Common use of Processor and Controller Clause in Contracts

Processor and Controller.

2.1 The parties agree that, for the Protected Data, the Customer shall be the Controller and the Supplier shall be the Processor.

2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier to process the Protected Data in accordance with our Agreement.

2.3 The Supplier shall process Protected Data in compliance with:
  2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under our Agreement; and
  2.3.2 the terms of our Agreement.

2.4 The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times comply with:
  2.4.1 all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
  2.4.2 the terms of our Agreement.

2.5 The Customer warrants, represents and undertakes, that at all times:
  2.5.1 all Protected Data (if processed in accordance with our Agreement) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws;
  2.5.2 all Protected Data shall comply with clauses 10.3 and 11.2 of the SaaS Terms;
  2.5.3 all necessary fair processing and other information notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the Supplier and its Sub-Processors in accordance with our Agreement;
  2.5.4 the Protected Data is accurate and up to date;
  2.5.5 it shall establish and maintain adequate security measures to safeguard Protected Data in its possession or control from unauthorised access and maintaining complete and accurate copies of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier or any other person;
  2.5.6 all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
  2.5.7 it has undertaken due diligence in relation to the Supplier’s processing operations and commitments and it is satisfied (and all times its continues to use the Services remains satisfied) that:
    (a) the Supplier’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Supplier to process the Protected Data;
    (b) the following technical and organisational measures shall (if the Supplier complies with its obligations) ensure a level of security appropriate to the risk in regards to the Protected Data:
      (i) all data sent between a web browser and the Supplier’s servers shall be encrypted in transit;
      (ii) all personally identifiable pupil data shall remain encrypted at rest in the Supplier’s database;
      (iii) the Supplier’s servers are located in a highly secure ISO27001 certified data centre;
      (iv) all of the Supplier’s staff have an up-to-date enhanced DBS check;
      (v) the Supplier’s offices are monitored by CCTV and security patrols;
      (vi) the Supplier has protocols in place to ensure that Protected Data is handled appropriately, securely and in a legally compliant manner;
      (vii) all data is stored within the United Kingdom;
      (viii) save for any data processing undertaken by the Supplier’s ISO27001 certified UK based data centre provider, the Supplier does not subcontract any data processing activities;
      (ix) all of the Supplier’s staff are subject to non-disclosure terms and a duty of confidentiality with respect to information that comes into their possession during the course of employment; and
    (c) the Supplier has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

Appears in 1 contract

Samples: Data Protection Addendum

Processor and Controller. 2.1 The parties We each agree that, for the Protected Data, the Customer shall be where you are the Controller and the Supplier we are your Processor, this DPA shall be the Processorapply. Nothing in this DPA or any other part of our Agreement relieves you of any responsibilities or liabilities under any Data Protection Laws. 2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants You warrant that it has you have full authority and authorisation of all relevant Controllers to instruct the Supplier us to process the Protected Data in accordance with our Agreement. 2.3 The Supplier shall We will process Protected Data in compliance with: 2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their our obligations under our Agreement; and 2.3.2 the terms of our Agreement. 2.4 The Customer shall You will ensure that it, its Affiliates and each Authorised User shall will at all times comply with: 2.4.1 all Data Protection Laws in connection with the processing of Protected Data, the use of the Services Verature Platform (and each part) and the exercise and performance of its your respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 2.4.2 the terms of our Agreement. 
2.5 The Customer warrantsYou warrant, represents represent and undertakesundertake, that at all times: 2.5.1 the processing of all Protected Data (if processed in accordance with our Agreement) shall will comply in all respectsrespects with Data Protection Laws, including in terms of its collection, storage use and processing, with Data Protection Lawsstorage; 2.5.2 all Protected Data shall comply with clauses 10.3 and 11.2 of the SaaS Terms; 2.5.3 all necessary fair processing and all other information appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the Supplier us and its Sub- our Sub-Processors in accordance with our Agreement; 2.5.4 2.5.3 the Protected Data is accurate and up to date; 2.5.5 it shall 2.5.4 you will establish and maintain adequate security measures to safeguard the Protected Data in its your possession or control (including from unauthorised access or unlawful destruction, corruption, processing or disclosure) and maintaining maintain complete and accurate copies backups of all Protected Data provided to the Supplier us (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier us or any other person; 2.5.6 2.5.5 all instructions given by it you to the Supplier us in respect of Personal Data shall will at all times be in accordance with Data Protection Laws; and 2.5.7 it has 2.5.6 you have undertaken due diligence in relation to the Supplier’s our processing operations and commitments and it is are satisfied (and all times its continues you continue to receive the benefit of any Services and/or use the Services remains Verature Platform remain 
satisfied) that: (a) the Supplier’s 2.5.6.1 our processing operations are suitable for the purposes for which you propose to receive the Customer proposes to benefit of any Services and use the Services Verature Platform and engage the Supplier us to process the Protected Data; (b) 2.5.6.2 the following technical and organisational measures shall set out in the Information Security Policy (as updated by us from time to time) will (if we comply with our obligations under the Supplier complies with its obligationsInformation Security Policy) ensure a level of security appropriate to the risk in regards to the Protected Data: (i) all data sent between a web browser and the Supplier’s servers shall be encrypted in transit; (ii) all personally identifiable pupil data shall remain encrypted at rest in the Supplier’s database; (iii) the Supplier’s servers are located in a highly secure ISO27001 certified data centre; (iv) all of the Supplier’s staff have an up-to-date enhanced DBS check; (v) the Supplier’s offices are monitored Data as required by CCTV and security patrols; (vi) the Supplier has protocols in place to ensure that Protected Data is handled appropriately, securely and in a legally compliant manner; (vii) all data is stored within the United Kingdom; (viii) save for any data processing undertaken by the Supplier’s ISO27001 certified UK based data centre provider, the Supplier does not subcontract any data processing activities; (ix) all of the Supplier’s staff are subject to non-disclosure terms and a duty of confidentiality with respect to information that comes into their possession during the course of employmentProtection Laws; and (c) the Supplier has 2.5.6.3 we have sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

Appears in 1 contract

Samples: Data Processing Agreement

Processor and Controller. 2.1 The parties acknowledge and agree that, for the Protected Data, the Customer (or the relevant Data Client) shall be the Controller and the Supplier Relevant Daisy Group Member shall be the ProcessorProcessor or sub-processor. 2.2 To The Customer authorises the extent Relevant Daisy Group Member responsible for providing the Services and/or Products to the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers pursuant to instruct the Supplier Principal Agreements to process Process the Protected Data pursuant to this Addendum as a Processor or sub-processor for the purpose set out in accordance with our AgreementSchedule 1. 2.3 The Supplier Relevant Daisy Group Member shall process Process Protected Data in compliance with: 2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under our Agreementthis Addendum; and 2.3.2 the terms of our Agreementthis Addendum. 2.4 The Customer shall (and shall if the Customer is not the Controller ensure that it, its Affiliates and each Authorised User shall at all times the relevant Controller shall) comply with: 2.4.1 all Data Protection Laws in connection with the processing Processing of Protected Data, the use of the Services (and each part) and/or Products and the exercise and performance of its respective rights and obligations under our Agreementthis Addendum, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 2.4.2 the terms of our Agreementthis Addendum. 
2.5 The Customer warrants, represents warrants to Xxxxx and undertakes, that at all timeseach Relevant Daisy Group Member that: 2.5.1 it has all necessary rights to authorise Xxxxx and each Relevant Daisy Group Member to Process Protected Data (if processed in accordance with our Agreement) this Addendum and the Data Protection Laws; 2.5.2 all data sourced by the Customer for use in connection with the Services and/or Products, shall comply in all respects, including in terms of its collection, storage and processingProcessing (which shall include the Customer providing all of the required fair processing notices and information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; 2.5.2 all 2.5.3 it will not send any Protected Data shall comply with clauses 10.3 and 11.2 of the SaaS Terms; 2.5.3 all necessary fair processing and other information notices have been provided to the Data Subjects of Relevant Daisy Group Member which is not necessary for the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) Relevant Daisy Group Member to provide the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the Supplier and its Sub- Processors in accordance with our AgreementServices and/or Products; 2.5.4 its instructions to the Relevant Daisy Group Member relating to Processing of Protected Data is accurate and up to date; 2.5.5 it shall establish and maintain adequate security measures to safeguard Protected Data will not put the Relevant Daisy Group Member in its possession or control from unauthorised access and maintaining complete and accurate copies breach of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the 
Supplier or any other person; 2.5.6 all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws, including with regard to International Transfers; and 2.5.7 2.5.5 it has undertaken due diligence in relation to Xxxxx's or the Supplier’s processing operations and commitments Relevant Daisy Group Member Processing operations, and it is satisfied (and all times its continues to use the Services remains satisfied) that: (a) Daisy or the Supplier’s processing Relevant Daisy Group Member Processing operations are suitable for the purposes for which the Customer proposes to use the Services and/or Products and engage the Supplier Group to process Process the Protected Data;; and (b) the following technical and organisational measures shall (if the Supplier complies with its obligations) ensure a level of security appropriate to the risk in regards to the Protected Data: (i) all data sent between a web browser and the Supplier’s servers shall be encrypted in transit; (ii) all personally identifiable pupil data shall remain encrypted at rest in the Supplier’s database; (iii) the Supplier’s servers are located in a highly secure ISO27001 certified data centre; (iv) all of the Supplier’s staff have an up-to-date enhanced DBS check; (v) the Supplier’s offices are monitored by CCTV and security patrols; (vi) the Supplier has protocols in place to ensure that Protected Data is handled appropriately, securely and in a legally compliant manner; (vii) all data is stored within the United Kingdom; (viii) save for any data processing undertaken by the Supplier’s ISO27001 certified UK based data centre provider, the Supplier does not subcontract any data processing activities; (ix) all of the Supplier’s staff are subject to non-disclosure terms and a duty of confidentiality with respect to information that comes into their possession during the course of employment; and (c) the Supplier Relevant Daisy Group 
Member has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws. 2.6 If the Relevant Daisy Group Member reasonably considers that any instructions from the Customer relating to Processing of Protected Data may put the Relevant Daisy Group Member in breach of Data Protection Laws, the Relevant Daisy Group Member will be entitled not to carry out that Processing and will not be in breach of this Addendum or otherwise liable to the Customer as a result of its failure to carry out that Processing 2.7 The Customer shall remain fully liable for the acts or omissions of each Data Client as if they were its own.

Appears in 1 contract

Samples: Data Processing Addendum

Processor and Controller. 2.1 The parties agree that, for the Protected Data, the Customer shall be the Controller and the Supplier shall be the Processor. Nothing in this Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws. 2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier to process the Protected Data in accordance with our Agreement. 2.3 The Supplier shall process Protected Data in compliance with: 2.3.1 2.2.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under our Agreement; and 2.3.2 2.2.2 the terms of our Agreement. 2.4 2.3 The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times comply with: 2.4.1 2.3.1 all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 2.4.2 2.3.2 the terms of our Agreement. 
2.5 2.4 The Customer warrants, represents and undertakes, that at all times: 2.5.1 2.4.1 all Protected Data (if processed in accordance with our Agreement) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws; 2.5.2 2.4.2 all Protected Data shall comply with clauses 10.3 and 11.2 clause 9.2 of the SaaS TermsTerms and Conditions; 2.5.3 all necessary 2.4.3 fair processing and other information notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the Supplier and its Sub- Sub-Processors in accordance with our Agreement; 2.5.4 2.4.4 the Protected Data is accurate and up to date; 2.5.5 2.4.5 it shall establish and maintain adequate security measures to safeguard Protected Data in its possession or control from unauthorised access and maintaining complete and accurate copies backups of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier or any other person;; and 2.5.6 2.4.6 all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and 2.5.7 it has undertaken due diligence in relation to the Supplier’s processing operations and commitments and it is satisfied (and all times its continues to use the Services remains satisfied) that: (a) the Supplier’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Supplier to process the Protected Data; (b) the following technical and organisational measures shall (if the Supplier complies with 
its obligations) ensure a level of security appropriate to the risk in regards to the Protected Data: (i) all data sent between a web browser and the Supplier’s servers shall be encrypted in transit; (ii) all personally identifiable pupil data shall remain encrypted at rest in the Supplier’s database; (iii) the Supplier’s servers are located in a highly secure ISO27001 certified data centre; (iv) all of the Supplier’s staff have an up-to-date enhanced DBS check; (v) the Supplier’s offices are monitored by CCTV and security patrols; (vi) the Supplier has protocols in place to ensure that Protected Data is handled appropriately, securely and in a legally compliant manner; (vii) all data is stored within the United Kingdom; (viii) save for any data processing undertaken by the Supplier’s ISO27001 certified UK based data centre provider, the Supplier does not subcontract any data processing activities; (ix) all of the Supplier’s staff are subject to non-disclosure terms and a duty of confidentiality with respect to information that comes into their possession during the course of employment; and (c) the Supplier has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

Appears in 1 contract

Samples: Terms and Conditions

Processor and Controller. 2.1 The parties agree that, for the Protected Data, the Customer shall be the Controller and the Supplier SMUK shall be the Processor. Nothing in our Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws. 2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier SMUK to process the Protected Data in accordance with our Agreement. 2.3 The Supplier SMUK shall process Protected Data in compliance with: 2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under our Agreement; and 2.3.2 the terms of our Agreement. 2.4 The Customer shall ensure that it, its Affiliates and it each Authorised User shall at all times comply with: 2.4.1 all Data Protection Laws in connection with the processing of Protected Data, the use of the Services SERVICEmate (and each part) and the exercise and performance of its respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 2.4.2 the terms of our Agreement. 
2.5 The Customer warrants, represents and undertakes, that at all times: 2.5.1 the processing of all Protected Data (if processed in accordance with our Agreement) shall comply in all respectsrespects with Data Protection Laws, including in terms of its collection, storage use and processing, with Data Protection Laws;storage 2.5.2 all Protected Data shall comply with clauses 10.3 and 11.2 of the SaaS Terms; 2.5.3 all necessary fair processing and all other information appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the Supplier SMUK and its Sub- Sub-Processors in accordance with our Agreement; 2.5.4 2.5.3 the Protected Data is accurate and up to date; 2.5.4 except to the extent resulting from Transfers to International Recipients made by SMUK or any Sub-Processor, the Protected Data is not subject to the laws of any jurisdiction outside of the United Kingdom; 2.5.5 it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised access or unlawful destruction, corruption, processing or disclosure) and maintaining maintain complete and accurate copies backups of all Protected Data provided to the Supplier SMUK (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier SMUK or any other person; 2.5.6 all instructions given by it to the Supplier SMUK in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and 2.5.7 it has undertaken due diligence in relation to the SupplierSMUK’s processing operations and commitments and it is satisfied (and all 
times its it continues to use the Services SERVICEmate remains satisfied) that: (a) the Supplier2.5.7.1 SMUK’s processing operations are suitable for the purposes for which the Customer proposes to use the Services SERVICEmate and engage the Supplier SMUK to process the Protected Data; (b) 2.5.7.2 the following technical and organisational measures set out in our Agreement (each as Updated from time to time) shall (if the Supplier SMUK complies with its obligationsobligations under our Agreement) ensure a level of security appropriate to the risk in regards to the Protected Data: (i) all data sent between a web browser and the Supplier’s servers shall be encrypted in transit; (ii) all personally identifiable pupil data shall remain encrypted at rest in the Supplier’s database; (iii) the Supplier’s servers are located in a highly secure ISO27001 certified data centre; (iv) all of the Supplier’s staff have an up-to-date enhanced DBS check; (v) the Supplier’s offices are monitored Data as required by CCTV and security patrols; (vi) the Supplier has protocols in place to ensure that Protected Data is handled appropriately, securely and in a legally compliant manner; (vii) all data is stored within the United Kingdom; (viii) save for any data processing undertaken by the Supplier’s ISO27001 certified UK based data centre provider, the Supplier does not subcontract any data processing activities; (ix) all of the Supplier’s staff are subject to non-disclosure terms and a duty of confidentiality with respect to information that comes into their possession during the course of employmentProtection Laws; and (c) the Supplier 2.5.7.3 SMUK has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

Appears in 1 contract

Samples: Saas Agreement

Processor and Controller. 2.1 The parties Parties agree that, for the Protected Data, the Customer shall be the Controller and the Supplier Katapult shall be the Processor. Nothing in this Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws. 2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier Katapult to process the Protected Data in accordance with our this Agreement. 2.3 The Supplier Katapult shall process Protected Data in compliance with: 2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under our this Agreement; and 2.3.2 the terms of our this Agreement. 2.4 The Customer shall ensure that it, its Affiliates it and each Authorised User shall at all times comply with: 2.4.1 all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 2.4.2 the terms of our this Agreement. 
2.5 The Customer warrants, represents and undertakes, that at all times: 2.5.1 all Protected Data (if processed in accordance with our this Agreement) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws; 2.5.2 all it shall ensure (and is exclusively responsible for) the accuracy, quality, integrity and legality of the Protected Data shall comply and that its use (including use in connection with clauses 10.3 the Service) complies with all Applicable Laws and 11.2 of the SaaS TermsIntellectual Property Rights; 2.5.3 all necessary fair processing and all other appropriate information notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the Supplier Katapult and its Sub- Sub-Processors in accordance with our this Agreement; 2.5.4 the Protected Data is accurate and up to date; 2.5.5 it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised access or unlawful destruction, corruption, processing or disclosure) and maintaining maintain complete and accurate copies backups of all Protected Data provided to the Supplier Katapult (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier Katapult or any other person; 2.5.6 all instructions given by it to the Supplier Katapult in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and 2.5.7 without prejudice to the generality of clause 9.4, it has undertaken due diligence in relation to the SupplierKatapult’s processing operations and commitments and 
it is satisfied (and all times its it continues to use the Services remains satisfied) that: (a) the Supplier2.5.7.1 Katapult’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Supplier Katapult to process the Protected Data; (b) 2.5.7.2 the following technical and organisational measures set out in Schedule 4 (as Updated from time to time) shall (if the Supplier Katapult complies with its such obligations) ensure a level of security appropriate to the risk in regards to the Protected Data: (i) all data sent between a web browser and the Supplier’s servers shall be encrypted in transit; (ii) all personally identifiable pupil data shall remain encrypted at rest in the Supplier’s database; (iii) the Supplier’s servers are located in a highly secure ISO27001 certified data centre; (iv) all of the Supplier’s staff have an up-to-date enhanced DBS check; (v) the Supplier’s offices are monitored by CCTV and security patrols; (vi) the Supplier has protocols in place to ensure that Protected Data is handled appropriately, securely and in a legally compliant manner; (vii) all data is stored within the United Kingdom; (viii) save for any data processing undertaken by the Supplier’s ISO27001 certified UK based data centre provider, the Supplier does not subcontract any data processing activities; (ix) all of the Supplier’s staff are subject to non-disclosure terms and a duty of confidentiality with respect to information that comes into their possession during the course of employment; and (c) the Supplier has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

Appears in 1 contract

Samples: Terms of Service

its obligations) ensure a level of security appropriate to the risk in regards to the Protected Data: (i) all data sent between a web browser and the Supplier’s servers shall be encrypted in transit; (ii) all personally identifiable pupil data shall remain encrypted at rest in the Supplier’s database; (iii) the Supplier’s servers are located in a highly secure ISO27001 certified data centre; (iv) all of the Supplier’s staff have an up-to-date enhanced DBS check; (v) the Supplier’s offices are monitored by CCTV and security patrols; (vi) the Supplier has protocols in place to ensure that Protected Data is handled appropriately, securely and in a legally compliant manner; (vii) all data is stored within the United Kingdom; (viii) save for any data processing undertaken by the Supplier’s ISO27001 certified UK based data centre provider, the Supplier does not subcontract any data processing activities; (ix) all of the Supplier’s staff are subject to non-disclosure terms and a duty of confidentiality with respect to information that comes into their possession during the course of employment; and (c) the Supplier has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

Appears in 1 contract

Samples: Terms and Conditions

Processor and Controller. 2.1 The parties acknowledge and agree that, for the Protected Data, the Customer (or the relevant Data Client) shall be the Controller and the Supplier Relevant Daisy Group Member shall be the ProcessorProcessor or sub-processor. 2.2 To The Customer authorises the extent Relevant Daisy Group Member responsible for providing the Services and/or Products to the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers pursuant to instruct the Supplier Principal Agreements to process Process the Protected Data pursuant to this Addendum as a Processor or sub-processor for the purpose set out in accordance with our AgreementSchedule 1. 2.3 The Supplier Relevant Daisy Group Member shall process Process Protected Data in compliance with: 2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under our Agreementthis Addendum; and 2.3.2 the terms of our Agreementthis Addendum. 2.4 The Customer shall (and shall if the Customer is not the Controller ensure that it, its Affiliates and each Authorised User shall at all times the relevant Controller shall) comply with: 2.4.1 all Data Protection Laws in connection with the processing Processing of Protected Data, the use of the Services (and each part) and/or Products and the exercise and performance of its respective rights and obligations under our Agreementthis Addendum, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 2.4.2 the terms of our Agreementthis Addendum. 
2.5 The Customer warrants, represents warrants to Xxxxx and undertakes, that at all timeseach Relevant Daisy Group Member that: 2.5.1 it has all necessary rights to authorise Xxxxx and each Relevant Daisy Group Member to Process Protected Data (if processed in accordance with our Agreement) this Addendum and the Data Protection Laws; 2.5.2 all data sourced by the Customer for use in connection with the Services and/or Products, shall comply in all respects, including in terms of its collection, storage and processingProcessing (which shall include the Customer providing all of the required fair processing notices and information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; 2.5.2 all 2.5.3 it will not send any Protected Data shall comply with clauses 10.3 and 11.2 of the SaaS Terms; 2.5.3 all necessary fair processing and other information notices have been provided to the Data Subjects of Relevant Daisy Group Member which is not necessary for the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) Relevant Daisy Group Member to provide the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the Supplier and its Sub- Processors in accordance with our AgreementServices and/or Products; 2.5.4 its instructions to the Relevant Daisy Group Member relating to Processing of Protected Data is accurate and up to date; 2.5.5 it shall establish and maintain adequate security measures to safeguard Protected Data will not put the Relevant Daisy Group Member in its possession or control from unauthorised access and maintaining complete and accurate copies breach of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the 
Supplier or any other person; 2.5.6 all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws, including with regard to International Transfers; and 2.5.7 2.5.5 it has undertaken due diligence in relation to Xxxxx's or the SupplierRelevant Daisy Group Member’s processing operations and commitments Processing operations, and it is satisfied (and all times its continues to use the Services remains satisfied) that: (a) Xxxxx’s or the SupplierRelevant Daisy Group Member’s processing Processing operations are suitable for the purposes for which the Customer proposes to use the Services and/or Products and engage the Supplier relevant member of Daisy’s Group to process Process the Protected Data;; and (b) the following technical and organisational measures shall (if the Supplier complies with its obligations) ensure a level of security appropriate to the risk in regards to the Protected Data: (i) all data sent between a web browser and the Supplier’s servers shall be encrypted in transit; (ii) all personally identifiable pupil data shall remain encrypted at rest in the Supplier’s database; (iii) the Supplier’s servers are located in a highly secure ISO27001 certified data centre; (iv) all of the Supplier’s staff have an up-to-date enhanced DBS check; (v) the Supplier’s offices are monitored by CCTV and security patrols; (vi) the Supplier has protocols in place to ensure that Protected Data is handled appropriately, securely and in a legally compliant manner; (vii) all data is stored within the United Kingdom; (viii) save for any data processing undertaken by the Supplier’s ISO27001 certified UK based data centre provider, the Supplier does not subcontract any data processing activities; (ix) all of the Supplier’s staff are subject to non-disclosure terms and a duty of confidentiality with respect to information that comes into their possession during the course of employment; and (c) the 
Supplier Relevant Daisy Group Member has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws. 2.6 If the Relevant Daisy Group Member reasonably considers that any instructions from the Customer relating to Processing of Protected Data may put the Relevant Daisy Group Member in breach of Data Protection Laws, the Relevant Daisy Group Member will be entitled not to carry out that Processing and will not be in breach of this Addendum or otherwise liable to the Customer as a result of its failure to carry out that Processing 2.7 The Customer shall remain fully liable for the acts or omissions of each Data Client as if they were its own.

Appears in 1 contract

Samples: Data Processing Addendum
