Data Processing Addendum

This Data Processing Addendum (including its Annexes and any incorporated Standard Contractual Clauses, the “DPA”) forms part of the Academe Master Services Agreement, Team Subscription Services Agreement, Order Form, or other written agreement (the “Agreement”) between Academe, Inc.(“Academe”) and the entity identified in that Agreement (“Customer”).

This DPA applies solely when Academe processes Customer Personal Data (defined below) in connection with the Academe Services. Customer enters into this DPA on behalf of itself and its Authorized Affiliates. Capitalized terms not defined here have the meaning set out in the Agreement.

• Applicable Data Protection Laws. All data protection and privacy laws applicable to the parties, including where applicable European Data Protection Laws and the CCPA.
• Authorized Affiliate. A Customer affiliate authorized to use the Services under the Agreement that has not signed a separate agreement with Academe.
• CCPA. The California Consumer Privacy Act of 2018, as amended or replaced.
• Customer Content. All data processed by Academe on behalf of Customer in the course of providing the Services.
• Customer Personal Data.Any “personal data” or “personal information” within Customer Content.
• European Data Protection Laws. The EU GDPR, the UK GDPR, and the Swiss Federal Data Protection Act, as amended or replaced.
• Restricted Transfer. A transfer of personal data subject to European Data Protection Laws to a third country not covered by an adequacy determination.
• Security Addendum. Additional controls and documentation supporting the protection of data, available on request.
• Security Breach. A breach leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Personal Data.
• Standard Contractual Clauses (“SCCs”). The standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as amended or replaced.
• Subprocessor. A processor engaged by Academe to process Customer Personal Data.
• UK Addendum. The International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018.
• The terms controller, processor, data subject, supervisory authority, and personal datahave the meanings in Applicable Data Protection Laws. Under the CCPA, controller includes “business” and processor includes “service provider”.

This DPA applies when Customer Personal Data is processed by Academe as a processor in connection with providing the Services to Customer, who acts as controller or processor as applicable. Customer is responsible for its own compliance with Applicable Data Protection Laws and for its processing instructions to Academe.

When Academe processes Customer Personal Data as a processor, Academe will (i) comply with Applicable Data Protection Laws, (ii) process Customer Personal Data only as necessary to perform its obligations under the Agreement and in accordance with Customer's documented instructions (as set out in the Agreement, this DPA, or as directed by Customer or Customer's Authorized Users through the Services), and (iii) notify Customer if, in Academe's reasonable opinion, an instruction infringes Applicable Data Protection Laws. Details of processing are set out in Annex A.

Academe shall ensure that any personnel authorized to process Customer Personal Data is subject to an appropriate duty of confidentiality.

Authorization. Customer provides a general authorization to Academe to use Subprocessors in accordance with this DPA. A current list of Subprocessors is maintained and made available upon request.

Subprocessor obligations.Academe will (i) enter into a written agreement with each Subprocessor containing data protection terms no less protective than those in this DPA, and (ii) remain fully liable for any breach caused by a Subprocessor's acts or omissions.

Changes. Academe will notify Customer of material Subprocessor changes by updating the Subprocessor list and emailing the primary administrative contact on record.

Customer is responsible for responding to data subject requests (“DSRs”). The Services include controls Customer may use to assist. If Customer cannot access or delete Customer Personal Data using such controls, Academe will reasonably cooperate to enable Customer to respond. If a data subject contacts Academe directly and is identifiable as Customer's data subject, Academe will forward the request and will not respond substantively except to refer the data subject to Customer.

Academe will provide reasonably requested information to enable Customer to carry out data protection impact assessments and supervisory-authority consultations as required.

If Academe receives a subpoena, court order, warrant, or other legal demand from law enforcement or a public authority seeking disclosure of Customer Personal Data, Academe will attempt to redirect the authority to Customer and, where compelled to disclose, will give Customer reasonable notice unless legally prohibited.

Academe has implemented and will maintain appropriate technical and organizational security measures (the “Security Measures”) as described in the Security Addendum. Academe may update the Security Measures provided updates do not materially diminish overall security.

In the event of a Security Breach, Academe will (a) notify Customer in writing without undue delay and in no event later than seventy-two (72) hours after becoming aware of the Security Breach; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse effects.

Where a transfer of Customer Personal Data to Academe is a Restricted Transfer, such transfer is governed by the Standard Contractual Clauses, which are deemed incorporated into this DPA. For EU GDPR transfers, Module Two applies where Customer is controller and Module Three where Customer is processor. For UK GDPR transfers, the UK Addendum applies. For Swiss Data Protection Act transfers, the SCCs apply with references updated to Swiss law. Annex A completes Annex I of the SCCs.

Upon termination or expiration of the Agreement, Academe will, at Customer's election, delete or return Customer Personal Data in its possession, except where retention is required by law. Certification of deletion will be provided on written request.

Subject matter and duration. Customer Personal Data will be processed as necessary to provide the Services under the Agreement, for the term of the Agreement and any period after termination during which Academe processes Customer Personal Data in accordance with the Agreement.

Nature and purpose. Academe processes Customer Personal Data to (a) provide, maintain, update, and support the Services; (b) generate Outputs and insights; (c) communicate with Customer about the Services; (d) provide customer support; (e) maintain security and integrity; and (f) comply with legal obligations.

Types of Customer Personal Data. May include identification data (name, email), professional data (institution, title, role), usage data, technical data (IP address, device info, browser), and any other personal data contained in Customer Content.

Categories of data subjects.Customer's employees, contractors, agents, and end users, plus any individuals whose personal data appears in Customer Content.

Sensitive data. Subject to applicable restrictions, Customer may include special categories of personal data in Customer Content, the extent of which is controlled by Customer.

Frequency. Continuous or one-off depending on the Services being provided.

Retention. For the term of the Agreement and any period after termination during which Academe processes Customer Personal Data in accordance with the Agreement.

Where the Standard Contractual Clauses apply, the parties interpret their obligations as follows:

• Where Customer is itself a processor on behalf of a third-party controller and Academe would otherwise be required to interact directly with such controller, Academe may interact solely with Customer.
• The certification of deletion under Clause 16(d) of the SCCs will be provided upon written request.
• For purposes of Clause 15(1)(a) of the SCCs, Academe will notify Customer and not the relevant data subject(s) in case of government access requests.
• Given the nature of processing, Customer acknowledges that Academe is unlikely to become aware of inaccurate or outdated Customer Personal Data; to the extent Academe becomes aware, Academe will inform Customer in accordance with Clause 8.4 of the SCCs.

Privacy inquiries: hello@academe-ai.com. DPA-related contracting: hello@academe-ai.com.