Common use of Question Answer Clause in Contracts

Question Answer. What kind of (personal) data is processed in the service? If you process ‘Sensitive Personal Data’ as mentioned in the GDPR, explicitly mention what type of data exactly. Portfolio Description of personal learning products/ outcomes Reflections on learning products/outcomes Teacher and/or peer feedback on learning products/outcomes Profile Name (optional) Surname (optional) Profile picture (optional) For the attributes you request via SURFconext: why do you need each of them/why can’t you do without them? UserID: unique integer based on student/employee number E-mail: e-mail address What organisations have access to the data? Your own company? What parties you contracted? The following organizations have access to the data: Leerpodium: development, administration, support CloudVPS: hosting Which individuals or job roles have what (read, write...) access to the user data? We assume you are limiting access. Consider both within your company as well as third parties you use. Leerpodium System administrators: read and write Support / helpdesk: read CloudVPS Support: server level root access: i.e. read/write permissions on files & database In which country/countries does the data reside? Also consider any copies. All data is hosted in the Netherlands List all security measures you have taken to secure the data? Also think about any encryption (during transport, in rest). Security updates (operating system, server applications, service applications) Security logs (continuous logging of login activity & hacking attempts) Security audits (periodic hacking attempts by white hat hacker employee) Backups (full + incremental, 2 month retention) Encryption: all communication is through connections over SSL / TLS (https) Two factor authentication (optional): if requested role based 2 factor authentication (e.g. all teachers need 2 factor or all students and teachers) Geo blocking & IP blocks (optional): if requested connections are blocked from ips from outside Europe/certain countries or restricted to IP ranges Can you provide a certificate like ISO27001, ISO27002, ISAE 3402 etc, including a Statement of applicability? No: not yet, but ISO27001 is work in progress.. Are you prepared to sign the SURF example Data Processing Agreement (xxxxx://xxx.xxxx.xx/binaries/content/assets/surf/en/knowledgebase/2016/processing-agreement-english-october-2016.pdf), and if not, which articles would you want to discuss/negotiate with an institution interested in your service? Yes What is the URL of your privacy policy? xxxxx://xxxxxxxxxx.xx/privacy

Question Answer. What kind of (personal) data is processed in the service? If you process ‘Sensitive Personal Data’ as mentioned in the GDPR, explicitly mention what type of data exactly. Portfolio Description of personal learning products/ outcomes Reflections on learning products/outcomes Teacher and/or peer feedback on learning products/outcomes Profile Name Name, (optionalbusiness) Surname (optional) Profile picture (optional) email address, telephone number For the attributes you request via SURFconext: why do you need each of them/why can’t you do without them? UserID: unique integer based on student/employee number E-mail: e-mail User identifier (NameID) – Identifier from Surf - We need this to identify the user. Given name – Users of Negometrix want their name to be automatically filled in Email address - Users of Negometrix want their email adress to be automatically filled in What organisations have access to the data? Your own company? What parties you contracted? The following organizations have access to the data: Leerpodium: development, administration, support CloudVPS: hosting Negometrix BV Which individuals or job roles have what (read, write...) access to the user data? We assume you are limiting access. Consider both within your company as well as third parties you use. Leerpodium Negometrix System administratorsadmins: read and write Support / helpdesk: read CloudVPS Support: server level root access: i.e. read/write permissions on files & database In which country/countries does the data reside? Also consider any copies. All data is hosted in the Netherlands United Kingdom (Rackspace LON3 Data Centre – Slough, UK) List all security measures you have taken to secure the data? Also think about any encryption (during transport, in rest). Security updates We encryipt during transport. The system uses Microsoft SQL Server. The server provides standard feature for Transparent Data Encryption (operating systemTDE), server applications, service applications) Security logs (continuous logging which performs real-time I/O encryption and decryption of login activity & hacking attempts) Security audits (periodic hacking attempts by white hat hacker employee) Backups (full + incremental, 2 month retention) Encryption: all communication the data and log files. SSL is through connections over SSL / TLS (https) Two factor authentication (optional): if requested role based 2 factor authentication (e.g. all teachers need 2 factor or all students and teachers) Geo blocking & IP blocks (optional): if requested connections are blocked from ips from outside Europe/certain countries or restricted to IP ranges SQL. Can you provide a certificate like ISO27001, ISO27002, ISAE 3402 etc, including a Statement of applicability? No/Yes ISO 27001; ISMS applied to: not yetBusiness processes analysis, but ISO27001 design, development, sales, implementation, related training and support of software products and systems. The certification can be found online (xxx.xxxxxxxxxx.xxx) or requested by email from: xx.xxxxx@xxxxxxxxxx.xxx The certificate is work in progress.. valid from July 8th 2013/until July 7th 2019. Are you prepared to sign the SURF example Data Processing Agreement (xxxxx://xxx.xxxx.xx/binaries/content/assets/surf/en/knowledgebase/2016/processing-agreement-english-october-2016.pdf), and if not, which articles would you want to discuss/negotiate with an institution interested in your service? Yes Yes/No What is the URL of your privacy policy? xxxxx://xxxxxxxxxx.xx/privacyxxxxx://xxxxxxxxxx.xxx/nl/over-negometrix/randvoorwaardenspecificaties

Question Answer. What kind of (personal) data is processed in the service? If you process ‘Sensitive Personal Data’ as mentioned in the GDPR, explicitly mention what type of data exactly. Portfolio Description of personal learning products/ outcomes Reflections on learning products/outcomes Teacher and/or peer feedback on learning products/outcomes Profile We process Saxion user accounts (employees). Data needed is: User account Full Name (optional) Surname (optional) Profile picture (optional) E-mail Address For the attributes you request via SURFconext: why do you need each of them/why can’t you do without them? UserID: unique integer based on student/employee number E-mail: e-mail address Client (Saxion) wants employees to be able to login to the cms with their existing network credentials (Saxion credentials). For this, we need this information to map a logged in user to a cms user for authentication and authorisation. What organisations have access to the data? Your own company? What parties you contracted? The following organizations have access to theFactor.e BloomReach (hosting provider, product support for the data: Leerpodium: development, administration, support CloudVPS: hosting Hippo CMS) Which individuals or job roles have what (read, write...) access to the user data? We assume you are limiting access. Consider both within your company as well as third parties you use. Leerpodium System administrators: read Developers and write Support / helpdesk: read CloudVPS Support: server level root access: i.e. read/write permissions on files & database Sysadmins have access to this data. In which country/countries does the data reside? Also consider any copies. All data is hosted in the The Netherlands List all security measures you have taken to secure the data? Also think about any encryption (during transport, in rest). Security updates (operating systemWe do not think encryption, server applications, service applications) Security logs (continuous logging of login activity & hacking attempts) Security audits (periodic hacking attempts by white hat hacker employee) Backups (full + incremental, 2 month retention) Encryption: all communication is through connections besides transport over SSL / TLS (https) Two factor authentication (optional): if requested role based 2 factor authentication (e.g. all teachers need 2 factor or all students and teachers) Geo blocking & IP blocks (optional): if requested connections are blocked from ips from outside Europe/certain countries or restricted to IP ranges SSL. We cannot store this data encrypted since the CMS needs this information. Can you provide a certificate like ISO27001, ISO27002, ISAE 3402 etc, including a Statement of applicability? No: not yet, but ISO27001 is work in progress.. No Are you prepared to sign the SURF example Data Processing Agreement (xxxxx://xxx.xxxx.xx/binaries/content/assets/surf/en/knowledgebase/2016/processing-agreement-english-october-2016.pdf), and if not, which articles would you want to discuss/negotiate with an institution interested in your service? Yes What is the URL of your privacy policy? xxxxx://xxxxxxxxxx.xx/privacyData is used on the platform of Saxion. Therefore the privacy policy of Saxion applies. xxxxx://xxx.xxxxxx.xxx/site/about-saxion/privacy/

Question Answer. Who is access given to? Anyone and everyone, we design the site together. We can include departments, faculty, staff, colleges, or a mixture of any group that needs access. With a site license agreement, remove the hassle of tracking and managing access to software. Have a mixture of MAC and Windows users? No problem! Under this licensing model, complete access to Snagit and Camtasia is granted under all of these conditions, with no restrictions. Are software updates included? What kind of (personal) data is processed in about upgrades? All users within the service? If you process ‘Sensitive Personal Data’ as mentioned in the GDPR, explicitly mention what type of data exactly. Portfolio Description of personal learning products/ outcomes Reflections on learning products/outcomes Teacher and/or peer feedback on learning products/outcomes Profile Name (optional) Surname (optional) Profile picture (optional) For the attributes you request via SURFconext: why do you need each of them/why can’t you do without them? UserID: unique integer based on student/employee number E-mail: e-mail address What organisations defined site can have access to the datalatest version available. Every single upgrade is free, but you’re in control of when they are deployed. Keep your entire user base on the same version, with the option to deploy in stages. No need to worry who is entitled to what version. How will users learn the software? Your In addition to our world-class video training series, we also provide a Camtasia Certification Course and a Snagit Certification Course as an added benefit of your site license. These courses allow your users to learn at their own company? What parties you contracted? The following organizations have access pace and take their skills to the data: Leerpodium: developmentnext level. Is tech support available? A dedicated Customer Success Manager is made available to site license customers, administrationalong with free, support CloudVPS: hosting Which individuals unlimited priority technical support. Call us, use our chat system, send an email, or job roles have what (read, write...) access to the user data? We assume you are limiting accesssubmit a ticket. Consider both within your company as well as third parties you use. Leerpodium System administrators: read and write Support / helpdesk: read CloudVPS Support: server level root access: i.e. read/write permissions on files & database In which country/countries How does the data residepayment schedule work? Also consider any copiesAnnualized fixed cost over three year agreement protects from price changes and inflation. All data (Three-year upfront payment option available.) How much does it cost? Pricing is hosted in determined by the Netherlands List number of individuals with the definition as determined by TechSmith and you. But, we understand that not everyone is going to use Snagit and Camtasia. Some employees might use Snagit or Camtasia throughout the day, every day, whereas some people may be light, occasional users. Of course, there will also be some employees who aren’t using TechSmith at all security measures you have taken to secure the data? Also think about any encryption (during transport, in restyet). Security updates (operating systemWe get that. Pricing is based on the estimated adoption of the total number of potential users. 0000 Xxxxxxxx Xxxxx, server applicationsXxxxxx, service applications) Security logs (continuous logging of login activity & hacking attempts) Security audits (periodic hacking attempts by white hat hacker employee) Backups (full + incremental, 2 month retention) Encryption: all communication is through connections over SSL / TLS (https) Two factor authentication (optional): if requested role based 2 factor authentication (e.g. all teachers need 2 factor or all students and teachers) Geo blocking & IP blocks (optional): if requested connections are blocked from ips from outside Europe/certain countries or restricted to IP ranges Can you provide a certificate like ISO27001, ISO27002, ISAE 3402 etc, including a Statement of applicability? No: not yet, but ISO27001 is work in progress.. Are you prepared to sign the SURF example Data Processing Agreement (xxxxx://xxx.xxxx.xx/binaries/content/assets/surf/en/knowledgebase/2016/processing-agreement-english-october-2016.pdf), and if not, which articles would you want to discuss/negotiate with an institution interested in your service? Yes What is the URL of your privacy policy? xxxxx://xxxxxxxxxx.xx/privacyXX 00000-0000