Data Processing Agreement
"Agreement" means Seesaw’s Terms of Service, which govern the provision of the Services to Customer, as such terms may be updated by Seesaw from time to time. The Terms of Service are available at http://web.seesaw.me/terms-of-service.
“Customer” means a school or school district, however organized, located with the European Economic Area (EEA) that contracts with Seesaw to receive Seesaw’s Services.
"Customer Data" means any Personal Data that Seesaw processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
"Data Controller" means a school or school district, however organized, that contracts as a Customer with Seesaw to provide Seesaw’s services to the cohort of parents, students, teachers, school officials or other end users authorized by the Customer that determines the purposes and means of the processing of Personal Data.
"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.
"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive") and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
"EEA" means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Privacy Shield" means the EU- U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification programs operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
"Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.
“Subprocessor” has the meaning given to it in the GDPR and refers to an entity that contracts with Seesaw to assist Seesaw in the Processing of a Customer’s data as explicitly directed and limited by the Agreement between the Controller, Seesaw’s Customer, and Seesaw.
2.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.2 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.3 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Scope and Applicability of this DPA
3.1 This DPA applies where and only to the extent that Seesaw processes Customer Data that originates from the EEA and/or that is otherwise subject to EU Data Protection Law on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement.
4. Roles and Scope of Processing
4.1 Role of the Parties. As between Seesaw and Customer, Customer is the Data Controller of Customer Data, and Seesaw shall process Customer Data only as a Data Processor acting on behalf of Customer.
4.2. Customer Processing of Customer Data. Customer agrees and certifies that: (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Seesaw; (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Seesaw to process Customer Data and provide the Services pursuant to the Agreement and this DPA; (iii) the consents it has obtained from adults are freely given, affirmative grants of consent; (iv) the consents it has obtained regarding minors are obtained from a parent or legal guardian of the minor in question; and, (v) the Customer has a mechanism in place to capture the demonstration of those grants of consent and can provide this upon request of appropriate legal authority within the EU.
4.3 Seesaw Processing of Customer Data. Seesaw shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Seesaw in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written Agreement between Customer and Seesaw.
5.1 Authorized Subprocessors. Customer agrees that Seesaw may engage Subprocessors to process Customer Data on Customer's behalf. The Subprocessors currently engaged by Seesaw and authorized by Customer are listed at https://help.seesaw.me/hc/en-us/articles/360002362152.
5.2 Subprocessor Obligations. Seesaw shall: (i) enter into a written agreement with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Seesaw to breach any of its obligations under this DPA.
5.3 Authorization of Subprocessors. Customer agrees that by agreeing to this DPA it has reviewed all of the Subprocessors utilized by Seesaw in the processing of Customer Data and expressly authorizes Seesaw to utilize those Subprocessors.
6.1 Security Measures. Seesaw shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with Seesaw's security standards described in https://help.seesaw.me/hc/en-us/articles/203258429.
6.2 Updates to Security Measures. Customer is responsible for reviewing the information made available by Seesaw relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Seesaw may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
7. International Transfers
7.1 Data center locations. Seesaw may transfer Customer Data to the United States and process it there. Seesaw shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws.
7.2 Privacy Shield. Seesaw agrees to protect Personal Data in accordance with the requirements of the Privacy Shield Principles as described at www.privacyshield.gov. If Seesaw is unable to comply with this requirement, Seesaw shall inform Customer.
8. Additional Security
8.1 Confidentiality of Processing. Seesaw shall ensure that any person who is authorized by Seesaw to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
8.2 Security Incident Response. Upon becoming aware of a Security Incident, Seesaw shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
9.1 Seesaw shall provide an up-to-date list of the Subprocessors it has appointed upon written request from Customer.
9.2 Customer may object in writing to Seesaw’s appointment of a new Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
10. Return or Deletion of Data
10.1 Upon termination or expiration of the Agreement, Seesaw shall (at Customer's election) delete or return to Customer all Customer Data (including copies) in its possession or control, unless a student or parent has created an independent account with Seesaw and wishes to retain their own information. This requirement shall not apply to the extent Seesaw is required by applicable law to retain some or all of the Customer Data.
11.1 The Services provide Customer with a number of controls that Customer may use to retrieve, correct, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Seesaw shall provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to Seesaw, Seesaw shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Seesaw is required to respond to such a request, Seesaw shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so. It is Customer’s responsibility to verify the identity of a data subject making such a request before Seesaw will respond to any request.
11.2 If a law enforcement agency sends Seesaw a demand for Customer Data (for example, through a subpoena or court order), Seesaw shall attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Seesaw may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Seesaw shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Seesaw is legally prohibited from doing so.
Seesaw’s Data Protection Officer is Carl Sjogreen and he can be reached at email@example.com. Seesaw’s data protection supervisory authority is Ireland. VeraSafe has been appointed as Seesaw’s representative in the European Union for data protection matters. Verasafe can be contacted at: https://www.verasafe.com/privacy-services/contact-article-27-representative. Alternatively, Verasafe can be contacted at Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland. Their phone number is +1 617-398-7067.