Data Processing Addendum (DPA)

Effective date: May 1, 2025

This Data Processing Addendum (“DPA”) forms part of the Instruqt Terms of Services (“Terms”) or any other written or electronic agreement between Instruqt and Customer, which governs the provision of the Services from Instruqt to Customer (“Agreement”) and reflects the parties’ agreement regarding the processing of Personal Data. 

By signing this DPA, Customer enters this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates, if and to the extent Instruqt processes Personal Data for which such Affiliates qualify as the Controller. Hence, for the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and its Affiliates. 

All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. 

While providing the Services to Customer pursuant to the Agreement, Instruqt may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

DATA PROCESSING TERMS

1. DEFINITIONS
   
   1. Terms such as "process/processing", "data subject", "processor”, "controller", "personal data", "data breach", "data protection impact assessment", etc., shall have the same meaning ascribed thereto in Article 4 of the GDPR, irrespective of whether the GDPR applies.
   2. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
   3. "Authorised Subprocessors" means those Subprocessors set out in Annex 2 (Authorised Subprocessors and Data Transfers); and any additional Subprocessors consented to in writing by the Customer in accordance with section 5.1.
   4. "CCPA" means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199).
   5. “Customer” means the entity that executed the Agreement with Instruqt and its Affiliates.
   6. "Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the EEA and their member states (such as GDPR), Switzerland, the United Kingdom (such as UK GDPR), India and the United States and its states (such as the CCPA), applicable to the Processing of Personal Data under the Agreement. 
   7. "EEA" means the European Economic Area. 
   8. "EU SCCs" means the European Commission’s standard contractual clauses for the transfer of personal data from the European Union to third countries as set out in the Annex to the EC Decision 2021, Module Two and Module Four as set out in Annex 4.
   9. “GDPR” means the General Data Protection Regulation ((EU) 2016/679).
   10. "Personal Data" means all personal data provided to Instruqt by, or on behalf of, Customer through use of the Services and as further detailed in Annex 1 (Details of the Processing of Personal Data).
   11. "Restricted Transfer" means a transfer of Personal Data from a member state of the EEA, the UK or Switzerland to a country outside the EEA, the UK or Switzerland.
   12. "Services" means the services described in the Agreement and/or the services listed in Appendix 3 to the Standard Contractual Clauses (if applicable).
   13. "Standard Contractual Clauses" or "SCCs" means the EU SCCs and UK SCCs as may be updated, supplemented or replaced from time to time under applicable Data Protection Laws, as a recognized transfer or processing mechanism (as applicable), attached to this DPA as Annex 4.
   14. "Subprocessor" means any data processor (including any third party and any Instruqt Affiliate) appointed by Instruqt to process Personal Data on behalf of Customer.
   15. "Supervisory Authority" means (a) an independent public authority which is established by a Member State pursuant to GDPR; and/or (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
   16. "Third Country" means a country which is not a member state of the EEA.
   17. "UK GDPR" means the GDPR as implemented in the UK.
   18. "UK SCCs" means the SCCs described in Article 46(2)(c) of the GDPR and approved by the EU Commission Decision 2010/87/EU of 5 February 2010 in Annex 4.
   19. “Instruqt” means the Instruqt entity which is a party to this DPA and who provides the Services under the Agreement.

2. PROCESSING OF THE PERSONAL DATA
   
   1. Roles. Instruqt may be required to process Personal Data on behalf of Customer to perform the Services. In the processing of Personal Data, Customer is the Controller and Instruqt is the Processor.
   2. Conflict. Unless expressly stated otherwise, in the event of any conflict between (a) the main body of this DPA, and (b) the (UK) SCCs, (UK) GDPR, CCPA or any other applicable (local) Data Protection Law, the applicable local law in (b) will prevail.
   3. Purpose. Instruqt shall only process the types of Personal Data relating to the categories of data subjects, for the (specific) purpose(s) as set out in the Agreement and shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with Data Protection Laws and Customer's documented instructions (unless processing is required by a Data Protection Law to which Instruqt is subject to). 
   4. Transfer. For the purposes set out in section 2.3 above, the Customer hereby instructs Instruqt to transfer Personal Data to the recipients listed in Annex 2 (Authorised Subprocessors and Data Transfers) always provided that Instruqt shall comply with section 4.2 (Subprocessing) and section 10 (International Transfers of Personal Data). 
   5. Annex 1. The duration, nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Annex 1 (Details of the Processing of Personal Data) to this DPA.
3. CUSTOMER OBLIGATIONS
   
   1. Compliance. Instruqt will reasonably assist Customer in complying with Customer’s obligations under applicable Data Protection Laws, taking into account the nature of Instruqt’s processing and the information made available to Instruqt, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with data protection authorities under applicable Data Protection Laws. Instruqt will immediately notify Customer if, in its opinion, any instruction infringes applicable Data Protection Laws. This notification will not constitute a general obligation on the part of Instruqt to monitor or interpret the laws applicable to Customer, and this notification will not constitute legal advice to Customer.
   2. Warranty. Customer warrants that: (a) it has all necessary rights to provide the Personal Data to Instruqt for the processing to be performed in relation to the Services, and (b) Instruqt's expected use of the Personal Data for the purposes (as set out in section 2.3 above) and as specifically instructed by the Customer will comply with all applicable Data Protection Laws.
   3. Privacy notices. All obligations towards data subjects under the applicable Data Protection Laws will remain at Customer. Customer is responsible for ensuring that all necessary privacy notices are provided to data subjects, and that - if applicable - any necessary data subject consents to the processing are obtained and a record of such consents is maintained. Should such a consent be revoked by a data subject, Customer is responsible for communicating the fact of such revocation to Instruqt.
4. SECURITY
   
   1. TOMs. Instruqt will implement appropriate technical and organizational measures (‘‘TOMs’’) to ensure the security of the Personal Data in terms of applicable Data Protection Laws, including the security measures set out in Annex 3. This includes protecting the Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the Personal Data. 
   2. Access to Personal Data. Instruqt will grant access to the Personal Data undergoing processing to members of its personnel and/or Authorised Subprocessors engaged in processing the Personal Data only to the extent strictly necessary for implementing, managing and monitoring of the Agreement. Instruqt will ensure that persons/companies authorized to process the Personal Data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
   3. Costs. The parties will negotiate in good faith the cost, if any, to implement material changes other than to the extent required by specific updated security requirements set forth in applicable Data Protection Laws or by data protection authorities of competent jurisdiction (in which case Instruqt would bear the responsibilities of such cost to the extent required by applicable Data Protection Laws or by the data protection authority).
5. SUBPROCESSING
   
   1. List of Subprocessors. A list of Instruqt's Subprocessors that Instruqt directly engages for the specific Services as a (sub)processor is set out in Annex 2 (Authorised Subprocessors and Data Transfers). Customer hereby authorises Instruqt to engage those Subprocessors in light of this DPA.
   2. General authorization. Customer provides its general authorization to Instruqt’s engagement with Subprocessors, including Instruqt Affiliates, to provide some or all Services and process Personal Data on its behalf. To the fullest extent permissible under applicable Data Protection Laws, this DPA will constitute Customer’s general written authorization to the subcontracting by Instruqt of the processing of Personal Data to the Authorised Subprocessors.
   3. Changes. Instruqt will notify the Customer in writing of any intended changes to the agreed list of Subprocessors at least 30 days in advance, thereby giving the Customer the opportunity to object to such changes. Such objection must be made in writing to the Instruqt contact mentioned in Annex 1 within 10 days of notification. Customer’s failure to submit a written objection to the agreed list of sub-processors within 10 days of notification, will be deemed acceptance of the changes to the agreed list of Subprocessors. 
   4. Performance. Instruqt shall be liable for the acts and omissions of its Authorised Subprocessors to the same extent Instruqt would be liable if performing the services under the terms of this DPA, except as otherwise set forth in the Agreement.
6. INSTRUQT AND DATA SUBJECT RIGHTS
   
   1. Notification. Instruqt shall without undue delay, notify the Customer if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise its rights in chapter III of GDPR, and shall provide full details of that request.
   2. Co-operation. Instruqt shall co-operate as requested by the Customer to enable the Customer to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or this DPA.
7. INCIDENT MANAGEMENT AND DISCLOSURE
   
   1. Data breach. Instruqt shall notify the Customer without undue delay upon becoming aware of or reasonably suspecting a data breach, in any case by sending an email to the Customer providing the Customer with available information which allows the Customer to meet any obligations to report a data breach under the Data Protection Laws. 
   2. Working together. Instruqt shall co-operate with the Customer and take such reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each data breach, in order to enable the Customer to (i) perform a thorough investigation into the data breach, and (ii) formulate a correct response and to take suitable further steps in respect of the data breach in order to meet any requirement under the Data Protection Laws. 
   3. Disclosure. Instruqt will not disclose Personal Data except: (a) as Customer directs in writing, (b) as described in this DPA or (c) as required by law. Where Instruqt is permitted by law to do so, upon receiving a request from a public body/authority, Instruqt will use reasonable endeavors to notify the Customer and attempt to redirect the public body/authority to request the personal data directly from Customer. If compelled to disclose Personal Data to a public body/authority, then Instruqt will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Instruqt is legally prohibited from doing so and conduct such disclosure in compliance with Data Protection Laws and (if applicable) in accordance with the terms of the SCCs.
8. DELETION OR RETURN OF PERSONAL DATA
   
   1. In case of termination of the Agreement, Instruqt shall promptly:
      
      1. return a complete copy of all Personal Data to the Customer by secure file transfer and securely wipe all other copies of Personal Data processed by Instruqt or any Authorised Subprocessor, or;
         ‍
      2. securely wipe all copies of Personal Data processed by Instruqt or any Authorised Subprocessor, except to the extent required to demonstrate any compliance with applicable law or contract with Customer.
9. AUDIT RIGHTS
   
   1. Instruqt shall provide Customer with security compliance reporting, such as the external SOC2 Type 2 audit report, upon Customers’ request. Should Customer be required to respond to a regulatory or supervision request that requires Instruqt’s participation, and Customer’s obligations cannot reasonably be satisfied with Instruqt’s standard security compliance report, Instruqt will promptly respond to Customer’s additional instructions and requests for information. In that case, Instruqt shall at first request of Customer and to a maximum of once a year, make available to the Customer on request raised reasonably in advance (not less than 30 days prior) all information necessary to demonstrate compliance with this agreement and allow for and contribute to audits, including inspections by the Customer or another independent qualified auditor mandated by the Customer of any premises where the processing of Personal Data by Instruqt takes place. Subject to signing of a NDA, and at Customers costs, Instruqt shall permit the Customer, or another auditor mandated by the Customer to inspect, audit and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of this agreement are being complied with. Information and audit rights of the Customer only arise under this section 9 to the extent that Instruqt does not otherwise provides information such as, but not limited to a third-party memorandum and/or audit rights set forth in the Agreement meeting the relevant requirements of Data Protection Law.

10. INTERNATIONAL TRANSFERS OF PERSONAL DATA
    
    1. Except as described elsewhere in the DPA, Personal Data that Instruqt processes on Customer’s behalf may be transferred to and stored and processed in any country in which Instruqt or its Subprocessors may operate.
    2. Transfer restrictions. If an applicable Data Protection Law restricts cross-border transfers of Personal Data, the Customer will only transfer that Personal Data to Instruqt if Instruqt, either through its location or participation in a valid cross-border transfer mechanism under the applicable Data Protection Laws, may legally receive that Personal Data.
    3. Change of statutory transfer mechanism. To the extent that Instruqt is relying on the SCCs or another specific statutory mechanism to allow international data transfers, and those mechanisms are subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Customer and Instruqt agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
    4. Where the GDPR or UK GDPR is the applicable Data Protection Law, Instruqt may only process, or permit the processing, of Personal Data by the Services in respect of a Restricted Transfer under the following conditions:‍
       
       1. Adequacy decision. Where the European Commission or the UK (as applicable) has found that that the relevant countries provides adequate protection for the privacy rights of data subjects;‍
       2. Adequate safeguards. In the absence of an adequacy decision, where appropriate safeguards have been provided by the controller or processor established in third countries which do not ensure an adequate level of data protection, and who receive the Personal Data by way of a valid transfer mechanism under Article 46(2) of the GDPR, UK GDPR or other applicable Data Protection Law;‍
       3. Standard Contractual Clauses. SCCs may be used as follows: 
          
          1. the UK SCCs’ for Personal Data subject to UK GDPR; 
          2. the applicable Module(s) of the EU SCCs for Personal Data subject to GDPR and/or the Swiss Federal Act of 19 June 1992 on Data Protection (FADP).

5. Execution of SCCs. If any cross-border transfer of Personal Data between Instruqt and the Customer requires execution of SCCs to comply with the applicable Data Protection Law, the parties will complete all relevant details in, and execute, the applicable SCCs, and take all other actions required to legitimize the transfer.
6. Sub-processors. Where Customer provides it general written authorization to Instruqt (located in the EEA or UK, as applicable) appointing a Subprocessor located outside the EEA or UK (as applicable), Customer authorizes Instruqt to enter into the applicable form of the applicable SCCs with the Subprocessor in Customer’s name and on its behalf (in which case Customer will no longer require to enter into direct agreements itself with such Subprocessor).

11. LIABILITY
    
    1. The liability of each party under this agreement will be subject to the exclusions and limitations of liability set out in the Agreement. Customer will indemnify Instruqt for any regulatory penalties incurred by Instruqt in relation to the Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under Data Protection Laws. 

12. MISCELLANEOUS
    
    1. The Parties agree that this agreement shall terminate automatically upon expiration or termination of the Agreement.
    2. Should any provision of this agreement be invalid or unenforceable, then the remainder of this agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    3. This agreement is governed by the laws as set forth in the Agreement and, if not provided for, by the laws of the country in which (the) Instruqt (entity) resides. Any disputes arising out or in connection with this DPA shall be brought exclusively before the competent court of the country in which (the) Instruqt (entity) resides.

ANNEX 1: DETAILS OF THE PROCESSING OF PERSONAL DATA

This Annex 1 includes the details of the processing of Personal Data as required by Article 28(3) GDPR.

Nature and Purpose of Processing: 

• To provide access to the platform. 

Duration of Processing: 

• As long as the account exists. Users can delete their own account. After 60 days, the date is completely removed. 

Type of Personal Data: 

• Name, Email, IP-address 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): 

• Continuous basis (every time a user signs up for an account on the platform. 

Nature of processing: 

• Automated collection, storage and usage of data. 

Purpose(s) of the data transfer and further processing: 

• Data is stored to provide users access to the platform and select private content on the platform. 

Categories of Data Subjects: 

• Employees and customers 

Contact Details: privacy@instruqt.com 

ANNEX 2: AUTHORISED SUBPROCESSORS AND DATA TRANSFERS

Please find the list with Subprocessors here.