Revised: November 2022
This Data Processing Addendum (“DPA”) incorporates by reference the CMA between Credly, Inc. (“Credly”) and Client, or other agreement between Client and Credly governing when Personal Data is transferred between Credly and Client. This DPA is an agreement between Client and Credly. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in the Agreement and this DPA. In the event of conflict of terms then this DPA shall prevail.
a. “Applicable Data Protection Laws” means all data protection, privacy and data security laws applicable to the processing of personal data, including but not limited to, GDPR; the United Kingdom Data Protection Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection Act (“FADP”); the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100-.199 (“CCPA”); or Family Educational Rights and Privacy Act (“FERPA”).
b. “Client Data” means the data, including Personal Data, that is uploaded to the Credly Services by the Client. Client Data shall not include Earner Data.
c. "Connected Earner" means an Earner that has consented to share their Connected Earner Data with Client.
d. "Connected Earner Data" means the information, including but not limited to Personal Data, from a Connected Earner's Credly account that the Connected Earner consents to share with Client.
e. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
f. “Credly Information Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex II.
g. “Earner Data” means the data of an Earner that is processed by Credly pursuant to an agreement between Credly and that Earner.
h. “EEA” means the European Economic Area.
i. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
j. “processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
k. “Processor” means the entity which processes Personal Data on behalf of the Controller.
l. “Security Incident” a failure of Credly’s adherence to Annex II security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.
m. “Standard Contractual Clauses” or “SCC” means the Appendix to the European Commission Implementing Decision ((EU) 2021/914 of 4 June 2021) on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
n. “UK Addendum” means the ‘Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses’.
2. Data Processing.
a. Scope and Roles. This DPA applies when Personal Data is transferred between Credly and Client.
b. California Consumer Privacy Act (“CCPA”). To the extent that the CCPA is applicable, the parties acknowledge and agree that where Credly is a processor, Credly shall also be considered a service provider for the purposes of the CCPA. Credly certifies that it understands the rules, restrictions, requirements and definitions of the CCPA and agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Credly to qualify as a sale of Personal Data under the CCPA. Credly acknowledges and confirms that it does not receive any Personal Data from Client as consideration for any services or other items provided to Client. Credly shall not sell any Client Data. Credly shall not retain, use or disclose any Client Data except as necessary for the specific purpose of performing the services for Client pursuant to the Agreement or otherwise as set forth in the Agreement or as permitted by the CCPA. For purposes of this Section, the terms “Personal Data,” “service provider,” “sale,” and “sell” are as defined in Section 1798.140 of the CCPA.
c. Family Educational Rights and Privacy Act (“FERPA”). To the extent FERPA is applicable, Credly agrees to comply with all applicable federal and state laws related to the protection and privacy of student records, including, but not limited to FERPA. Credly will implement safeguards that: (a) ensure the security and confidentiality of Client Data; (b) protect against any anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information which could result in substantial harm or inconvenience to any students. If Credly subcontracts with a third party for any of the services that it is required to undertake in furtherance of this Agreement, Credly will take reasonable steps to verify that such third parties implement practices which protect Client Data.
d. Details of Data Processing.
i. Subject matter: The subject matter of the data processing under this DPA is personally identifiable Client Data or Earner Data.
ii. Duration: As between Credly and Client, the duration of the data processing under this DPA is for the Term of the Agreement.
iii. Purpose: The purpose of the data processing under this DPA is the provision of the Services.
iv. Nature of the processing: Credly will provide a platform for Client to create, manage, issue and use Credentials.
v. Categories of Personal Data: Client Data uploaded to the Services under Client accounts on Credly or Earner Data made available to Client pursuant to consent of the applicable Earner.
vi. Categories of data subjects: The data subjects may include Earners or Client’s customers, employees, end-users, and other individuals that are issued Credentials by Client.
vii. Location: Credly shall store all data in the United States.
e. Storage in United States. Notwithstanding anything to the contrary in this Agreement, the Parties acknowledge that Credly stores Personal Data, including Client Data, in the United States, and the storage by Credly of Personal Data in the United States shall not be deemed a violation of this Section or create a right of action under this Agreement.
f. Compliance with Applicable Data Protections Laws. The Parties represent that (a) the Connected Earner Data shall be lawfully collected and transferred in accordance with Applicable Data Protection Laws (as defined in the DPA); and (b) the Parties have, and shall maintain, the systems and processes in place to ensure compliance with the terms of the Agreement.
g. Cooperation between the Parties. The Parties will assist each other to comply with requests or complaints of data subjects or supervisory authorities regarding compliance with Applicable Data Protection Laws with regard to Connected Earner Data. The Parties will notify each other of any requests, enquiries, monitoring activities and similar measures undertaken by supervisory authorities regarding the handling of Personal Data under this DPA.
3. Client Instructions. The parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding Credly’s processing of Client Data (“Documented Instructions”). Credly will process Client Data only in accordance with Documented Instructions. Client shall obtain all consents required by any Applicable Data Protection Law from Earners for Credly to lawfully store, transfer, and process Personal Data provided by Client to Credly pursuant to the Agreement. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Credly and Client, including agreement on any additional fees payable by Client to Credly for carrying out such instructions. Client is entitled to terminate this DPA and the Agreement if Credly declines to follow instructions requested by Client that are outside the scope of, or changed from, those given or agreed to be given in this DPA.
4. Confidentiality of Client Data. Credly will not access or use, or disclose to any third party, any Client Data, except, in each case, as necessary to maintain under the Agreement, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Credly a demand for Client Data, Credly will attempt to redirect the governmental body to request that data directly from Client. As part of this effort, Credly may provide Client’s basic contact information to the government body. If compelled to disclose Client Data to a government body, then Credly will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless Credly is legally prohibited from doing so.
5. Confidentiality Obligations of Credly Personnel. Credly restricts its personnel from processing Client Data without authorization by Credly. Credly shall impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
6. Security of Data Processing. Credly has implemented and will maintain the technical and organizational measures for the Services as described in the Credly Information Security Standards, attached hereto as Annex II of the SCC.
a. Authorized Sub-processors. Client agrees that Credly may use sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. The Credly website (currently posted at https://info.credly.com/credly-platform-subprocessors) lists sub-processors that are currently engaged by Credly to carry out processing activities on Client Data on behalf of Client. At least 30 days before Credly engages any new sub-processor to carry out processing activities on Client Data on behalf of Client, Credly will email notice to the notice email set forth on the Order Form. If Client reasonably objects to a new sub-processor and such objection cannot be satisfactorily resolved within a reasonable time, Client may terminate this Agreement without penalty upon 30 days’ written notice to Credly.
b. Sub-processor Obligations. Where Credly authorizes any sub-processor as described in Section 7(a):
i. Credly will restrict the sub-processor’s access to Client Data only to what is necessary to maintain the Services or as necessary under the Agreement. Credly will prohibit the sub-processor from accessing Client Data for any other purpose; and
ii. Credly will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by Credly under this DPA, Credly will impose on the sub-processor the appropriate contractual obligations that Credly has under this DPA; and
iii. Credly will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that violate the obligations under this DPA as if caused by Credly itself.
8. Data Subject Requests. Should a data subject contact Credly with regard to correction or deletion of Client Data, Credly will use commercially reasonable efforts to direct such data subject to Client.
9. Security Breach Notification.
a. Security Incident. Credly will (i) notify Client of a Security Incident without undue delay after becoming aware of the Security Incident, (ii) investigate the Security Incident; (iii) provide Client with a summary about the Security Incident and (iv) take reasonable steps to mitigate the effects resulting from the Security Incident and enact procedures to prevent a recurrence of the Security Incident.
b. Credly Assistance. To assist Client in relation to any personal data breach notifications Client is required to make under the Applicable Data Protection Laws, Credly will include in the notification under section 9(a) such information about the Security Incident as Credly is reasonably able to disclose to Client, taking into account the nature of the Services, the information available to Credly, and any restrictions on disclosing the information, such as confidentiality. Credly’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Credly of any fault or liability of Credly with respect to the Security Incident.
c. Client Obligations. Where a controller-to-controller relationship exists between Credly and Client, Client shall notify Credly without undue delay in the event a personal data breach, as defined in the GDPR, occurs that requires Client to notify the competent supervisory authority or other regulator and/or the impacted data subjects.
10. Credly Certifications and Audit Right.
a. Credly Audits. Credly uses external auditors to verify the technical, organizational and security measures, including the security of the physical data centers from which Credly provides the Credly Services. This audit: (a) will be performed at least annually; (b) will be performed according to the ISO27001 standard or such other alternative standards that are substantially equivalent to ISO27001; (c) will be performed by independent third-party security professionals at Credly’s selection and expense; and (d) will result in the generation of an audit report (the “Report”), which will be Credly’s Confidential Information.
b. Audit Reports. At Client’s written request, Credly will provide Client with a copy of the Report so that Client can reasonably verify Credly’s compliance with its obligations under this DPA.
c. Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Services and the information available to Credly, Credly will assist Client in complying with Client’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the information Credly makes available under this Section.
d. After Client has exercised its rights under paragraph (a) above, if Client requires further information
Client will have the right to, at its own cost and subject to Client’s payment of Credly’s fees in relation to such audit at its standard professional services rates prevailing at the time, require that Credly (or its independent third-party auditors) carry out a bespoke audit in relation to Credly’s compliance with this DPA. Upon receipt of such request, Credly will carry out (or arrange) such audit within such reasonable period as Client and Credly may agree and will provide a copy of the audit report to Client promptly following conclusion of the audit.
11. Limitation of Liability. Each party’s liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement. In no event shall either party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
12. Application of Standard Contractual Clauses.
a. The Standard Contractual Clauses will apply to Client Data that is transferred outside the EEA, UK, or Switzerland (collectively, the “EEA-UK-CH”), either directly or via onward transfer, to any country not recognized by the European Commission, UK Information Commissioner’s Office, or the Swiss FDPIC as providing an adequate level of protection for personal data (as described in the GDPR or Swiss FADP). The Standard Contractual Clauses will not apply to Client Data that is not transferred, either directly or via onward transfer, outside the EEA-UK-CH.
b. Where the transfers contemplated under this Section result in transfers of UK Personal Data to Credly for processing by Credly in a jurisdiction other than in the UK or UK Information Commissioner’s Office-approved countries providing ‘adequate’ data protection, then each party agrees that (a) the UK Addendum for transfers of UK Personal Data shall apply; and (b) the UK Addendum will be deemed executed by and between Client and Credly; and (c) the SCCs between the parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of such UK Personal Data. The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement.
c. Where the transfers contemplated under this Section result in transfers of Swiss Personal Data to Credly for processing by Credly in a jurisdiction other than in the EEA, then each party agrees that (a) references in the SCC to a “member state” or to the “EU” shall be deemed to include Switzerland; and (b) the SCC between the parties shall be deemed amended as the Swiss FDPIC is the exclusive Supervisory Authority for the transfers of Swiss Personal Data under this Agreement.
d. In the event that the Standard Contractual Clauses are amended, replaced or repealed by the European Commission or otherwise under Data Protection Laws, the Parties shall work together in good faith to enter into any updated version or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with Data Protection Laws. Either Party may terminate the Agreement on 30 days’ written notice, if the Parties are incapable of implementing or fail to implement another appropriate safeguard to ensure an adequate level of data protection within a period of 90 days.
13. Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
14. Return or Deletion of Client Data. Up to the Termination Date, Client will continue to have the ability to retrieve or delete Client Data in accordance with this Section. For 90 days following the Termination Date, Client may delete or retrieve for export or download any Client Data from the Services, subject to the terms and conditions set out in the Agreement, unless prohibited by law or the order of a governmental or regulatory body or it could subject Credly or its Affiliates to liability. No later than the end of this 90-day period, Client will close all Credly accounts. Credly will delete Client Data when requested by Client. After that 90-day period, Credly will have no obligation to maintain Customer Data, and may thereafter delete or destroy all copies of Client Data maintained by Credly.
15. Duties to Inform. Where Client Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Credly, Credly will inform Client without undue delay. Credly will, without undue delay, notify all relevant parties in such action (e.g., creditors, bankruptcy trustee) that any Client Data subjected to those proceedings is Client’s property and area of responsibility and that Client Data is at Client’s sole disposition.
16. Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control. If there is a conflict between the Standard Contractual Clauses and this DPA, the terms of the Standard Contractual Clauses, as applicable, shall prevail.
Standard Contractual Clauses (Controller-to-Controller) Module 1, as applicable
Standard Contractual Clauses (Controller-to-Processor) Module 2, as applicable
Where applicable pursuant to the DPA or Addenda, the parties hereby enter into Module 1 or 2 of the Standard Contractual Clauses, as applicable, and where the SCCs require the parties to choose between optional clauses and to input information, the parties have done so as set out below:
1. The Optional Clause 7 “Docking clause” shall not be adopted.
2. For Clause 9 “Use of sub-processors”, the parties elect the following option:
“Option 2 General written authorisation: The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 calendar days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).”
3. For Clause 11 (a) “Redress”, the parties do not adopt the Option.
4. For Clause 17 “Governing law”, the parties elect the following option:
“Option 1. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.”
5. For Clause 18 (b) “Choice of Forum and Jurisdiction”:
“The Parties agree that those shall be the courts of Ireland”.
ANNEX I (applicable to Module 2 only)
1. LIST OF PARTIES
a) Data exporter: The data exporter is the entity identified as “Client” in the DPA
b) Data importer: The data importer is Credly, Inc., a provider of web services.
2. DESCRIPTION OF TRANSFER
a) Data subjects: Data subjects are defined in Section2(d)(vi) of the DPA.
b) Categories of data: The personal data is defined in Section2(d)(v) of the DPA.
c) Processing operations:The processing operations are defined in Section 2(d)(iv)of the DPA.
d) Frequency: Continuous
C. COMPETENT SUPERVISORY AUTHORITY
Data Protection Commission (of Ireland)
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
ANNEX III – LIST OF SUB-PROCESSORS (Applicable to Module 2 only)
To support delivery of the Services, Credly may engage and use data processors with access to certain personally identifiable data of Earners (each, a "Subprocessor"). This link below provides important information about the identity, location and role of each Subprocessor. Credly undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed Subprocessors that will or may have access to or process personally identifiable data.