Effective: 16 April, 2024
The Data Processing Agreement (“DPA”) forms a legally binding agreement between The Institution (“Institution”) and ApplyBoard Inc. (“ApplyBoard”), applies to the extent that the Institution and ApplyBoard share Personal and confidential Information as described below, and is incorporated into the ApplyBoard-Institution Partner Agreement (“Partner Agreement”). This DPA serves to meet accountability obligations of both the data controller(s) and/or processor, as applicable, under any applicable law, statute, regulation relating to the protection of personal data including but not limited to Regulation 2016/678 (the GDPR), Canada’s Personal Information Protection & Electronic Document Act (PIPEDA) including provincial privacy laws as may be applicable, the Information Technology Act (ITA) 2000 and its ancillary rules, and any other applicable data protection laws. Some terms used in this DPA are defined in the Partner Agreement.
1.1. “Applicable Data Protection Law” refers to all laws and regulations applicable to the parties’ processing of personal information under the Agreement. For example, in Canada this will include the Personal Information Protection & Electronic Document Act (PIPEDA) and provincial privacy laws as may be applicable. In India, this will include the Information Technology Act (ITA) 2000 and the ancillary rules and the Digital Personal Data Protection Act (DPDPA) 2023. In the United States, this may include the Family Education Rights Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), and the Children’s Online Privacy Protection Act (COPPA), as well as applicable State student and consumer privacy laws (such as the California Consumer Privacy Act (CCPA)). In the European Union (and outside the EU, if extraterritorially applicable), this will include the General Data Protection Regulation (“GDPR”) and the national laws implementing GDPR, as applicable. In the UK, this will include the UK General Data Protection Regulation (“UK GDPR”). In Australia, this may include the Privacy Act 1998 and amendments.
1.2. “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal information.
1.3. “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal information on behalf of the controller.
1.4. “Personal Data” / “Personal Information” are used interchangeably to mean personal data about an identifiable individual (“Data Subject”).
1.5. “Personal Data Breach” means a breach of security safeguards i.e. the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal information on systems managed or controlled by a party.
1.6. “Sub-Processor” means a third party appointed by the data processor to process personal information on its behalf and pursuant to the service agreement.
1.7. The terms, “Data Controller” or “Controller”, “Data Processor” or “Processor”, “Data Subject”, “Personal Data”, “Process”, “Processed” or “Processing” have the meanings given by either (a) Applicable Data Protection Law; or (b) absent any such meaning or law, the GDPR.
The subject-matter of the processing is described in Schedule 1 to this DPA.
3.1. Processor’s Obligations
3.1.1. Compliance with Instructions: The Data Processor will only process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of the Data Controller’s lawful instructions, and will comply with the obligations applicable to it under the Applicable Data Protection Law with respect to the processing of Personal Data, except where and to the extent otherwise required by applicable law.
3.1.2. The Data Controller is solely responsible for determining the purposes and means of processing Personal Data and has all necessary authority, grounds, rights, and permissions to provide the Personal Data to the Data Processor, and will comply with its obligations as a Data Controller under Applicable Data Protection Laws.
3.1.3. Conflict of Laws: Where the Data Processor becomes aware that it cannot process Personal Data in accordance with the Data Controller’s instructions due to a legal requirement under any applicable law, it will:
3.1.4. Security: The Data Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data from personal data breaches (“Security Measures”). Notwithstanding any provision to the contrary, the Data Processor may modify or update the security measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the security measures.
3.1.5. Confidentiality: The Data Processor shall ensure that any personnel whom it authorizes to process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
4.1. Upon request, the Data Processor shall provide reasonable cooperation and any necessary assistance to the Data Controller in:
4.1.1. responding to any legally required inquiries, complaints, or other communication regarding its processing of Personal Data;
4.1.2. any request from a Data Subject to exercise its rights under data protection law (including access, correction, deletion, portability, as applicable) including by assisting with appropriate technical and organizational measures, and;
4.1.3. the Data Controller’s obligations under Applicable Data Protection Laws, including assisting with data impact assessments where applicable, in each case in so far as possible and taking into account the nature of the Data Processor’s processing and the Personal Data available to the Data Processor.
4.2. The Data Processor shall be obliged to provide such assistance only insofar that the Data Controller cannot respond to such request on its own.
5.1. In the event there is, or the Data Processor reasonably believes that there is, any improper, unauthorized or unlawful access to, use of, or disclosure of, or any other compromise which affects the availability, integrity or confidentiality of Personal Data which is processed by the Data Processor under or in connection with this DPA and/or the Partner Agreement (“Data Breach”), then upon becoming aware of such Data Breach, the Data Processor will promptly, and no later than 72 hours after becoming aware, notify the Data Controller and provide the Data Controller with the following information as it becomes available:
5.1.1. a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned;
5.1.2. the name and contact details of the Data Processor contact from whom more information can be obtained; and
5.1.3. a description of the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.2. The parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant regulators in connection with a Data Breach, provided that nothing in this section shall prevent either party from complying with its obligations under Applicable Data Protection Laws.
6.1. The Data Processor warrants that where Personal Data is transferred outside of the EEA, it will be processed no less than the standards in Schedule 3: Cross Border Transfer Mechanisms or in accordance with the provisions of the Standard Contractual Clauses or Binding Corporate Rules, unless the processing takes place:
6.1.1. in a third country or territory recognised by the EU Commission to have an adequate level of protection; or
6.1.2. by an organization located in a country which has other legally recognised appropriate safeguards in place, such as the EU/Swiss-US Data Privacy Framework.
The Data Processor shall take all reasonable efforts to make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Laws.
7.1. Upon the Data Controller’s request, the Data Processor shall provide the Data Controller with reasonable cooperation and assistance needed to fulfill the Data Controller’s obligation under the Applicable Data Protection Law to carry out a data protection impact assessment related to Data Controller’s use of the services, to the extent the Data Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Data Processor.
7.2. The Data Processor shall provide reasonable assistance to the Data Controller in the cooperation or prior consultation with the regulator in the performance of its tasks to the extent required under the Applicable Data Protection Law.
8.1. The Data Controller agrees that the Data Processor may engage Sub-Processors to process Personal Data. The Data Processor shall ensure that each Sub-Processor has entered into a written agreement requiring the Sub-Processor to abide by terms no less protective than those provided in this DPA. The Data Processor shall be liable for the acts and omissions of any Sub-Processors to the same extent as if the acts or omissions were performed by the Data Processor.
9.1. Upon termination or expiry of the Partner Agreement or on written request of the Data Controller, the Data Processor shall, at the choice of the Data Controller, delete or return to the Data Controller all data processed, and delete existing copies of such data unless applicable law requires the storage of such Personal Data. The Data Processor shall ensure that the deletion of Personal Data is done in a secure manner and in accordance with the security requirements of Applicable Data Protection Laws.
9.2. Where the Data Processor retains Personal Data, it shall continue to treat such retained Personal Data as confidential and protect it in accordance with this DPA and Applicable Data Protection Law. This obligation of confidentiality shall survive the termination or expiry of this DPA for as long as the Data Processor retains any Personal Data.
10.1. The Data Processor’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be as prescribed under the Applicable Data Protection Law. This liability is subject to any ‘Limitation of Liability’ section of the Partner Agreement.
10.2. In the event of a conflict between the provision on limitation of liability in the Partner Agreement and the Data Processor’s liability under the Applicable Data Protection Law, the provisions of the Applicable Data Protection Law shall prevail.
10.3. Notwithstanding any other provision in this DPA or the Partner Agreement, the Data Controller retains the right to pursue the Data Processor for any losses, damages, or claims made against the Data Controller as a result of the Data Processor’s failure to adhere to its obligations under this DPA or the Applicable Data Protection Law.
This DPA will terminate automatically upon termination of the Partner Agreement subject to clause 9 of this DPA.
If this DPA conflicts with the Partner Agreement, then to the extent of the conflict the governing documents will be, in descending order:
12.1.1. the DPA;
12.1.2. the ApplyBoard-Institution Partner Agreement.
Details of Processing | Description |
---|---|
The subject matter and duration of the Processing | The Personal Information of prospective applicants to the Institution. ApplyBoard will process the Personal Information in relation to the Institution’s prospective applicants in providing the Services to the Institution. ApplyBoard will process the Personal Information for the duration of the Agreement. |
The nature and purpose of the Processing | The provision of the Services by ApplyBoard to the Institution. |
The type of Personal Information being Processed | The type of personal information being processed includes all data required for an application to be submitted to the Institution for admission purposes. This includes data related to: |
Sensitive Data being processed | Sensitive data may be included as part of the application process including: |
The categories of Data Subjects | Prospective applicants to the Institution |
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Where applicable, this Schedule 3 will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.
Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measure |
---|---|
Measures of pseudonymisation and encryption of personal data | For the ApplyBoard Services, (a) the databases that store Personal Information are encrypted using the Advanced Encryption Standard and (b) Student Data is encrypted when in transit between a student/applicant’s browser application and the ApplyBoard platform using TLS v1.2. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | The ApplyBoard platform uses tools and mechanisms within AWS to achieve high availability and resiliency. For ApplyBoard services, the ApplyBoard infrastructure spans multiple fault-independent AWS availability zones in the USA and Canada. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | ApplyBoard performs regular backups of personal data, which is hosted on AWS’s data center infrastructure. Personal data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256) |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | ApplyBoard performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. |
Measures for user identification and authorisation | Each user account inside of ApplyBoard is mapped back to a unique email address which the user enters and validates during account creation. The system enforces strong password selection upon account setup. Password reuse is blocked for the previous four passwords. ApplyBoard’s use of the third-party authentication provider Okta allows students the option, after registration to the ApplyBoard system, of using their Facebook, Apple, or Google authentication to provide a seamless login to the ApplyBoard system. If the user has activated MFA or 2FA with one of these three authentication systems, the ApplyBoard application will automatically support it. |
Measures for the protection of data during transmission and during storage. | For the ApplyBoard Services, (a) the databases that store Personal data are encrypted using the Advanced Encryption Standard and (b) Personal data is encrypted when in transit between Student’s browser application and the Services using TLS v1.2. (Only Strong Ciphers are permitted) ApplyBoard performs regular backups of Personal Information, which is hosted on AWS’s data center infrastructure. Personal information that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256). The cloud platform for the ApplyBoard Services is hosted by Amazon Web Services (“AWS”). The AWS data center infrastructure used in providing the ApplyBoard Services is located in the United States. Additional information about security provided by AWS is available at https://aws.amazon.com/security and https://aws.amazon.com/whitepapers/overview-of-security-processes. ApplyBoard’s production environment within AWS, where Student Data and the ApplyBoard Services are hosted, is a logically isolated Virtual Private Cloud (VPC). |
Measures for ensuring physical security of locations at which personal data are processed | AWS data centers that host the ApplyBoard Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, ApplyBoard headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security. All employees, and contractors are required to possess an access badge, and visitors are required to wear identification badges. |
Measures for internal IT and IT security governance and management | ApplyBoard maintains a risk-based assessment security program. The framework for ApplyBoard’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Personal Information. ApplyBoard’s security program is intended to be appropriate to the nature of the Services and the size and complexity of ApplyBoard’s business operations. |
(b) 2021 Standard Contractual Clauses; and
(b) UK Addendum.
2.1 Order of Precedence. In the event the transfers are covered by more than one Transfer Mechanism, the transfer of personal information will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2.2 (The 2021 Standard Contractual Clauses) or Section 2.3 (UK Addendum) of this Schedule 3; and, if not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
2.2 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal information that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal information. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
(a) Module One (Controller to Controller) of the 2021 Standard Contractual Clauses will apply where (i) ApplyBoard is processing Student Data and (ii) Institution is a controller of Student Data and ApplyBoard is processing Student Data.
(b) Where applicable:
(i) in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;
(ii) in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will not be applicable;
(iii) in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
(vi) in Annex I, Part A of the 2021 Standard Contractual Clauses:
Data Exporter: Institution
Contact details: The email address(es) designated by Institution.
Address: The address for Institution specified in the Partner Agreement.
Data Exporter Role: The Data Exporter’s role is set forth in Section 3.2 (Processor’s Obligations) of this DPA.
Signature and Date: By entering into this DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
Data Importer: ApplyBoard
Contact details: ApplyBoard’s Privacy Office – DPO@applyboard.com.
Address: The address for ApplyBoard specified in the Partner Agreement.
Data Importer Role: The Data Importer’s role is set forth in Section 3.1 (Controller’s Obligations) of this DPA.
Signature and Date: By entering into this DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the DPA.
(vii) in Annex I, Part B of the 2021 Standard Contractual Clauses:
The categories of data subjects are described in Schedule 1 (Details of Processing) of this DPA.
The Sensitive Data transferred is described in Schedule 1 (Details of Processing) of this DPA.
The frequency of the transfer is a continuous basis for the duration of the DPA.
The nature of the processing is described in Schedule 1 (Details of Processing) of this DPA.
The purpose of the processing is described in Schedule 1 (Details of Processing) of this DPA.
The period for which the personal information will be retained is described in Schedule 1 (Details of Processing) of this DPA.
(viii) in Annex I, Part C of the 2021 Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
(ix) Schedule 2 (Technical and Organizational Security Measures) of this DPA serves as Annex II of the Standard Contractual Clauses.
2.3 UK Addendum. The parties agree that the UK Addendum will apply to personal information that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal information. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows: