Services in accordance with the terms of the Agreement will be deemed an instruction by McGraw Hill to Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing.
2.4. McGraw Hill provides a general authorization to Supplier, pursuant to Article 28(2) of the General Data Protection Regulation 2016/679, to engage Sub-Processors, subject to compliance with the requirements in this Section. Information regarding Supplier’s current Sub-Processors, including their location and services provided, will be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any EU Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of EU Personal Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which address McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees.
3. Use of US Student Information. If Supplier Processes information concerning the student end users of McGraw Hill products/services that are residents of the United States as part of the Services, Supplier acknowledges and agrees that: (i) such information will be stored in the United States; (ii) Supplier will not attempt to re-identify such information that has been de-identified; and (iii) Supplier will not sell such information to other organizations or market to students using such information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under Family Educational Rights and Privacy Act of 1974 (“FERPA”), such terms will be null and void. Supplier will use commercially reasonable efforts to comply with all reasonable requests by McGraw Hill to modify Supplier's privacy practices and/or information security measures if they are not in compliance with Privacy Laws and/or McGraw Hill's contractual obligations for Processing the information under this Section.
4. Compliance with Privacy Laws. When Processing McGraw Hill Personal Data, McGraw Hill and Supplier will comply with all Privacy Laws. Supplier will have in place appropriate technical and organizational policies, procedures and controls as required by applicable Privacy Laws. Supplier will cooperate with, and provide all necessary information and assistance to, McGraw Hill to allow McGraw Hill to meet its obligations under applicable Privacy Laws, including to (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a security breach, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment.
5. Data and System Security. At all times, Supplier will, and will require all third parties to which it discloses McGraw Hill Personal Data to, implement and maintain a comprehensive security program that is designed to protect the security, privacy, confidentiality, and integrity of such data against risks through the use of administrative, technological, and physical safeguards. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) at an industry-standard level of encryption, and in no event less than AES-128.
6. Subcontractors and Sub-Processors. Where Supplier engages a third party service provider who will Process McGraw Hill Personal Data (“Sub-Processor”), Supplier will (i) enter into a written agreement; and (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA.
7. Security Audit. On McGraw Hill’s request, Supplier will (i) respond to McGraw Hill’s privacy and security questionnaires and (ii) provide McGraw Hill with information regarding Supplier’s data security measures such as audit reports (e.g. any SOC 2, Statement on Standards for Attestation Engagement (SSAE) 18 SOC 1 Type II (US), or Statement on Auditing Standards (SAS) No. 70 report covering the Supplier’s operations) and any summaries of test results taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security
This Data Processing Addendum (“DPA”) is entered into between McGraw Hill LLC, on behalf of itself and its affiliates (all together “McGraw Hill”) and the entity or individual identified in the agreement (the “Agreement”) to which this DPA is attached (“Supplier”). This DPA constitutes a supplement to the Agreement for all purposes and is incorporated into the Agreement by this reference. All capitalized terms not defined herein will have the same meaning as in the Agreement.
DEFINITIONS
“EU Data Privacy Laws” means the EU Data Protection Directive 95/46/EC and its successor, the General Data Protection Regulation 2016/679, the implementing acts of the Data Protection Directive by the member states of the European Union and/or any other applicable law or regulation relating to the protection of personal data, as defined in European Union Directive 95/46/EC and European Union Regulation 2016/679.
“EU Personal Data” means any personal data as defined in the EU Data Privacy Laws, of a resident of the European Union.
“McGraw Hill Information” means all information and documents disclosed by McGraw Hill, or which come to Supplier’s attention in the course of performing its obligations under the Agreement, including any metadata.
“McGraw Hill Personal Data” means any Personally Identifiable Information that is accessed or obtained by Supplier in the course of performing its obligations under the Agreement, including, but not limited to, EU Personal Data, McGraw Hill Information and/or US Student Information.
“Personally Identifiable Information” means any information that, alone or in combination with other data, could be used to identify an individual.
“Privacy Laws” means all applicable federal, state and local laws, rules and regulations and ordinances, including without limitation, The Family Educational Rights and Privacy Act of 1974 (FERPA), Children’s Online Privacy Protection Act (COPPA), Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), EU Data Privacy Laws and the K-12 School Supplier Pledge to Safeguard Student Privacy, available at https://studentprivacypledge.org/privacy-pledge/.
“Services” means the services provided by Supplier to McGraw Hill under the Agreement.
“Standard Contractual Clauses” means the Standard Contractual Clauses pursuant to the European Commission’s Decision (2010/87/EU) notified under document C(2010)593 of February 5, 2010, or any such clauses amending, replacing or superseding those by a European Commission Decision or by a decision made by any other authorized body, published by EUR-Lex on the website ec.europa.eu.
“US Student Information” means all information concerning the student end users of McGraw Hill products/services that are residents of the United States.
1. McGraw Hill Personal Data. Supplier acknowledges all McGraw Hill Personal Data constitutes valuable assets of and, as between Supplier and McGraw Hill, is proprietary to McGraw Hill. Supplier shall not disclose or use any McGraw Hill Personal Data except to the extent necessary to carry out its obligations under the Agreement. Supplier acknowledges and agrees that McGraw Hill Personal Data may contain or consist of EU Personal Data. Processing of EU Personal Data is subject to EU Data Privacy Laws. Supplier shall return or securely destroy all McGraw Hill Personal Data upon McGraw Hill’s request or upon termination or expiration of the Agreement. Supplier shall ensure that any employees, contractors or other individuals acting under its authority who have access to McGraw Hill Personal Data shall only process such McGraw Hill Personal Data in accordance with McGraw Hill's instructions, unless required to do otherwise by law.
2. Use of US Student Information. If Supplier processes US Student Information as part of the Services, Supplier acknowledges and agrees that: (i) US Student Information shall be maintained and stored in the United States; (ii) Supplier will not attempt to re-identify de-identified US Student Information; and (iii) Supplier will not sell US Student Information to other organizations or market to students using the US Student Information. If students or parents/guardians are requested to agree to any terms in connection with the Services that may result in waiver of any of their rights under FERPA, such terms shall be null and void. Supplier shall ensure that any employees, contractors or other individuals acting under its authority who have access to US Student Information shall agree in writing to comply with the obligations in this Section.
3. Standard Contractual Clauses. If Supplier processes EU Personal Data as part of the Services and such EU Personal Data is transferred outside the European Economic Area (“EEA”), Supplier and McGraw Hill shall agree to the terms of the Standard Contractual Clauses which will be attached to this DPA as an exhibit and will apply to the Services provided in relation to all EU Personal Data transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for EU Personal Data. For the purposes of the Standard Contractual Clauses and the EU Data Privacy Laws, any McGraw Hill affiliate that is the controller of EU Personal Data shall be the “data exporter,” and Supplier shall be both (1) the “data importer” and (2) “subprocessor co-signing” the Standard Contractual Clauses between any McGraw Hill affiliate that is the controller of EU Personal Data and McGraw Hill LLC as processor (as stipulated in footnote 1 to Clause 11(1) of the Standard Contractual Clauses). If there is a conflict between this DPA, any other terms in the Agreement, and/or the Standard Contractual Clauses, the term which provides a higher standard of protection to EU Personal Data shall apply. For the purposes of clause 5(a) of the Standard Contractual Clauses and the EU Data Privacy Laws, carrying out the Services in accordance with the terms of the Agreement shall be deemed an instruction by McGraw Hill to the Supplier. Any additional or alternate instructions must be agreed between McGraw Hill and Supplier separately in writing. If the European Commission adopts a new version of the Standard Contractual Clauses, the parties agree to adapt the Agreement in such manner as may be required to implement the current version.
4. Compliance with Privacy Laws. Supplier shall comply with all Privacy Laws. Supplier shall use commercially reasonable efforts to comply with all requests by McGraw Hill to modify its privacy practices and/or information security measures which McGraw Hill believes in good faith to be required in order for McGraw Hill to comply with Privacy Laws. Supplier shall have in place appropriate technical and organizational policies, procedures and controls to assist McGraw Hill in complying with its obligations to comply with Privacy Laws, including its obligation to (i) respond to requests from individuals to exercise their rights under Privacy Laws (such as the right to access and correct any McGraw Hill Personal Data of such individual stored by Supplier) and (ii) notify any governmental authorities or affected individuals in the event of a security breach, carry out privacy impact assessments and consult with governmental authorities regarding processing which is the subject of a privacy impact assessment.
5. Data and System Security. At all times, Supplier shall, and shall require all third parties to which it discloses McGraw Hill Personal Data and/or any other McGraw Hill Confidential Information (as defined in the Agreement) to, maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of such data against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information. Supplier will store McGraw Hill Personal Data in accordance with Privacy Laws. McGraw Hill Personal Data must be encrypted in transmission (including via web interface) and when stored on a portable device at no less than 128-bit level encryption. Where appropriate, Supplier shall reasonably assist McGraw Hill in ensuring the compliance of McGraw Hill's security program with Privacy Laws in relation to the security of McGraw Hill Personal Data. At McGraw Hill’s request, Supplier shall provide McGraw Hill with documentation regarding its security program.
6. Subcontractors and Sub-Processors. Where Supplier engages third party service providers who will have access to McGraw Hill Personal Data (Sub-Processor), Supplier will ensure that they meet the requirements in this Section. McGraw Hill provides a general authorization to Supplier, pursuant to Clause 11 of the Standard Contractual Clauses and Article 28(2) of the General Data Protection Regulation 2016/679, to engage Sub-Processors, subject to compliance with the requirements in this Section.
6.1. Sub-Processor Agreements. Supplier will: (i) enter into a written agreement with any Sub-Processor that will process McGraw Hill Personal Data; (ii) ensure that each such written agreement contains terms that are no less protective of McGraw Hill Personal Data than those contained in this DPA; and (iii) be liable for the acts and omissions of its Sub-Processors to the same extent Supplier would be liable if performing the services of each of those Sub-Processors directly under the terms of this DPA.
6.2. Sub-Processor List. Information regarding Supplier’s current Sub-Processors, including their location and services provided, shall be provided by Supplier to McGraw Hill. This Sub-Processor list may be updated by Supplier from time to time in accordance with this Section.
6.3. Changes to Sub-Processor List. Supplier will provide McGraw Hill with advance notice before a new Sub-Processor processes any EU Personal Data. McGraw Hill may object to the new Sub-Processor on grounds relating to the protection of EU Personal Data. In such case, Supplier shall have the right to cure the objection through one of the following options (to be selected at McGraw Hill’s option): (i) Supplier will cancel its plans to use the Sub-Processor with regards to processing McGraw Hill Personal Data or will offer an alternative to provide the Services without such Sub-Processor; (ii) Supplier will take the corrective steps requested by McGraw Hill in its objection notice (which remove McGraw Hill’s objection(s)) and proceed to use the Sub-Processor; or (iii) McGraw Hill may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Sub-Processor. If none of the above options are commercially feasible, in McGraw Hill’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties, then McGraw Hill may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees.
7. Security Audit. Supplier will provide McGraw Hill with information regarding Supplier’s data security measures. Such information shall include, but not be limited to, any SOC 2, SSAE 16 SOC-1 Type II (US), or Statement on Auditing Standards (SAS) No. 70 report covering the Supplier’s operations, and any other audit reports, summaries of test results or equivalent measures taken by the Supplier with respect to its security measures. Supplier’s data security measures may be reviewed by McGraw Hill, both through an informal audit of policies and procedures and/or through inspection of security methods used within Supplier’s infrastructure, storage, and other physical security. Should McGraw Hill request an inspection, Supplier will schedule a site visit without undue delay. Supplier should review its implementation and maintenance of its security review periodically to protect the data in strict compliance with statutory and regulatory requirements.
8. Breach Response. Supplier will provide McGraw Hill with information regarding any failure of its security measures or any actual or suspected security breach related to McGraw Hill Personal Data without undue delay. In the event of a data security breach that affects any McGraw Hill Personal Data Supplier will, without undue delay: (i) notify McGraw Hill of such breach, including the type of McGraw Hill Personal Data involved and the extent of such breach; (ii) investigate such breach and use best efforts to minimize the extent of such breach; (iii) not make any public statements with respect to such breach without the prior written approval of McGraw Hill; (iv) provide McGraw Hill with any information that is reasonably requested and otherwise cooperate with McGraw Hill; and (v) Supplier will implement a plan to prevent such breach from reoccurring.