Ver 02.25.2021
This International Data Transfer and Processing Addendum (this “DPA”) forms part of, and is subject to, the Application License Agreement, and each order document(s) (each a “Service Order” and collectively, the “Agreement”), entered into between the legal entity identified as “Customer” in the Agreement together with all Customer Affiliates who are subject to a Service Order for their own Service Account pursuant to such Agreement, (collectively, for purposes of this DPA, “Customer”), and Lexia Learning Systems LLC, a Cambium Learning Group company (“Lexia Learning” or “Company”), pursuant to which Customer has purchased licensed access to subscriptions to Company’s online, web-based subscription products and ancillary services (the “Service(s)”), as further specified in the Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the Processing of Personal Data of employees, students, or other Authorized End Users of Customer (as defined in the Agreement), by Company as data processor on behalf of Customer and in accordance with Customer’s instructions as data controller. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
For the purposes of this DPA, the following terms shall have the following meanings:
“Account” means Customer’s account within the Service in which Customer stores, processes and manages Customer Personal Data.
“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a party. As used herein, “control” means the power to direct the management or affairs of an entity and “ownership” means the beneficial ownership of more than fifty percent (50%) of the voting equity securities or other equivalent voting interests of an entity.
“Company Group” means the Cambium Learning Group, Inc., and includes Lexia Learning and all Affiliates.
"Data Controller" means an entity that determines the purposes and means of the Processing of Personal Data.
"Data Processor" means an entity that Processes Personal Data on behalf of a Data Controller.
"Data Protection Laws" means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, but not limited to, where applicable, the GDPR, EU & UK Data Protection Laws (including the United Kingdom’s Data Protection Act 2018, as well as any subsequent data protection law enacted by the United Kingdom, such as a version of GDPR), and the California Consumer Privacy Act of 2018 (CCPA), as may be amended from time to time.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person that is sufficient to cause such person to be identified directly or indirectly, and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.
“Process” or “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
"Purposes" shall mean (i) Company’s provision, support, maintenance and improvement of the Services under the Agreement and this DPA, including Processing initiated by Customer users in their use of the Services, and (ii) further documented, reasonable instructions from Customer agreed upon by the parties.
“Privacy Shield Framework” means the EU-U.S. and/or Swiss-U.S. Privacy Shield Framework.
"Services" means the generally available software-as-a-service offering provisioned and supported by Lexia Learning and described in the Service Order with Customer, and any other services provided by Lexia Learning under the Service Order and Agreement, including but not limited to support and technical services.
"Subprocessor" means any Data Processors engaged by Company/Company Group to Process Customer Personal Data.
a. The parties acknowledge and agree that the Services are publicly available offerings of Company’s SaaS-based subscription service and are provided in a multi-tenant, shared-database architecture and that individualized client-dedicated infrastructure and/or Processing is not part of the Services. Customer understands and agrees that user information, including Personal Data, is stored by Company in centrally organized data center facilities, for which client-dedicated user environments are achieved through logical segregation within a shared client infrastructure.
b. The parties agree that the categories of data subjects and Personal Data to be Processed are as described in Appendix 1 of this DPA and the Processing shall be as required to provide the Services.
a. Customer remains the responsible Data Controller (or similar term under applicable law) for the Processing of the Personal Data subject to this DPA as instructed to Company. Subject to the provisions contained in Section 4g below, Customer agrees that its provision of Personal Data to Company and its instructions to Company related to the Processing of Personal Data shall at all times be in compliance with all applicable laws, including Data Protection Laws, in particular with any notice and/or consent requirements or authorizations necessary under Data Protection Laws for Company to lawfully Process Customer Personal Data for the Purposes, and, notwithstanding anything to the contrary in the Agreement, Customer shall remain responsible for and protect Company from any third party claims, damages or enforcement actions related to Company’s Processing of Personal Data in accordance with Customer’s instructions.
b. Customer shall not, without the prior express written consent of Company as reflected in a fully executed written amendment to this DPA specifically referencing this Section 3(b), transfer or permit to be transferred to Company any sensitive Personal Data (i.e., social security number, tax identification number, end user financial information, or Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health or medical data, or data concerning a natural person's sex life or sexual orientation).
c. This DPA shall also extend to Customer Affiliates under the Agreement, subject to the following conditions: (a) any additional Processing instructions from Customer Affiliates shall and must be communicated to Company only by and through Customer, and Company shall be entitled to rely solely on Customer’s instructions relating to all Customer and Customer Affiliate Personal Data under the Agreement; (b) Customer shall remain responsible for its Affiliates’ compliance with this DPA and all acts and/or omissions by a Customer Affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer; and (c) Customer Affiliates shall be entitled to enforce the terms of this DPA only through Customer acting on behalf of Customer Affiliates (Customer Affiliates shall not bring any claim directly against Company, unless Data Protection Laws require the Customer Affiliate to be the sole party to such claim), and all such claims shall be considered claims made by Customer and shall be subject to any liability limitations or restrictions set forth in the Agreement.
a. Company will Process the Personal Data in compliance with applicable law and only for the purpose of fulfilling its obligations and to perform its Services under the Agreement or as otherwise instructed in writing by Customer, which instructions are defined in the Agreement and applicable order document agreed to by the parties, in accordance with the terms of this DPA. For the avoidance of doubt, Company acknowledges that it is prohibited from retaining, using or disclosing Personal Data for any purpose other than providing the Services to Customer.
b. Company will notify Customer in writing immediately upon making a determination that it has not met, or can no longer meet, its obligations under Section 4(a) of this DPA, and, in such case, will abide by Customer’s written instructions, including instructions to cease further Processing of the Personal Data, and take any necessary steps to remediate any Processing of such Personal Data not in accordance with Section 4(a) of this DPA. To the extent further costs are involved in abiding by Customer’s instructions, the terms of Section 4(f) shall apply.
c. With respect to the Personal Data transferred to or received by Company under the Agreement, Company has implemented, and will maintain, a written information security program that includes technical, organizational, and physical security measures aimed at protecting Personal Data against accidental destruction or accidental loss, alteration, and unauthorized disclosure or access.
d. Company maintains security incident management policies and procedures and shall, to the extent permitted by law, promptly notify Customer of any unauthorized disclosure of Personal Data by Company or its Subprocessors of which Company becomes aware.
e. To the extent legally permitted, Company shall promptly notify Customer if it receives a request for any Personal Data from a court, government agency, law enforcement agency, or other authority, and will direct the court, government agency, law enforcement agency, or other authority to request such information directly from Customer. As part of this effort, Company may provide Customer's basic contact information to facilitate this communication. Notwithstanding, if Company is compelled to disclose Personal Data, Company will promptly notify Customer and deliver a copy of the request (except where Company is legally prohibited from doing so) to allow Customer to seek a protective order or any other appropriate remedy.
f. With respect to requests for audits or other additional instructions by Customer, unless otherwise expressly provided in the Agreement, the following shall apply: Company shall make available to the Customer all information available to demonstrate compliance with the obligations with respect to Company’s processing of Customer Personal Data, and to contribute to audits, including inspections, or as applicable, production of available documentation satisfactory to assess internal controls programs and compliance with applicable law, if and as required of Company under applicable law. If Customer wishes to change its instruction, then Customer has the right to request such a change by sending Company a written notice, and Company shall respond in good faith and provide Customer with information regarding Company's standard processes and an estimate of additional fees and costs for such instruction that would be payable by Customer and obtain Customer’s written confirmation of such fees prior to taking such action, to the extent such request or instruction is not part of the standard Services offering. Company shall not be obligated to address Customer’s requests or instructions until written agreement on additional payments, if any, has been executed by the parties to the Agreement. If the parties cannot come to an agreement on such payments, requests or instructions, Customer may terminate the affected Services under any Service Order(s) then in effect under the Agreement upon thirty (30) days written notice to Company, provided, however, that Customer shall pay any outstanding Service fees and costs for the remainder of the term agreed in the applicable Service Order and without affecting the remainder Agreement.
g. As required by applicable law, Company shall immediately inform Customer if, in its opinion, an instruction infringes applicable data privacy regulations.
h. Company will ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
i. Company shall provide assistance to Customer as may be reasonably necessary for Customer to comply with applicable data protection laws, including by assisting Customer in responding to requests for exercising data subject rights under applicable law, taking into consideration Company's access to Customer Personal Data and the Personal Data and administrator functionality available to Customer within the Service. If Company receives a request from any data subject of Customer’s for access to, correction, amendment, deletion of, or any other rights to such data subject’s Personal Data received or processed under the Services Agreement with Customer, Company shall promptly instruct the data subject to direct his/her request to Customer, and, to the extent legally permitted, Company shall not otherwise respond to such data subject request without Customer’s prior written instructions, and Company shall provide Customer with commercially reasonable cooperation and assistance in relation to handling such data subject’s request to exercise rights to such data subject’s Personal Data if and as directed by Customer. Where requests are manifestly excessive, e.g., because of their repetitive or non-customary character, Customer acknowledges and agrees that Company may apply additional reasonable fees for Company’s costs arising from such assistance.
j. The parties agree that, as part of the Services, Personal Data may be used by Company to verify, optimize and/or improve the Services and for related internal, business administration purposes.
a. As required or acceptable to satisfy cross-border transfer obligations under applicable law, to the extent that Company stores or otherwise processes Personal Data in the U.S., including but not limited to Personal Data about individuals who reside in the European Economic Area ("EEA"), the United Kingdom and/or Switzerland, the parties agree that the Standard Contractual Clauses for the Transfer of Personal Data to Data Processors Established In Third Countries pursuant to Commission Decision 2010/87/EU of 5 February 2010 ("Model Processor Clauses"), including the appendices attached thereto, are attached and incorporated into this DPA by reference as Annex A, and shall apply to such transfers. For purposes of any transfers, Company shall be the "data importer," and Customer established in the relevant jurisdiction shall be the "data exporter." The data processing activities in Appendix 1 to the Model Processor Clauses shall be as described in Appendix 1 of this DPA, and the technical and organizational security measures in Appendix 2 to the Model Processor Clauses shall be those measures described in Appendix 2 of this DPA. The parties agree that acceptance of the Agreement constitutes all necessary signatures to the Model Processor Clauses with respect to transfers to Company.
b. In the event that a successor to the Privacy Shield Framework or Model Processor Clauses is established, Company agrees it shall, as appropriate and required by applicable law, coordinate in good faith with Customer to establish supplemental data transfer terms with Customer.
a. In accordance with the structure of the Services as described in Section 2 of this DPA, Customer generally consents to Company’s use of Subprocessors and specifically consents to those Subprocessors currently engaged by Company and members of the Company Group to provision and support the Services, and to perform Company's obligations under the Agreement in accordance with the terms of this DPA.
b. Company may, by giving prior notice to Customer, add or make changes to the Subprocessors. Customer may object to the appointment of any such additional Subprocessor within fourteen (14) calendar days of such notice on reasonable and specific grounds relating to the protection of Customer’s Personal Data, in which case Company shall have the right to cure the objection through one of the following options (to be selected at Company’s sole discretion): (a) Company will cancel its plans to use the Subprocessor with regard to Personal Data or will offer an alternative to provide the Services to Customer without such Subprocessor; or (b) Company will take such corrective steps identified by Customer in its objection (which remove Customer’s objection) and proceed to use the Subprocessor with regard to Personal Data; or (c) Company may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such Subprocessor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the impacted subscription Services, considering the reduced scope of the subscription Services. Objections to a Subprocessor shall be submitted to Company by following the directions set forth in the Subprocessor notice or Subprocessor list provided by Company to Customer. If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days after Company’s receipt of Customer’s objection, either party may terminate the affected Services and Customer will be entitled to a pro-rata refund for prepaid fees based on the portion of the Services not performed as of the date of termination. Notwithstanding the foregoing, Company may replace a Subprocessor if the need for the change is urgent and necessary to provide the Services and continuity thereof. 
In such instance, Company shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to this paragraph. Company agrees that its agreements with Subprocessors will include contractual commitments to protect and maintain the confidentiality and security of Personal Data consistent with Company’s obligations as processor under this Agreement, the requirements of applicable law, and taking into account the Personal Data processed and nature of the services provided by Subprocessors.
c. Company shall be liable for the acts and omissions of its Subprocessors to the same extent it would be liable if performing the services of each such Subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
This DPA is governed by and construed in accordance with the laws of the jurisdiction provided for in the Agreement without regard for its choice of law rules.
a. This DPA shall remain in full force and effect for so long as the Agreement remains in effect, and shall immediately terminate if the Agreement is terminated for any reason.
b. The Services include self-service Account administration and reporting tools enabling Customer’s designated Account Administrator User(s) to retrieve, access, delete and/or export reports with the Personal Data of its Authorized End Users at any time during the Service period. Upon expiration or termination of the Agreement, Company shall continue to make such Personal Data available for export by Customer (i.e., allow Customer to download reports) upon request made within thirty (30) days of termination or expiration of the Agreement. After such thirty (30) day period, Company shall have no obligation to maintain or provide any Personal Data and may, unless legally prohibited, securely remove and delete or otherwise render unreadable or undecipherable Personal Data in its possession or control in accordance with Company’s then-current data removal protocols, with no liability to Customer, unless otherwise agreed to by Company and Customer in writing in the Agreement for the applicable service. When Personal Data removal has been completed, Company will provide written confirmation to Customer of same upon written request.
a. This DPA is subject to the terms of, and fully incorporated and made part of, the Agreement, and except as provided in this DPA, the Agreement remains unchanged and in full force and effect. Except as expressly stated otherwise, in the event of any conflict or inconsistency between the terms of the Agreement and the terms of this DPA, the relevant terms of this DPA shall take precedence. This DPA shall amend and supplement any provisions relating to Processing of Personal Data previously negotiated or agreed to between the parties in the Agreement (including any existing Data Processing Exhibit or any other data processing terms within the Agreement).
b. The Agreement shall apply only between Company and Customer and shall not confer any rights to any third parties.
c. All other terms and conditions of the Agreement remain unchanged.
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
THE PARTIES HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
1. Definitions
For the purposes of the Clauses:
2. Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
3. Third-party beneficiary clause
3.1 The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
3.2 The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3.3 The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3.4 The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
4. Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
5. Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
6. Liability
6.1 The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
6.2 If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
6.3 The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
6.4 If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
7. Mediation and jurisdiction
7.1 The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
7.2 The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
8. Cooperation with supervisory authorities
8.1 The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
8.2 The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
8.3 The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
9. Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
10. Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
11. Subprocessing
11.1 The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
11.2 The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
11.3 The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
11.4 The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
12. Obligation after the termination of personal data processing services
12.1 The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
12.2 The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Provision of Services consisting in publicly available offerings of Lexia Learning’s SaaS-based educational subscriptions and associated services.
Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, subject to the terms of the Agreement, and which may include, but is not limited to the following:
● Employees, agents, advisors, contractors, or other personnel of Customer or any of its subsidiaries or affiliates (who are natural persons), and any staff or student or other end users authorized by Customer to use the Services under the Agreement.
Categories of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, subject to the terms of the Agreement, and which may include, but is not limited to:
Special Categories of Data or Sensitive Personal Data (if applicable)
Subject to any applicable restrictions and/or conditions in the Agreement, and subject to Section 3(b) of this DPA, Customer may also include 'special categories of personal data' or similarly sensitive personal data (as described or defined in Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
i. Access Controls – policies, procedures, and physical and technical controls designed: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Personal Data or information relating thereto to unauthorized individuals; and (iv) to encrypt and decrypt Personal Data where appropriate.
ii. Security Awareness and Training – a security awareness and training program for all members of the workforce (including management), which includes training on how to implement and comply with its Information Security Program.
iii. Security Incident Procedures – a Security Incident Response Plan, and policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
iv. Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including a data backup plan and a disaster recovery plan.
v. Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of processing facilities, and the movement of these items within processing facilities, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.
vi. Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
vii. Security Audits – annual third-party security audits, such as SSAE 16 SOC2, of hosting and data center providers, who also maintain current ISO 27001 certifications.
viii. Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.
ix. Storage and Transmission Security – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network, including a mechanism to ensure Personal Data in electronic form is encrypted while in transit and in storage on networks or systems to which unauthorized individuals may have access.
x. Assigned Security Responsibility – designate a security official responsible for the development, implementation, and maintenance of its Information Security Program, and inform Company upon request as to the person responsible for security.
xi. Storage Media – policies and procedures to ensure that prior to any storage media containing Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, irreversibly delete such Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media such that it is impossible to recover any portion of data on the media that was destroyed. Also maintain an auditable program implementing the disposal and destruction requirements set forth in this Section for all storage media containing Personal Data.
xii. Testing – regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified.
xiii. Adjust the Program – monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to the Personal Data, and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.