Last Updated: June 2021

Applies if first use is on or after June 1, 2021

This Data Processing Addendum (“Addendum”) supplements the Second Step® SEL for Adults Digital Program License Agreement (the “Agreement”), between You (“Customer”) and Committee for Children (“CFC”), is effective as of the date Customer begins to implement use of the Services and Program as defined in the Agreement (the “Effective Date”), and is hereby incorporated by reference into the Agreement. All capitalized terms not otherwise defined in this Addendum will have the meaning given to them in the Agreement. In the event of any inconsistency or conflict between this Addendum and the Agreement, this Addendum will govern. Customer and CFC agree as follows:

1. 1. Personal Information. In connection with providing the Service and the Program under the Agreement, CFC will be Processing Personal Information on behalf of Customer. “Personal Information” means information that relates, directly or indirectly, to an identified or identifiable person (a “Data Subject”), which may include names, email addresses, employer information, postal addresses, or online identifiers, that Customer provides or submits in connection with the Agreement. CFC’s Services and Program are not designed to collect or process protected health information, and CFC maintains it is not a “Covered Entity” or “Business Associate” as defined by the Health Insurance Portability and Accountability Act (“HIPAA”). Customer acknowledges it is not a “Covered Entity” or a “Business Associate” as defined by HIPAA. For the avoidance of doubt “Personal Information” includes all information that falls under the definition of “Personally Identifiable Information” as that term is defined in the Family Educational Rights and Privacy Act and its implementing regulations, 20 U.S.C. §1232, 34 C.F.R. Part 99 (“FERPA”). As between Customer and CFC, all Personal Information is the sole and exclusive property of Customer. For clarity, Customer will not provide to CFC, nor instruct CFC to process within the Services or Program, sensitive Personal Information, including but not limited to, health or medical information, financial information, social security or driver’s license numbers, biometric information, genetic information, Education Records, or information concerning sex life or sexual orientation.

2. 2. CFC and Customer Responsibilities. The parties acknowledge and agree that: (a) CFC is a processor and/or service provider, as applicable, with respect to Personal Information under Applicable Law (defined below); (b) Customer is a controller and/or business with respect to Personal Information under Applicable Law; and (c) each party will comply with the obligations applicable to it under Applicable Law with respect to the Processing of Personal Information.

3. 3. CFC Responsibilities. “Process” or “Processing” means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as the access, collection, use, storage, disclosure, dissemination, combination, recording, organization, structuring, adaption, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure and/or destruction of Personal Information. As a part of providing the Program and the Service under the Agreement, CFC will:

   1. (a) Process Personal Information solely in accordance with Customer’s documented instructions, including as contained within the Agreement and as necessary to provide the Program and the Service. Without limiting the foregoing, CFC will not: (i) collect, retain, use, or disclose Personal Information for any purpose other than as necessary for the specific purpose of performing the Service and providing the Program, or as described in the Agreement, including use of the Personal Information for a commercial purpose other than providing the Service and the Program; and (ii) sell the Personal Information;

   2. (b) Process Personal Information in accordance with laws, rules, and regulations that apply to CFC’s provision of the Service and the Program under the Agreement, including, as applicable, the California Consumer Privacy Act (“CCPA”), FERPA, the Children’s Internet Protection Act, Pub. L. 106-554 (the “CIPA”), the Protection of Pupil Rights Amendment Act, 20 U.S.C. §1232h, 34 C.F.R. Part 98 (the “PPRA”), and Washington’s Public Records Act (the “PRA”), Chapter 42.56 RCW, and other applicable US state laws regulating the processing of Personal Information (collectively, “Applicable Law”);

   3. (c) not disclose Personal Information to any third party without first, except to the extent prohibited by Applicable Law, (i) notifying Customer of the anticipated disclosure (so as to provide Customer the opportunity to oppose the disclosure and obtain a protective order or seek other relief); (ii) obtaining Customer’s prior consent to the disclosure; or (iii) imposing contractual obligations on the third party recipient that are at least reasonably equivalent to those obligations imposed on CFC under this Addendum;

   4. (d) amend, correct, or erase Personal Information at Customer’s reasonable written request and provide a means for Customer to update and make accurate Personal Information Processed by CFC;

   5. (e) notify Customer of any third party request (by a Data Subject or otherwise) to (i) restrict the Processing of Personal Information; (ii) port Personal Information to a third party; or (iii) access, rectify, or erase Personal Information. CFC will use commercially reasonable efforts to assist Customer, at Customer’s reasonable written request and expense, in complying with Customer’s obligations to respond to requests and complaints directed to Customer with respect to Personal Information Processed by CFC;

   6. (f) ensure that CFC personnel Processing Personal Information are subject to obligations of confidentiality; and

   7. (g) keep Personal Information logically distinct from other information of CFC or its personnel, suppliers, customers or other third parties.

   CFC will use commercially reasonable efforts to inform Customer if CFC becomes aware or reasonably suspects that Customer’s instructions regarding the Processing of Personal Information may breach any Applicable Law.

4. 4. CFC’s Processing of Education Records. The Program is not designed or intended to collect Personal Information contained within Education Records (as defined within FERPA). For clarity, Customer will not provide to CFC, nor instruct CFC to process within the Services or Program, Personal Information contained within Education Records (as defined within FERPA).

5. 5. Subcontractors. CFC will not engage another processor to process Customer’s Personal Information without authorization from Customer, which Customer hereby provides. Customer hereby provides its general written authorization for CFC’s use of subcontractors to Process Personal Information on behalf of Customer.

6. 6. Security Safeguards. CFC will use commercially reasonable efforts to implement and maintain appropriate technical and organizational measures consistent with industry standards to protect and ensure the confidentiality, integrity, and availability of Personal Information.

7. 7. Security Breach. If CFC becomes aware of any actual Security Breach (defined below), CFC will take commercially reasonable efforts to, without undue delay: (a) notify Customer of the Security Breach and any third-party legal processes relating to the Security Breach; and (b) help Customer investigate, remediate, and take any action required under Applicable Law regarding the Security Breach. “Security Breach” means any unauthorized acquisition of data that compromises the security, confidentiality, or integrity of Personal Information under CFC’s possession or control. The obligations in this Section do not apply to incidents that are caused by Customer or Customer’s personnel or Authorized Users.

8. 8. Return or Destruction of Personal Information. Upon written request by Customer or when CFC is no longer required to Process Personal Information to fulfill its obligations under the Agreement, CFC will use commercially reasonable efforts to (a) cease all use of Personal Information; and (b) return all Personal Information to Customer or, at Customer’s option, destroy all Personal Information and all copies thereof, except to the extent that CFC is required under Applicable Law to keep a copy of Personal Information for a specified period of time.

9. 9. DISCLAIMER. CFC MAKES NO REPRESENTATION OR WARRANTY THAT THIS ADDENDUM IS LEGALLY SUFFICIENT TO MEET CUSTOMER’S NEEDS UNDER APPLICABLE LAW, INCLUDING THE CCPA, FERPA, CIPA, PPRA AND PRA. CFC EXPRESSLY DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, THROUGH A COURSE OF DEALING, OR OTHERWISE THAT THIS ADDENDUM WILL COMPLY WITH OR SATISFY ANY OF CUSTOMER’S OBLIGATIONS UNDER APPLICABLE LAW. CUSTOMER FULLY UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE FOR COMPLYING WITH ALL OF ITS OBLIGATIONS IMPOSED BY APPLICABLE LAW. THE PARTIES AGREE THAT THERE WILL BE NO PRESUMPTION THAT ANY AMBIGUITIES IN THIS ADDENDUM WILL BE CONSTRUED OR INTERPRETED AGAINST THE DRAFTER.

* * * *