Brisk Data Processing Addendum
Effective Date: August 22, 2024
This Data Processing Addendum ("DPA") supplements and forms part of the agreement between Brisk Labs Corp. ("Brisk") and the Educational Institution or (where applicable) a Teacher in relation to the transfer and processing of Covered Data in connection with the provision of the Service.
Unless otherwise defined in this DPA, capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:
"Agreement" means the agreement entered into between Brisk and the Customer incorporating the terms at https://www.briskteaching.com/terms or as otherwise agreed between the parties.
"Applicable Data Protection Laws" means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation) the GDPR.
"Authorized Sub-processor" means the Sub-processors listed in Schedule 4, and any other Sub-processors appointed in accordance with paragraph 7.4.
"Controller Purposes" means: (a) undertaking internal research and development to develop, test, improve and alter the functionality of Brisk's products and services; (b) creating anonymized datasets for training or evaluation of Brisk's products and services; and (c) administering Customer accounts on the Service and managing Brisk's relationship with the Customer under the Agreement, in each case as further described in Schedule 1.
"Covered Data" means Personal Data that is: (a) provided by or on behalf of the Customer to Brisk in connection with the provision of the Service; or (b) obtained, developed, produced or otherwise Processed by Brisk, or its agents or subcontractors, for the purposes of providing the Service, in each case as further described in Schedule 1.
"Customer" means the Educational Institution or a Teacher that enters into the Agreement with Brisk in relation to the Service.
"Data Subject" has the meaning given to it in the GDPR.
"Effective Date" means the date Brisk and the Customer enter into the Agreement.
"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR", as defined in section 3(10) of the Data Protection Act 2018.
"Personal Data" has the meaning given to it in the GDPR.
"Processing" has the meaning given to it in the GDPR, and "Process", "Processes" and "Processed" will be interpreted accordingly.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 and available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.
"Sub-processor" means a processor engaged by another processor to carry out the instructions of the controller.
"Swiss Data Protection Laws" means the Swiss Federal Act on Data Protection of 25 September 2020 ("FADP") and the Swiss Data Protection Ordinance of 31 August 2022 (the "Ordinance"), and any new or revised version of these laws that may enter into force from time to time.
The terms "controller" and "processor" have the meanings given to them in the GDPR.
This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.
The Parties acknowledge and agree that:
- save as set out in paragraph 3.1, Brisk Processes Covered Data as a processor in the performance of its obligations under the Agreement and this DPA and Customer acts as a controller; and
- Brisk acts as a controller with respect to the Processing of Covered Data for the Controller Purposes as identified in Schedule 1.
The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
Other than in respect of its Processing of Covered Data for the Controller Purposes:
- Brisk will only Process Covered Data under the instructions provided by the Customer and in accordance with Applicable Data Protection Laws; and
- the Agreement and this DPA shall constitute the instructions to Brisk for the Processing of Covered Data by Brisk, and the Customer may issue further written instructions in accordance with this DPA.
Brisk will:
- provide the Customer with information to enable the Customer to conduct and document any data protection impact assessments and prior consultations with supervisory authorities required under Applicable Data Protection Laws; and
- promptly inform the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Laws.
The Customer shall comply with its obligations under Applicable Data Protection Laws and shall ensure that:
- any instructions to Brisk in relation to the Processing of Covered Data comply with Applicable Data Protection Laws;
- it provides such information to Data Subjects regarding the Processing of Covered Data by Brisk as required under Applicable Data Protection Laws;
- it promptly notifies Brisk of any request received from a Data Subject to exercise their rights under Applicable Data Protection Laws.
Brisk shall:
- limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and
- ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.
Brisk may Process Covered Data anywhere that Brisk or its Sub-processors maintain facilities, subject to the remainder of this paragraph 7 and any restrictions on onward transfers contained in the SCCs.
The Customer grants Brisk general authorization to engage any Authorized Sub-processor to Process Covered Data.
Brisk shall:
- enter into a written agreement with each Authorized Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Brisk's obligations under this DPA; and
- remain liable for each Authorized Sub-processor’s compliance with the obligations under this DPA.
Brisk will provide the Customer with at least fourteen (14) days’ notice of any proposed changes to the Authorized Sub-processors. The Customer shall notify Brisk if it objects to the proposed change to the Authorized Sub-processors (including, where applicable, when exercising its right to object under clause 9(a) of the SCCs) by providing Brisk with written notice of the objection within seven (7) days after Brisk has provided notice to the Customer of such proposed change (an "Objection").
In the event the Customer submits an Objection, Brisk and the Customer shall work together in good faith to find a mutually acceptable resolution to address such Objection. If Brisk and the Customer are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, Brisk may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the Customer.
Brisk will notify the Customer without undue delay of any request received by Brisk or any Authorized Sub-processor from a Data Subject to assert their rights under Applicable Data Protection Laws in relation to Covered Data Processed by Brisk as a processor or Sub-processor (a "Data Subject Request").
Other than in respect of Brisk's Processing of Covered Data for the Controller Purposes, as between Brisk and the Customer, the Customer will have sole discretion in responding to the Data Subject Request. Brisk shall not respond to the Data Subject Request without the Customer's prior consent, save that Brisk may advise the Data Subject that their request has been forwarded to the Customer.
Brisk will provide the Customer with reasonable assistance as necessary for the Customer to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests in respect of Covered Data.
Brisk will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.
When assessing the appropriate level of security, Brisk shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
Brisk will implement and maintain as a minimum standard the measures set out in Schedule 2.
The Customer may audit Brisk's compliance with this DPA in respect of its Processing of Covered Data. The Parties agree that all such audits will be conducted:
- not more than annually, unless more frequent audits are required by a supervisory authority with jurisdiction over the Processing of Covered Data or otherwise under Applicable Data Protection Laws;
- upon reasonable written notice to Brisk;
- only during Brisk's normal business hours; and
- in a manner that does not materially disrupt Brisk's business or operations.
With respect to any audits conducted in accordance with paragraph 10.3:
- the Customer may engage a third-party auditor to conduct the audit on its behalf, save that Brisk may reasonably object to the engagement of a third-party auditor if such third-party auditor is a competitor of Brisk; and
- Brisk shall not be required to facilitate any such audit unless and until the Parties have agreed in writing the scope and timing of such audit.
The Customer shall promptly notify Brisk of any non-compliance discovered during an audit.
The results of the audit shall be Brisk's confidential information.
Brisk shall provide to the Customer upon request, or may provide to the Customer in response to any audit request submitted by the Customer to Brisk, either of the following:
- data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or
- such other documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards.
If an audit requested by the Customer is addressed in the documents or certification provided by Brisk in accordance with paragraph 10.7, and:
- the certification or documentation is dated within twelve (12) months of the Customer's audit request; and
- Brisk confirms that there are no known material changes in the controls audited,
the Customer agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.
Brisk shall notify the Customer in writing without undue delay after becoming aware of any Security Incident.
Brisk shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send the Customer timely information about the Security Incident, to the extent known to Brisk or as the information becomes available to Brisk, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.
Brisk shall provide reasonable assistance with the Customer's (or, where applicable, its Customers’) investigation of any Security Incidents and any of the Customer's (or, where applicable, its Customers') obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities.
Brisk's notification of or response to a Security Incident under this paragraph 11 shall not be construed as an acknowledgement by Brisk of any fault or liability with respect to the Security Incident.
This DPA shall commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Brisk's deletion of all Covered Data as described in this DPA.
Brisk shall:
- if requested to do so by the Customer (on behalf of its Customers, as appropriate) within thirty (30) days of expiry of the Agreement (the "Retention Period"), provide a copy of all Covered Data in such commonly used format as requested by the Customer, or provide a self-service functionality allowing the Customer to download such Covered Data; and
- on expiry of the Retention Period, delete all copies of Covered Data Processed by Brisk or any Authorized Sub-processors, other than any Covered Data that Brisk is required to retain to comply with applicable law, to pursue or defend legal claims or for the Controller Purposes.
The Standard Contractual Clauses shall, as further set out in Schedule 3, apply to transfers of Covered Data from the Customer to Brisk, and form part of this DPA.
The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.
Send promotional emails in accordance with Account Administrator's preferences.
Identify ways in which Brisk can improve the Service and fix errors in the Service.
Provision of service-related communications in accordance with the data subject's preferences.
Provision of technical support in relation to the Service.
Until the earlier of:
- termination of the Agreement; and
- closure of the relevant account on the Service held by the data subject, either at the request of the controller or following 18 months of inactivity.
Account tier, namely whether the Independent Teacher uses a premium or free account on the Service.
Questions, comments and other correspondence submitted in relation to the Service.
Subjects taught and student year groups or grades.
Content and materials created through the Service, including the amendments made to content automatically generated through the Service.
Websites visited in respect of which the Service is activated.
Feedback in relation to the content generated through the Service.
The features and functionalities used on the Service.
Informing product development and improvement.
Processing subscription payments.
Provision of service-related communications in accordance with the data subject's preferences.
Provision of technical support in relation to the Service.
Distribution of promotional emails in accordance with the data subject's preferences.
Informing product development and improvement.
Until the earlier of:
- termination of the Agreement; and
- closure of the relevant account on the Service held by the data subject, either at the request of the controller or following 18 months of inactivity.
Interaction with materials generated through the Service.
Feedback on work uploaded and reviewed through the Service.
Interaction with educational chatbots on the Service.
The competent supervisory authority is the Irish Data Protection Commissioner.
Introduction
Brisk employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorized access, disclosure or destruction.
Governance and Policies
Brisk assigns personnel with responsibility for the determination, review and implementation of security policies and measures.
Brisk:
- has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;
- reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.
Brisk establishes and follows secure configurations for systems and software and ensures that security measures are considered during project initiation and the development of new IT systems.
Breach response
Brisk has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated.
Intrusion, anti-virus and anti-malware defenses
Brisk's IT systems used to process personal data have appropriate data security software installed on them, including industry standard firewall, anti-virus, anti-malware and intrusion detection systems.
Brisk collects, maintains and reviews event logs to identify suspicious activity.
Access controls
Brisk limits access to personal data by implementing appropriate access controls, including:
- limiting administrative access privileges and use of administrative accounts;
- changing all default passwords before deploying operating systems, assets or applications;
- requiring authentication and authorization to gain access to IT systems (i.e. requiring users to enter a user id and password before they are permitted access to IT systems);
- measures to ensure least privilege access to IT systems;
- appropriate procedures for controlling the allocation and revocation of personal data access rights. For example, having in place appropriate procedures for revoking employee access to IT systems when they leave their job or change role;
- use of multi-factor authentication to access data on Brisk's systems;
- automatic timeout and locking of user terminals if left idle;
- access to IT systems is blocked after multiple failed attempts to enter correct authentication and/or authorization details;
- monitoring and logging access to IT systems;
- monitoring and logging amendments to data or files on IT systems.
Availability and Back-up personal data
Brisk has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated.
Brisk regularly backs up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested regularly.
Segmentation of personal data
Brisk:
- separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes;
- does not use live data for testing its systems.
Disposal of IT equipment
Brisk:
- has in place processes to securely remove all personal data before disposing of IT systems;
- uses appropriate technology to purge equipment of data.
Encryption
Brisk encrypts data at rest using AES-256 and in transit using TLS 1.2 or higher.
Encryption keys are stored separately from the encrypted information.
Transmission or transport of personal data
Appropriate controls are implemented by Brisk to secure personal data during transmission or transit, including:
- encryption in transit;
- logging personal data when transmitted electronically.
Device hardening
Brisk ensures that all virtual machines are hardened in accordance with the Center for Internet Security (CIS) Benchmarks.
Asset and Software management
Brisk maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets.
Brisk:
- documents and implements rules for acceptable use of IT assets.
- requires network level authentication and uses client certificates to validate and authenticate systems;
- deploys automated patch management tools and software update tools for operating systems and software;
- proactively monitors software vulnerabilities and promptly implements any out of cycle patches;
- permits the use of only the latest versions of fully supported web browsers and email clients.
Brisk stores all API keys securely, including as follows:
- Brisk stores API keys directly in its environment variables;
- Brisk does not store API keys on client side;
- Brisk does not publish API key credentials in online code repositories (whether private or not); and
- Brisk uses API key management tools to retrieve and manage credentials for large development projects.
Staff training and awareness
Brisk's agreements with staff and contractors and employee handbooks set out its personnel's responsibilities in relation to information security.
Brisk carries out:
- regular staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the onboarding procedures);
- appropriate screening and background checks on individuals that have access to sensitive personal data.
Brisk ensures that information security responsibilities that are applicable immediately before termination or change of employment and those which apply after termination / change of employment are communicated and implemented.
Staff are subject to disciplinary measures for breaches of Brisk's policies and procedures relating to data privacy and security.
Selection of service providers and commission of services
Brisk assesses service providers’ ability to meet its security requirements before engaging them.
Brisk has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Brisk's instructions.
Part 2
Assistance with Data Subject Rights Requests
Brisk has implemented appropriate policies and measures to identify and address data subject rights requests, including:
- Brisk maintains accurate records to enable it to identify quickly all personal data processed on behalf of the Customer; and
- back-ups of personal data processed by Brisk on behalf of the Customer are overwritten on a regular basis and in any event every thirty (30) days to ensure deletion and rectification requests are fully actioned.
With respect to any transfers referred to in clause 13, the Standard Contractual Clauses shall be completed as follows:
Module Two (controller to processor), or as appropriate, Module Three (processor to processor) of the SCCs will apply to Brisk’s Processing of Covered Data.
Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
Option 2 of Clause 9(a) (General written authorization) shall apply, and the time period to be specified is determined in clause 7.4 of the DPA.
The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be Irish law.
In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Ireland.
For the Purpose of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 2 of the DPA contains the technical and organizational measures.
This paragraph 2 (UK Addendum) shall apply to any transfer of Covered Data from the Customer (as data exporter) to Brisk (as data importer), to the extent that:
- the UK Data Protection Laws apply to the Customer when making that transfer; or
- the transfer is an "onward transfer" as defined in the Approved Addendum.
As used in this paragraph 2:
"Approved Addendum" means the template addendum, version B1.0, issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.
"UK Data Protection Laws" means all laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
The Approved Addendum will form part of this DPA with respect to any transfers referred to in paragraph 2.1, and execution of this DPA shall have the same effect as signing the Approved Addendum.
The Approved Addendum shall be deemed completed as follows:
- the "Addendum EU SCCs" shall refer to the SCCs as they are incorporated into this Agreement in accordance with clause 13 and this Schedule 3;
- Table 1 of the Approved Addendum shall be completed with the details in paragraph A of Schedule 1;
- the "Appendix Information" shall refer to the information set out in Schedule 1 and Schedule 2;
- for the purposes of Table 4 of the Approved Addendum, Brisk (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with Section 19 of the Approved Addendum; and
- Section 16 of the Approved Addendum does not apply.
This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws.
Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
"Addendum" means this addendum to the Clauses;
"Clauses" means the Standard Contractual Clauses as incorporated into this DPA in accordance with paragraph 13 and as further specified in this Schedule 3; and
"FDPIC" means the Federal Data Protection and Information Commissioner.
- This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties' obligations under Article 16(2)(d) of the FADP.
- This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) mean that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.
- In relation to any Processing of Personal Data subject to Swiss Data Protection Laws, this Addendum amends and supplements the Clauses to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and
- as standard data protection clauses approved, issued or recognised by the FDPIC for the purposes of Article 16(2)(d) of the FADP.
Hierarchy
In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.
Changes to the Clauses
- To the extent that the data exporter's Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an "onward transfer" (as defined in the Clauses, as amended by the remainder of this paragraph 3.3(a)), the following amendments are made to the Clauses:
- References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
- Clause 6 Description of the transfer(s) is replaced with:
- "The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer."
- References to "Regulation (EU) 2016/679" or "that Regulation" or "GDPR" are replaced by "Swiss Data Protection Laws", and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
- References to Regulation (EU) 2018/1725 are removed.
- References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
- Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the FDPIC;
- Clause 17 is replaced to state: "These Clauses are governed by the laws of Switzerland".
- Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."