Data Sharing Agreement

Effective: 17th May, 2021

Introduction

This Data Sharing Agreement (“Agreement”) forms a legally binding agreement between Institution and ApplyBoard, applies to the extent Institution and ApplyBoard share Personal Information regarding students/applicants as described below, and is incorporated into the ApplyBoard Institution Partner Agreement. This data sharing agreement, which is sometimes referred to as a controller-to-controller data processing agreement, serves to meet accountability obligations under the GDPR, or other Applicable Data Protection Laws. Some terms used in this Agreement are defined in the ApplyBoard Institution Partner Agreement. ApplyBoard Inc acts as the data controller under this Agreement regardless of which ApplyBoard entity you contract with for the underlying ApplyBoard Institution Partner Agreement.

1. Definitions

    • “Applicable Data Protection Law” refers to all laws and regulations applicable to the parties’ processing of personal data under the Agreement. As an example, in Canada, this may include the Federal and Provincial data protection laws. In the United States, this may include the Family Education Rights Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), and the Children’s Online Privacy Protection Act (COPPA), as well as applicable State student and consumer privacy laws (such as the California Consumer Privacy Act (CCPA)). In the European Union (and outside the EU, if extraterritorially applicable), this will include the General Data Protection Regulation (“GDPR”) and the national laws implementing GDPR, as applicable. In the UK, this will include the UK General Data Protection Regulation (“UK GDPR”). In Australia, this may include the Privacy Act 1988 and amendments. In New Zealand, this may include the Privacy Act 2020 and amendments.

 

    • “Personal Information” means personal data about an identifiable individual (“data subject”) that is provided to Institution or ApplyBoard (the “Receiving Party”) by or on behalf of the other party (the “Disclosing Party”) when both the Receiving Party and Disclosing Party are each a controller.

 

    • “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information on systems managed or controlled by a party.

 

  • The terms “personal data,” “data subject,” “processing,” “controller,” “processor,” “representative,” and “supervisory authority,” each as used in this Agreement, have the meanings given in the GDPR, or UK Data Protection Laws, as applicable, in each case irrespective of whether Applicable Data Protection Law applies.

2. Roles and Restrictions

  1. Roles of Parties. Each party will comply with the Applicable Data Protection Law in connection with the performance of each of their respective obligations under this Agreement. Institution and ApplyBoard are each an independent data controller of Personal Information regarding students/applicants that will, subject to any restrictions set forth in this Agreement and the ApplyBoard Institution Partner Agreement, independently determine the purposes and means of the processing of Personal Information regarding students/applicants under Applicable Data Protection Law.  It is not envisaged that either party shall act as a processor on behalf of the other party as a controller.

  2. Transparency and Data Protection Rights. Institution and ApplyBoard will individually inform data subjects and allow data subjects to exercise their rights under Applicable Data Protection Law.

  3. Details of Data Processing. The subject matter and details of processing are described in Schedule 1 of this Agreement.

  4. Compliance with Law. Each party agrees it will comply with its obligations under the Applicable Data Protection Law relating to any Personal Information regarding students/applicants it processes under or in relation to this Agreement.

  5. Data Security. In accordance with Applicable Data Protection Law, each party will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Personal Information regarding students/applicants; and (ii) prevent unauthorized or unlawful processing of Personal Information regarding students/applicants, accidental loss, disclosure or destruction of, or damage to, Personal Information regarding students/applicants.

  6. Confidentiality. Each party will ensure that only personnel who may be required to assist in meeting its obligations under the ApplyBoard Institution Partner Agreement or this Agreement will have access to Personal Information regarding students/applicants and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the confidentiality of the Personal Information regarding students/applicants.

3. Data Breach

  1. Notification. If a party encounters a Personal Data Breach (the “Breached Party”), that party will notify the other party without undue delay and, where feasible, no more than 72 hours after becoming aware of a Personal Data Breach. The Breached Party will also provide to the other party a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known) the categories of data subjects affected, and other information required by Applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available, and the Breached Party will cooperate with any reasonable request made by the other party relating to the Personal Data Breach.
  3. Investigation. The Breached Party agrees to immediately take action to investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and with the other party’s prior agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach.

4. Data Transfers

  1. To the extent there are any transfers of Personal Information from one party to the other that require an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area (“EEA”), the United Kingdom, Switzerland, or any other jurisdiction) to ApplyBoard located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 2 (Cross Border Transfer Mechanisms) shall:

    1. apply to such transfers;

    2. take precedence over all other terms, including the terms of this Agreement, in respect of such transfers;

    3. form a legally binding contract between Institution as the data exporter and ApplyBoard as or on behalf of the data importer; and

    4. be hereby incorporated into the ApplyBoard Institution Partner Agreement.

  2. With respect to personal data of EEA, Switzerland, and UK data subjects, Institution and ApplyBoard agree that each party may process Personal Information outside the EEA, Switzerland, and the UK where the Applicable Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies.

  3. With respect to personal data in other jurisdictions, Institution and ApplyBoard agree that each party may process Personal Information outside of that jurisdiction where the Applicable Data Protection Law requirements are fulfilled, or an exception applies.

5. Termination

This Agreement will terminate automatically upon termination of the ApplyBoard Institution Partner Agreement.

6. Conflicts

If this Agreement conflicts with the ApplyBoard Institution Partner Agreement, or ApplyBoard’s Terms and Conditions, then to the extent of the conflict the governing documents will be, in descending order: Schedule 2 of this Agreement (but only to the extent it applies under section 4.a above), this Agreement, the ApplyBoard Institution Partner Agreement, and ApplyBoard’s Terms and Conditions.

SCHEDULE 1

Details of the Processing
The subject matter and duration of the Processing: The subject matter of the Processing is the Processing of Personal Information in relation to prospective applicants to the Institution. ApplyBoard will Process the Personal Information in relation to the Institution’s prospective applicants in providing the Services to the Institution. ApplyBoard will Process the Personal Information for the duration of the Agreement or as otherwise specified in the data protection provisions.
The nature and purpose of the Processing: The nature and purpose of the Processing is the provision of the Services by ApplyBoard to the Institution.
The type of Personal Information being Processed: The type of personal information being processed includes all data required for an application to be submitted to the Institution for admission purposes. This includes data related to:
  • Personal details (student name, gender, date of birth, nationality/ residence)
  • Contact details (email address, telephone number, address)
  • Education qualifications
  • Professional/ Work experience
  • English language qualifications
  • Personal statement and/or research proposal
  • Passport information
  • Referee information
  • Information about course of choice
  • Information about funding of studies (sponsor information)
  • Criminal convictions
  • Nominated person with whom application information can be shared
  • Socioeconomic background of a candidate including whether they have been in care, their parents’ education and occupational background.
Sensitive Data being processed:
  • Equality monitoring information (ethnic origin, religion or belief, sexual orientation, whether the candidate identifies as transgender)
The categories of Data Subjects: Prospective applicants to the Institution

SCHEDULE 2

Cross Border Transfer Mechanisms

    1. Definitions
      • “EC” means the European Commission
      • “EEA” means the European Economic Area
      • “Standard Contractual Clauses” means, depending on the circumstances unique to Customer, any of the following:
        1. UK Standard Contractual Clauses, and
        2. 2021 Standard Contractual Clauses
      • “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC (“UK Controller to Controller SCCs”).
      • “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
    2. Cross Border Data Transfer Mechanisms.
      • 2.1 Order of Precedence. In the event the transfers are covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2.2 (UK Standard Contractual Clauses) or Section 2.3 (The 2021 Standard Contractual Clauses) of this Schedule 3; and, if not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
      • 2.2 UK Standard Contractual Clauses. The parties agree that the UK Standard Contractual Clauses will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
        • (a) The UK Controller to Controller SCCs will apply where ApplyBoard is processing Personal Information. In Clause II(h) of the UK Controller to Controller SCCs, ApplyBoard will process personal data in accordance with the data processing principles set forth in Annex A of the UK Controller to Controller SCCs. The illustrative commercial clause will not apply. Schedule 1 (Details of Processing) of this Addendum serves as Annex B of the UK Controller to Controller SCCs. Personal data transferred under these clauses may only be disclosed to the following categories of recipients: (i) ApplyBoard’s employees, agents, affiliates, advisors, and independent contractors with a reasonable business purpose for processing such personal data; (ii) ApplyBoard’s vendors that, in their performance of their obligations to ApplyBoard, must process such personal data acting on behalf of and according to instructions from ApplyBoard; and (iii) any person (natural or legal) or organization to whom ApplyBoard may be required by applicable law or regulation to disclose personal data, including law enforcement authorities and central and local government authorities.
    • 2.4 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

      • (a) Module One (Controller to Controller) of the 2021 Standard Contractual Clauses will apply where (i) ApplyBoard is processing Student Data and (ii) Institution is a controller of Student Data and ApplyBoard is processing Student Data.

      • (e) Where applicable:
        • (i) in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;

        • (ii) in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will not be applicable;

        • (iii) in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;

        • (iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;

        • (v) in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

        • (vi) in Annex I, Part A of the 2021 Standard Contractual Clauses:

          • Data Exporter: Institution.

          • Contact details: The email address(es) designated by Institution.

          • Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Relationship of the Parties) of this Agreement.

          • Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

          • Data Importer: ApplyBoard Inc.

          • Contact details: ApplyBoard’s Privacy Office – DPO@applyboard.com

          • Data Importer Role: The Data Importer’s role is set forth in Section 2 (Relationship of the Parties) of this Agreement.

          • Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

        • (vii) in Annex I, Part B of the 2021 Standard Contractual Clauses:

          • The categories of data subjects are described in Schedule 1 (Details of Processing) of this Agreement.

          • The Sensitive Data transferred is described in Schedule 1 (Details of Processing) of this Agreement.

          • The frequency of the transfer is on a continuous basis for the duration of the Agreement.

          • The nature of the processing is described in Schedule 1 (Details of Processing) of this Agreement.

          • The purpose of the processing is described in Schedule 1 (Details of Processing) of this Agreement.

          • The period for which the personal data will be retained is described in Schedule 1 (Details of Processing) of this Agreement.

        • (viii) in Annex I, Part C of the 2021 Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.

        • (ix) Schedule 3 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the Standard Contractual Clauses.

SCHEDULE 3

Where applicable, this Schedule 3 will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.

Technical and Organizational Security Measure: Evidence of Technical and Organizational Security Measure

Measures of pseudonymisation and encryption of personal data: For the ApplyBoard Services, (a) the databases that store Personal Information are encrypted using the Advanced Encryption Standard and (b) Student Data is encrypted when in transit between a student/applicant’s browser application and the ApplyBoard platform using TLS v1.2.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: The ApplyBoard platform uses tools and mechanisms within AWS to achieve high availability and resiliency. For ApplyBoard services, the ApplyBoard infrastructure spans multiple fault-independent AWS availability zones in the USA and Canada.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: ApplyBoard performs regular backups of Personal Information, which is hosted on AWS’s data center infrastructure. Personal Information that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: ApplyBoard performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly.

Measures for user identification and authorisation: Each user account inside of ApplyBoard is mapped back to a unique email address which the user enters and validates during the account creation. The system enforces a strong password selection upon account setup. Password reuse is blocked for the previous four passwords. ApplyBoard’s use of the third party authentication provider Okta allows students the option of, after registration to the ApplyBoard system, using their Facebook, Apple, or Google authentication to provide a seamless login to the ApplyBoard system. If the user has activated MFA or 2FA with one of these three authentication systems, the ApplyBoard application will automatically support it.

Measures for the protection of data during transmission and during storage: For the ApplyBoard Services, (a) the databases that store Personal Information are encrypted using the Advanced Encryption Standard and (b) Personal Information is encrypted when in transit between Student’s browser application and the Services using TLS v1.2. (Only Strong Ciphers are permitted.) ApplyBoard performs regular backups of Personal Information, which is hosted on AWS’s data center infrastructure. Personal information that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256). The cloud platform for the ApplyBoard Services is hosted by Amazon Web Services (“AWS”). The AWS data center infrastructure used in providing the ApplyBoard Services is located in the United States. Additional information about security provided by AWS is available at https://aws.amazon.com/security and https://aws.amazon.com/whitepapers/overview-of-security-processes. ApplyBoard’s production environment within AWS, where Student Data and the ApplyBoard Services are hosted, is a logically isolated Virtual Private Cloud (VPC).

Measures for ensuring physical security of locations at which personal data are processed: AWS data centers that host the ApplyBoard Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, ApplyBoard headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security. All employees and contractors are required to possess an access badge, and visitors are required to wear identification badges.

Measures for internal IT and IT security governance and management: ApplyBoard maintains a risk-based assessment security program. The framework for ApplyBoard’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Personal Information. ApplyBoard’s security program is intended to be appropriate to the nature of the Services and the size and complexity of ApplyBoard’s business operations.