Data Protection Addendum
Table of contents
- Introduction
- Definitions
- Data Processing
  - Scope of Processing
  - Nature and Purpose
- Security Measures
- Sub-processors
  - Authorization
  - List of Sub-processors
  - Sub-processor Obligations
- Data Subject Rights
- Data Breach Notification
- Data Transfers
- Audit Rights
- Term and Termination
- Contact Us
Introduction
This Data Protection Addendum (“DPA”) forms part of the Agreement between Ilmiya (“Processor”) and the Customer (“Controller”) for the provision of services.
This DPA reflects the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (GDPR).
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on Personal Data, whether or not by automated means
- Data Controller: The entity that determines the purposes and means of Processing Personal Data
- Data Processor: The entity that Processes Personal Data on behalf of the Controller
- Data Subject: An identified or identifiable natural person whose Personal Data is Processed
- Sub-processor: Any third party engaged by the Processor to Process Personal Data
Data Processing
Scope of Processing
Ilmiya will Process Personal Data only:
- On documented instructions from the Customer
- To provide the services described in the Agreement
- As required by applicable law
Nature and Purpose
The nature and purpose of Processing include:
- Providing educational technology services
- User account management
- Analytics and reporting
- Customer support
Security Measures
Ilmiya implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest
- Ensuring the ongoing confidentiality, integrity, and availability of systems
- Regular testing and evaluation of security measures
- Access controls and authentication
- Security incident detection and response procedures
Sub-processors
Authorization
Customer provides general authorization for Ilmiya to engage Sub-processors for Processing Personal Data.
List of Sub-processors
A current list of Sub-processors is available at /processor.
Sub-processor Obligations
Ilmiya ensures that Sub-processors:
- Are bound by written contracts with data protection obligations
- Provide sufficient guarantees for appropriate security measures
- Process Personal Data only as instructed
Data Subject Rights
Ilmiya assists Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of Processing
- Right to data portability
- Right to object
Data Breach Notification
Ilmiya will notify Customer without undue delay after becoming aware of a Personal Data breach, providing:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Data Transfers
When Personal Data is transferred outside the European Economic Area, Ilmiya ensures appropriate safeguards are in place, such as:
- Standard Contractual Clauses
- Adequacy decisions
- Other approved transfer mechanisms
Audit Rights
Customer may audit Ilmiya’s compliance with this DPA by:
- Requesting and reviewing relevant documentation
- Conducting or commissioning audits (with reasonable notice)
- Reviewing third-party certifications and audit reports
Term and Termination
This DPA will remain in effect for the duration of the Agreement. Upon termination, Ilmiya will delete or return all Personal Data as directed by Customer.
Contact Us
For questions about this Data Protection Addendum, please contact us at:
- Email: privacy@ilmiya.com
- Address: Ilmiya, Data Protection Officer